Baseline comparison

Definition

Comparison of a recovered system's current state, including running processes, network connections, scheduled tasks, and file hashes, against a known-good reference state captured before or immediately after a clean rebuild. Deviations from baseline indicate residual compromise or misconfiguration.
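The comparison described above, as an added illustration that is not part of the original glossary entry: two constructed snapshots (a known-good reference and the host's current state) are diffed across the four categories named in the definition, and every deviation is returned for analyst review. The snapshot layout, hash values and item names are placeholders chosen for this example.

```python
from dataclasses import dataclass

# Constructed sample snapshots: a known-good reference captured right after the
# clean rebuild, and the host's current state. All values are placeholders.
BASELINE = {
    "processes": ["sshd", "cron", "nginx"],
    "connections": ["0.0.0.0:22", "0.0.0.0:443"],
    "scheduled_tasks": ["logrotate", "nightly_backup"],
    "file_hashes": {"/usr/sbin/sshd": "sha256:BASE_A", "/etc/crontab": "sha256:BASE_B"},
}
CURRENT = {
    "processes": ["sshd", "cron", "nginx", "unknown_proc"],
    "connections": ["0.0.0.0:22", "0.0.0.0:443", "198.51.100.7:8443"],
    "scheduled_tasks": ["logrotate"],
    "file_hashes": {"/usr/sbin/sshd": "sha256:BASE_A", "/etc/crontab": "sha256:CHANGED_B"},
}

@dataclass(frozen=True)
class Deviation:
    category: str  # processes, connections, scheduled_tasks or file_hashes
    kind: str      # "added", "missing" or "changed"
    item: str
    detail: str = ""

def compare(baseline: dict, current: dict) -> list[Deviation]:
    """Return every difference between the reference and the current snapshot."""
    out: list[Deviation] = []
    # Set-valued categories: anything present now but absent from the baseline
    # (or vice versa) is a deviation worth an analyst's attention.
    for cat in ("processes", "connections", "scheduled_tasks"):
        base, cur = set(baseline.get(cat, [])), set(current.get(cat, []))
        out += [Deviation(cat, "added", i) for i in sorted(cur - base)]
        out += [Deviation(cat, "missing", i) for i in sorted(base - cur)]
    # File hashes are keyed by path: a path may be new, gone, or carry a new digest.
    base_h, cur_h = baseline.get("file_hashes", {}), current.get("file_hashes", {})
    for path in sorted(set(base_h) | set(cur_h)):
        if path not in base_h:
            out.append(Deviation("file_hashes", "added", path, cur_h[path]))
        elif path not in cur_h:
            out.append(Deviation("file_hashes", "missing", path, base_h[path]))
        elif base_h[path] != cur_h[path]:
            out.append(Deviation("file_hashes", "changed", path, f"{base_h[path]} -> {cur_h[path]}"))
    return out

def report(deviations: list[Deviation]) -> str:
    """Summary for the recovery record; an empty list means the host matches baseline."""
    if not deviations:
        return "No deviations from baseline"
    lines = [f"{len(deviations)} deviation(s) from baseline:"]
    lines += [f"  [{d.category}] {d.kind}: {d.item} {d.detail}".rstrip() for d in deviations]
    return "\n".join(lines)

print(report(compare(BASELINE, CURRENT)))
```

A deviation is a finding to triage, not a verdict: the changed crontab digest may be an approved post-rebuild edit, so the reference snapshot should be updated whenever an authorised change is made.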

Related terms

Extended monitoring window
A defined period of heightened detection sensitivity following recovery, during which security operations maintain increased logging, alert thresholds, and analyst attention. Ends...
Honeytoken
A synthetic credential, document, or data record placed in a monitored location. Any attempt to use or access the honeytoken is an...
Recovery validation
The verification process that confirms a restored system is clean, correctly configured, and free from residual attacker access. Distinct from eradication, which...
Recurrence
Re-establishment of attacker access or re-execution of the same attack vector after the prior incident has been eradicated. Recurrence triggers the incident...
Tripwire
A deliberately placed artefact or detection rule designed to fire only if an attacker returns or residual malware reactivates. Examples include canary...
