Risk Confluence
Persistence Confluence
Persistence confluence is present when an agent possesses the combination of capabilities required to establish unauthorized persistent access to systems.
Condition definition
Persistence confluence requires three capabilities in combination.
The first capability is write access to files, databases, or configuration stores. The agent can modify persistent state that survives session termination.
The second capability is read access to credentials, tokens, or authentication material. The agent can obtain secrets that enable future access.
The third capability is the ability to create scheduled tasks, cron jobs, or persistent processes. The agent can establish execution that continues beyond the current session.
Detection requirements
Systems shall evaluate agent capability sets against the persistence confluence condition. Evaluation occurs at capability grant time and continuously during operation.
The combination of write, credential access, and scheduling capabilities enables creation of persistent backdoors even when each individual capability appears benign.
Response controls
When persistence confluence is detected, systems shall apply Critical profile controls regardless of declared certification scope.
This elevation applies the highest level of controls to the elevated risk that arises from the capability combination. Organizations cannot avoid Critical controls by declaring lower certification profiles when persistence confluence exists.
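The following sketch is an added example, not part of the specification. It shows one way to evaluate the condition at grant time and on every profile lookup, and to override the declared profile with Critical. The capability names, the `Agent` class and the "Basic" profile name are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical grant names mapped to the three capability classes named in
# the condition definition. None marks a grant that belongs to no class.
CLASS_OF = {
    "fs.write": "write", "db.write": "write", "config.write": "write",
    "secrets.read": "credential", "token.read": "credential",
    "cron.create": "schedule", "task.schedule": "schedule",
    "process.daemonize": "schedule",
    "net.fetch": None,
}
REQUIRED = frozenset({"write", "credential", "schedule"})


def persistence_confluence(grants):
    """True when the grants cover all three capability classes."""
    held = {CLASS_OF[g] for g in grants} - {None}
    return REQUIRED <= held


@dataclass
class Agent:
    declared_profile: str  # e.g. "Basic" (assumed name for a lower profile)
    grants: set = field(default_factory=set)

    def grant(self, capability):
        """Grant-time evaluation: True if this grant completes the confluence."""
        if capability not in CLASS_OF:
            # Refuse unclassified capabilities so none bypasses evaluation.
            raise KeyError(f"unclassified capability: {capability}")
        before = persistence_confluence(self.grants)
        self.grants.add(capability)
        return not before and persistence_confluence(self.grants)

    def revoke(self, capability):
        self.grants.discard(capability)

    def effective_profile(self):
        """Continuous evaluation: recomputed from current grants on each call."""
        if persistence_confluence(self.grants):
            return "Critical"  # overrides the declared certification scope
        return self.declared_profile
```

Each single grant looks benign in isolation; only the third class to arrive flips `grant()` to `True`, which is the point at which an alert or approval gate would fire.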