Patrol

Continuous compliance

Know the moment a customer's environment stops matching what you expect

Patrol scans connected cloud accounts on a schedule, compares the result against an accepted baseline, and gives you a clear audit trail of what changed, when, and whether it was expected.

[Diagram: cloud account -> scan / snapshot -> compared against baseline -> latest scan marked "in sync" or "drift detected"]

The model

Drift is any change Patrol can't explain

Every scan is diffed against the active baseline. What happens next depends on whether that change was something Patrol did.

Change sets

Changes that correlate with a Patrol-triggered deployment are presented as a change set for review, linked to that deployment run. Accept it to advance the baseline.

Unexplained drift

Changes from scheduled scans with no linked deployment are flagged as unexplained drift — something changed in the account that Patrol didn't do.

Baseline (accepted 14 days ago):
  ec2: acme-payments-app
  sg: acme-payments-sg
  tag: env=production
  role: payments-task-role

Latest scan (change set, 2 minutes ago):
  ec2: acme-payments-app
  + added: ec2: acme-payments-app-2
  - removed: sg: acme-payments-sg
  ~ modified: tag: env=staging
  role: payments-task-role
  [Accept change set]
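The diff-and-classify rule described under "The model", as an added Python example that is not Patrol's own code. The snapshot shape (resource id to attributes), the `deployment_run` id used to link a scan to the deployment that triggered it, and the audit-record layout are assumptions; the sample resources are constructed from the mock-up above.

```python
from typing import Any, Iterator, List, Optional, Tuple

Change = Tuple[str, str, Any, Any]  # (path, kind, before, after)

# Constructed snapshots mirroring the mock-up above: resource id -> attributes.
BASELINE = {
    "ec2:acme-payments-app": {"tags": {"env": "production"}, "role": "payments-task-role"},
    "sg:acme-payments-sg": {"ingress": ["443/tcp"]},
}
LATEST = {
    "ec2:acme-payments-app": {"tags": {"env": "staging"}, "role": "payments-task-role"},
    "ec2:acme-payments-app-2": {"tags": {"env": "production"}, "role": "payments-task-role"},
}

def diff(before: Any, after: Any, path: str = "") -> Iterator[Change]:
    """Walk two snapshots and yield one record per changed path."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            sub = f"{path}/{key}"
            if key not in before:
                yield (sub, "added", None, after[key])
            elif key not in after:
                yield (sub, "removed", before[key], None)
            else:
                yield from diff(before[key], after[key], sub)
    elif before != after:  # leaf values; lists are compared whole
        yield (path, "modified", before, after)

def classify(baseline: dict, scan: dict, deployment_run: Optional[str] = None) -> dict:
    """Diff a scan against the active baseline and label the outcome.
    deployment_run is the assumed id of the Patrol run that triggered the
    scan; a scheduled scan passes None, so any change is unexplained."""
    changes = list(diff(baseline, scan))
    if not changes:
        status = "in_sync"
    elif deployment_run is not None:
        status = "change_set"  # reviewable, linked to the deployment run
    else:
        status = "unexplained_drift"  # something changed that Patrol didn't do
    return {"status": status, "deployment_run": deployment_run, "changes": changes}

def accept(result: dict, scan: dict, audit: List[dict], at: str) -> dict:
    """Accept a reviewed change set: record the decision, return the new baseline."""
    if result["status"] != "change_set":
        raise ValueError("only a change set can be accepted as the baseline")
    audit.append({"at": at, "run": result["deployment_run"], "accepted": True,
                  "paths": [c[0] for c in result["changes"]]})
    return scan
```

Running the same diff without a linked run reproduces the "unexplained drift" case: identical changes, but nothing to attribute them to, so they are flagged instead of offered for review.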

Walkthrough

From first deploy to flagged drift

This is the exact flow used in Patrol's AWS EC2 drift-test example — a single t3.micro instance deployed and monitored end to end.

1. Deploy

   Patrol triggers your deployment pipeline — for example, Terraform applies a new EC2 instance — and the workflow calls back to Patrol when it's done.

2. Scan & adopt a baseline

   After the first scan, accept the snapshot as the baseline — the reference point every future scan is compared against.

3. In-sync checks

   Re-run the scan (manually or on a schedule). If nothing has changed outside of Patrol, the environment stays marked in_sync.

4. Drift detected

   Change a tag — or anything else — directly in the AWS console. The next scan flags it as drifted, with a path-level before/after diff.

Connect any cloud

Scan independently of how something was deployed

Connect a customer's cloud account and Patrol inventories it on a schedule — whether or not Patrol was the one that deployed it.

Provider       Collection method
AWS            Patrol-hosted scanning (pull)
Azure          Patrol-hosted scanning (pull)
Google Cloud   Patrol-hosted scanning (pull)
OpenStack      On-site collector
VMware         On-site collector

Cross-account access via the Patrol CLI

For AWS, the recommended path is a cross-account IAM role. Run the Patrol CLI on a machine with credentials for the customer's account:

patrol connect aws --token <one-time-token>

The CLI creates a PatrolReadOnly role scoped to Patrol's account with an external ID condition, and attaches AWS's managed SecurityAudit and ViewOnlyAccess policies — enough to scan, nothing that can modify resources.

Who it's for

Built for teams accountable for someone else's infrastructure

Managed service providers

Stand up new customers from the same templates every time, and know immediately if a customer's environment drifts from what was agreed.

Platform & DevOps teams

Get multi-cloud visibility into what's actually running across AWS, Azure, GCP, OpenStack and VMware accounts — not just what's in your IaC.

Compliance & audit

Every accepted or rejected change set is a record — a clear, timestamped trail of what changed, when, and whether it was expected.

Try the AWS EC2 drift-test example

A minimal, free-tier Terraform setup that deploys, checks in-sync status, and flags drift end to end.