For AI agents: The documentation index is at https://docs.digitalocean.com/llms.txt. Markdown versions of pages use the same URL with index.html.md in place of the HTML page (for example, append index.html.md to the directory path instead of opening the HTML document).

Cloud Security Posture Management (CSPM) uses two rule types to evaluate your DigitalOcean environment: standard rules and workload rules. These rule types determine what resources CSPM evaluates and which capabilities are available in each plan.

Standard Rules

Standard rules evaluate foundational cloud configuration across your DigitalOcean environment. They focus on common infrastructure and account-level security checks that identify broad posture issues without requiring workload-specific analysis.

Standard rules apply to the following resource types:

• IAM configurations
• Volumes
• Load balancers
• Firewalls
• VPCs
• DigitalOcean Container Registry (DOCR) repositories

Standard rules are included in the free plan and all paid plans.

Workload Rules

Workload rules evaluate supported workloads for deeper, resource-specific security risks. These rules target resources that run applications, store active data, or represent compute or database infrastructure that typically requires more targeted posture analysis.

Workload rules apply to:

• Droplets
• Managed Database instances

Workload rules are available in paid plans only and are not included in the free plan.

Rule Types and Scans

When you run a scan, CSPM evaluates resources based on the rule types available in your plan. If your plan includes only standard rules, CSPM evaluates only supported standard-rule resource types. If your plan includes workload rules, CSPM evaluates both standard resources and all workloads with coverage enabled.

For more details, see Scans and Evaluation.

Rule Types and Findings

Each finding in CSPM is produced when a rule identifies a potential security issue on a supported resource. Standard-rule findings typically reflect broader configuration posture, while workload-rule findings focus on specific workloads and their security state.

For more details, see Findings and Severity.