File integrity monitoring (FIM) is a security control that tracks files for unexpected changes, such as edits, deletions, permission changes, or new files appearing in sensitive directories. It typically compares current file state against a trusted baseline and alerts when something differs. Common targets include web application files, system binaries, configuration files, and scripts.
FIM matters because many intrusions leave traces in the filesystem. Attackers may alter login pages, drop web shells, modify startup scripts, or tamper with security tools to keep access hidden. In extortion or ransomware cases, FIM can reveal early signs of compromise before data is encrypted or exfiltrated. Defenders use it alongside log analysis, endpoint telemetry, and backups to confirm whether a change was authorized. Good FIM coverage focuses on critical paths, reduces noisy alerts, and preserves evidence so responders can tell normal maintenance apart from malicious tampering.