★ field note 02 / protocol note / classification: open / unrestricted / read time · 9 minutes / filed 2026·04·14 / sn-0047-gcx · batch 004-a /

Building the digital twin: from telemetry stream to live estate graph.

A digital twin is not a CMDB. It is a continuously reconciled, queryable model of every endpoint, identity, configuration, dependency, and state transition in the estate: fresh enough to act against, durable enough to audit, and rich enough that an autonomous agent can answer non-trivial questions about it before any change touches reality.

What the twin actually contains

The twin holds three layers, materialized side by side. Inventory: every node, identity, license, certificate, and connector. State: current configuration, applied policy, observed health, posture. History: the immutable change-log of every transition, with provenance and operator-of-record.

Critically, it also holds relationships: which identity owns which device, which application depends on which subnet, which backup job protects which dataset, which endpoint sits behind which firewall rule. Without the relationship graph the twin is a list, not a model.

Ingestion topology

The twin is fed by 112 connectors organized in nine categories: PSA, RMM, SIEM, identity, backup, automation, communication, cloud, and email security. Each connector is responsible for one well-defined data domain and one refresh contract.

Refresh rates are tiered. Hot sources (alerts, posture, identity events) push or stream at sub-second to single-digit seconds. Warm sources (config, inventory) pull at one-to-five-minute intervals. Cold sources (compliance reports, audit logs) batch hourly. Every connector emits a heartbeat; missed heartbeats degrade the twin's confidence score for that domain rather than silently going stale.

A model that goes silently stale is worse than no model at all. Confidence is a first-class attribute of every fact in the twin.

The reconciliation cadence

Reconciliation runs in two modes. Continuous reconciliation re-evaluates incoming events against the materialized state and fires drift signals when the two diverge. Periodic reconciliation walks the full estate at a slower cadence (typically four-hourly) and corrects any silent drift the event-stream missed (connector outages, partial syncs, third-party rate-limits).

Both modes feed the same change-log. The agent does not care which one detected a divergence; it cares that the divergence is accurate, attributable, and timestamped.

Storage: event log plus materialized state

The persistence model is event-sourced. Every fact about the estate is an immutable event with a source connector, timestamp, and confidence. The current-state view is materialized from the event stream and can be rebuilt from scratch as of any point in time: useful for audit, useful for debugging an incident, useful for rehearsing a change against a snapshot of the estate from yesterday.

This is what makes the rehearsal loop possible. The twin is not a snapshot; it is a function over time.

Querying the twin

The agent does not poll connectors directly. It queries the twin. Queries range from the trivial (list every endpoint with KB-5031234 outstanding) to the structural (which workloads depend on the identity that owns service-account-04 and would be impacted if its session were rotated in the next ten minutes). The twin's job is to answer both kinds of questions in milliseconds.

How drift is detected

Drift is the gap between the desired-state policy and the observed state of the estate. The twin computes drift continuously, scoped per node and per policy domain, with a per-domain severity model. A small drift in a low-severity domain (a stale wallpaper policy) is logged and ignored. A small drift in a high-severity domain (an MFA exception that was supposed to expire) is escalated immediately, with the agent already preparing the remediation branch.
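The storage and drift sections above can be tied together in a small sketch. This is an added example, not code from the product described here: it materializes state from an immutable event log as of a chosen time, degrades confidence when a connector misses heartbeats, and routes drift by domain severity. The `Event` fields, the severity table, the heartbeat intervals, and the halving rule are all assumptions made for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Event:            # one immutable fact in the event log
    ts: float           # observation time, seconds (constructed values)
    connector: str      # source connector
    node: str
    domain: str         # policy domain
    value: str
    confidence: float   # 0.0-1.0 at ingest

# Assumptions for illustration: severity per domain, heartbeat contract per connector.
SEVERITY = {"mfa": "high", "wallpaper": "low"}
HEARTBEAT_INTERVAL = {"identity": 5.0, "rmm": 60.0}

def materialize(log, as_of):
    """Rebuild the state view from the log as of a point in time."""
    state = {}
    for ev in sorted(log, key=lambda e: e.ts):
        if ev.ts <= as_of:
            state[(ev.node, ev.domain)] = ev   # latest event wins
    return state

def effective_confidence(ev, last_heartbeat, as_of):
    """Halve confidence per missed heartbeat (assumed decay rule)."""
    elapsed = as_of - last_heartbeat[ev.connector]
    missed = max(int(elapsed // HEARTBEAT_INTERVAL[ev.connector]), 0)
    return ev.confidence * 0.5 ** missed

def detect_drift(log, desired, last_heartbeat, as_of):
    """Return (node, domain, observed, action, confidence) per divergence."""
    state, findings = materialize(log, as_of), []
    for (node, domain), want in desired.items():
        ev = state.get((node, domain))
        observed = ev.value if ev else None
        if observed == want:
            continue
        action = "escalate" if SEVERITY.get(domain) == "high" else "log"
        conf = effective_confidence(ev, last_heartbeat, as_of) if ev else 0.0
        findings.append((node, domain, observed, action, round(conf, 3)))
    return findings

# Constructed sample data: an MFA exception granted at t=200, a wallpaper change at t=150.
LOG = [
    Event(100.0, "identity", "user-a", "mfa", "enforced", 1.0),
    Event(200.0, "identity", "user-a", "mfa", "exception", 1.0),
    Event(150.0, "rmm", "pc-1", "wallpaper", "custom", 1.0),
]
DESIRED = {("user-a", "mfa"): "enforced", ("pc-1", "wallpaper"): "corporate"}
LAST_HEARTBEAT = {"identity": 298.0, "rmm": 180.0}   # rmm has gone quiet
```

Calling `detect_drift(LOG, DESIRED, LAST_HEARTBEAT, as_of=300.0)` escalates the MFA exception at full confidence and logs the wallpaper drift at reduced confidence; passing an earlier `as_of` replays the same check against the estate as it stood then.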

Detection is the easy half. The hard half (rehearsing the remediation against a live twin before applying it) is filed separately under field-note 03.
