23 May 2025

Crumpets, Cybercrime and CleanRooms. Lessons from the M&S Attack

A blog from our Managing Director, Rick Norgate

For our global readers, let me set the scene. Marks & Spencer, or M&S, is more than just a retailer in the UK. It’s a national institution. Think tea, crumpets and politely saying sorry when someone bumps into you. It’s part of our cultural fabric.

So when M&S was hit by a major cyberattack over the Easter break, it didn’t just rattle the markets. It rattled the nation. As someone who spends every day thinking about how to make businesses more resilient to exactly this kind of event, I wanted to share some thoughts on what happened, why it happened, and what it tells us about where our defences are falling short.

The timeline

The attack landed over Easter, a public holiday weekend when IT and security teams were stretched thin. Scattered Spider, one of the more notorious ransomware gangs, has claimed responsibility.

The attack wiped nearly £1 billion off M&S’s market value, and with some services – including online ordering – still not up and running, the company is reportedly losing around £43 million per week. Despite already paying out a reported £100 million to the attackers via cyber insurance, the company is predicting disruption will continue into July.

How they got in

It’s believed Scattered Spider started with social engineering. Phishing, impersonation, basically exploiting the human layer, which is still the weakest link. This is not unusual. In almost 9 out of 10 successful attacks, the entry point is a person.

Once in, they moved to install ransomware and access Active Directory, locking out admins and, it’s believed, tampering with backups. That’s a logical move. Backups are the safety net. If attackers can take that away, victims are left extremely vulnerable.

But the ransomware wasn’t the start

Most people think ransomware is step one. It’s not. According to Trend Micro, over 90% of attacks start with reconnaissance tools such as keystroke loggers, spyware and credential harvesters. These tools are designed to silently gather intelligence about your estate. They can slip past XDR solutions and allow attackers to learn how to go deeper.

And they don’t hang around. The average time from initial breach to the encryption event is now just 14 days. In 2023, it was 100. That acceleration is no accident. Better security tools mean longer dwell times are risky for attackers. So they move quickly, hit hard, and aim to encrypt when your team is least available.

Enter DragonForce

Scattered Spider didn’t build their own ransomware. They used a service from DragonForce, a dark web group offering ransomware-as-a-service. Think SaaS, but for criminals. DragonForce operates like a business, complete with account managers and affiliate programmes.

Their most popular kit is based on something called LockBit 3.0, a leaked builder tool that lets criminals easily customise powerful ransomware tailored for each target. It’s modular, it’s configurable and it’s dangerous.

So what if it hits you?

Let’s say LockBit 3.0 is unleashed in your environment. The great news is that fantastic tools exist to help. For example, HPE Zerto has real-time encryption detection. IBM has lightning-fast encryption awareness built into its FlashSystem storage boxes, and offers Sensors for virtual workloads.

These are great tools as they close the barn door fast once an encryption event starts. But not before a few horses have already bolted. That’s the nature of reactive defences. They reduce loss, not eliminate it.

So, why not stop it earlier?

Why not test everything, every day?

It sounds obvious, but we all know the reality. Deep scanning production environments for malware every day isn’t feasible. The performance impact on your production systems, the cost, the resources needed, and the disruption. It’s just not practical.

For this reason most XDR tools are configured to scan only new or modified files. That leaves plenty of room for reconnaissance tools to sit quietly, doing damage while staying under the radar.

What if there was another way?

There is another way. And it doesn’t interfere with your production systems at all.

Your backups. That’s where the value lies. They are a goldmine of information that often sits idle, stored on expensive hardware, doing very little.

With Predatar and Trend Micro you can automate recovery tests of your backup servers in an isolated CleanRoom every single day. Then you can use market leading XDR tools to scan them for malware with no negative impact on production performance. It’s fast, automated and powered by threat intelligence that’s updated multiple times daily.

We’re talking 500,000 new signatures a day, supported by over 450 threat researchers and 1,500 security engineers.

Why does this matter to CISOs?

Because recovery testing has always been a tick-box exercise. What we’re doing is turning it into a proactive security control. We’re detecting threats at stage one. That gives your team the time and space to respond before the damage is done.

And for those still sceptical?

We’ve found malware in 82% of the client estates we monitor. This is malware that their production XDR tools missed. Every one of those clients uses Gartner Magic Quadrant vendors.

Pie chart showing 82% of Predatar customers found malware, highlighting Trojan horses, spyware, and other threats.

And of that 82%, over half were stage one threats. Keyloggers. Spyware. Trojan horses. The kind of tools that groups like Scattered Spider may well have used to start the M&S attack.

Final thoughts

The M&S attack is a case study in how fast, sophisticated and strategic today’s ransomware operations have become. If your cyber resilience strategy only kicks in after encryption has started, it’s already too late.

Your backup is a valuable untapped asset, your second chance to catch what production missed. Learn more about Predatar Recovery Assurance.

Rick Norgate, Managing Director, Predatar

Learn more about
Predatar recovery assurance

13 May 2025

Less Cost. More Confidence… with CleanRoom 3

Cybercriminals can take your business down at any time. You need to know that if your organisation is hit by a serious attack, you can restore your critical systems and data – quickly and safely.

At Predatar, it’s our mission to give our customers total recovery confidence. The release of CleanRoom 3, our third-generation Cyber Recovery CleanRoom has made pre-emptive, AI-powered Recovery Assurance technology attainable for more organisations than ever before.

We’ve put all of our learnings from almost 5 years of ground-breaking CleanRoom innovation into CleanRoom 3. It’s a ‘ground up’ design, with one objective in mind… to lower the barriers to adoption for what is quickly becoming an essential technology for operational resilience.

You can learn how we’ve made CleanRoom 3 more flexible, so you can deploy it in more ways on more types of environment than ever before in this blog, or discover how we’ve made it possible to get your CleanRoom up-and-running in under an hour in this blog.

But, not only is CleanRoom 3 faster to deploy and more flexible – read on to find out how we’ve made it a more cost-effective solution than previous iterations… and made it easier to buy too.

Deploy CleanRoom 3 on your existing infrastructure

Predatar is a subscription-based Recovery Assurance platform. Pricing is based on usage, i.e. how much data a customer chooses to validate using Predatar. Some customers use it to continually test all of their backups and snapshots, while others use Predatar only for their business-critical data.

The pricing model is flexible and fair. It has rarely been considered as a barrier to adoption for prospective users. It’s a different story, however, when it comes to the infrastructure required to perform the Recovery Assurance processes – until now.

Previous Predatar CleanRooms have required relatively high-spec servers with specific technical attributes. New customers would need to procure expensive hardware or spin-up expensive new Cloud infrastructure before they could set up their CleanRoom. This added a significant cost to the overall solution.

CleanRoom 3 has been designed to run on widely available ‘commodity’ hardware. Not only is this more cost-effective to buy, but in many cases, customers already own this readily available hardware and can deploy their CleanRoom on existing infrastructure.

Say goodbye to third-party licences

Unlike our previous CleanRoom iterations, CleanRoom 3 is a self-contained virtual appliance.
Delivered as an ISO, the new architecture removes the dependency on VMware, meaning Predatar customers are no longer required to purchase VMware licenses.

We’ve also worked closely with our Cyber Security partners to remove the requirement for Predatar customers to purchase third-party licensing for the XDR (Extended Detection & Response) capabilities that are built into Predatar.

For Predatar customers using CleanRoom 3, XDR licensing is baked into their Predatar subscription at no additional cost.

Easy to deploy. Easy to buy.

The combination of hardware flexibility and no third-party licensing makes Predatar significantly more cost-effective than ever before. Speed and simplicity of deployment means new customers can save on upfront deployment costs too.

And not only is Predatar now significantly more cost-effective, it’s much easier to buy too. Where once Predatar customers would need to procure infrastructure, VMware and XDR licences from different vendors in addition to their Predatar subscription, now a single Predatar subscription is all that is needed.

Get Recovery Confident

To learn more about how CleanRoom 3 is making Recovery Confidence achievable for organisations like yours, join our next webcast.


01 May 2025

CleanRoom 3… More Flex. Less Complex

With your backups under attack from cybercriminals, you need to know that your data is clean and recoverable before a crisis hits. But the complexity and disjointed nature of modern storage environments can make meaningful data validation almost impossible.

Predatar has been pioneering cyber recovery cleanroom technology for almost five years, and with the release of CleanRoom 3, we’ve changed the game again. Our third-generation CleanRoom has been redesigned from the ground up for simplicity and flexibility.

Because, if you’ve got a complex and disjointed storage environment, the last thing you need is complex and disjointed data resiliency solutions.

Unified Recovery Assurance

Large organisations often have multiple storage and backup technologies in play. It’s not unusual for a large business to store data in the Cloud and on-premise. As well as backups, they might also use immutable snapshots for their most critical data. It’s likely they’ll leverage technologies from Mainframe to VMs and newer technologies like Kubernetes too.   

Holistic resilience is a fundamental principle at Predatar. It’s our ambition to create technology that can validate the cleanliness and recoverability of your critical data, regardless of what it is and how it’s stored.

Predatar already supports proactive recovery testing and advanced malware interrogation across backup and primary storage products – from vendors including IBM, Veeam, Pure, Cohesity and Rubrik – and now with CleanRoom 3, we’ve made it even more flexible.

Flexible deployment

Until now, a Predatar CleanRoom could only be deployed as a Virtual Machine running on VMware, meaning that only organisations running VMware environments could benefit from Predatar’s unique recovery assurance capabilities.

With the launch of CleanRoom 3, Predatar is no longer VMware-dependent. Predatar customers can now deploy a CleanRoom as a Virtual Machine using other hypervisors too, for example in a Hyper-V environment. This will become increasingly important as organisations reconsider their choices following Broadcom’s acquisition of VMware last year and the subsequent price hikes.

In fact, the new CleanRoom architecture means that for the first time, a CleanRoom can be deployed directly onto bare metal, removing the need for a hypervisor entirely.

Where previously, customers would need to acquire new hardware or cloud infrastructure to deploy a CleanRoom, the new levels of flexibility mean that in many cases new customers are able to build CleanRoom 3 on hardware they already have.

Deployment simplicity

Not only is the operating system built-in, but the EDR (Endpoint Detection & Response) software that Predatar uses for malware interrogation and cleaning is too. Previously, Predatar customers would need to buy VMware and third-party XDR licences, and configure their cleanroom to recognise the licence keys – now it’s all baked in.

CleanRoom 3 is supplied as a single, downloadable ISO image which can be configured via an easy-to-use setup wizard and installed quickly. A Predatar CleanRoom can be up and running in under an hour.

Everyday simplicity

Regardless of whether you’re using Cleanroom 3 or a previous version, you’ll use the same Predatar CRO (Cyber Recovery Orchestrator) software to manage it. That means you’ll benefit from the intuitive GUI and all of the user-friendly features that customers have come to expect from Predatar.

But in addition, CleanRoom 3 leverages continuous updates to ensure the platform remains secure, up-to-date, and optimised without requiring manual intervention. The system continuously downloads updates and enhancements from Predatar’s repositories to ensure that CleanRoom 3 is always equipped with the latest security improvements, malware definitions, and performance optimisations.

By automating the update process, CleanRoom 3 eliminates the need for manual updates by engineers, reducing the risk of human error, saving time, and making day-to-day admin and maintenance easier than ever.

Think again about Cleanrooms

If you think that cyber recovery cleanrooms are complicated and expensive, think again! To find out how a Predatar CleanRoom can make recovery confidence a reality in your organisation, join our next webcast.


23 April 2025

How CANCOM’s Vision and Predatar Partnership are Elevating Cyber Resilience

Oliver Parpart’s journey to leading two strategic growth initiatives at CANCOM GmbH is anything but conventional. With a rich background in project delivery, Oliver brings a deeply consultative and empathetic approach to client engagement — an approach shaped by years of hands-on experience ensuring IT service delivery success.

Unlike many leaders from a sales background, his method is not about pushing products but about deeply understanding a client’s environment and project delivery challenges. This ability to listen and ask good questions before prescribing solutions sets his team apart in a market dominated by large and competitive System Houses.

This client-first mentality has also influenced the strategic direction of his business unit, which focuses on two major growth initiatives: CANCOM’s DevOps practice and its Cyber Resilience practice.

As cybersecurity threats evolve rapidly, CANCOM is positioning itself as a trusted partner that can not only sell and integrate good technology but also deliver real business outcomes in a scalable, cost-effective way. At the heart of this approach is CANCOM’s Backup Assurance as a Service (BAaaS), a comprehensive, vendor-agnostic cyber resilience platform powered by Predatar.

Why Predatar?

CANCOM has a broad portfolio of backup and storage solutions. However, the complexity of modern enterprise IT landscapes demands a more unified approach to cyber resilience. This is where Predatar’s independence becomes a strategic advantage. Unlike vendor-specific solutions that often create silos, Predatar enables CANCOM to deliver a horizontal cyber resilience service that spans multiple technologies. This means customers can optimize costs, reduce complexity, and proactively defend against increasingly sophisticated cyber threats.

With BAaaS, CANCOM can rapidly elevate a client’s cyber resilience capabilities, deploying advanced security measures in a matter of weeks rather than months. This speed and efficiency are critical in the German and Austrian markets, where there is a shortage of highly skilled cybersecurity professionals. By leveraging Predatar’s automation and intelligence-driven platform, CANCOM can fill this gap, ensuring clients remain protected without the burden of hiring scarce in-house expertise.

Overcoming Internal Challenges to Scale the Service

Despite the strong market demand for cyber resilience services, CANCOM faces an internal challenge: ensuring its vast sales force of over 300 professionals across Germany—and 5,600 employees across Europe—are equipped to sell and support this new offering. Historically, CANCOM’s regional offices have had their own vendor preferences, making a unified approach difficult to implement.

To address this, CANCOM has developed strategic competencies that are independent of its vendor resale model. This allows the company to scale its BAaaS offering across its entire enterprise while improving margin performance and revenue predictability. Additionally, the sales enablement strategy includes a structured playbook and digital sales room templates via the Seismic platform, ensuring that all sales professionals can effectively communicate the value of CANCOM’s cyber resilience services.

Incubating BAaaS for Long-Term Success

To ensure the successful rollout of BAaaS, CANCOM made a considered decision to incubate the service within its Professional Services division, rather than placing it under the IBM resale business. This approach allows for tight control over initial deployments, ensuring quality and consistency. Over time, as adoption grows, the service will transition into CANCOM’s managed cyber and security services practice, enabling it to scale across a broader customer base.

The Future of Cyber Resilience at CANCOM

Cyber threats continue to evolve, and businesses need to be just as agile in their defences. With its consultative approach, deep technical expertise, and enhanced use of Predatar, CANCOM is well-positioned to deliver enterprise-grade cyber resilience at scale. The company’s ability to unify multiple backup and security technologies into a single, cohesive service offering is a game-changer for customers looking to simplify and strengthen their defences. By tackling internal and external challenges head-on, Oliver Parpart and his team are not just building another service — they are shaping the future of cyber resilience in Europe. Through strategic partnerships, an innovative delivery model, and a relentless focus on client success, CANCOM is proving that cybersecurity is not just about technology — it’s about trust, expertise, and execution at scale.

Start Your Journey To Resilience with an APEX Partner

CANCOM is a Predatar APEX partner, one of an elite group of expert service providers hand-picked for their customer-centricity, and their ability to deliver world-class cyber resiliency services powered by Predatar. To kick start your cyber resiliency project, contact the team at CANCOM or find an APEX Partner near you.


17 April 2025

Supercharge your resilience, fast… with CleanRoom 3

Bringing automated, AI-powered recovery testing and advanced malware hunting to your existing storage estate has never been easier.

At Predatar, we’ve launched our third-generation cleanroom. Not only is CleanRoom 3 the most advanced cyber recovery cleanroom on the market, it’s also easy to deploy and easy to manage.

Our new CleanRoom has been re-designed from the ground up with one objective – to make adoption of recovery assurance technology achievable to more organisations than ever before.

Until now, complexity has been a real barrier to adoption. This short article explains how we’ve simplified deployment and management of cleanroom technology.

What is a Cyber Recovery Cleanroom?

Before we talk about how Predatar is making cleanroom technology quick and easy to deploy, let’s recap on what cleanrooms are, and why your organisation needs one.

The truth is, there is a significant risk that your backups and immutable snapshots contain malware or other recovery issues. This will jeopardise your incident response, and severely impact your ability to restore business-critical IT systems following a cyberattack, or any other data-loss event.

A cleanroom is a secure, isolated environment where your IT team can validate the integrity and recoverability of the data your organisation will rely on for recovery – before a crisis hits.

4 years of CleanRoom implementations

CleanRoom 1: The original

Built for IBM Storage Protect backup environments, Predatar’s first generation Cyber Recovery Cleanroom was a game-changer. Previously, Cleanrooms (or Isolated Recovery Environments as they were commonly referred to at the time) were little more than a concept – often just an architectural design or blueprint, which could be deployed as a reactive tool for validating data in a crisis scenario.

When Predatar launched CleanRoom 1 in 2021, it was the first ‘productised’ cyber recovery cleanroom solution available. Not only did this make proactive cyber recovery testing a reality for IBM backup customers, but Predatar’s user-friendly software layer made day-to-day operation easy.

The difficult bit was deployment. Every storage estate is different, and every CleanRoom implementation needed a tailored design. A typical deployment would require 10-15 days of implementation services from highly skilled Predatar engineers. What’s more, each CleanRoom deployment would require new hardware or cloud infrastructure to be purchased and configured – sometimes adding weeks or months to the deployment depending on hardware availability.

CleanRoom 2: Multi-vendor support and faster deployments

The release of CleanRoom 2 in 2023 was another huge step forward. By extending support beyond IBM backup products to Cohesity, Veeam and Rubrik, and later adding capabilities to validate Immutable Snapshots on IBM FlashSystem and Pure Storage, Predatar had opened up the possibilities of recovery assurance to many more organisations.  

Other enhancements followed, including integrations with leading SIEM (Security Information and Event Management) platforms, AI-powered reporting, and more.

Despite CleanRoom 2 delivering greatly enhanced capabilities, the Predatar R&D team managed to significantly simplify deployments. Now a Predatar implementation could be completed in 3-5 days by an experienced Predatar Engineer, or one of Predatar’s APEX partners.

CleanRoom 3: Recovery Assurance For All

Our 3rd-generation CleanRoom marks another big leap forward. CleanRoom 3 has been designed to make Recovery Assurance technology accessible to more organisations than ever before, by breaking down the barriers to adoption. The cost and complexity of deployment has been one of those barriers.

Cleanroom 3 can be deployed on existing infrastructure, in less than one day, without the need for extensive training.

Here’s what’s changed…

New: ISO-based deployment

The most significant change is that CleanRoom 3 is delivered as a self-contained virtual appliance. Users configure their cleanroom via a step-by-step setup wizard, before downloading a self-contained ISO image.

The ISO includes all the required components, pre-configured using the inputs from the wizard. Assuming the technical pre-reqs and minimum requirements are met, the ISO image can simply be installed on existing hardware or Cloud Infrastructure, and can be up and running in as little as 2 hours.

New: No third-party licences

Previously, Predatar customers would need to purchase VMware and third-party XDR (Extended Detection & Response) licences for the CleanRoom. Not only did this add cost and administrative work, but it also added complexity to the setup, as the CleanRoom would need to be configured to recognise the licence keys for the third-party products.

With CleanRoom 3, the need for third-party licences has gone away. CleanRoom 3 doesn’t require VMware and the XDR licensing is now baked-in to your Predatar subscription.

New: Automated updates

CleanRoom 3.0 leverages continuous updates to ensure the platform remains secure, up-to-date, and optimised without requiring manual intervention. The system continuously downloads updates and enhancements from Predatar’s Git repository. This ensures that CleanRoom 3.0 is always equipped with the latest security improvements, malware definitions, and performance optimisations.

By automating the update process, CleanRoom 3.0 eliminates the need for manual updates by engineers, reducing the risk of human error, saving time, and ensuring that the system is always running the most current version.

Time to think again about CleanRooms?

If you think that achieving recovery assurance for your organisation is complicated, think again. With CleanRoom 3 from Predatar, you can bring automated, AI-powered recovery testing and malware interrogation to your existing storage environment in a matter of days.

Get started now. Find out more about Predatar, or book a demo.


09 April 2025

3 Reasons You Need A Cyber Recovery Cleanroom

At Predatar, we’ve just launched CleanRoom 3. Not only is our third-generation CleanRoom the most advanced cyber recovery cleanroom on the market, but it’s also the most accessible.

We believe that every organisation that relies on data can benefit from pre-emptive cyber recovery in a cleanroom. That’s why CleanRoom 3 has been redesigned from the ground up to make adoption of this important technology achievable for more businesses than ever before.


This short article highlights 3 reasons your organisation needs one.

What is a Cyber Recovery Cleanroom?

Before we talk about why you need a Cyber Recovery CleanRoom, let’s quickly cover what they are. A cleanroom is a secure environment where IT teams and/or cybersecurity teams can validate the integrity and recoverability of the data their business stores to ensure a clean and safe recovery.

If you are already familiar with the concept of cleanrooms, you might think that they’re only used in high-stakes, post-attack scenarios – but things have changed. Predatar has been leading the way with technology that enables continuous, pre-emptive data validation.

To take a deeper dive into cleanroom technology, read this article: A Guide to Cyber Recovery CleanRooms

Why do you need a Cyber Recovery Cleanroom?

The simple truth is there is only one reason you need a cyber recovery cleanroom, and that’s resilience. You might call it data resilience, cyber resilience, or more broadly – operational resilience. A cleanroom enables you to be ready to bounce back from a cyberattack (or any other data loss event).

But with so many new products and technologies promising to boost resilience, let’s dig in to why a cleanroom is a must-have component in your resiliency toolset.

 

Reason 1: You probably have malware in your backups

Few organisations would question the vital role backup & recovery plays for operational resilience. Backups are often recognised as the last line of defence against data loss events, including cyber attacks. Yet, surprisingly few organisations have steps in place to routinely check their backup data for viruses.

Here’s an eye-opening stat for you.

Predatar has discovered malware in the backups of 80% of its customers – that’s malware that had previously not been detected, and in some cases had the potential to cause serious damage.

Typically, Predatar customers are medium and large enterprises with extensive IT systems and robust cyber security capabilities, but even with best-in-class security tools such as firewalls, antivirus, EDR and XDR, malware can – and clearly does – still get into backups.

You can learn more about how malware infiltrates backups, the damage it can cause, and why immutability doesn’t solve the problem in this article: You probably have Malware in your backups

Implementing a cyber recovery cleanroom is the only way to continually interrogate and clean your data without impacting the performance of your production and backup systems, and crucially without putting your data at risk.

Reason 2: Downtime hurts

You could take a reactive approach to cyber recovery. This is common practice for cyber incident response in many organisations today.  With this approach, following containment of a cyber-attack, security and IT teams will work together to carry out forensic analysis of data as part of the data recovery process.

The big problem here is time. With business-critical systems offline, your organisation’s ability to function will be severely impacted. In fact, it’s common for businesses to go completely ‘dark’ following a serious data breach.

When systems are offline, every minute counts. But according to IBM’s most recent Cost of a Data Breach Report, 75% of businesses that had experienced an attack took more than 100 days to fully recover. The same study reports that the average cost of a cyber attack to a business is now a massive $4.88 million (USD).

With a reactive approach to cyber recovery, the first step is often to procure the hardware and configure the tools required to analyse data at huge scale. This task alone can take weeks before validation at scale can even begin.
  
Once the process is underway, the next challenge is dealing with any infections or unrecoverable files that are discovered while in the middle of a high-pressure, high-stakes situation.

With a proactive approach, utilising a cyber recovery cleanroom for pre-emptive recovery assurance, when a crisis hits you’ll already know that your data is clean and recoverable. Of course, in a cyber incident scenario we strongly recommend re-validating all data before restoring it, but the great news is:

  1. You will already have the hardware and tools configured: Essentially, your cleanroom can be utilised for post-attack validation.
  2. The likelihood of finding issues with the data is vastly reduced: It will have been validated recently as part of a proactive validation cycle.

Reason 3: New regulations are coming

Not only is it good practice to test-drive your incident response – it’s quickly becoming a regulatory necessity.

A raft of regulatory frameworks is coming into force around the world with an emphasis on operational resilience – DORA (European Union), HIPAA (United States), FISMA (United States), PRA (United Kingdom) to name a few.

While today, these regulations mainly focus on finance, healthcare, and government organisations – it’s only a matter of time until regulators in other industries follow suit.

The direction of travel is clear. It will no longer be adequate for regulated organisations to have a plan; they will need to demonstrate the effectiveness of those plans.

Proactive cyber recovery in a cleanroom is a cost-effective way to continually demonstrate the effectiveness of data recovery plans.    

Recovery Assurance For All

Learn more about how Predatar has lowered the barriers to adoption and made pre-emptive, AI-powered Cyber Recovery a reality for more businesses than ever before. Read the article: Recovery Assurance For All… with CleanRoom 3



 


31 March 2025

Recovery Assurance For All… with CleanRoom 3

Predatar’s third-generation Cyber Recovery Cleanroom is here. Redesigned from the ground up, CleanRoom 3 is making Recovery Assurance achievable for more organisations than ever before.

Cyber Recovery Cleanrooms – sometimes referred to as Isolated Recovery Environments – have been gaining traction as an important technology for operational resilience.

Big storage vendors including IBM, HPE, Dell and Commvault have introduced cleanroom technology to their portfolios, either as products or reference architectures – but despite the importance of the technology, market adoption has been relatively slow.

Predatar Founder & CEO, Alistair Mackenzie explains: “Most organisations understand they need to boost data resiliency. Cleanrooms have a big role to play, but until now, the technology has been seen as costly and complicated.”

Cyber Recovery Cleanroom Pioneers

Predatar has been ahead of the pack in this area. Since launching our first Cleanroom more than 3 years ago we’ve continued to innovate relentlessly to create the most advanced Recovery Assurance platform on the market today.

With the launch of our third-generation cyber recovery cleanroom, Predatar has significantly lowered the barriers to adoption. CleanRoom 3 is easier and more cost-effective to buy, it supports more storage configurations than ever before, and it can be deployed quickly.

Fewer Licences. Lower Cost.

Previously, customers needed to purchase licences for the hypervisors and third-party XDR (Extended Detection & Response) software that’s embedded in the Predatar platform. With CleanRoom 3 this requirement has gone away.

Not only does this make it much easier to procure the solution, but it’s more cost-effective too.

Now, one Predatar subscription covers all your licensing needs for automated recovery testing and deep malware scanning across Veeam, Rubrik, Cohesity, and IBM backups – and your IBM and Pure immutable snapshots too.

More Flexible.

Where most cleanrooms require customers to purchase new hardware or acquire new cloud infrastructure, CleanRoom 3 has been designed to run on a broad range of commodity hardware, meaning that in many cases customers will have the ability to use technology they already have in their data centre.

What’s more, our third-generation CleanRoom has more deployment options. Now customers have the option to build their CleanRoom as a Virtual Machine or deploy it on Bare Metal.

Quick and Easy to Deploy.

One of the biggest changes we’ve introduced in CleanRoom 3 is a completely new deployment method. All of the config is done via a step-by-step setup wizard. This generates an ISO file which can be downloaded and easily installed on the host environment.

Ian Richardson, CTO at Predatar, explains: “We’ve made the setup really user-friendly. Thanks to the new ISO-based deployment, a CleanRoom can be deployed in around 2 hours, without the need for extensive training or highly specialist skills.”

How is Predatar Different?

CleanRoom 3 has been designed to make the benefits of Recovery Assurance achievable for more organisations, but the fundamental principles of Predatar remain the same. Our Recovery Assurance platform stands out in the marketplace in three important ways.

  1. Predatar provides pre-emptive recovery testing: Using automation and AI, it continually validates the recoverability of critical backups and snapshots before a crisis hits.

  2. Predatar goes beyond anomaly detection: Where most alternative solutions identify signs of possible malware using anomaly detection methods, Predatar goes further – actually restoring suspect workloads, before running a full antivirus scan to verify the infection, and where necessary, cleaning the workload too.

  3. Predatar supports multiple backup and storage technologies including Veeam, Cohesity, Rubrik, IBM Storage Protect, IBM FlashSystems, and Pure Storage, so customers can validate different workloads in one Cleanroom with a single Predatar licence.

Talk to the Recovery Assurance Experts

To learn more about how Predatar can boost resilience in your organisation, contact our team or find a Predatar expert partner near you.


27 March 2025

You Probably Have Malware in Your Backups.

Here’s an alarming statistic for you: At the time of writing this blog, over 80% of Predatar customers have discovered previously undetected malware in their backup data within a month of starting to use Predatar’s Recovery Assurance platform. So, how does it get there? And what can you do to make sure your backups are safe?

Most of Predatar’s customers are medium to large enterprises with expansive IT networks. Every one of these organisations has cyber security technologies in place, including some sort of antivirus product. In most cases it’s market-leading XDR products from vendors like CrowdStrike, Palo Alto, or Microsoft. So, how is malware getting into their backups?

How Does Malware Get into Backups?


1. Replication of zero-day viruses

Typically, organisations configure their antivirus technology to run incremental scans on their production systems. Only new data or data that has changed is checked for malware. The reason for this is simple: incremental scans are more efficient, both in terms of time taken and the performance impact on the underlying disk. The reality is that checking all production data, every day, is simply not feasible.

The problem here is zero-day attacks. If a new strain of virus infiltrates your IT network before it’s known to your antivirus vendor, it will slip through the net and hide inside your network. This malware will remain undetected until the data it resides in is altered. At this point, it’s likely the virus definitions in your antivirus tools will have updated, and the malware can be flagged and removed.

But… most organisations create backups every night. So, in this scenario the malware that ‘slipped through’ will have been backed up too. Even if the virus is removed from production systems, very few organisations take the step of proactively checking and cleaning their backups.

2. Planting malware directly into backups

Cyber criminals can – and do – target backups directly. This is a common practice for ransomware gangs, who will encrypt or delete backups as part of a co-ordinated attack. By compromising the backups, they remove their victim’s ability to restore data. This gives them little option but to pay the ransom demands.

In this scenario, the criminals will gain administrator access to their victim’s backup platforms to plant malicious code directly into backup repositories. This approach completely bypasses antivirus protection on production systems.

Access is usually achieved via stolen administrator credentials, or hacking methods such as manipulating OAuth token access. In some cases, criminals will recruit an insider. For example, a Storage Administrator within the target organisation may be offered payment for planting malware in backups.

Why is Malware in Backups a Problem?

Put simply, malware in your backups will put your ability to restore at risk. Whether you need to recover an important file that was accidentally deleted, or mount a large-scale recovery of critical business systems following a cyber attack or other major data loss event – malware in your backups could be a show stopper, leaving you with no way to recover your valuable data.

At best, this will be inconvenient. At worst, business critical systems could be offline for extended periods. In some cases, loss of customer or employee data could lead to regulatory non-compliance, fines and legal action.

Does Immutability Solve the Problem?


Immutability has become a popular method to protect against the problem of malware in backups. While it offers some protection, immutability alone doesn’t solve the problem.

Essentially, immutability means that once data has been written it can’t be altered. Using immutable backups won’t stop undetected malware being replicated into your storage repositories, but it does mean that once it’s there it can’t be activated, and your data is safe from malicious encryption or deletion – while it remains in an immutable state.

The problem comes when an infected immutable backup is recovered. Restoring from an infected backup will introduce the malware to the system you are restoring to, and once the restore has taken place, the data is no longer immutable, and the malware could be activated by the criminals that created it.

How Can You Make Sure Your Backups Are Safe?


The only way to be sure your backups are safe is to check them. Best practice dictates recovering backups to an isolated recovery environment, also known as a cleanroom, before running antivirus tools to validate them for cleanliness. This method means that if your backups are found to contain malware, neither your production nor your backup systems will be at risk while you take remedial action.

Today, this approach is generally used as a reactive measure in high-stakes scenarios. When a cyber attack has occurred, organisations will begin the process to validate their backups, starting with their most critical workloads, as part of a large-scale cyber recovery procedure.
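The gap described under "Replication of zero-day viruses" and the full check of a restored copy described above can be seen side by side in this added Python example, which is not Predatar's code. A SHA-256 set stands in for antivirus definitions, the file tree and payload are constructed, and `scan`, `build_restored_tree` and `demo` are hypothetical names.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed, harmless stand-in for a malicious file. Its digest plays the
# role of an antivirus definition published AFTER the file was first written.
SAMPLE_PAYLOAD = b"constructed-harmless-marker-standing-in-for-malware"
DEFINITIONS = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
DAY = 86400


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root: Path, definitions: set, changed_since: Optional[float] = None) -> list:
    """Return relative paths of files whose digest matches a definition.

    changed_since=None is a full scan. A timestamp models an incremental
    scan, which skips every file not modified since the previous run.
    """
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if changed_since is not None and path.stat().st_mtime <= changed_since:
            continue  # unchanged since the last scan: never opened again
        if sha256_of(path) in definitions:
            hits.append(path.relative_to(root).as_posix())
    return hits


def build_restored_tree(root: Path, now: float) -> float:
    """Create a constructed 'restored backup'; return the last-scan time."""
    files = {
        "finance/report.xlsx": (b"quarterly numbers", now - 2 * DAY),
        # Written 30 days ago, before the definition existed, and untouched since.
        "finance/macro_helper.bin": (SAMPLE_PAYLOAD, now - 30 * DAY),
        "hr/handbook.pdf": (b"staff handbook", now - 90 * DAY),
    }
    for rel, (content, mtime) in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        os.utime(target, (mtime, mtime))
    return now - 7 * DAY  # the previous incremental scan ran a week ago


def demo() -> tuple:
    """Run both scan modes over the same restored tree with current definitions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        last_scan = build_restored_tree(root, time.time())
        incremental = scan(root, DEFINITIONS, changed_since=last_scan)
        full = scan(root, DEFINITIONS)
    return incremental, full


if __name__ == "__main__":
    incremental_hits, full_hits = demo()
    print("incremental scan hits:", incremental_hits)
    print("full scan hits:       ", full_hits)
```

The incremental pass opens only the recently changed spreadsheet, so the dormant file is found only when every restored file is checked against current definitions.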

What is Proactive Cyber Recovery?

Thanks to automation and artificial intelligence, products like Predatar’s Recovery Assurance platform can continually validate your backups to ensure they are always recoverable and free from malware. This proactive approach means that you’ll know your backups are safe before a crisis hits.

Only Predatar offers a vendor-agnostic solution that enables you to automate recovery testing and advanced malware interrogation on Veeam, Rubrik, IBM, and Cohesity backups in the same cleanroom. Predatar can also be used to validate immutable IBM and Pure snapshots.

Want to Become Recovery Confident?

Don’t wait for a crisis to find out if you can recover. Watch this short video to learn more about Predatar and contact our team to start your journey to recovery confidence.


21 March 2025

A Blueprint for Innovation

Empalis & Predatar:
A story of Partnership.

Predatar’s APEX partner program is so much more than a traditional reseller channel. It’s built on the foundations of a long-standing, multi-disciplinary collaboration with Empalis Consulting GmbH, and the result is a global community of exceptional collaborators. In this interview, Markus Stumpf, Business Development Manager at Empalis, explains what it takes to be an APEX partner, and why you should talk to one if cyber resilience is a concern in your business.  

Predatar: How did the partnership between Empalis & Predatar first come about?

Markus: It started almost 10 years ago. At the time, we were on the verge of launching our first managed backup and recovery service. Until then, Empalis had focussed on consulting and one-off engineering projects. It was an exciting time, but like any new venture, it was also a bit of a risk. Would the service be a success? And if it was, could we scale it?

I met Alistair (Mackenzie, Predatar CEO) by chance at an IBM Storage conference in Las Vegas. He told me about Predatar, and I could instantly see how the automation and reporting features could help us. By automating daily reporting and other repetitive tasks, our service engineers could bring value to more customers.

Predatar: How did this partnership evolve?

Markus: Once we started using Predatar, our team began to see opportunities to enhance the platform further – to deliver even more value for our customers. Since the beginning, the Predatar team has actively looked for feedback, and we were more than happy to share our insights and ideas.

It soon became obvious that we would be great collaborators. We would challenge one another’s ideas and push the boundaries together. Before long, we were having a direct influence on the Predatar product roadmap, and Predatar was helping to shape the future of Empalis too.

Predatar: Can you give an example of how you’ve influenced the innovation of the Predatar Platform?

Markus: There are so many features and functions in Predatar that Empalis has influenced, but let me tell you about one of the more significant collaborations.

Today, Predatar is known for its innovative CleanRoom. In my opinion, it really is the most advanced Cyber Recovery Cleanroom solution available today. But let’s rewind a few years, before Predatar’s CleanRoom was even a spark of an idea.

I met with Alistair (Mackenzie) for a catch-up while he was in Germany on business back in 2019. We met in a small meeting room in Stuttgart. We weren’t intending for the session to be an R&D workshop, but by the time we were done, we’d mapped out the architecture of what would become Predatar’s first generation CleanRoom on a whiteboard.

Predatar: How else have you supported Predatar’s R&D?

Markus: Innovation at Predatar is rapid, but balancing this with rigorous testing has been a challenge for the Predatar team. We’ve been really happy to get hands-on and support with QA and usability testing. We want to get the latest tech to our customers, fast – but not before my team has put it through its paces – so this is a win-win.

Last year, Predatar formalised this process. They now run an Early Access Program (EAP) where Empalis and other APEX partners can test-drive new features. We’ve been putting CleanRoom 3.0 through its paces. Predatar’s third generation of Cyber Recovery Cleanroom will be a game-changer, making Recovery Assurance achievable for many more businesses.

Predatar: How has Predatar shaped Empalis?

Markus: Around 2 years ago we launched Viking Backup Guardian, our flagship managed backup and recovery service with Predatar baked-in. The service provides an immutable copy of customers’ backup data in our cloud, which we proactively verify for recoverability and cleanliness in a Predatar CleanRoom.

What our customers love about this service is that it takes away the cost and complexity of CleanRoom setup, it’s scalable – so you only pay for what you need, and it’s completely managed. Empalis will deal with all the day-to-day operational stuff.

When we launched Viking, it was totally unique, and even today, with the exception of other Predatar APEX partners, I’m not aware of any MSPs that offer anything similar.

Predatar: Can you explain a bit about the APEX program?

Markus: It’s no secret that Predatar has designed the APEX program with an ambition to replicate the success of the collaborative relationship between Predatar and Empalis. You could say that our partnership has been the blueprint for the program. Today, there are 24 APEX partners globally.

Of course, like any channel program this helps Predatar access markets around the world – but APEX is about so much more. The selection criteria are rigorous. APEX partners must demonstrate they have the vision and capabilities to deliver world-class, value-added services with Predatar under the hood.

Any IBM channel partner can resell Predatar, but only APEX partners are authorised to integrate Predatar into their own products and services.

Predatar: What’s next for Empalis and Predatar?

Markus: We will continue to help more and more customers achieve recovery confidence with the Empalis Viking Guardian service. But when it comes to innovation, anything could happen. Ask me again after our next whiteboard session!


To find out how Markus and the team at Empalis can help you manage complexity and boost data resilience in your organisation, contact them here.

Find an APEX partner in your region here.


13 March 2025

Build or Buy: Recovery Assurance Cleanrooms.

Are you considering deploying a cyber recovery cleanroom to test your systems’ recoverability from cyber-attacks or other disruptive events?

You’re not alone. The market for recovery assurance solutions, including cleanroom technology, is growing rapidly. Learn more in this article:
5 Reasons the Cyber Recovery Cleanroom Market is Growing Fast.

A common question we hear is: should you build a cleanroom or invest in an off-the-shelf (productised) solution? This article explores the pros and cons of each approach and provides a simple decision tree to help guide your choice.

This discussion assumes that you intend to use a cleanroom for proactive recovery testing rather than solely for post-attack recovery. While productised solutions can expedite deployment after an attack, their primary strength lies in pre-emptive recovery testing and assurance.

Cleanroom customisation

If your environment requires significant customisation, building your own cleanroom might be the best option. A DIY solution allows for precise tailoring to your infrastructure, whereas productised solutions are designed to serve a broad market.

For example, if your workloads include mainframes or iSeries systems that productised solutions do not support, a self-build approach may be your only choice. However, if your environment primarily consists of virtualised workloads—such as VMware, Windows, and Linux file systems—then a productised solution is a viable and often preferable option.

CleanRoom Security

For organisations operating dark sites with no permissible cloud connectivity, a DIY approach may be necessary. Many productised solutions rely on cloud-based control planes for features like AI-driven anomaly detection, and losing this connectivity can limit their effectiveness.

However, an isolated environment comes with trade-offs. Without internet access, you forfeit real-time malware definitions, security updates, and continuous product enhancements—features that productised solutions deliver automatically.

Cleanroom Automation

Productised cleanrooms benefit from advanced workflow automation that optimises resource allocation for recovery testing and malware scanning.

A key component of modern recovery assurance solutions is the use of data lakes and AI/ML models to prioritise anomalies for deeper analysis. The best cleanroom solutions leverage feedback learning to refine anomaly detection and minimise false positives over time.

If you lack in-house data scientists and software engineers, a DIY solution will likely lack the automation and orchestration capabilities of a commercial product.

Cleanroom ease-of-use

If ease of deployment and maintenance is a priority, a productised solution is the clear choice. Here’s why:

  • Rapid Deployment – Modern cleanroom software can be deployed in under a day using standard infrastructure.
  • Automated Security Patching – Productised solutions can integrate with repositories like GitHub, continuously downloading updates and enhancements to stay ahead of emerging threats.
  • Vendor Support & Testing – Purchasing a product means gaining access to enterprise-grade testing, support, and maintenance. Many organisations opt for productised solutions to offload the burden of software development and patching.

Summary & Decision Process

For comparable costs, a productised solution will always provide a more feature-rich and automated cleanroom for supported workloads. Security concerns may restrict the use of some cloud-dependent cleanrooms, but some vendors offer private cloud deployments as an alternative.

As adoption increases and cleanroom solutions become more mainstream, productised offerings will continue to improve while costs decline, making the build-your-own approach increasingly less viable.

Flowchart for decision-making: build vs. buy software solutions, considering development resources and feasibility.

By following this structured approach, you can determine the best path forward for implementing a cyber recovery cleanroom tailored to your organisation’s needs.

Learn about Cyber Recovery Cleanrooms from Predatar

Predatar is a leader in Recovery Assurance technology. Our unique CleanRoom solution provides preemptive recovery testing and advanced malware scanning for backups and snapshots from many leading storage vendors including Veeam, Rubrik, IBM, Cohesity and Pure – with support for more technologies on the way.

Learn more at predatar.com.
