EO 14412 CISA CBOM minimum elements due ~March 19, 2027 · PQC key establishment by Dec 31, 2030 · digital signatures by Dec 31, 2031

Receipt Drift Detection

Paste two signed receipts to generate a cryptographic diff — components added, removed, upgraded, and risk delta. Requires Advanced tier receipts.

Advanced Feature · Requires Advanced Tier Receipts
Drift Detection

Compare Two Receipts

Advanced

Paste two signed receipts (JWS tokens) to generate a cryptographic diff. The system decodes both, compares component lists, versions, and risk assessments, and returns a structured delta showing exactly what changed.

AEarlier Receipt
BLater Receipt
How It Works

What the diff shows you

The compare engine decodes both receipts, verifies signatures, and produces a structured delta across four dimensions:

Components
Added / Removed
Every component present in one receipt but not the other. New dependencies introduced, old ones removed between deploys.
Versions
Upgraded / Downgraded
Components in both receipts but at different versions. Distinguishes upgrades from downgrades.
Risk Delta
CVE Exposure Change
Whether the deploy increased or decreased vulnerability surface. New CVEs introduced vs resolved.
Provenance
Anchor & Timestamp
Time elapsed between receipts, and confirmation both are signed by the same authority and anchored protocol.
Use Cases

When to use receipt comparison

Deployment Audit
Before and after a production deploy
Generate a receipt before deploying, another after. Compare them to produce a cryptographic record of every change introduced — no log parsing, no trust required.
CVE Response
Proving a vulnerability was remediated
After patching a known CVE, a comparison receipt proves the vulnerable component is gone or upgraded — signed, independently verifiable evidence for auditors and clients.
Compliance
Prove the migration happened
Run a receipt before your post-quantum migration and one after. The comparison shows exactly which quantum-vulnerable assets you removed, which you did not, and what appeared — signed, dated, and verifiable. Progress you can prove, not progress you claim.
Supply Chain
Vendor delivery verification
Compare the receipt a vendor issued at delivery against a re-scan receipt. Any divergence between what was claimed and what was delivered shows up immediately.
Quick Reference

How to run a comparison

1
Get your Advanced tier receipts
Generate two receipts from the Workbench — one before a change, one after. Both must be Advanced tier. Open the Workbench →
2
Paste both JWS tokens
Copy the full signed JWS string from each receipt and paste into the A (earlier) and B (later) fields above. The JWS is the long eyJ… string included in every receipt download.
3
Run the comparison
The system decodes, verifies, and diffs both receipts, returning a structured delta across components, versions, and risk. Need an Advanced pack? View pricing →