From annual audit to continuous diff
Supply chain incidents unfold in days. Quarterly snapshots cannot show what an agent installed yesterday. Heartbeat diffs can.
Compliance frameworks still talk about "periodic review" of software inventory. Meanwhile, npm maintainer compromises, MCP marketplace poisoning, and agent-driven installs operate on a timeline measured in hours.
The audit gap
Traditional IT audits ask: "What software is installed as of this quarter?"
That produces a point-in-time CSV, a slide deck, and a remediation backlog that is stale before the next meeting. It does not catch:
- A typosquat pulled in by `npx -y` on Tuesday
- An MCP server added to three engineers' configs before lunch
- A Homebrew cask installed to unblock a demo
Continuous diff is the minimum viable upgrade
Koban Fleet receives signed snapshots from enrolled Macs on each heartbeat. The control plane:
- Stores the previous snapshot
- Computes a diff against the current one
- Evaluates YAML rules against new or changed entries
- Routes alerts to Slack, webhooks, or your SIEM
You are not waiting for an auditor to ask the question. The diff fires when the change happens.
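The four control-plane steps above (store the previous snapshot, diff it against the current one, evaluate rules against new or changed entries, route alerts) map directly onto a small program. The following is an added illustration written for this article, not Koban Fleet's own code: the snapshot shape (a mapping of `(kind, name)` to version), the rule keys (`kind`, `allow`, `deny`, `severity`), the host names and every package, server and cask name in the sample data are constructed assumptions. The rules are expressed as the dict that `yaml.safe_load` would produce, so the same logic applies once the rules live in YAML.

```python
"""Heartbeat snapshot diff with allowlist/denylist rule evaluation.

Illustrative example, not Koban Fleet's code. Snapshot shape, rule
schema, host names and all sample inventory entries are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class Change:
    kind: str
    name: str
    old: str | None   # version in the previous snapshot, None if newly added
    new: str | None   # version in the current snapshot, None if removed

    @property
    def action(self) -> str:
        if self.old is None:
            return "added"
        if self.new is None:
            return "removed"
        return "changed"


def diff_snapshots(previous: dict, current: dict) -> list[Change]:
    """Return every entry that was added, removed or changed version."""
    changes = []
    for key in sorted(set(previous) | set(current)):
        old, new = previous.get(key), current.get(key)
        if old != new:
            changes.append(Change(key[0], key[1], old, new))
    return changes


# Rules as if parsed from YAML (assumed schema, not Fleet's real rule format):
# an "allow" rule alerts on any entry of that kind NOT in the list,
# a "deny" rule alerts only on entries IN the list,
# a rule with neither alerts on every new/changed entry of that kind.
RULES = {
    "mcp_allowlist": {"kind": "mcp_server", "allow": ["filesystem", "github"], "severity": "high"},
    "npm_denylist": {"kind": "npm", "deny": ["suspicious-pkg"], "severity": "critical"},
    "any_new_cask": {"kind": "brew_cask", "severity": "low"},
}


def evaluate(changes: list[Change], rules: dict) -> list[dict]:
    """Evaluate rules against new or changed entries only; removals are ignored."""
    alerts = []
    for c in changes:
        if c.action == "removed":
            continue
        for rule_name, rule in rules.items():
            if rule["kind"] != c.kind:
                continue
            if "allow" in rule and c.name in rule["allow"]:
                continue
            if "deny" in rule and c.name not in rule["deny"]:
                continue
            alerts.append({"rule": rule_name, "severity": rule["severity"], "kind": c.kind,
                           "name": c.name, "action": c.action, "version": c.new})
    return alerts


class ControlPlane:
    """Keeps the last snapshot per host; the first heartbeat only sets the baseline."""

    def __init__(self, rules: dict):
        self.rules = rules
        self.last: dict[str, dict] = {}

    def heartbeat(self, host: str, snapshot: dict) -> list[dict]:
        previous = self.last.get(host)
        self.last[host] = snapshot
        if previous is None:
            return []  # baseline established, nothing to diff against yet
        return evaluate(diff_snapshots(previous, snapshot), self.rules)


def route(alerts: list[dict], sinks: list[Callable[[dict], None]]) -> int:
    """Send each alert to every sink (Slack, webhook, SIEM stand-ins); returns count sent."""
    for alert in alerts:
        for sink in sinks:
            sink(alert)
    return len(alerts) * len(sinks)


# Constructed sample snapshots for one host, two heartbeats apart.
PREVIOUS = {("npm", "left-pad"): "1.3.0", ("mcp_server", "filesystem"): "0.4.1"}
CURRENT = {
    ("npm", "left-pad"): "1.3.0",
    ("npm", "suspicious-pkg"): "3.3.6",        # denylisted package pulled in
    ("mcp_server", "filesystem"): "0.4.1",
    ("mcp_server", "unknown-tool"): "0.1.0",   # MCP server not on the allowlist
    ("brew_cask", "demo-app"): "2.0",          # cask installed to unblock a demo
}

if __name__ == "__main__":
    plane = ControlPlane(RULES)
    plane.heartbeat("mac-1", PREVIOUS)   # baseline
    found = plane.heartbeat("mac-1", CURRENT)
    route(found, [lambda a: print(f"[{a['severity']}] {a['rule']}: {a['kind']} {a['name']} {a['action']} {a['version']}")])
```

Running it prints one alert per rule hit on the second heartbeat: the cask (low), the unlisted MCP server (high) and the denylisted npm package (critical). Note that the first heartbeat deliberately produces no alerts; that is the "establish baselines" step, and a version bump on an already-present entry still surfaces as a `changed` action so that a maintainer-compromise release is not hidden behind a familiar name.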
What this is not
Continuous diff is not real-time blocking. It is not a guarantee that nothing bad installs. It means you see the install on the next sync.
For many security teams, that is the actual gap. They already have blocking in CI and MDM. They lack visibility on the developer laptop between merges.
Operational cadence
Teams we talk to typically start with:
- Week 1: Enroll a pilot cohort, establish baselines
- Week 2-3: Write Fleet rules for MCP allowlists and critical package denylists
- Ongoing: Triage diffs like any other alert queue, with context, not panic
The shift from annual audit to continuous diff is cultural as much as technical. Incidents become events with timestamps, not surprises in a spreadsheet.