Backup Only Looks Boring to Security Operations Until Everything is on Fire

Security Operations teams get excited about the parts of their tool stack that look alive: End-point Detection and Response feels alive. Cyber Threat Intelligence feels alive. Security Orchestration & Automated Response feels alive. Security Information & Event Management feels alive. Identity & Access Management feels alive, well, conscious anyway. Backup, by contrast, is too often treated by Security Operations like the plumbing of enterprise IT: important, necessary but fundamentally uninteresting. That is a huge mistake for Security Operations teams to make.

In a destructive cyberattack, backup is not just a recovery mechanism. It is one of the most useful sources of historical truth an organisation has. In many cases, it is also one of the few places left where truth has not been tampered with, evaded, deleted or blinded by the adversary, and that should make it far more interesting to Security Operations than it usually is.

When the question changes from “how do we detect malicious activity?” to “what can we still trust?”, backup becomes a lot more interesting. The problem is that many Security Operations teams only realise that too late, usually when they are facing their first destructive cyberattack, whether ransomware or a wiper. Exfiltration and fraud are serious, but they are operationally different from a scorched-earth attack designed to destroy systems and erode trust across the environment. Security Operations teams that ignore the many incident response use cases enabled by backup platforms are leaving one of the most useful tools they already own sitting idle in the toolbox. The investment has already been made, the CIO has already paid for the platform, and the backup administrators have already done the hard work of getting the data into it. Security Operations can use that capability to make investigation, validation and recovery materially more effective; they just need to choose to.

Backup is not just for restore

A lot of organisations still frame backup as a tool for putting data back after something bad has happened. That is too narrow.

In a ransomware or wiper incident, the challenge is not simply recovering data. The challenge is recovering the organisation to a trusted state. That means understanding what changed, when it changed, how far compromise spread, what persistence exists, what evidence remains and what can be safely brought back online without inviting the attacker straight back in. Backup can help answer all of those questions.

If Security Operations only sees backup as the thing you use after the real work is done, then it is badly underestimating its value. In mature cyber resilience programmes, backup is part of the investigation, part of the analysis and part of the trust-restoration process, not just the final act of IT clean-up.

No agent, no problem

One of backup’s biggest advantages as a security asset is that it does not depend on an agent surviving on the host you are trying to understand. Attackers know how to evade, blind and degrade endpoint tooling. They know how to interfere with telemetry, remove artefacts, wipe logs and generally poison the evidence defenders hope to rely on. Much of modern detection capability sits directly on the battlefield, which means it is perfectly placed to be attacked there. In the hundreds of incidents my teams have helped customers through where data was encrypted or wiped, almost every victim had a leading EDR tool installed, fully licensed and apparently up to date. That still did not stop those controls being routinely bypassed by fast-moving, automated Ransomware-as-a-Service operations. Any organisation whose detection and response strategy rests too heavily on EDR or XDR should spend a bit of time studying current evasion techniques. Just do it in the morning, because once you understand how common some of them are, you may not sleep especially well that night.

Backup-derived evidence is different. Snapshots and protected copies can preserve the state of a system without depending on an endpoint agent surviving the moment of compromise. When those copies sit in a vaulted, immutable platform outside the adversary’s reach, responders can understand exactly what the attacker has done and begin planning their strategy before they even enter the battlespace of the compromised environment. The analysis is passive, the evidence is resistant to evasion, and the tooling used to interrogate it is far more likely to be trusted.

That gives responders something extremely valuable: another source of truth, one that is often less exposed to the common evasion techniques used against security tools. It does not replace EDR, but it gives you something EDR cannot always give you once the attacker starts breaking the furniture.

Retention is a superpower

Security Operations' typical tooling is often rich in detail but shallow in time; many attacks are neither. Destructive cyberattacks often involve quiet preparation well before impact, from hundreds of days in nation-state wiper attacks, through dozens in targeted ransomware, to a matter of days for Ransomware-as-a-Service smash-and-grab attacks. There may be credential theft, privilege escalation, staged persistence, configuration tampering, slow lateral movement and pre-positioning weeks, months or even years before the organisation feels the blast radius. That is where backup becomes particularly valuable.

Backup platforms often retain data for far longer than security tooling retains high-fidelity telemetry. That allows responders to look back across time and compare system states, file systems, application footprints and configuration drift. It gives them a better chance of identifying when malicious change began rather than just when the organisation finally noticed something was wrong.

That is not just useful. It can materially change the quality of investigation and the quality of remediation and recovery decisions. When Security Operations ignores backup, it is often ignoring one of the best long-range historical records available to it.

Passive hunting is underrated

There is another advantage here that does not get enough attention: passive hunting. Hunting in live environments can create noise that can tip off an adversary. It can cause them to accelerate, detonate, clean up or shift tactics. Sometimes that is unavoidable. Sometimes it is exactly what must be done, but not always. Being able to hunt across snapshots and historical copies gives defenders a quieter option. It allows them to inspect systems, trace change and look for known bad artefacts without always interacting directly with the live compromised environment in the same way.

That can be particularly useful when an attacker is still present and defenders are trying to understand the shape of the intrusion before making more visible moves. Good responders do not just want visibility, they want visibility without unnecessary signalling.

Cold logs are often where the good stuff is

Not every useful log makes it to the SIEM. Some never got forwarded. Some were overwritten. Some sat locally on servers or endpoints and were never part of a collection policy. Some were present at the time of compromise but gone by the time anyone knew where to look: backup snapshots preserve those logs.

That means backup can help restore visibility that no longer exists in live systems. Local application logs, endpoint artefacts, configuration traces, scheduled tasks, transient scripts, installer remnants and other pieces of evidence that never made it into centralised telemetry may still exist inside protected copies; that is a game changer in many incidents.

In serious incident response, answers are often found in the scraps the attacker forgot to remove or the data the organisation forgot it still had: backup is often where those scraps live.

Snapshots can be inspected, not just restored

One of the worst habits in cyber recovery is treating restore as a transport exercise. Copy data from one place back to another, power things on and declare success. That is not recovery to a trusted state; that is just data movement.

A more mature approach is to reinstantiate snapshots in an isolated environment and inspect them properly. Vulnerability scan them. Review their configurations. Compare them against known-good states. Examine services, patch levels, exposed components and evidence of persistence. Validate them before they are reintroduced into production. Hunt for Indicators of Compromise that indicate a Living-off-the-Land attack, or scan the snapshots for malware. Classify the data on the impacted system snapshots to understand your contractual and regulatory obligations. Detonate suspicious files found in the snapshots in sandboxes to see what files they created or modified, which network connections they attempted and which processes they spawned.

That is the difference between restoring fast and restoring safely. If the vulnerability that enabled compromise is still present, if the malware is still there, if persistence is buried in scheduled tasks or startup paths or if key security controls remain degraded, then hurried recovery simply creates a second incident with less surprise. Security Operations should care deeply about any capability that helps prevent that.

Modern backup platforms do more than store copies

Part of the problem is that many people still have an outdated mental model of what backup technology does. Modern platforms increasingly provide native capabilities that are directly useful in security operations and incident response. These can include IoC scanning, cryptographic hashing, malware scanning, data classification and newer capabilities such as sandboxing. Each of those matters.

IoC scanning helps search historical copies for signs of known attacker tooling or compromise. Cryptographic hashing helps validate integrity and identify change. Malware scanning provides another control point before restore. Data classification helps organisations understand what sensitive or regulated information may have been exposed or affected. Sandboxing gives defenders a safer place to inspect suspicious files and artefacts before extending trust to them again.
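As an added illustration (not code from the original article or from any particular backup product), the following Python script does in miniature what the sections on retention, snapshot inspection and hashing describe: it hashes mounted snapshot trees, reports what was added, removed or modified between two of them, walks an ordered series of snapshots to find the first one in which a given file changed, and flags files that match an IoC hash list or sit in a persistence location. The snapshot contents, persistence paths and IoC hash are constructed for the demo and stand in for real mounted restore points and a real threat feed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under a mounted snapshot."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def snapshot_diff(baseline, later):
    """Classify files as added, removed or modified between two snapshot hash maps."""
    return {"added": sorted(later.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - later.keys()),
            "modified": sorted(p for p in baseline.keys() & later.keys()
                               if baseline[p] != later[p])}

def first_change(series, rel_path):
    """Given an ordered list of (label, hashes), return the label of the first snapshot
    in which rel_path differs from the oldest copy (None if it never changed)."""
    base = series[0][1].get(rel_path)
    return next((label for label, h in series[1:] if h.get(rel_path) != base), None)

def ioc_hits(hashes, bad_hashes, persistence_prefixes):
    """Flag files whose digest is on the IoC list or which sit in a persistence location."""
    return sorted((rel, "hash-match" if h in bad_hashes else "persistence-path")
                  for rel, h in hashes.items()
                  if h in bad_hashes or rel.startswith(persistence_prefixes))

# Constructed demo data: three daily snapshots of one host. The cron job is tampered with
# on day2 and the script it now points at appears on day3. None of this is real incident data.
DEMO = {"day1": {"etc/cron.d/backup": b"0 2 * * * root /opt/backup.sh\n", "var/log/app.log": b"ok\n"},
        "day2": {"etc/cron.d/backup": b"0 2 * * * root /tmp/svc/run.sh\n", "var/log/app.log": b"ok\n"},
        "day3": {"etc/cron.d/backup": b"0 2 * * * root /tmp/svc/run.sh\n", "tmp/svc/run.sh": b"#!/bin/sh\n"}}
PERSISTENCE = ("etc/cron.d/", "etc/systemd/system/", "tmp/")
BAD_HASHES = {hashlib.sha256(b"#!/bin/sh\n").hexdigest()}  # constructed IoC, stands in for a real feed

def run_demo():
    """Materialise the constructed snapshots on disk, then diff, date and scan them."""
    series = []
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in DEMO.items():
            for rel, data in files.items():
                path = Path(tmp, label, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
            series.append((label, hash_tree(Path(tmp, label))))
    return {"diff": snapshot_diff(series[0][1], series[-1][1]),
            "first_change": first_change(series, "etc/cron.d/backup"),
            "iocs": ioc_hits(series[-1][1], BAD_HASHES, PERSISTENCE)}
```

Pointing `hash_tree` at real mounted restore points and replacing `BAD_HASHES` with a threat-intelligence feed turns the same three functions into a passive, agentless review of a host's history: the first snapshot in which a persistence file changed is the earliest date the intrusion can be placed.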

That is no longer just backup; it is security functionality wrapped around historical evidence and recovery data that most traditional security tooling simply does not possess. Backup snapshots give security analysts something close to time travel: the ability to go back, inspect the environment as it really was, and understand how compromise took shape before the attacker destroyed, altered or concealed the evidence.

Security Operations teams should be far more interested in that than many of them currently are.

Backup restores trust, not just service

This is the point that matters most: in a destructive attack, getting a service back online is only part of the problem. The harder question is whether that service should be trusted when it comes back online.

Trust has to be rebuilt across the workload, the operating system, the identity layer, the management plane, the data itself and the evidence used to conclude that restoration is safe. Backup plays into all of that. It gives responders historical comparison points, known-good references, isolated inspection opportunities, preserved artefacts and a basis for validating whether restored systems deserve to be reconnected. That is why backup belongs in cyber resilience conversations, not just infrastructure conversations.

In a real attack the objective is not merely to restore function: it is to restore function without restoring compromise alongside it.

The real issue is the gap between teams

Security Operations often assumes backup belongs to infrastructure teams. Infrastructure teams often assume investigative use cases belong to Security Operations. The result is predictable: the capability sits there, but the operational model around using it does not. That is where maturity shows up.

The more resilient organisations are the ones that define shared workflows in advance. They agree who can access snapshots during an investigation. They determine how backup-derived evidence is handled. They decide how IoC scanning, malware scanning and validation activities are performed. They rehearse how isolated environments are used to inspect restore points before production reintroduction. They make sure Security Operations and IT Operations are not standing on opposite sides of the same tool looking at it as somebody else’s problem.

Cyber resilience usually fails in the gaps between teams, and this is one of those gaps I see most often when my consultants are assessing the operational cyber resiliency capability of an organisation.

Backup is not a silver bullet, but it is a serious security asset

None of this means backup replaces the rest of the security stack. It does not replace identity security, prevention, EDR, SIEM, segmentation, patching or good DFIR. It does not compensate for poor decision-making or weak coordination. It does not magically make an immature organisation resilient (although my consultants can make an immature organisation resilient 😉). It does, however, mean this: treating backup as uninteresting from a Security Operations perspective is a strategic error.

It is one of the few capabilities that can support investigation, passive hunting, long-range historical review, cold log recovery, integrity validation, malware inspection, sensitive data understanding and trust-led recovery at the same time.

That is not boring; that is operationally critical. In a destructive cyberattack, the teams that understand that usually recover with more evidence, more confidence and less self-inflicted damage than the ones that do not.
