Zero drift is only related to process enforcement. The difference is that it will allow any binary present in the deployed container that is invoked by PID 1 to be run. Otherwise, in basic, any process that will run needs to be learned or manually added. So zero drift works well for hardened images where there are few, if any, shell-outs, potentially infrequent ones that might be missed in discover mode (i.e. a monthly trigger). In our experience, most users are not hardening to this extent, or using distroless, so basic is likely better coverage.
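
A simplified model of the two modes described above, added here as an illustration; it is not the product's code and not part of the original reply. The paths, digests and the `allowed` helper are constructed, and treating "present in the deployed container" as a path-plus-digest match is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data: path -> digest of each binary shipped in the image.
IMAGE = {"/app/server": "d1", "/usr/bin/report-gen": "d2", "/bin/sh": "d3"}
# Paths observed while in discover mode (the monthly job never ran in that window).
LEARNED = {"/app/server"}

@dataclass(frozen=True)
class Exec:
    path: str
    digest: str
    ancestors: tuple  # ancestor PIDs inside the container's PID namespace

def allowed(ev, mode):
    """Return True if the exec event passes the given process-profile mode."""
    if mode == "basic":
        # Basic: only processes that were learned or manually added.
        return ev.path in LEARNED
    if mode == "zero-drift":
        # Zero drift: binary unchanged from the image AND started under PID 1.
        return IMAGE.get(ev.path) == ev.digest and 1 in ev.ancestors
    raise ValueError(f"unknown mode: {mode}")

EVENTS = {
    "worker": Exec("/app/server", "d1", (1,)),
    "monthly_report": Exec("/usr/bin/report-gen", "d2", (7, 1)),
    "dropped_file": Exec("/tmp/dropped-tool", "zz", (1,)),
    "replaced_binary": Exec("/usr/bin/report-gen", "zz", (7, 1)),
    # Entered from outside the container; no PID 1 ancestor in the namespace.
    "exec_shell": Exec("/bin/sh", "d3", (0,)),
}

def verdicts():
    """Map each sample event to its allow/deny result under both modes."""
    return {name: {m: allowed(ev, m) for m in ("basic", "zero-drift")}
            for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:16} basic={v['basic']!s:5} zero-drift={v['zero-drift']}")
```

The `monthly_report` row is the case the reply calls out: basic denies it because discover mode never saw it, while zero drift allows it because it ships in the image and runs under PID 1.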