Baseline

CIS Benchmarks and DISA STIGs are common baseline sources that prescribe hardened configurations per platform. Once a baseline is approved, configuration-management tooling enforces it and reports deviations; unexplained drift from baseline is a leading indicator of misconfiguration or compromise and a frequent SIEM detection rule.