04 September 2025

7 Step Playbook for Proving You Can Recover

Practical steps you can start using today to build recovery confidence and get compliant.

In a recent blog, we looked at how regulations like NIS2, DORA and FISMA are changing the game for backup and recovery.

You can read it here:
Regulations Crash the Party

The response to the article has been huge. We’ve been receiving a lot of questions asking for more detail. Unsurprisingly, regulatory compliance seems to be high on the list of priorities when it comes to the challenges our readers are facing right now. 

At Predatar, we like to give the people what they want. So, in this blog we’re digging deeper into the topic. We’re moving from the ‘why’ to the ‘how,’ to give you practical advice that will help you prove you can recover effectively – giving you recovery confidence and helping you achieve compliance.

Here’s a practical playbook based on 7 steps you can start using right away. 


#1. Know your obligations 

Begin by understanding exactly which regulations apply to you. This might be direct (because you operate in a regulated sector) or indirect (because you are part of the supply chain for a regulated customer). Write the requirements down, highlight the parts that relate specifically to recovery, and make sure your leadership team and IT teams are looking at the same information. 

#2. Define what “acceptable” downtime looks like 

Your Recovery Time Objective (RTO) should never be a guess. It should reflect the real cost of downtime in your business. Calculate what an outage of critical IT systems will cost your business per hour and multiply this by how many hours a full recovery will take. Is the total acceptable? Can your business tolerate the impact? If not, you’ve got important work to do.

To give some context, The True Cost of Downtime in 2025 Report by Erwood Group has found that for 90% of medium-sized enterprises, the cost of IT downtime is greater than $300,000 (USD) per hour.

#3. Test your backups every single day 

It’s not enough to run a quick restore in a safe lab environment once a year or carry out the occasional data centre failover test. The threats you’re facing today don’t wait for annual tests. Modern ransomware and the reconnaissance tools attackers are using are designed to slip past primary security tools undetected. By the time an attack is launched, the malware has probably burrowed deep inside your backups.

We know this because Predatar has found hidden malware in the backups of 86% of our customers. If you’re only testing infrequently, you’re giving the attackers a head start. Testing daily means you can catch and remove malicious code before it has a chance to cause real damage, and you can be confident that your recovery point is both safe and ready to go when you need it. 

#4. Check the health of your backups 

Before you recover anything, be certain it’s clean. This means scanning for dormant malware and confirming the integrity of the data before it re-enters your production environment. 

#5. Automate the evidence 

Most regulations don’t just want you to be compliant, they want you to prove it. Automate the collection of logs, test results and recovery reports so that when the auditors ask for proof, you can provide it immediately. 

#6. Close the gaps quickly 

If a test shows you are not meeting your RTO, or if your backups fail a malware scan, treat it as an opportunity to improve. It is far better to find and fix weaknesses during a test than in a real crisis.

#7. Make it part of your routine 

Recovery testing should be part of your regular operational rhythm. Daily testing ensures your team is always ready, and your documentation is always accurate and up to date. Thanks to automation and AI, daily recovery testing and reporting is now easy to achieve.
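The record-keeping side of steps #2, #4, #5 and #6 can be sketched in a few functions. This is an added example, not Predatar's code or part of the original post: it compares a restored tree against a hash manifest taken at backup time, checks the measured restore time against the RTO, and links each day's result to the previous one by hash so later edits to the evidence are detectable. The workload name, file names, timings and hourly cost are constructed sample values, and the malware-scan verdict is assumed to come from whatever scanner you use.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record in an evidence chain

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "unexpected": sorted(set(restored) - set(manifest)),
        "modified": sorted(p for p in manifest
                           if p in restored and restored[p] != manifest[p]),
    }

def record_hash(body):
    # Canonical JSON so the same content always hashes to the same value.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def make_record(workload, restore_seconds, rto_seconds, hourly_cost,
                integrity, scan_clean, prev_hash, tested_at=None):
    """One evidence record per restore test, linked to the previous one."""
    body = {
        "workload": workload,
        "tested_at": tested_at or datetime.now(timezone.utc).isoformat(),
        "restore_seconds": restore_seconds,
        "rto_seconds": rto_seconds,
        "rto_met": restore_seconds <= rto_seconds,
        # Step #2: hourly cost of downtime times hours needed to recover.
        "downtime_cost_estimate": round(hourly_cost * restore_seconds / 3600, 2),
        "integrity": integrity,
        "integrity_ok": not any(integrity.values()),
        "scan_clean": scan_clean,  # verdict supplied by whatever scanner is used
        "prev_hash": prev_hash,
    }
    body["passed"] = body["rto_met"] and body["integrity_ok"] and scan_clean
    return {**body, "hash": record_hash(body)}

def verify_chain(records):
    """Return the index of the first altered or out-of-order record, else None."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or record_hash(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def demo():
    """Two constructed daily tests: a clean restore, then a slow, altered one."""
    files = {"db/orders.dat": b"orders-v1", "app.conf": b"mode=prod\n"}
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = os.path.join(tmp, "src"), os.path.join(tmp, "restored")
        for root in (src, restored):
            os.makedirs(os.path.join(root, "db"))
            for rel, data in files.items():
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)
        clean = verify_restore(restored, manifest)
        # Day 2: the restored copy differs from what was backed up.
        with open(os.path.join(restored, "app.conf"), "wb") as f:
            f.write(b"mode=debug\n")
        with open(os.path.join(restored, "leftover_note.html"), "wb") as f:
            f.write(b"constructed placeholder")
        dirty = verify_restore(restored, manifest)
    day1 = make_record("erp-vm", 2700, 3600, 300000, clean, True,
                       GENESIS, "2025-09-03T02:00:00+00:00")
    day2 = make_record("erp-vm", 5400, 3600, 300000, dirty, True,
                       day1["hash"], "2025-09-04T02:00:00+00:00")
    return [day1, day2]

if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, indent=2))
```

The chain only proves the records have not been edited if the most recent hash is also kept somewhere the backup administrators cannot rewrite, such as write-once storage or a ticket sent to the audit team.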

Why this matters now 

Whether it’s NIS2 in Europe, DORA in financial services, or FISMA in the US, the message is the same. You must be able to recover quickly, cleanly, and with proof. 

Following this playbook is not just about passing compliance checks. It is about building true resilience. It’s the confidence that when the worst happens, you can get back to business without the drama. 

What next?

The Predatar Recovery Assurance platform can do a lot of the heavy lifting. From fully automated recovery testing and malware scanning to automated evidence reporting, Predatar makes it simple to be ready and to prove it.

Watch this short explainer video [90 seconds] to learn more, or visit predatar.com to book a demo.  

Learn more about
Predatar recovery assurance

13 August 2025

Hidden for a decade. Uncovered in 6 days.

Predatar and Adicom© find ransomware files that other security products had missed.

On 15th June 2025, the team at Adicom received a real-time alert from Predatar relating to one of their customers. It said:

Predatar has identified a suspicious file named Ransom.HTML.LOCKY.SM.note in *Customer X’s* backup environment during the current scan process.

This file is a known ransomware-related HTML document typically used by the Locky ransomware family to deliver ransom instructions after encrypting files. Although this file appears to be a ransom note rather than active malware, its presence indicates that malicious activity may have occurred or may still be occurring in the environment or backups.

We recommend checking the original source of this backup data immediately to understand why the environment contains this file.

Predatar had only been installed on this customer’s environment for 6 days, and with the help of the built-in automation and AI, it had been systematically working through all of the backups – hunting down potential recovery issues and hidden malware.

Adicom’s Chris Hogrefe explains: “When it comes to cyberattacks, every second can count. We received a notification from Predatar, highlighting a potential issue before the scan of the compromised workload had even been completed.”

The workload in question was a business-critical virtual machine based on VMWare. The very first time it was restored and scanned for malware signatures with Predatar, a potential problem was uncovered.

What had happened?

Back in 2016, the customer fell victim to a ransomware attack that resulted in the complete encryption of all company data.

As part of an extensive response and recovery process the IT infrastructure was rebuilt, and all ransomware files were manually removed. Or that’s what the customer thought…

Almost 10 years later, Predatar found an HTML file in a folder during its first scan, which was created during the attack. It included the original ransom demand message and payment information for decryption.

None of the antivirus programmes running on the customer’s IT networks had found these files or classified them as anomalies, yet thanks to the totally unique way that Predatar works, they were found and could be removed. The customer was able to breathe a sigh of relief and delete the last remnants of the ransomware attack.

Why does this matter?

In this instance, the malicious files were a legacy from a historic attack. They didn’t pose an active threat. But all too often, live malware does find its way into backup environments. In fact, Predatar has found malware in the backups of more than 80% of its customers. In many cases that malware did have the potential to cause serious damage.

Until now, Predatar had not uncovered malicious files that had been hidden for so long. This story goes to show that the cyber security practices that are typically used in businesses today are not as robust as they need to be.

Do you have malware in your backups?

The truth is, you simply don’t know if you have malware in your backups, but our stats suggest that you probably do. Not knowing is a big risk. Predatar uses some of the most sophisticated enterprise security tools and deploys them in a totally unique way to hunt down threats that other solutions simply can’t find. Visit predatar.com to learn more, or book a demo here.

Adicom and Predatar

Adicom is a leading Backup & Recovery services provider in Germany. Thanks to their extensive technical knowledge and their relentless focus on customer experience, they have been selected as one of Predatar’s elite APEX partners. Together, Adicom and Predatar are delivering unrivalled recovery confidence for medium and large enterprises in Germany.

“Predatar has already shown that even undetected malware anomalies can be found reliably and accurately. In addition, Predatar has once again shown that partnership, support and communication form the stable basis for a long-term relationship”
– Chris Hogrefe, Adicom

Learn more about Adicom’s services here.


31 July 2025

Regulations Crash the Party.

Backups used to be boring. Not anymore. Regulations like DORA, NIS2, and FISMA have arrived – and things have got a lot more interesting.

For a long time, backup and disaster recovery lived quietly in the background. You knew it was important. You had something in place. Maybe you even tested it… once a year. But now, governments and regulators are paying attention.

And they’re not just asking if you have backups. They want to know, in detail, how fast you can recover, how clean those backups are and what evidence you have to prove it.

Regulations like NIS2, DORA, and FISMA are leading the charge – and if your business touches critical infrastructure, finance, healthcare (or even just supplies companies that do) this matters to you.

Let’s take a look at what’s changing and how you can stay ahead.

So, what are these regulations actually saying?

NIS2 (The EU’s Network & Information Security Directive)
This one landed in October 2024 and has recently dramatically expanded who it applies to. Suddenly, mid-sized companies are on the hook for proving they can respond to and recover from a cyberattack. The key point is that regulators want evidence that your recovery plans work. Not assumptions. Not best efforts. Actual proof.

DORA (Digital Operational Resilience Act)
This one’s aimed at financial services, but if you sell into that world (or work with a firm that does), you’re likely affected too. DORA demands frequent, real-world testing of recovery systems, not just theoretical policies.

Think ransomware simulations, timed recoveries, and clean-room validations.

FISMA (US Federal Information Security Modernization Act)
Updated to reflect today’s threat landscape, FISMA now requires integrity checks on restored systems. In other words, can you prove your backup isn’t infected before putting it back into production?

Why this matters and what’s at risk?

Let’s cut to the chase. Failing to comply doesn’t just mean a slap on the wrist. It means you face:

  • Hefty fines
  • Lost business, especially if your customers need you to meet their own compliance needs
  • Reputational damage if recovery from an attack takes days (or worse, reintroduces malware)

We’ve seen this play out. More than once. And it’s no longer just a security issue, it’s a board-level conversation.

Recovery Assurance: Your compliance ace in the hole

At Predatar, we believe that the most overlooked part of cybersecurity is what happens after an attack.

That’s where Recovery Assurance comes in. It gives you the confidence—not just that you have backups, but that they actually work, are malware-free and can get you back up and running when it counts.

Even better, it gives you the audit-ready evidence regulators are asking for.

Let’s map that out:

Regulation | What they want | What Predatar does
NIS2 | Proof of working recovery strategy | Automated risk-based recovery testing
DORA | Simulated attack recoveries | CleanRoom testing + recovery scoring
FISMA | Clean, validated backups | Threat scanning + evidence trails

No guesswork. No scrambling when an auditor shows up. Just scheduled, reliable, and reportable testing that proves you’re ready.

What should you do next?

If any of this has your attention, here are some practical steps:

  1. Find out which regulations apply to you (or your biggest customers).
  2. Review how often you test your backups and how real those tests are.
  3. Ask yourself: could we prove we’re compliant if asked tomorrow?
  4. Let’s talk. We make this process simple.

Wrapping it up

Regulators aren’t just looking for cybersecurity best practices anymore. They want real-world readiness. The ability to recover, quickly and cleanly, with proof to back it up.

That’s where Recovery Assurance fits in. And that’s where Predatar can help.

If you’d like to see how Predatar supports customers navigating these changes, get in touch today, and if you know someone who needs a nudge, don’t forget to share this post with them.


17 July 2025

Ransomware attacks have evolved. Have you?

Cybercriminals are innovative, agile, and tenacious. Most medium and large enterprises are not. Ransomware gangs have significantly changed the way they operate in the last 12 to 18 months. But, have you significantly changed your approach to detection and response for ransomware events in your organisation? No, didn’t think so.

How it begins

Some things haven’t changed. Most ransomware attacks still start the way they always have. Someone clicks a phishing link. A password gets reused. A system goes unpatched. In fact, the top three breach methods remain the same:

– 78% start with human error, including phishing, stolen credentials, compromised employees or social engineering
– 11% come from misconfigured or unpatched systems, including system integration points such as poorly developed APIs
– Only 3% involve zero-day exploits

Then:
Quiet, patient, and hidden in plain sight

Attackers haven’t changed the way they get in, but they have changed what they do once they’re inside. Two years ago, attackers took their time. Once they had access, they’d quietly explore. Their approach was known as ‘living off the land,’ using the tools and credentials already inside your environment to avoid detection. They would:

– Use PowerShell to run commands without downloading new tools
– Use Remote Desktop Protocols to move around your environment
– Set up scheduled tasks to ensure that access privileges remained in place
– Exploit default admin accounts to hide in plain sight

All the time, they would be quietly seeding their ransomware scripts across systems, often spreading them into backups unnoticed. The longer they stayed, the more control they gained, and the more chaos they would cause when they finally ‘pulled the trigger’ on the attack.

Two years ago, the average ‘dwell time’ was well over 100 days.

Now:
Fast, automated and clinical

This approach no longer works. Security technology has improved significantly. Businesses are investing more than ever in tools like:

– EDR (Endpoint Detection and Response)
– XDR (Extended Detection and Response)
– SIEM platforms with real-time alerting

These tools detect behaviour patterns, track lateral movement, and raise alerts much earlier than they did before. To stay ahead, attackers have flipped the playbook.

Now they use automated reconnaissance tools (used in 91% of modern breaches). These tools scan entire environments in hours, logging keystrokes, showing attackers where backups are stored, how security policies are configured, and which systems hold the keys.

From breach to boom can now take less than 14 days.

What attackers target first

Once they’re in, attackers don’t waste any time. Their priorities are usually the same:

– Active Directory:  to escalate access and move freely
– Backup systems: to delete copies, corrupt data or block recovery
– Security tools: to modify policies, disable alerts and whitelist malware

They time the final attack – often referred to as the “boom moment” – for when your team is least ready. Think long weekends and public holidays.

Why your security tools aren’t catching everything

Here’s the part that often gets missed. Production security tools aren’t typically configured to scan every file on every system, every day. Doing this would kill the performance of production systems and seriously impact your business’s ability to operate.

Instead, they typically scan files when:
– They’re created
– They’re modified
– Occasionally, when they’re accessed

This means if malware slips past the perimeter defences, it can go completely undetected. So what’s the answer?

The answer (and probably some malware) is in your backups.

The team at Predatar has realised something very powerful. Your backups are much more than a last line of defence, they can be the frontline in threat detection. Your backups are a copy of all of your data, and while it’s not practical to continuously scan your production systems every day – you can scan your backups.

The Predatar Recovery Assurance platform continuously moves backups into an isolated CleanRoom, where it uses best-in-class integrated security tools from Trend Micro to interrogate every file for signs of malware, with no negative impact on production systems.

Today, businesses around the world are using Predatar to validate the recoverability and cleanliness of their data 24×7, and the findings are truly worrying.

In the last year alone, Predatar has discovered malware in more than 80% of its users’ backups. That includes:

– Active ransomware strains, complete with embedded ransom notes
– Encrypted data from attacks that customers did not realise were in progress
– And in over 50 percent of cases, reconnaissance tools that help attackers map environments and identify weak points

What does this mean for you? Let’s start with the good news. With Predatar, you can perform in-depth security scanning in your backup environment that simply isn’t possible on production systems. The bad news? Well, you probably already have malware hiding in your data.

Discover Predatar:

Discover how Predatar can help your organisation hunt down hidden malware before a crisis. Find out more at www.predatar.com, watch the short explainer video [90 seconds], or book a demo.


10 July 2025

Predatar or Veeam SureBackup

Which one is right for you?

Data resilience is now a priority for storage and backup teams. They need certainty that the data they’re responsible for hasn’t been compromised. They need to know that when it’s needed, it can be used for a clean and fast recovery.  They need to know there is no risk of reinfecting production systems following a cyberattack.

The Predatar Recovery Assurance platform and Veeam SureBackup have both been designed to solve these challenges. Because Predatar works with Veeam Backup & Replication, the question we regularly get asked is ‘Which one is right for my business?’

For many Veeam customers, SureBackup is a great choice – especially as it’s included at no additional cost within some Veeam subscriptions. However, for lots of Veeam customers, Predatar is the best option. For example, Predatar’s speed, automation capabilities, and advanced reporting make it an ideal choice for highly regulated organisations that need to achieve recovery validation at scale, and prove compliance. Businesses using multiple backup products may also find that Predatar is a better fit for them.

This article will help you understand the differences between these two solutions, and make the right choice for you.

Access to Veeam SureBackup and Predatar

When it comes to accessing SureBackup, things are a little complicated. It’s only available as part of some – but not all – Veeam subscription packages. It’s not available as a standalone product, so if it’s not part of your subscription, you will need to upgrade your Veeam plan to use it.

You can find out which Veeam subscription plans include SureBackup here.

It’s also important to know that in order to unlock ALL of the power of Veeam SureBackup, users will also need Veeam ONE and Veeam Recovery Orchestration subscriptions.

When it comes to Predatar, it’s much simpler. Predatar is available as a standalone subscription platform. It is available to all Veeam Backup & Replication users, regardless of their subscription package.

Core functionality

At a high level, Veeam SureBackup and Predatar are built to achieve the same goal: to validate the recoverability and cleanliness of backups. The differences lie in how they do it, their scalability, and in the scope of the backup platforms and file types each one supports.

Backup application support

Veeam SureBackup is built into Veeam Backup & Replication and is designed to validate both VMware and Hyper-V VMs (Virtual Machines). It works well on-prem or in hybrid setups, but not when Veeam runs entirely in the cloud. 

By contrast, Predatar is an independent, vendor-agnostic platform providing broader support. In addition to validating Veeam backups, Predatar can also validate backups from:

• IBM Storage Protect,
• IBM Defender Data Protect,
• Cohesity Data Protect,
• Rubrik Security Cloud.

Additionally, Predatar can validate immutable snapshots on IBM FlashSystems and Pure Storage boxes. This makes Predatar a great fit for businesses with two or more backup and storage technologies in their stack.

Workload support

Veeam SureBackup supports Windows and Linux VMs. Predatar goes further, not just validating Windows and Linux virtual machines but also Windows and Linux bare metal servers, SQL databases, and AIX workloads too. 

Automation and AI

Veeam SureBackup provides the ability to run automated workflows for recovery testing and antivirus scanning that significantly reduce time, complexity, and manual effort. However, the ‘out of the box’ workflows are relatively basic, and can only be triggered based on pre-defined schedules. While the schedules are easy for the user to configure, more advanced automations are only possible with Veeam Recovery Orchestrator (a separate product), or with custom scripting via PowerShell.

Predatar’s built-in automations are more advanced and highly customisable via an easy-to-use interface featuring dropdown options and simple toggle switches. In addition to pre-defined schedules, Predatar automations can be triggered by threat alerts, failed backup runs, SIEM notifications and more.

One of the most impressive aspects of the Predatar platform is the underlying Aurora AI engine. Aurora continually monitors thousands of signals across your backup environment and external intelligence sources to apply a real-time risk score to every node in your environment. Aurora will trigger and prioritise automated testing of high-risk workloads, with no human intervention required.

Veeam’s Isolated lab vs Predatar CleanRoom

Veeam SureBackup uses Isolated Labs. Predatar uses a CleanRoom. So, what’s the difference?

The purpose and general principle are the same: both are safe, segregated environments where backups can be tested for recoverability and potential infections — without any risk to the performance or integrity of production systems.

Veeam’s Isolated Labs run inside on-premise hypervisors and require a Proxy appliance, virtual switch configuration, and access to production backups. When a recovery test is triggered, SureBackup will immediately spin-up an Isolated lab on a VM. Once the workflow is complete the lab will vanish.

Predatar CleanRooms are permanent, always-on environments, which can be deployed on bare metal, hypervisors, or in the cloud – in just a few hours. CleanRooms are designed to continually run recovery tests and malware interrogation 24x7x365.

Threat intelligence

SureBackup uses ClamAV, an open-source antivirus engine, to detect known infection signatures hiding in your backups. Predatar includes Trend Micro Vision One – recognised by Gartner as a ‘Leader’ in XDR platforms – at no additional cost.

Vision One updates four times daily with up to half a million new malware and ransomware definitions. It brings the insight of over 1,600 threat researchers directly into your backup validation. The strength of this collaboration between Predatar and Trend Micro has meant that Predatar has found malware in more than 80% of its customers’ backups that their production security tools had missed.

Speed and performance

In controlled lab conditions, Predatar was tested alongside Veeam SureBackup to evaluate the success and performance of recoverability and cleanliness validation for backup data.

Each solution was tasked with testing 100 virtual machines (including both Windows and Linux), ranging from 100 GB to 500 GB. Some VMs were deliberately infected with sample malware to simulate a realistic threat scenario.

While both products successfully detected the infections, Predatar completed the tests in just 41 minutes, compared to 3.5 hours for Veeam SureBackup.

Trust and Credibility

Did you know, Predatar is a Veeam Ready Partner? For many Veeam customers, Predatar may be a brand they’re not yet familiar with. But Predatar has been creating backup intelligence and automation tools for over 10 years, and has been pioneering Cyber Recovery CleanRoom technology for nearly five years.


In 2024, after rigorous validation by Veeam, Predatar was awarded Veeam Ready status. Today, Veeam users around the world are using Predatar every day, to proactively prove their recoverability.

Search the Veeam Ready database here

Read a customer case study:
Preventing a Cyber Emergency with Veeam & Predatar.

Reporting and compliance

Veeam SureBackup focuses on technical backup and recovery metrics and feeds them directly into Veeam ONE. This is particularly convenient for storage and backup administrators already leveraging Veeam ONE for dashboards and reporting.

Predatar’s reporting is designed for compliance teams as well as backup teams. Out of the box, reports align with NIS2 and other commonly used frameworks, giving you proof of cyber recovery confidence, not just technical success.

Conclusion

Veeam SureBackup is a solid option for many Veeam Backup & Replication users — especially small to medium sized businesses with Veeam Universal Licences (VUL).

Predatar offers a more robust and comprehensive solution. If your organisation handles large volumes of data, wants to test more than virtual machines, operates a multi-vendor environment, or runs 100% in the cloud, Predatar is likely to be the better choice. It delivers deeper automation, broader workload support, and reporting that stands up to the toughest audits.

Want to dig deeper?

Take a look at our Veeam SureBackup and Predatar comparison table and FAQs here. They will help you evaluate both solutions and choose the one that’s right for your organisation.

Get started with Predatar

Contact our friendly team at hello@predatar.com or book a demo to get started on your journey to recovery confidence.

Keep us honest:
At Predatar, we make every effort to ensure our content is accurate. If you believe anything in this blog is misleading, incorrect, or out-of-date, please let us know.


02 July 2025

Move faster. Climb higher. Don’t look down.  

Celerity’s acquisition of Silverstring kick-starts a new era for Predatar.

It takes almost 10 days to trek to Everest Base Camp. It’s a difficult journey. The risks of altitude sickness, injury, and physical exhaustion mean that a quarter of adventurers who set out on the journey don’t even make it that far.

As we stand at the foot of our own Everest, we’re allowing ourselves a few moments to reflect on the achievement of getting here – to our own metaphorical base camp – before the adventure gets really interesting.

So how did we get here?

A pioneer was born

The Predatar story started more than a decade ago. Silverstring Limited was – and still is – an innovative Managed Service Provider (MSP) delivering backup and recovery services for enterprises with complex storage environments. Rewind 10 years, and the business was struggling with the challenges of growth. The service delivery team was drowning in repetitive reporting and admin tasks. As the business grew, so did the tasks.

Founder and CEO, Alistair Mackenzie, recognised that automation was the answer. The engineers at Silverstring set about building a tool that would streamline the manual and time-consuming jobs that were impacting productivity. The platform that would soon become known as Predatar was born. User-friendly, flexible, intuitive, in the cloud – the platform was ahead of its time.

It quickly became clear that other MSPs and backup teams inside large organisations could benefit from the pioneering technology that Alistair and his team had built. In 2017, Predatar Limited was born: a SaaS business created under the wing of Silverstring Holdings, to take the product to the world.

The first steps on the journey

Just like the trek to base camp, many start-ups don’t make it. But Predatar has had a big advantage: a strong, knowledgeable, and dedicated companion and guide. Silverstring has been our Sherpa in the early stages of the Predatar journey. Without Silverstring leading the way, those first treacherous climbs wouldn’t have been possible.

In the beginning, Predatar Limited had a great product and big ambitions, but no customers and no revenue. Silverstring helped us take our first steps. With the financial support of an established and profitable business, we recruited the best people. We got stronger.

Silverstring’s knowledge of the market and insights from its customers drove our innovation roadmap and our product development. We got smarter.

Silverstring helped us find our first customers. Our strides got bigger.

A fork in the path

When we started out, customers told us that they were lacking confidence in their backups. Complicated and opaque technology meant they didn’t have visibility of backup success rates or backup run failures. Predatar fixed this for them.

But then the world changed. Suddenly, our customers were asking different questions. The big one – the one that was now keeping them awake at night:

Will our backups be recoverable in a cyberattack?

The Predatar team did what we do best. We innovated. By leveraging our deep technical knowledge in automation for backup and recovery – and by partnering with Trend Micro, a world leader in cyber security technology – we developed the world’s first proactive cyber recovery cleanroom, and software that automates the continuous validation of backups, to prove they are always recoverable and free from malware.

The decision to pivot from a backup and recovery management platform to one that is focused on cyber recovery assurance has been a defining moment in our journey. It was a game changer. We’ve built a product that isn’t just a nice-to-have for businesses – It’s a necessity for operational resilience.

Going our separate ways

So here we are. Our journey to base camp has taken eight years. The role that Silverstring has played in getting us here is without doubt. But it’s time to go our separate ways.

Silverstring, our companion and guide, will go on to have many more adventures – and the next one starts today, as they join the Celerity family. Backed by major capital investor BGF, Celerity Limited is on its own big expedition, and the Silverstring team will bring their unrivalled expertise in backup and recovery assurance services to complement the extensive cyber security and infrastructure capabilities of Celerity. Together, they will reach new heights.

With renewed focus, energy, and investment from the sale of Silverstring Limited, Predatar will continue under the ownership and direction of Alistair Mackenzie.

Our Everest

We’ve already defied the odds to get this far. We’ve created a truly unique technology with patents in the USA, Europe, and the UK.

Last year, our Annual Recurring Revenue (ARR) grew by 100%, and the number of businesses using Predatar more than doubled. Today, we’ve got more than 100 customers across North America, Latin America, Europe, Middle East, Africa, and Australia.

For Predatar, our Everest is scale. We want every business in the world to know the potential of Predatar’s recovery assurance technology for their operations. It’s a big goal for an independent start-up from Oxford, UK – but we’ve never been short of ambition.

Big tech vendors and ambitious startups alike have seen our technology. They’ve seen the opportunity. And they want to catch us. We must stay ahead.

With the summit looming large on the horizon, we’re more than ready to tackle the challenge – and we’ll do it our way. The Predatar way. We will be more agile, more focused, and more daring than ever before.

Every day, we will go further than the last. We’ll move faster. We’ll climb higher. We will remember the journey we have been on. But we won’t look down.


Learn more about
Predatar recovery assurance

18 June 2025

Grab the cat and get the hell out!

Why backup anomaly detection is essential, but not enough.

A fire starts in your home in the middle of the night. You’re fast asleep, when a malicious low-life targets your house in an unprovoked and indiscriminate attack. A lit newspaper is pushed through an open window. After a few minutes the curtains catch alight.

Luckily, your smoke alarm is triggered, and you wake with a start. But you’re dazed and confused. By the time you work out what’s going on and get downstairs, the carpet and the armchair are on fire too.

You shout at your partner to “grab the cat, get the hell out, and call the fire department!!!”

You try to contain the blaze with a fire extinguisher. The fire department arrives fast. You’ve successfully stopped the fire spreading and the professionals quickly extinguish the flames. The emergency is over, and you’re relieved the damage was limited.

The fire chief confirms what you already know. Your smoke alarm has saved the day. This could have been so much worse.

What does this have to do with anomaly detection?

It doesn’t take a genius to work out where we’re heading with this analogy. Whether it’s a domestic fire or an enterprise cyberattack, the ability to respond fast is critical.

In principle, the anomaly detection features that are now prolific in enterprise backup and storage tools are like smoke alarms.

The moment that a cyber incident is activated, these tools will recognise the patterns of behaviour in your data that are associated with criminal encryption or exfiltration events. With almost instantaneous alerts, anomaly detection will enable you to respond quickly and limit the impact of a live cyberattack.

Prevention is better than even the fastest response

The ability to respond fast is essential, but you need to remember that when anomaly detection kicks in, an attack is already in progress. Damage is already being done. What if the curtains in this analogy are your HR records? The carpet – your billing system? What if the armchair is your email server? Bringing them back will be disruptive, probably time-consuming, possibly costly, and in some cases – impossible.

Predatar brings proactive threat detection to your storage and backup environment. The big idea is to hunt down malware before an attack is activated. Why? Because prevention is better than even the fastest response.

So how does it work?…

You probably already have malware in your backups.


More than 80% of Predatar customers have found malware in their backups that they didn’t previously know was there. This is malware that has slipped through firewalls and front-end antivirus tools, before being replicated into backups and snapshots.

It hasn’t triggered anomaly detection, either because it has not been activated yet or, often, because it consists of small ‘reconnaissance’ applications like spyware and key loggers, which cause only tiny, almost imperceptible changes in your data.


Pie chart showing 82% of Predatar customers found malware, highlighting Trojan horses, spyware, and other threats.

On average, cyberattacks aren’t triggered until 14 days after attackers first gain access to their victim’s IT network. It’s during this time that these tools are deployed by the criminals, to gain deeper access and ultimately enable them to cause more damage. Reconnaissance software is currently used in 91% of ransomware attacks.

Predatar assumes that any workload in your storage or backups could be infected. By running fully automated recovery tests and full malware interrogation using Trend Micro Vision One, Predatar finds and eliminates even inactive malware before a crisis begins. Predatar is always-on, hunting down threats based on intelligence from Trend Micro’s global threat intelligence network.

Does Predatar make anomaly detection obsolete?

Definitely not. Cyber resilience is all about layers of defence. In fact, Predatar has some powerful anomaly detection built in to complement its proactive threat-hunting capabilities.

The great news for lots of businesses is that in most cases, the storage and backup products they are already using have anomaly detection capabilities built in, including these ones:

If you are using any of these products, you really should be utilising the anomaly detection features that are available to you. The products above are also compatible with Predatar. So adding proactive threat detection to your backup and storage is easy.

In conclusion

Anomaly detection for your storage and backup environments is essential for limiting the impact of live cyberattacks. Businesses should make sure they are enabling the reactive anomaly detection tools that are built into the platforms they are already using.

Predatar is different. Infrastructure teams can quickly and easily add a layer of proactive threat-hunting to their backup and storage environments with Predatar’s SaaS Recovery Assurance platform to eliminate threats before an attack is activated.



10 June 2025

Webcast Recap: CleanRoom 3 explained

Earlier this year, Predatar launched CleanRoom 3. Our third-generation Cyber Recovery CleanRoom has been redesigned from the ground up – to make our unique Recovery Assurance technology accessible to more organisations than ever before.

In our recent webcast, ‘Recovery Assurance for All’, Ian Richardson (Predatar CTO) and Rick Norgate (Predatar Managing Director) explain how we’ve broken down some of the biggest barriers to the adoption of this important technology. If you missed it, don’t worry – we’ve pulled out some of the key questions and answers from the session in this blog.

Watch the webcast in full on YouTube
[25 mins]

What is a CleanRoom? And what does it do?

Ben: We’ve been using the term ‘CleanRoom’ at Predatar for a few years now, and recently we’ve been hearing it used more and more by cybersecurity experts, major tech vendors, and in the industry press. Rick, what is a CleanRoom? And what does it do?

Rick: That’s a great question. When we talk about CleanRooms, we’re specifically referring to Cyber Recovery CleanRooms. You might also hear them referred to in the industry as Isolated Recovery Environments. Essentially, it’s an isolated environment that you can use to perform recovery testing and malware scanning.

There is often some confusion around the term ‘CleanRoom’. When you look at how some technology vendors are using it in the market, and you dig into what they mean by ‘CleanRoom’, they’re generally referring to a tool that’s used post-attack to conduct forensic analysis. Imagine an organisation gets attacked – they’ll need to recover workloads somewhere to check they are clean and haven’t been compromised before they begin restoration.

At Predatar, when we talk about a CleanRoom, we’re actually referring to a proactive tool. The overarching concept is the same, but a Predatar CleanRoom is used to test your backups for recoverability, and then scan them for malware on a proactive basis – that’s the key difference when we talk about CleanRooms in the context of Predatar.

What is the role of a CleanRoom within a Recovery Assurance solution?

Ben: We talk about Predatar as a Recovery Assurance platform. So, Ian, can you explain what the role of a CleanRoom is within that overall solution?

Ian: Predatar is built on two core components. The first is CRO (Cyber Recovery Orchestration) software. This is the AI and automation engine at the heart of the solution. It pulls metadata from your backup applications into the platform. When users access their CRO interface via a browser, they can manage how they want their recoveries to work. They can trigger them manually, or set up rules for automation – which is where the real power of Predatar lies.

Users can choose whether they want to trigger workflows based on a signal of activity (like some sort of anomaly), on a predefined schedule, or both. The goal is to prove recoverability every single day, not just when a disaster strikes.

The second component is the CleanRoom. The CleanRoom is essentially a secure, isolated recovery environment where you can test and validate your recoveries without risk to your production environment. This is where users recover their workloads to. Following a successful recovery, Predatar runs a full malware scan – all without the risk of reintroducing potentially compromised data back into your live systems. This is how Predatar can give organisations confidence that if they ever need to recover for real, their data is clean, usable and safe.


CRO Software and The CleanRoom combine to create Recovery Assurance Platform.

So, to recap: the CRO automates and proves recoverability, then the CleanRoom provides a safe space to validate that recovery before putting anything back into production. Together, they close the loop on Recovery Assurance.

Can you give a real-world example of a Recovery Assurance use case?

Ben: Now, we’ve talked about the concept of Recovery Assurance. Rick, can you give us an example of a real-world use case?

Rick: Sure, I can do that. There’s a highly relevant and high-profile example in the UK at the moment. Marks & Spencer (M&S) is one of the biggest retailers in the UK. It’s been around for as long as I can remember – on every high street, in every town – in petrol stations, in airports – everywhere.

M&S was attacked last month by a group called Scattered Spider. The attack took place over the Easter break. We’re seeing more and more cyberattacks occurring during holiday periods, when IT and security staff are more likely to be out of the office, impacting the speed at which they can respond to and contain an attack.

So, back to M&S. They’ve already paid out to the ransomware group via their insurance company but have been unable to recover fully. They’re currently losing around £43 million per week.

Now, what’s really interesting about this attack – and this is fairly common – is that the ransomware gang originally gained access to M&S’s systems via social engineering. Once they had compromised employee accounts and gained access to the network, they didn’t immediately install ransomware. They spent time observing, learning, and escalating their access. Then, once they had reached all the systems they wanted to, they deployed ransomware to create maximum disruption.

So, how can Predatar help? First off, when this ransomware gang first accessed the Marks & Spencer environment, they likely installed reconnaissance tools like keyloggers and spyware to learn as much about the environment as possible. Often, these tools can be used discreetly, without triggering perimeter alarms or anomaly detection – which are usually designed to spot encryption and exfiltration events.

This is where Predatar can help. By running proactive recovery testing and carrying out full malware scans on workloads, Predatar has a high chance of picking up the criminals’ surveillance tools.

Predatar has found malware in 80% of our customers’ backup environments that they didn’t previously know was there – and much of that is made up of tools like key loggers and spyware.


Pie chart shows 80% of Predatar customers found malware, including trojans, spyware, viruses, keyloggers, and adware.

Secondly, Predatar can also help once a malicious encryption event begins. Predatar has anomaly detection built in, which will trigger when workloads start to become encrypted. This acts as an early warning system to raise the alarm during an active attack.

How is Predatar different from other cyber resilience solutions?

Ben: That’s a great example, Rick. But there are lots of technologies on the market offering cyber resilience right now. Ian, perhaps you can tell us what makes Predatar different?

Ian: That’s a great question, and it’s one we hear a lot. There are plenty of technologies out there that claim to offer cyber resilience, but there are a few key ways in which Predatar really stands out.

First and foremost, Predatar is unified. A lot of the options on the market today come directly from backup and storage vendors. The big catch here is that they’re built to work only within their own technology ecosystem and stack. So, if you don’t want to be locked into a specific vendor, or you’re running a mix of technologies, Predatar is a great choice.

Predatar is agnostic to the technology stack. So, whether you’re using IBM, Rubrik, Cohesity – we can integrate with and orchestrate recoveries across all of them. And it’s not just about the products – we support multiple workloads on those platforms too: physical, virtual, snapshots from a storage subsystem – you name it. Instead of siloed tools for each backup platform or application, Predatar gives you one solution that works across many. It’s centralised, consistent, and scalable.

The second big difference is around speed and simplicity. When it comes to setting up things like CleanRooms, many of the products on the market today are more like DIY kits. They come with a reference architecture, some automation scripts, and then it’s up to you to pull it all together using your own resources. That might be fine for a huge enterprise with dedicated teams, but for most organisations, it’s a slow, complex, and costly project.

Predatar takes a completely different approach. We’ve productised the solution. We can deploy a fully functional CleanRoom environment – integrated with orchestration, automation, validation, and reporting – in just a matter of hours, not weeks. No complex integrations, no need to hire teams to build it out – just straightforward deployment and value from day one.

So, in summary, it’s one platform that brings together multiple backup products, supports a wide range of workloads, and makes recovery validation fast, simple, and accessible to any organisation.

Ben: Rick, before we move on, have you got anything you’d like to add with regard to what’s different about Predatar?

Rick: I think Ian’s covered that really well – as he always does. But there’s one thing worth adding. It’s important to say that Predatar is a proven technology. We’ve been doing recovery testing for the best part of 12 years, and we brought our first CleanRoom to market almost five years ago. Today, Predatar CleanRooms are in use all around the world. We’ve got customers in pretty much every geography using Predatar every day. We’ve got numerous customer case studies, and as I mentioned earlier, 80% of our customers have found malware in their environments that their primary XDR tools didn’t detect.

This proves that even if you have the very best XDR tools at the front end, malware can still get through. The more layers of defence you have, the better.

What was the big idea behind CleanRoom 3?

Ben: Okay, I think we’ve now got a good overview of Recovery Assurance, CleanRooms, and Predatar. So, let’s focus more specifically on CleanRoom 3. Rick, can you explain where the idea came from – and what was wrong with CleanRoom 2?

Rick: The first thing to say, Ben, is that there was nothing wrong with CleanRoom 2. And in some instances, CleanRoom 2 will still be the best option. The inspiration for CleanRoom 3 came from our customers and some of the channel partners we work with.

The concept of CleanRooms is resonating across the market, but we were getting feedback that the complexity of scoping and deploying the solution was causing friction. Customers didn’t want to buy lots of third-party products to make it work. With CleanRoom 2, for example, you needed Windows licences, SQL licences, VMware licences, and your own XDR licences too. That just adds complexity, increases cost, and slows down implementation.

With CleanRoom 3, the two guiding principles were:
[1] we wanted to make CleanRooms as easy and quick to deploy as possible, and
[2] we wanted to remove any dependency on third-party licences.

How did Predatar make the CleanRoom 3 concept a reality?

Ben: So, as Predatar’s CTO, Ian, I guess it fell to you and your team to put the concept into action and make Predatar’s third-generation CleanRoom a reality. Can you talk us through how you achieved it?

Ian: Yes, I’m excited to walk you through what’s new, because this is where we’ve really made big strides – not just from a technical perspective, but also in terms of making CleanRooms much more accessible and scalable for our customers. Let me break it down into a few key areas.

Firstly, we’ve removed the dependency on third-party software and licensing. In earlier iterations of our CleanRoom, there were certain third-party tools and licences – especially VMware – that we had to rely on. That added complexity, cost, and friction for our customers.

With CleanRoom 3, we’ve designed the entire environment to be natively driven by the Predatar portal. That means no additional licensing requirements and no extra software stacks that customers need to purchase, maintain, or configure. Everything is powered and controlled natively through Predatar. So, we’ve massively simplified the stack, making it cleaner and quicker to deploy, while also removing those hidden blockers around licence management and support overheads.

Secondly, we no longer require new hardware or cloud infrastructure. This is one of the most powerful changes in CleanRoom 3. It eliminates the need for customers to stand up new infrastructure – whether that’s physical servers or spinning up a collection of virtual machines. Instead, CleanRoom 3 lets you deploy into your existing environment exactly how you want – whether that be on bare metal or virtualised through VMware or Hyper-V.

For customers, this means no new hardware requirements, no additional software contracts, and no need to carve out or maintain separate infrastructure. You just deploy it however you need for your environment – and then we bring the CleanRoom to life on top of it: completely isolated, fully secure, and built for Recovery Assurance.

Thirdly, the deployment is now faster than ever – and this is an area where we’ve really pushed ourselves, because we knew that one of the biggest barriers to cyber recovery solutions was time to value. With CleanRoom 3, we’ve built a fully automated deployment process. What used to take weeks – from provisioning to configuration and validation – now takes just a few hours.

This is thanks to a new wizard within the Predatar portal, which generates an ISO image specifically for your environment – complete with all the networking and configuration embedded within it. This allows customers to run their unique ISO image on any system they choose, whether it’s a virtual machine or a bare-metal server.

The process is as simple as connecting the system to the ISO image, booting from it, and sitting back while everything is configured for you. We’ve essentially removed the DIY complexity and replaced it with a push-button deployment experience.

Now, CleanRoom projects don’t take weeks. A customer can stand one up in the morning, run test jobs that afternoon, and start building true recovery confidence immediately.

To sum it up: CleanRoom 3 is all about removing friction.

Key takeaways

CleanRoom 3 is another big stride forward for Predatar and for Recovery Assurance technology as a whole. Here are three key takeaways from the webcast:

#1.
If you’re not using any sort of proactive Recovery Assurance today, there’s a high chance that there’s malware in your backups already… just like 80% of Predatar customers before they deployed our solution.

#2.
Predatar is the only vendor-agnostic pre-emptive Recovery Assurance platform available.

#3.
CleanRoom 3 has made Recovery Assurance more attainable for lots of organisations. It’s more cost-effective, more flexible, and easier to deploy.


If you want to know more about how Predatar’s Recovery Assurance platform can benefit your organisation, visit www.predatar.com


06 June 2025

Lessons from LA’s Most Creative Burglars

Article Author: Rick Norgate.

I’ve been mildly obsessed with Geoff Manaugh’s book, A Burglar’s Guide to the City, for a while. It’s one of those rare reads that permanently shifts your perspective. This book is not about cyber crime; it’s not even really about traditional crime. It’s about how we understand and navigate the systems we inhabit every day. And it’s a book I think every CISO should read.

At its core the book argues that burglars are the ultimate super-users of urban environments. They don’t merely move through cities, they manipulate them. Walls become doors, rooftops turn into pathways and manholes become secret entrances. The criminals Manaugh describes don’t smash through front doors with guns – they meticulously uncover hidden routes that others miss.

One of the most compelling stories in the book focusses on the infamous Hole in the Ground Gang. In the mid-1980s, employees at a First Interstate Bank in Hollywood began hearing unsettling noises including what sounded like metallic scraping and muffled drilling from beneath the vault floor. The power flickered unexpectedly, telephones disconnected randomly, and at one point the alarm system spontaneously kicked in late at night, terrifying a lone bank manager. Authorities, when notified, investigated and dismissed it as rats.

But rats don’t drive Suzuki 4×4s through sewer tunnels beneath the streets of West Hollywood.

The Hole in the Ground Gang were no ordinary thieves. They understood LA at an almost geological level. They had intricate knowledge of the city’s hidden infrastructure including storm drains, underground rivers, sewer lines, and forgotten passageways. They accessed maps that showed subterranean routes leading directly under the bank vault. Slowly, quietly, and meticulously, they excavated their tunnels, exploiting unseen pathways until they reached their target, slipping away with over $2.5 million worth of cash and valuables, undetected.

They weren’t caught, and now the statute of limitations has expired. Reflecting on their audacity decades later, even the lead investigator confessed to Manaugh he’d love to meet them over a beer, purely to learn exactly how they’d done it.

The gang’s secret? Deep knowledge. They treated the urban landscape not as obstacles but as opportunities, uncovering vulnerabilities everyone else overlooked.

That’s exactly how today’s most sophisticated cybercriminals operate.

Digital attackers don’t typically hammer against your firewall; they quietly navigate forgotten tunnels in your IT landscape. They leverage misconfigured backup systems, exploit outdated login credentials and silently traverse hidden, neglected digital infrastructure. Their advantage lies in their superior understanding of systems, which they sometimes know better than the businesses that own them.

To fight back effectively, defenders need similar insight. This is exactly why we developed Predatar’s Recovery Risk Report. Much like uncovering the Hole in the Ground Gang’s subterranean maps, the Recovery Risk Report exposes hidden risks in your backup and recovery estate. It helps you visualise the hidden pathways and blind spots cybercriminals are likely to exploit.

By illuminating these overlooked entry points, such as forgotten servers, unpatched backup servers, and vulnerable data copies, it empowers your team to proactively seal them off, dramatically reducing your cyber risk exposure. It also identifies opportunities to strengthen your recovery processes, giving you clarity and control over the infrastructure you depend on most during a recovery.

Think of the Recovery Risk Report as your digital equivalent of those storm-drain maps, empowering you to spot vulnerabilities before attackers do. Because when it comes to protecting your business, understanding the hidden logic of your backup estate isn’t just helpful, it’s essential.

Apply for a free Recovery Risk Report.

Every month we’re giving one Predatar News subscriber a Free Recovery Risk Report (worth $999). Learn more and apply here. If you’re not already on the Predatar mailing lists, you can sign up now to stay up to date with the latest product news, industry insights… and now, it seems, book reviews too.


28 May 2025

Predatar CleanRoom 3 now ships with Trend Micro Vision One (and the licences) baked-in.

Exciting news! Predatar & Trend Micro have announced a renewed partnership which will see Trend Micro Vision One™, the comprehensive threat defence and detection platform, incorporated into Predatar’s latest Cyber Recovery CleanRoom™. The new agreement eliminates previous deployment complexities by enabling Predatar to embed the industry-leading Vision One platform directly into their CleanRoom SaaS solution.

The powerful combination of Predatar and Trend Micro gives users recovery confidence by allowing them to proactively validate their ability to recover quickly and safely from backups and snapshots before a crisis hits.

Since launching the original CleanRoom nearly five years ago, Predatar has relied on Trend Micro’s robust Extended Detection & Response (XDR) capabilities to deliver threat detection, analysis and response. However, requiring customers to procure Trend Micro licences separately introduced friction in the buying and onboarding processes.

Predatar’s third-generation CleanRoom changes that. As part of its complete redesign, Predatar’s R&D team explored a range of alternative XDR tools — including other market leading products and open-source options. After extensive testing, Trend Micro remained the clear choice, consistently outperforming competitors across key criteria including detection speed, integration simplicity and overall resilience.

Ian Richardson, CTO at Predatar explains, “The quality of the XDR technology at the heart of Predatar is non-negotiable, but achieving a frictionless experience for our customers is key to the success of CleanRoom 3.”

Through collaboration with the licensing team at Trend Micro, the two companies have reached an agreement that overcomes the procurement challenges created by the unique way Predatar leverages Trend Micro technology.

Predatar’s CleanRoom 3 is now available – shipping with Trend Micro Vision One™, incorporating Trend Micro’s most powerful XDR engine yet. And what’s more, the required licensing is baked in too.

The new agreement has significantly streamlined the procurement and deployment of Predatar’s market-leading Recovery Assurance technology.

Jonathan Lee, Cybersecurity Director at Trend Micro commented: “Predatar’s technology brings a differentiated approach to cyber recovery, and the integration of our platform further enhances its capabilities. This collaboration reflects the strength of our partnership and our shared commitment to overcoming challenges and delivering continuous innovation.”

Learn more about pre-emptive Recovery Assurance

More than 80% of Predatar customers have found malware in their backups that they didn’t previously know was there. Infected backups and unrecoverable files have the potential to seriously impact incident response and could even make a full recovery following a cyber-attack impossible.

Don’t wait for a crisis to find out if you can recover. Find out more about pre-emptive Recovery Assurance with Predatar and Trend Micro at www.predatar.com
