31 July 2025

Regulations Crash the Party.

Backups used to be boring. Not anymore. Regulations like DORA, NIS2, and FISMA have arrived – and things have got a lot more interesting.

For a long time, backup and disaster recovery lived quietly in the background. You knew it was important. You had something in place. Maybe you even tested it… once a year. But now, governments and regulators are paying attention.

And they’re not just asking if you have backups. They want to know, in detail, how fast you can recover, how clean those backups are and what evidence you have to prove it.

Regulations like NIS2, DORA, and FISMA are leading the charge – and if your business touches critical infrastructure, finance, or healthcare (or even just supplies companies that do), this matters to you.

Let’s take a look at what’s changing and how you can stay ahead.

So, what are these regulations actually saying?

NIS2 (The EU’s Network & Information Security Directive)
This one landed in October 2024 and has recently dramatically expanded who it applies to. Suddenly, mid-sized companies are on the hook for proving they can respond to and recover from a cyberattack. The key point is that regulators want evidence that your recovery plans work. Not assumptions. Not best efforts. Actual proof.

DORA (Digital Operational Resilience Act)
This one’s aimed at financial services, but if you sell into that world (or work with a firm that does), you’re likely affected too. DORA demands frequent, real-world testing of recovery systems, not just theoretical policies.

Think ransomware simulations, timed recoveries, and clean-room validations.

FISMA (US Federal Information Security Modernization Act)
Updated to reflect today’s threat landscape, FISMA now requires integrity checks on restored systems. In other words, can you prove your backup isn’t infected before putting it back into production?

Why this matters and what’s at risk?

Let’s cut to the chase. Failing to comply doesn’t just mean a slap on the wrist. It means you face:

  • Hefty fines
  • Lost business, especially if your customers need you to meet their own compliance needs
  • Reputational damage if recovery from an attack takes days (or worse, reintroduces malware)

We’ve seen this play out. More than once. And it’s no longer just a security issue, it’s a board-level conversation.

Recovery Assurance: Your compliance ace in the hole

At Predatar, we believe that the most overlooked part of cybersecurity is what happens after an attack.

That’s where Recovery Assurance comes in. It gives you the confidence—not just that you have backups, but that they actually work, are malware-free and can get you back up and running when it counts.

Even better, it gives you the audit-ready evidence regulators are asking for.

Let’s map that out:

| Regulation | What they want | What Predatar does |
|---|---|---|
| NIS2 | Proof of working recovery strategy | Automated risk-based recovery testing |
| DORA | Simulated attack recoveries | CleanRoom testing + recovery scoring |
| FISMA | Clean, validated backups | Threat scanning + evidence trails |

No guesswork. No scrambling when an auditor shows up. Just scheduled, reliable, and reportable testing that proves you’re ready.

What should you do next?

If any of this has your attention, here are some practical steps:

  1. Find out which regulations apply to you (or your biggest customers).
  2. Review how often you test your backups and how real those tests are.
  3. Ask yourself: could we prove we’re compliant if asked tomorrow?
  4. Let’s talk. We make this process simple.

Wrapping it up

Regulators aren’t just looking for cybersecurity best practices anymore. They want real-world readiness. The ability to recover, quickly and cleanly, with proof to back it up.

That’s where Recovery Assurance fits in. And that’s where Predatar can help.

If you’d like to see how Predatar supports customers navigating these changes, get in touch today, and if you know someone who needs a nudge, don’t forget to share this post with them.

Learn more about
Predatar recovery assurance

17 July 2025

Ransomware attacks have evolved. Have you?

Cybercriminals are innovative, agile, and tenacious. Most medium and large enterprises are not. Ransomware gangs have significantly changed the way they operate in the last 12 to 18 months. But, have you significantly changed your approach to detection and response for ransomware events in your organisation? No, didn’t think so.

How it begins

Some things haven’t changed. Most ransomware attacks still start the way they always have. Someone clicks a phishing link. A password gets reused. A system goes unpatched. In fact, the top three breach methods remain the same:

– 78% start with human error, including phishing, stolen credentials, compromised employees or social engineering
– 11% come from misconfigured or unpatched systems, including system integration points such as poorly developed APIs
– Only 3% involve zero-day exploits

Then:
Quiet, patient, and hidden in plain sight

Attackers haven’t changed the way they get in, but they have changed what they do once they’re inside. Two years ago, attackers took their time. Once they had access, they’d quietly explore. Their approach was known as ‘living off the land,’ using the tools and credentials already inside your environment to avoid detection. They would:

– Use PowerShell to run commands without downloading new tools
– Use Remote Desktop Protocol to move around your environment
– Set up scheduled tasks to ensure that access privileges remained in place
– Exploit default admin accounts to hide in plain sight

All the time, they would be quietly seeding their ransomware scripts across systems, often spreading them into backups unnoticed. The longer they stayed, the more control they gained, and the more chaos they would cause when they finally ‘pulled the trigger’ on the attack.

Two years ago, the average ‘dwell time’ was well over 100 days.
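As an added example (not Predatar's code and not part of the original post), the four living-off-the-land behaviours listed above can be expressed as detection logic over Windows Security events 4624, 4688 and 4698. The events are constructed samples, and the allow-list, thresholds and account names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real environment), flattened the way a
# JSON export of Windows Security log records might look.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-07-01T01:00:00", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2025-07-01T01:10:00", "Computer": "DB02",
     "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2025-07-01T01:25:00", "Computer": "BK03",
     "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4688, "TimeCreated": "2025-07-01T01:27:00", "Computer": "BK03",
     "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand <omitted>"},
    {"EventID": 4698, "TimeCreated": "2025-07-01T01:30:00", "Computer": "BK03",
     "SubjectUserName": "svc_backup", "TaskName": r"\Updater"},
    {"EventID": 4624, "TimeCreated": "2025-07-01T02:00:00", "Computer": "DC01",
     "TargetUserName": "Administrator", "LogonType": 3},
    # Benign activity that must not be flagged:
    {"EventID": 4624, "TimeCreated": "2025-07-01T09:00:00", "Computer": "WS10",
     "TargetUserName": "jsmith", "LogonType": 10},
    {"EventID": 4688, "TimeCreated": "2025-07-01T09:05:00", "Computer": "WS10",
     "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File report.ps1"},
    {"EventID": 4698, "TimeCreated": "2025-07-01T09:30:00", "Computer": "WS10",
     "SubjectUserName": "svc_deploy", "TaskName": r"\PatchTuesday"},
]

# Assumed tuning values; adjust to the environment being monitored.
DEFAULT_ADMIN_NAMES = {"administrator"}      # built-in account, if not renamed
TASK_CREATOR_ALLOWLIST = {"svc_deploy"}      # hypothetical approved task creators
SUSPICIOUS_PS_ARGS = ("-enc", "-windowstyle hidden", "-w hidden")
RDP_HOST_THRESHOLD = 3                       # distinct hosts per account
RDP_WINDOW = timedelta(hours=1)


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect(events):
    """Return findings as (account, behaviour, host, iso_time) tuples."""
    findings = []
    rdp_logons = defaultdict(list)  # account -> [(time, host)]
    for ev in sorted(events, key=_ts):
        eid, host, when = ev["EventID"], ev["Computer"], _ts(ev)
        if eid == 4688:  # process creation (needs command-line auditing enabled)
            image = ev.get("NewProcessName", "").lower()
            cmd = ev.get("CommandLine", "").lower()
            is_ps = image.endswith(("\\powershell.exe", "\\pwsh.exe"))
            if is_ps and any(arg in cmd for arg in SUSPICIOUS_PS_ARGS):
                user = ev.get("SubjectUserName", "").lower()
                findings.append((user, "powershell_suspicious_args", host, when.isoformat()))
        elif eid == 4698:  # scheduled task created
            user = ev.get("SubjectUserName", "").lower()
            if user not in TASK_CREATOR_ALLOWLIST:
                findings.append((user, "scheduled_task_created", host, when.isoformat()))
        elif eid == 4624:  # successful logon
            user = ev.get("TargetUserName", "").lower()
            logon_type = int(ev.get("LogonType", 0))
            if logon_type == 10:  # RemoteInteractive, i.e. RDP
                rdp_logons[user].append((when, host))
            if user in DEFAULT_ADMIN_NAMES and logon_type in (3, 10):
                findings.append((user, "default_admin_remote_logon", host, when.isoformat()))
    # One account reaching many hosts over RDP in a short window suggests lateral movement.
    for user, logons in rdp_logons.items():
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= RDP_WINDOW}
            if len(hosts) >= RDP_HOST_THRESHOLD:
                findings.append((user, "rdp_fan_out", ",".join(sorted(hosts)), start.isoformat()))
                break
    return findings


def score_accounts(findings):
    """Rank accounts: those showing several distinct behaviours come first."""
    per_account = defaultdict(set)
    for user, behaviour, _, _ in findings:
        per_account[user].add(behaviour)
    ranked = [(user, sorted(b)) for user, b in per_account.items()]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for account, behaviours in score_accounts(detect(SAMPLE_EVENTS)):
        print(account, behaviours)
```

Each behaviour on its own is routine administration; the ranking matters because one account combining several of them in a short window is the pattern worth triaging first.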

Now:
Fast, automated and clinical

This approach no longer works. Security technology has improved significantly. Businesses are investing more than ever in tools like:

– EDR (Endpoint Detection and Response)
– XDR (Extended Detection and Response)
– SIEM platforms with real-time alerting

These tools detect behaviour patterns, track lateral movement, and raise alerts much earlier than they did before. To stay ahead, attackers have flipped the playbook.

Now they use automated reconnaissance tools (used in 91% of modern breaches). These tools scan entire environments in hours, logging keystrokes, showing attackers where backups are stored, how security policies are configured, and which systems hold the keys.

From breach to boom can now take less than 14 days.

What attackers target first

Once they’re in, attackers don’t waste any time. Their priorities are usually the same:

– Active Directory:  to escalate access and move freely
– Backup systems: to delete copies, corrupt data or block recovery
– Security tools: to modify policies, disable alerts and whitelist malware

They time the final attack – often referred to as the “boom moment” – for when your team is least ready. Think long weekends and public holidays.

Why your security tools aren’t catching everything

Here’s the part that often gets missed. Production security tools aren’t typically configured to scan every file on every system, every day. Doing this would kill the performance of production systems and seriously impact your business’s ability to operate.

Instead, they typically scan files when:
– They’re created
– They’re modified
– Occasionally, when they’re accessed

This means if malware slips past the perimeter defences, it can go completely undetected. So what’s the answer?

The answer (and probably some malware) is in your backups.

The team at Predatar has realised something very powerful. Your backups are much more than a last line of defence, they can be the frontline in threat detection. Your backups are a copy of all of your data, and while it’s not practical to continuously scan your production systems every day – you can scan your backups.

The Predatar Recovery Assurance platform continuously moves backups into an isolated CleanRoom, where it uses best-in-class integrated security tools from Trend Micro to interrogate every file for signs of malware, with no negative impact on production systems.

Today, businesses around the world are using Predatar to validate the recoverability and cleanliness of their data 24×7, and the findings are truly worrying.

In the last year alone, Predatar has discovered malware in more than 80% of its users’ backups. That includes:

– Active ransomware strains, complete with embedded ransom notes
– Encrypted data from attacks that customers did not realise were in progress
– And in over 50 percent of cases, reconnaissance tools that help attackers map environments and identify weak points

What does this mean for you? Let’s start with the good news. With Predatar, you can perform in-depth security scanning in your backup environment that simply isn’t possible on production systems. The bad news? Well, you probably already have malware hiding in your data.

Discover Predatar:

Discover how Predatar can help your organisation hunt down hidden malware before a crisis. Find out more at www.predatar.com, watch the short explainer video [90 seconds], or book a demo.


10 July 2025

Predatar or Veeam SureBackup

Which one is right for you?

Data resilience is now a priority for storage and backup teams. They need certainty that the data they’re responsible for hasn’t been compromised. They need to know that when it’s needed, it can be used for a clean and fast recovery.  They need to know there is no risk of reinfecting production systems following a cyberattack.

The Predatar Recovery Assurance platform and Veeam SureBackup have both been designed to solve these challenges. Because Predatar works with Veeam Backup & Replication, the question we regularly get asked is ‘Which one is right for my business?’

For many Veeam customers, SureBackup is a great choice – especially as it’s included at no additional cost within some Veeam subscriptions. However, for lots of Veeam customers, Predatar is the best option. For example, Predatar’s speed, automation capabilities, and advanced reporting make it an ideal choice for highly regulated organisations that need to achieve recovery validation at scale, and prove compliance. Businesses using multiple backup products may also find that Predatar is a better fit for them.

This article will help you understand the differences between these two solutions, and make the right choice for you.

Access to Veeam SureBackup and Predatar

When it comes to accessing SureBackup, things are a little complicated. It’s only available as part of some – but not all – Veeam subscription packages. It’s not available as a standalone product, so if it’s not part of your subscription, you will need to upgrade your Veeam plan to use it.

You can find out which Veeam subscription plans include SureBackup here.

It’s also important to know that in order to unlock ALL of the power of Veeam SureBackup, users will also need Veeam ONE and Veeam Recovery Orchestration subscriptions.

When it comes to Predatar, it’s much simpler. Predatar is available as a standalone subscription platform. It is available to all Veeam Backup & Replication users, regardless of their subscription package.

Core functionality

At a high level, Veeam SureBackup and Predatar are built to achieve the same goal: to validate the recoverability and cleanliness of backups. The differences lie in how they do it, their scalability, and in the scope of the backup platforms and file types each one supports.

Backup application support

Veeam SureBackup is built into Veeam Backup & Replication and is designed to validate both VMware and Hyper-V VMs (Virtual Machines). It works well on-prem or in hybrid setups, but not when Veeam runs entirely in the cloud. 

By contrast, Predatar is an independent, vendor-agnostic platform providing broader support. In addition to validating Veeam backups, Predatar can also validate backups from:

• IBM Storage Protect,
• IBM Defender Data Protect,
• Cohesity Data Protect,
• Rubrik Security Cloud.

Additionally, Predatar can validate immutable snapshots on IBM FlashSystems and Pure Storage boxes. This makes Predatar a great fit for businesses with two or more backup and storage technologies in their stack.

Workload support

Veeam SureBackup supports Windows and Linux VMs. Predatar goes further, not just validating Windows and Linux virtual machines but also Windows and Linux bare metal servers, SQL databases, and AIX workloads too. 

Automation and AI

Veeam SureBackup provides the ability to run automated workflows for recovery testing and antivirus scanning that significantly reduce time, complexity, and manual effort. However, the ‘out of the box’ workflows are relatively basic, and can only be triggered based on pre-defined schedules. While the schedules are easy for the user to configure, more advanced automations are only possible with Veeam Recovery Orchestrator (a separate product), or with custom scripting via PowerShell.

Predatar’s built-in automations are more advanced and highly customisable via an easy-to-use interface featuring dropdown options and simple toggle switches. In addition to pre-defined schedules, Predatar automations can be triggered by threat alerts, failed backup runs, SIEM notifications and more.

One of the most impressive aspects of the Predatar platform is the underlying Aurora AI engine. Aurora continually monitors thousands of signals across your backup environment and external intelligence sources to apply a real-time risk score to every node in your environment. Aurora will trigger and prioritise automated testing of high-risk workloads with no human intervention required.

Veeam’s Isolated lab vs Predatar CleanRoom

Veeam SureBackup uses Isolated Labs. Predatar uses a CleanRoom. So, what’s the difference?

The purpose and general principle are the same: both are safe, segregated environments where backups can be tested for recoverability and potential infections — without any risk to the performance or integrity of production systems.

Veeam’s Isolated Labs run inside on-premise hypervisors and require a Proxy appliance, virtual switch configuration, and access to production backups. When a recovery test is triggered, SureBackup will immediately spin up an Isolated Lab on a VM. Once the workflow is complete, the lab will vanish.

Predatar CleanRooms are permanent, always-on environments, which can be deployed on bare metal, hypervisors, or in the cloud – in just a few hours. CleanRooms are designed to continually run recovery tests and malware interrogation 24x7x365.

Threat intelligence

SureBackup uses ClamAV, an open-source antivirus engine, to detect known infection signatures hiding in your backups. Predatar includes Trend Micro Vision One – recognised by Gartner as a ‘Leader’ in XDR platforms – at no additional cost.

Vision One updates four times daily with up to half a million new malware and ransomware definitions. It brings the insight of over 1,600 threat researchers directly into your backup validation. The strength of this collaboration between Predatar and Trend Micro has meant that Predatar has found malware in more than 80% of its customers’ backups that their production security tools had missed.

Speed and performance

In controlled lab conditions, Predatar was tested alongside Veeam SureBackup to evaluate the success and performance of recoverability and cleanliness validation for backup data.

Each solution was tasked with testing 100 virtual machines (including both Windows and Linux), ranging from 100 GB to 500 GB. Some VMs were deliberately infected with sample malware to simulate a realistic threat scenario.

While both products successfully detected the infections, Predatar completed the tests in just 41 minutes, compared to 3.5 hours for Veeam SureBackup.

Trust and Credibility

Did you know, Predatar is a Veeam Ready Partner? For many Veeam customers, Predatar may be a brand they’re not yet familiar with. But Predatar has been creating backup intelligence and automation tools for over 10 years, and has been pioneering Cyber Recovery CleanRoom technology for nearly five years.


In 2024, after rigorous validation by Veeam, Predatar was awarded Veeam Ready status. Today, Veeam users around the world are using Predatar every day, to proactively prove their recoverability.

Search the Veeam Ready database here

Read a customer case study:
Preventing a Cyber Emergency with Veeam & Predatar.

Reporting and compliance

Veeam SureBackup focuses on technical backup and recovery metrics and feeds them directly into Veeam ONE. This is particularly convenient for storage and backup administrators already leveraging Veeam ONE for dashboards and reporting.

Predatar’s reporting is designed for compliance teams as well as backup teams. Out of the box, reports align with NIS2 and other commonly used frameworks, giving you proof of cyber recovery confidence, not just technical success.

Conclusion

Veeam SureBackup is a solid option for many Veeam Backup & Replication users — especially small to medium sized businesses with Veeam Universal Licences (VUL).

Predatar offers a more robust and comprehensive solution. If your organisation handles large volumes of data, wants to test more than virtual machines, operates a multi-vendor environment, or runs 100% in the cloud, Predatar is likely to be the better choice. It delivers deeper automation, broader workload support, and reporting that stands up to the toughest audits.

Want to dig deeper?

Take a look at our Veeam SureBackup and Predatar comparison table and FAQs here. They will help you evaluate both solutions and choose the one that’s right for your organisation.

Get started with Predatar

Contact our friendly team at hello@predatar.com or book a demo to get started on your journey to recovery confidence.

Keep us honest:
At Predatar, we make every effort to ensure our content is accurate. If you believe anything in this blog is misleading, incorrect, or out-of-date, please let us know.


02 July 2025

Move faster. Climb higher. Don’t look down.  

Celerity’s acquisition of Silverstring kick-starts a new era for Predatar.

It takes almost 10 days to trek to Everest Base Camp. It’s a difficult journey. The risks of altitude sickness, injury, and physical exhaustion mean that a quarter of adventurers who set out on the journey don’t even make it that far.

As we stand at the foot of our own Everest, we’re allowing ourselves a few moments to reflect on the achievement of getting here – to our own metaphorical base camp – before the adventure gets really interesting.

So how did we get here?

A pioneer was born

The Predatar story started more than a decade ago. Silverstring Limited was – and still is – an innovative Managed Service Provider (MSP) delivering backup and recovery services for enterprises with complex storage environments. Rewind 10 years, and the business was struggling with the challenges of growth. The service delivery team was drowning in repetitive reporting and admin tasks. As the business grew, so did the tasks.

Founder and CEO, Alistair Mackenzie, recognised that automation was the answer. The engineers at Silverstring set about building a tool that would streamline the manual and time-consuming jobs that were impacting productivity. The platform that would soon become known as Predatar was born. User-friendly, flexible, intuitive, in the cloud – the platform was ahead of its time.

It quickly became clear that other MSPs and backup teams inside large organisations could benefit from the pioneering technology that Alistair and his team had built. In 2017, Predatar Limited was born: a SaaS business created under the wing of Silverstring Holdings, to take the product to the world.

The first steps on the journey

Just like the trek to base camp, many start-ups don’t make it. But Predatar has had a big advantage: a strong, knowledgeable, and dedicated companion and guide. Silverstring has been our Sherpa in the early stages of the Predatar journey. Without Silverstring leading the way, those first treacherous climbs wouldn’t have been possible.

In the beginning, Predatar Limited had a great product and big ambitions, but no customers and no revenue. Silverstring helped us take our first steps. With the financial support of an established and profitable business, we recruited the best people. We got stronger.

Silverstring’s knowledge of the market and insights from its customers drove our innovation roadmap and our product development. We got smarter.

Silverstring helped us find our first customers. Our strides got bigger.

A fork in the path

When we started out, customers told us that they were lacking confidence in their backups. Complicated and opaque technology meant they didn’t have visibility of backup success rates or backup run failures. Predatar fixed this for them.

But then the world changed. Suddenly, our customers were asking different questions. The big one – the one that was now keeping them awake at night:

Will our backups be recoverable in a cyberattack?

The Predatar team did what we do best. We innovated. By leveraging our deep technical knowledge in automation for backup and recovery – and by partnering with Trend Micro, a world leader in cyber security technology – we developed the world’s first proactive cyber recovery cleanroom, and software that automates the continuous validation of backups, to prove they are always recoverable and free from malware.

The decision to pivot from a backup and recovery management platform to one that is focused on cyber recovery assurance has been a defining moment in our journey. It was a game changer. We’ve built a product that isn’t just a nice-to-have for businesses – it’s a necessity for operational resilience.

Going our separate ways

So here we are. Our journey to base camp has taken eight years. The role that Silverstring has played in getting us here is without doubt. But it’s time to go our separate ways.

Silverstring, our companion and guide, will go on to have many more adventures – and the next one starts today, as they join the Celerity family. Backed by major capital investor BGF, Celerity Limited is on its own big expedition, and the Silverstring team will bring their unrivalled expertise in backup and recovery assurance services to complement the extensive cyber security and infrastructure capabilities of Celerity. Together, they will reach new heights.

With renewed focus, energy, and investment from the sale of Silverstring Limited, Predatar will continue under the ownership and direction of Alistair Mackenzie.

Our Everest

We’ve already defied the odds to get this far. We’ve created a truly unique technology with patents in the USA, Europe, and the UK.

Last year, our Annual Recurring Revenue (ARR) grew by 100%, and the number of businesses using Predatar more than doubled. Today, we’ve got more than 100 customers across North America, Latin America, Europe, Middle East, Africa, and Australia.

For Predatar, our Everest is scale. We want every business in the world to know the potential of Predatar’s recovery assurance technology for their operations. It’s a big goal for an independent start-up from Oxford, UK – but we’ve never been short of ambition.

Big tech vendors and ambitious startups alike have seen our technology. They’ve seen the opportunity. And they want to catch us. We must stay ahead.

With the summit looming large on the horizon, we’re more than ready to tackle the challenge – and we’ll do it our way. The Predatar way. We will be more agile, more focused, and more daring than ever before.

Every day, we will go further than the last. We’ll move faster. We’ll climb higher. We will remember the journey we have been on. But we won’t look down.

Keep track of our journey

Stay in the loop with all the latest news from Predatar. Get market insights, product news, and practical advice for operational resiliency delivered directly to your inbox. Subscribe to news


18 June 2025

Grab the cat and get the hell out!

Why backup anomaly detection is essential, but not enough.

A fire starts in your home in the middle of the night. You’re fast asleep, when a malicious low-life targets your house in an unprovoked and indiscriminate attack. A lit newspaper is pushed through an open window. After a few minutes the curtains catch alight.

Luckily, your smoke alarm is triggered, and you wake with a start. But you’re dazed and confused. By the time you work out what’s going on and get downstairs, the carpet and the armchair are on fire too.

You shout at your partner to “grab the cat, get the hell out, and call the fire department!!!”

You try to contain the blaze with a fire extinguisher. The fire department arrives fast. You’ve successfully stopped the fire spreading and the professionals quickly extinguish the flames. The emergency is over, and you’re relieved the damage was limited.

The fire chief confirms what you already know. Your smoke alarm has saved the day. This could have been so much worse.

What does this have to do with anomaly detection?

It doesn’t take a genius to work out where we’re heading with this analogy. Whether it’s a domestic fire or an enterprise cyberattack, the ability to respond fast is critical.

In principle, the anomaly detection tools that are now prolific in enterprise backup and storage tools are like smoke alarms.

The moment that a cyber incident is activated, these tools will recognise the patterns of behaviour in your data that are associated with criminal encryption or exfiltration events. With almost instantaneous alerts, anomaly detection will enable you to respond quickly and limit the impact of a live cyberattack.

Prevention is better than even the fastest response

The ability to respond fast is essential, but you need to remember that when anomaly detection kicks in, an attack is already in progress. Damage is already being done. What if the curtains in this analogy are your HR records? The carpet – your billing system? What if the armchair is your email server? Bringing them back will be disruptive, probably time-consuming, possibly costly, and in some cases – impossible.

Predatar brings proactive threat detection to your storage and backup environment. The big idea is to hunt down malware before an attack is activated.  Why? Because prevention is better than even the fastest response.

So how does it work?…

You probably already have malware in your backups.


More than 80% of Predatar customers have found malware in their backups that they didn’t previously know was there. This is malware that has slipped through firewalls and front-end antivirus tools, before being replicated into backups and snapshots.

It hasn’t triggered anomaly detection, either because it’s not been activated yet, or often it’s small ‘reconnaissance’ applications like spyware and key loggers which only cause tiny, almost imperceptible changes in your data.


[Figure: pie chart showing that 82% of Predatar customers found malware, including Trojan horses, spyware, and other threats.]

On average, cyberattacks aren’t triggered until 14 days after attackers first gain access to their victim’s IT network. It’s during this time that these tools are deployed by the criminals, to gain deeper access and ultimately enable them to cause more damage. Reconnaissance software is currently used in 91% of ransomware attacks.

Predatar assumes that any workload in your storage or backups could be infected. By running fully automated recovery tests and full malware interrogation using Trend Micro Vision One, Predatar finds and eliminates even inactive malware before a crisis begins. Predatar is always on, hunting down threats based on intelligence from Trend Micro’s global threat intelligence network.

Does Predatar make anomaly detection obsolete?

Definitely not. Cyber resilience is all about layers of defence. In fact, Predatar has some powerful anomaly detection built in to complement its proactive threat-hunting capabilities.

The great news for lots of businesses is that in most cases, the storage and backup products they are already using have anomaly detection capabilities built in, including these ones:

If you are using any of these products, you really should be utilising the anomaly detection features that are available to you. The products above are also compatible with Predatar. So adding proactive threat detection to your backup and storage is easy.

In conclusion

Anomaly detection for your storage and backup environments is essential for limiting the impact of live cyberattacks. Businesses should make sure they are enabling the reactive anomaly detection tools that are built into the platforms they are already using.

Predatar is different. Infrastructure teams can quickly and easily add a layer of proactive threat-hunting to their backup and storage environments with Predatar’s SaaS Recovery Assurance platform to eliminate threats before an attack is activated.


New to Predatar?
Discover how Predatar works in 90 seconds:
Watch the Recovery Assurance explained video.


10 June 2025

Webcast Recap: CleanRoom 3 explained

Earlier this year, Predatar launched CleanRoom 3. Our third-generation Cyber Recovery CleanRoom has been redesigned from the ground up – to make our unique Recovery Assurance technology accessible to more organisations than ever before.

In our recent webcast, ‘Recovery Assurance for All’, Ian Richardson (Predatar CTO) and Rick Norgate (Predatar Managing Director) explain how we’ve broken down some of the biggest barriers to the adoption of this important technology. If you missed it, don’t worry – we’ve pulled out some of the key questions and answers from the session in this blog.

Watch the webcast in full on YouTube
[25 mins]

What is a CleanRoom? And what does it do?

Ben: We’ve been using the term ‘CleanRoom’ at Predatar for a few years now, and recently we’ve been hearing it used more and more by cybersecurity experts, major tech vendors, and in the industry press. Rick, what is a CleanRoom? And what does it do?

Rick: That’s a great question. When we talk about CleanRooms, we’re specifically referring to Cyber Recovery CleanRooms. You might also hear them referred to in the industry as Isolated Recovery Environments. Essentially, it’s an isolated environment that you can use to perform recovery testing and malware scanning.

There is often some confusion around the term ‘CleanRoom’. When you look at how some technology vendors are using it in the market, and you dig into what they mean by ‘CleanRoom’, they’re generally referring to a tool that’s used post-attack to conduct forensic analysis. Imagine an organisation gets attacked – they’ll need to recover workloads somewhere to check they are clean and haven’t been compromised before they begin restoration.

At Predatar, when we talk about a CleanRoom, we’re actually referring to a proactive tool. The overarching concept is the same, but a Predatar CleanRoom is used to test your backups for recoverability, and then scan them for malware on a proactive basis – that’s the key difference when we talk about CleanRooms in the context of Predatar.

What is the role of a CleanRoom within a Recovery Assurance solution?

Ben: We talk about Predatar as a Recovery Assurance platform. So, Ian, can you explain what the role of a CleanRoom is within that overall solution?

Ian: Predatar is built on two core components. The first is CRO (Cyber Recovery Orchestration) software. This is the AI and automation engine at the heart of the solution. It pulls metadata from your backup applications into the platform. When users access their CRO interface via a browser, they can manage how they want their recoveries to work. They can trigger them manually, or set up rules for automation – which is where the real power of Predatar lies.

Users can choose whether they want to trigger workflows based on a signal of activity (like some sort of anomaly), on a predefined schedule, or both. The goal is to prove recoverability every single day, not just when a disaster strikes.

The second component is the CleanRoom. The CleanRoom is essentially a secure, isolated recovery environment where you can test and validate your recoveries without risk to your production environment. This is where users recover their workloads to. Following a successful recovery, Predatar runs a full malware scan – all without the risk of reintroducing potentially compromised data back into your live systems. This is how Predatar can give organisations confidence that if they ever need to recover for real, their data is clean, usable and safe.


CRO Software and The CleanRoom combine to create Recovery Assurance Platform.

So, to recap: the CRO automates and proves recoverability, then the CleanRoom provides a safe space to validate that recovery before putting anything back into production. Together, they close the loop on Recovery Assurance.

Can you give a real-world example of a Recovery Assurance use case?

Ben: Now, we’ve talked about the concept of Recovery Assurance. Rick, can you give us an example of a real-world use case?

Rick: Sure, I can do that. There’s a highly relevant and high-profile example in the UK at the moment. Marks & Spencer (M&S) is one of the biggest retailers in the UK. It’s been around for as long as I can remember – on every high street, in every town – in petrol stations, in airports – everywhere.

M&S was attacked last month by a group called Scattered Spider. The attack took place over the Easter break. We’re seeing more and more cyberattacks occurring during holiday periods, when IT and security staff are more likely to be out of the office, impacting the speed at which they can respond to and contain an attack.

So, back to M&S. They’ve already paid out to the ransomware group via their insurance company but have been unable to recover fully. They’re currently losing around £43 million per week.

Now, what’s really interesting about this attack – and this is fairly common – is that the ransomware gang originally gained access to M&S’s systems via social engineering. Once they had compromised employee accounts and gained access to the network, they didn’t immediately install ransomware. They spent time observing, learning, and escalating their access. Then, once they had reached all the systems they wanted to, they deployed ransomware to create maximum disruption.

So, how can Predatar help? First off, when this ransomware gang first accessed the Marks & Spencer environment, they likely installed reconnaissance tools like keyloggers and spyware to learn as much about the environment as possible. Often, these tools can be used discreetly, without triggering perimeter alarms or anomaly detection – which are usually designed to spot encryption and exfiltration events.

This is where Predatar can help. By running proactive recovery testing and carrying out full malware scans on workloads, Predatar has a high chance of picking up the criminals’ surveillance tools.

Predatar has found malware in 80% of our customers’ backup environments that they didn’t previously know was there – and much of that is made up of tools like keyloggers and spyware.


Pie chart shows 80% of Predatar customers found malware, including trojans, spyware, viruses, keyloggers, and adware.

Secondly, Predatar can also help once a malicious encryption event begins. Predatar has anomaly detection built in, which will trigger when workloads start to become encrypted. This acts as an early warning system to raise the alarm during an active attack.

How is Predatar different from other cyber resilience solutions?

Ben: That’s a great example, Rick. But there are lots of technologies on the market offering cyber resilience right now. Ian, perhaps you can tell us what makes Predatar different?

Ian: That’s a great question, and it’s one we hear a lot. There are plenty of technologies out there that claim to offer cyber resilience, but there are a few key ways in which Predatar really stands out.

First and foremost, Predatar is unified. A lot of the options on the market today come directly from backup and storage vendors. The big catch here is that they’re built to work only within their own technology ecosystem and stack. So, if you don’t want to be locked into a specific vendor, or you’re running a mix of technologies, Predatar is a great choice.

Predatar is agnostic to the technology stack. So, whether you’re using IBM, Rubrik, Cohesity – we can integrate with and orchestrate recoveries across all of them. And it’s not just about the products – we support multiple workloads on those platforms too: physical, virtual, snapshots from a storage subsystem – you name it. Instead of siloed tools for each backup platform or application, Predatar gives you one solution that works across many. It’s centralised, consistent, and scalable.

The second big difference is around speed and simplicity. When it comes to setting up things like CleanRooms, many of the products on the market today are more like DIY kits. They come with a reference architecture, some automation scripts, and then it’s up to you to pull it all together using your own resources. That might be fine for a huge enterprise with dedicated teams, but for most organisations, it’s a slow, complex, and costly project.

Predatar takes a completely different approach. We’ve productised the solution. We can deploy a fully functional CleanRoom environment – integrated with orchestration, automation, validation, and reporting – in just a matter of hours, not weeks. No complex integrations, no need to hire teams to build it out – just straightforward deployment and value from day one.

So, in summary, it’s one platform that brings together multiple backup products, supports a wide range of workloads, and makes recovery validation fast, simple, and accessible to any organisation.

Ben: Rick, before we move on, have you got anything you’d like to add with regard to what’s different about Predatar?

Rick: I think Ian’s covered that really well – as he always does. But there’s one thing worth adding. It’s important to say that Predatar is a proven technology. We’ve been doing recovery testing for the best part of 12 years, and we brought our first CleanRoom to market almost five years ago. Today, Predatar CleanRooms are in use all around the world. We’ve got customers in pretty much every geography using Predatar every day. We’ve got numerous customer case studies, and as I mentioned earlier, 80% of our customers have found malware in their environments that their primary XDR tools didn’t detect.

This proves that even if you have the very best XDR tools at the front end, malware can still get through. The more layers of defence you have, the better.

What was the big idea behind CleanRoom 3?

Ben: Okay, I think we’ve now got a good overview of Recovery Assurance, CleanRooms, and Predatar. So, let’s focus more specifically on CleanRoom 3. Rick, can you explain where the idea came from – and what was wrong with CleanRoom 2?

Rick: The first thing to say, Ben, is that there was nothing wrong with CleanRoom 2. And in some instances, CleanRoom 2 will still be the best option. The inspiration for CleanRoom 3 came from our customers and some of the channel partners we work with.

The concept of CleanRooms is resonating across the market, but we were getting feedback that the complexity of scoping and deploying the solution was causing friction. Customers didn’t want to buy lots of third-party products to make it work. With CleanRoom 2, for example, you needed Windows licences, SQL licences, VMware licences, and your own XDR licences too. That just adds complexity, increases cost, and slows down implementation.

With CleanRoom 3, the two guiding principles were:
[1] we wanted to make CleanRooms as easy and quick to deploy as possible, and
[2] we wanted to remove any dependency on third-party licences.

How did Predatar make the CleanRoom 3 concept a reality?

Ben: So, as Predatar’s CTO, Ian, I guess it fell to you and your team to put the concept into action and make Predatar’s third-generation CleanRoom a reality. Can you talk us through how you achieved it?

Ian: Yes, I’m excited to walk you through what’s new, because this is where we’ve really made big strides – not just from a technical perspective, but also in terms of making CleanRooms much more accessible and scalable for our customers. Let me break it down into a few key areas.

Firstly, we’ve removed the dependency on third-party software and licensing. In earlier iterations of our CleanRoom, there were certain third-party tools and licences – especially VMware – that we had to rely on. That added complexity, cost, and friction for our customers.

With CleanRoom 3, we’ve designed the entire environment to be natively driven by the Predatar portal. That means no additional licensing requirements and no extra software stacks that customers need to purchase, maintain, or configure. Everything is powered and controlled natively through Predatar. So, we’ve massively simplified the stack, making it cleaner and quicker to deploy, while also removing those hidden blockers around licence management and support overheads.

Secondly, we no longer require new hardware or cloud infrastructure. This is one of the most powerful changes in CleanRoom 3. It eliminates the need for customers to stand up new infrastructure – whether that’s physical servers or spinning up a collection of virtual machines. Instead, CleanRoom 3 lets you deploy into your existing environment exactly how you want – whether that be on bare metal or virtualised through VMware or Hyper-V.

For customers, this means no new hardware requirements, no additional software contracts, and no need to carve out or maintain separate infrastructure. You just deploy it however you need for your environment – and then we bring the CleanRoom to life on top of it: completely isolated, fully secure, and built for Recovery Assurance.

Thirdly, the deployment is now faster than ever – and this is an area where we’ve really pushed ourselves, because we knew that one of the biggest barriers to cyber recovery solutions was time to value. With CleanRoom 3, we’ve built a fully automated deployment process. What used to take weeks – from provisioning to configuration and validation – now takes just a few hours.

This is thanks to a new wizard within the Predatar portal, which generates an ISO image specifically for your environment – complete with all the networking and configuration embedded within it. This allows customers to run their unique ISO image on any system they choose, whether it’s a virtual machine or a bare-metal server.

The process is as simple as connecting the system to the ISO image, booting from it, and sitting back while everything is configured for you. We’ve essentially removed the DIY complexity and replaced it with a push-button deployment experience.

Now, CleanRoom projects don’t take weeks. A customer can stand one up in the morning, run test jobs that afternoon, and start building true recovery confidence immediately.

To sum it up: CleanRoom 3 is all about removing friction.

Key takeaways

CleanRoom 3 is another big stride forward for Predatar and for Recovery Assurance technology as a whole. Here are three key takeaways from the webcast:

#1
If you’re not using any sort of proactive Recovery Assurance today, there’s a high chance that there’s malware in your backups already… just like 80% of Predatar customers before they deployed our solution.

#2
Predatar is the only vendor-agnostic, pre-emptive Recovery Assurance platform available.

#3
CleanRoom 3 has made Recovery Assurance more attainable for lots of organisations. It’s more cost-effective, more flexible, and easier to deploy.


If you want to know more about how Predatar’s Recovery Assurance platform can benefit your organisation, visit www.predatar.com

Learn more about
Predatar recovery assurance

06 June 2025

Lessons from LA’s Most Creative Burglars

Article Author: Rick Norgate.

I’ve been mildly obsessed with Geoff Manaugh’s book, A Burglar’s Guide to the City, for a while. It’s one of those rare reads that permanently shifts your perspective. This book is not about cyber crime; it’s not even really about traditional crime. It’s about how we understand and navigate the systems we inhabit every day. And it’s a book I think every CISO should read.

At its core the book argues that burglars are the ultimate super-users of urban environments. They don’t merely move through cities, they manipulate them. Walls become doors, rooftops turn into pathways and manholes become secret entrances. The criminals Manaugh describes don’t smash through front doors with guns – they meticulously uncover hidden routes that others miss.

One of the most compelling stories in the book focusses on the infamous Hole in the Ground Gang. In the mid-1980s, employees at a First Interstate Bank in Hollywood began hearing unsettling noises including what sounded like metallic scraping and muffled drilling from beneath the vault floor. The power flickered unexpectedly, telephones disconnected randomly, and at one point the alarm system spontaneously kicked in late at night, terrifying a lone bank manager. Authorities, when notified, investigated and dismissed it as rats.

But rats don’t drive Suzuki 4×4s through sewer tunnels beneath the streets of West Hollywood.

The Hole in the Ground Gang were no ordinary thieves. They understood LA at an almost geological level. They had intricate knowledge of the city’s hidden infrastructure including storm drains, underground rivers, sewer lines, and forgotten passageways. They accessed maps that showed subterranean routes leading directly under the bank vault. Slowly, quietly, and meticulously, they excavated their tunnels, exploiting unseen pathways until they reached their target, slipping away with over $2.5 million worth of cash and valuables, undetected.

They weren’t caught, and now the statute of limitations has expired. Reflecting on their audacity decades later, even the lead investigator confessed to Manaugh he’d love to meet them over a beer, purely to learn exactly how they’d done it.

The gang’s secret? Deep knowledge. They treated the urban landscape not as obstacles but as opportunities, uncovering vulnerabilities everyone else overlooked.

That’s exactly how today’s most sophisticated cybercriminals operate.

Digital attackers don’t typically hammer against your firewall; they quietly navigate forgotten tunnels in your IT landscape. They leverage misconfigured backup systems, exploit outdated login credentials and silently traverse hidden, neglected digital infrastructure. Their advantage lies in their superior understanding of systems, sometimes better than that of the businesses that own them.

To fight back effectively, defenders need similar insight. This is exactly why we developed Predatar’s Recovery Risk Report. Much like uncovering the Hole in the Ground Gang’s subterranean maps, the Recovery Risk Report exposes hidden risks in your backup and recovery estate. It helps you visualise the hidden pathways and blind spots cybercriminals are likely to exploit.

By illuminating these overlooked entry points such as forgotten servers, unpatched backup servers, and vulnerable data copies, it empowers your team to proactively seal them off, dramatically reducing your cyber risk exposure. It also identifies opportunities to strengthen your recovery processes, giving you clarity and control over the infrastructure you depend on most during a recovery.

Think of the Recovery Risk Report as your digital equivalent of those storm-drain maps, empowering you to spot vulnerabilities before attackers do. Because when it comes to protecting your business, understanding the hidden logic of your backup estate isn’t just helpful, it’s essential.

Apply for a free Recovery Risk Report.

Every month we’re giving one Predatar News subscriber a Free Recovery Risk Report (worth $999). Learn more and apply here. If you’re not already on the Predatar mailing lists, you can sign up now to stay up to date with the latest product news, industry insights… and now, it seems, book reviews too.


28 May 2025

Predatar CleanRoom 3 now ships with Trend Micro Vision One (and the licences) baked-in.

Exciting news! Predatar & Trend Micro have announced a renewed partnership which will see Trend Micro Vision One™, the comprehensive threat defence and detection platform, incorporated into Predatar’s latest Cyber Recovery CleanRoom™. The new agreement eliminates previous deployment complexities by enabling Predatar to embed the industry-leading Vision One platform directly into their CleanRoom SaaS solution.

The powerful combination of Predatar and Trend Micro gives users recovery confidence by allowing them to proactively validate their ability to recover quickly and safely from backups and snapshots before a crisis hits.

Since launching the original CleanRoom nearly five years ago, Predatar has relied on Trend Micro’s robust Extended Detection & Response (XDR) capabilities to deliver threat detection, analysis and response. However, requiring customers to procure Trend Micro licences separately introduced friction in the buying and onboarding processes.

Predatar’s third-generation CleanRoom changes that. As part of its complete redesign, Predatar’s R&D team explored a range of alternative XDR tools — including other market leading products and open-source options. After extensive testing, Trend Micro remained the clear choice, consistently outperforming competitors across key criteria including detection speed, integration simplicity and overall resilience.

Ian Richardson, CTO at Predatar explains, “The quality of the XDR technology at the heart of Predatar is non-negotiable, but achieving a frictionless experience for our customers is key to the success of CleanRoom 3.”

Through collaboration with the licensing team at Trend Micro, the two companies have reached an agreement that overcomes the procurement challenges created by the unique way Predatar leverages Trend Micro technology.

Predatar’s CleanRoom 3 is now available – shipping with Trend Micro Vision One™, incorporating Trend Micro’s most powerful XDR engine yet. And what’s more, the required licensing is baked in too.

The new agreement has significantly streamlined the procurement and deployment of Predatar’s market-leading Recovery Assurance technology.

Jonathan Lee, Cybersecurity Director at Trend Micro commented: “Predatar’s technology brings a differentiated approach to cyber recovery, and the integration of our platform further enhances its capabilities. This collaboration reflects the strength of our partnership and our shared commitment to overcoming challenges and delivering continuous innovation.”

Learn more about pre-emptive Recovery Assurance

More than 80% of Predatar customers have found malware in their backups that they didn’t previously know was there. Infected backups and unrecoverable files have the potential to seriously impact incident response and could even make a full recovery following a cyber-attack impossible.

Don’t wait for a crisis to find out if you can recover. Find out more about pre-emptive Recovery Assurance with Predatar and Trend Micro at www.predatar.com


23 May 2025

Crumpets, Cybercrime and CleanRooms. Lessons from the M&S Attack

A blog from our Managing Director, Rick Norgate

For our global readers, let me set the scene. Marks & Spencer, or M&S, is more than just a retailer in the UK. It’s a national institution. Think tea, crumpets and politely saying sorry when someone bumps into you. It’s part of our cultural fabric.

So when M&S was hit by a major cyber attack over the Easter break, it didn’t just rattle the markets. It rattled the nation. As someone who spends every day thinking about how to make businesses more resilient to exactly this kind of event, I wanted to share some thoughts on what happened, why it happened, and what it tells us about where our defences are falling short.

The timeline

The attack landed over Easter, a public holiday weekend when IT and security teams were stretched thin. Scattered Spider, one of the more notorious ransomware gangs, has claimed responsibility.

The attack wiped nearly £1 billion off M&S’s market value, and with some services (including online ordering) still not up and running, the company is reportedly losing around £43 million per week. Despite already paying out a reported £100 million to the attackers via cyber insurance, the company is predicting disruption will continue into July.

How they got in

It’s believed Scattered Spider started with social engineering. Phishing, impersonation, basically exploiting the human layer, which is still the weakest link. This is not unusual. In almost 9 out of 10 successful attacks, the entry point is a person.

Once in, they moved to install ransomware and access Active Directory, locking out admins and, it’s believed, tampering with backups. That’s a logical move. Backups are the safety net. If attackers can take that away, victims are left extremely vulnerable.

But the ransomware wasn’t the start

Most people think ransomware is step one. It’s not. According to Trend Micro, over 90% of attacks start with reconnaissance tools such as keystroke loggers, spyware and credential harvesters. These tools are designed to silently gather intelligence about your estate. They can slip past XDR solutions and allow attackers to learn how to go deeper.

And they don’t hang around. The average time from initial breach to the encryption event is now just 14 days. In 2023, it was 100. That acceleration is no accident. Better security tools mean longer dwell times are risky for attackers. So they move quickly, hit hard, and aim to encrypt when your team is least available.

Enter DragonForce

Scattered Spider didn’t build their own ransomware. They used a service from DragonForce, a dark web group offering ransomware-as-a-service. Think SaaS, but for criminals. DragonForce operates like a business, complete with account managers and affiliate programmes.

Their most popular kit is based on something called LockBit 3.0, which is a leaked builder tool that lets criminals easily customise powerful ransomware that is tailored for each target. It’s modular, it’s configurable and it’s dangerous.

So what if it hits you?

Let’s say LockBit 3.0 is unleashed in your environment. The great news is that fantastic tools exist to help. For example, HPE Zerto has real-time encryption detection. IBM has lightning-fast encryption awareness built into its FlashSystem storage boxes, and it also offers software-based Sensors for virtual workloads.

These are great tools as they close the barn door fast once an encryption event starts. But not before a few horses have already bolted. That’s the nature of reactive defences. They reduce loss, not eliminate it.

So, why not stop it earlier?

Why not test everything, every day?

It sounds obvious, but we all know the reality. Deep scanning production environments for malware every day isn’t feasible. The performance impact on your production systems, the cost, the resources needed, and the disruption. It’s just not practical.

For this reason most XDR tools are configured to scan only new or modified files. That leaves plenty of room for reconnaissance tools to sit quietly, harvesting data while staying under the radar.

What if there was another way?

There is another way. And it doesn’t interfere with your production systems at all.

Your backups. That’s where the value lies. They are a goldmine of information that often sits idle, stored on expensive hardware, doing very little.

With Predatar and Trend Micro, you can automate recovery tests of your backup servers in an isolated CleanRoom™ every single day. Then you can use market-leading XDR tools to scan them for malware with no negative impact on production performance. It’s fast, automated and powered by threat intelligence that’s updated multiple times daily.

We’re talking 500,000 new signatures a day, supported by over 450 threat researchers and 1,500 security engineers.

Why does this matter to CISOs?

Because recovery testing has always been a tick-box exercise. What we’re doing is turning it into a proactive security control. We’re detecting threats at stage one. That gives your team the time and space to respond before the damage is done.

And for those still sceptical?

We’ve found malware in 82% of the client estates we monitor. This is malware that their production XDR tools missed. Every one of those clients uses Gartner Magic Quadrant vendors for their production XDR.

Pie chart showing 82% of Predatar customers found malware, highlighting Trojan horses, spyware, and other threats.

And of that 82%, over half were stage one threats. Keyloggers. Spyware. Trojan horses. The kind of tools that groups like Scattered Spider may well have used to start the M&S attack.

Final thoughts

The M&S attack is a case study in how fast, sophisticated and strategic today’s ransomware operations have become. If your cyber resilience strategy only kicks in after encryption has started, it’s already too late.

Your backup is a valuable untapped asset, your second chance to catch what production missed. Learn more about Predatar Recovery Assurance.

Rick Norgate, Managing Director, Predatar


13 May 2025

Less Cost. More Confidence… with CleanRoom 3

Cybercriminals can take your business down at any time. You need to know that if your organisation is hit by a serious attack, you can restore your critical systems and data – quickly and safely.

At Predatar, it’s our mission to give our customers total recovery confidence. The release of CleanRoom 3, our third-generation Cyber Recovery CleanRoom, has made pre-emptive, AI-powered Recovery Assurance technology attainable for more organisations than ever before.

We’ve put all of our learnings from almost 5 years of ground-breaking CleanRoom innovation into CleanRoom 3. It’s a ‘ground up’ design, with one objective in mind… to lower the barriers to adoption for what is quickly becoming an essential technology for operational resilience.

You can learn how we’ve made CleanRoom 3 more flexible, so you can deploy it in more ways on more types of environment than ever before in this blog, or discover how we’ve made it possible to get your CleanRoom up-and-running in under an hour in this blog.

But, not only is CleanRoom 3 faster to deploy and more flexible – read on to find out how we’ve made it a more cost-effective solution than previous iterations… and made it easier to buy too.

Deploy CleanRoom 3 on your existing infrastructure

Predatar is a subscription-based Recovery Assurance platform. Pricing is based on usage, i.e. how much data a customer chooses to validate using Predatar. Some customers use it to continually test all of their backups and snapshots, while others use Predatar only for their business-critical data.

The pricing model is flexible and fair. It has rarely been considered a barrier to adoption for prospective users. It’s a different story, however, when it comes to the infrastructure required to perform the Recovery Assurance processes – until now.

Previous Predatar CleanRooms have required relatively high-spec servers with specific technical attributes. New customers would need to procure expensive hardware or spin-up expensive new Cloud infrastructure before they could set up their CleanRoom. This added a significant cost to the overall solution.

CleanRoom 3 has been designed to run on widely available ‘commodity’ hardware. Not only is this more cost-effective to buy, but in many cases, customers already own this readily available hardware and can deploy their CleanRoom on existing infrastructure.

Say goodbye to third-party licences

Unlike our previous CleanRoom iterations, CleanRoom 3 is a self-contained virtual appliance. Delivered as an ISO, the new architecture removes the dependency on VMware, meaning Predatar customers are no longer required to purchase VMware licences.

We’ve also worked closely with our Cyber Security partners to remove the requirement for Predatar customers to purchase third-party licensing for the XDR (Extended Detection & Response) capabilities that are built into Predatar.

For Predatar customers using CleanRoom 3, XDR licensing is baked into their Predatar subscription at no additional cost.

Easy to deploy. Easy to buy.

The combination of hardware flexibility and no third-party licensing makes Predatar significantly more cost-effective than ever before. Speed and simplicity of deployment means new customers can save on upfront deployment costs too.

Not only is Predatar now significantly more cost-effective, it’s much easier to buy too. Where once Predatar customers would need to procure infrastructure, VMware and XDR licences from different vendors in addition to their Predatar subscription, now a single Predatar subscription is all that is needed.

Get Recovery Confident

To learn more about how CleanRoom 3 is making Recovery Confidence achievable for organisations like yours, join our next webcast.

Predatar webcast promo for Recovery Assurance For All featuring CleanRoom 3 on May 21, 25-minute duration.

Sign up today!
