A security philosophy and architectural model built on one principle: recovery must be continuously proven, not periodically tested or assumed. Analogous to Zero Trust for identity and access, Active Cyber Resilience applies continuous verification to data integrity and recoverability. Requires deep file inspection, three-surface coverage, and evidence-based recovery verification. The defining security control is DDR (Data Detection and Resilience).
Elastio deploys without installing agents on production workloads. All inspection happens through API-level access to snapshots, storage volumes, and backup repositories. No kernel modules. No sidecars. No performance impact on production.
A deployment mode where the Hunt Engine operates in an environment with no outbound internet connectivity. Hunt runs as a single binary against storage volumes across block, file, and object storage. No cloud connection required. Used in regulated environments, classified networks, and high-security deployments.
A backup copy that is physically or logically isolated from production networks and the internet. Air-gap isolation protects against deletion but does not guarantee the data inside is clean. Elastio hunts inside air-gapped backups to confirm they are free of threats before restore. The Hunt Engine runs in air-gapped environments as a single binary with no outbound connectivity required.
A timestamped, evidence-backed record that a specific asset or recovery point was inspected and found clean or compromised at a given point in time. Attestations are the audit artifacts Elastio produces. Used for compliance reporting, board evidence, and regulatory response.
The integration component that connects the Hunt Engine to backup vendor repositories. Provides read-only access to backup data managed by Veeam, Rubrik, Cohesity, Commvault, Veritas, AWS Backup, and Azure Backup. Mounts backup recovery points for deep file inspection without modifying or disrupting the backup environment. Enables third-surface coverage.
The third data surface. Recovery points created and managed by backup vendors. Examples: Veeam backup jobs, Commvault data agents, Cohesity protection groups, Rubrik SLA domains, AWS Backup vaults, Azure Backup vaults. Elastio hunts across backup data from any supported vendor.
The process of verifying that backup data has not been corrupted, encrypted, or tampered with, ensuring recovery points are trustworthy before an incident occurs. A successful backup job and a passing checksum confirm that the copy matches the source; they do not confirm that the source was clean when it was copied. Elastio performs backup integrity validation through deep file inspection, producing R-RPO and Last Known Clean per asset as evidence of a clean recovery point.
The total scope of assets, data, and recovery points affected by a detected threat. Measured after Hunt Engine findings are correlated across all three data surfaces. Blast radius determines how far back recovery must go and how many assets require remediation.
The dividing line in time between recovery points that are verified clean and those that are not. Recovery points at or before the clean boundary that passed inspection are safe to restore from. Recovery points after it are either confirmed compromised or not yet inspected, and neither is safe. The clean boundary moves forward as the Hunt Engine inspects new recovery points and finds them clean.
A verified backup snapshot confirmed free of ransomware, malware, and corruption, and safe for use in a recovery operation. In Elastio terminology: a recovery point that has passed deep file inspection by the Hunt Engine. Clean recovery points establish the Last Known Clean timestamp and clean boundary for each asset.
The compute component deployed inside the customer's cloud account that runs the Hunt Engine. Connects to cloud-native storage APIs (EBS, S3, FSx, Azure Blob, IBM COS) to mount snapshots and volumes for inspection. No agents on production workloads. No data leaves the customer environment. All compute, storage, and hunt state remain inside the customer's cloud account. Supports AWS, Azure, and IBM Cloud.
A hunt policy that runs automatically against selected assets on a defined schedule or cloud event trigger. No manual invocation required. The default operating mode. Every new snapshot, object, volume, and recovery point is inspected as it arrives across all three data surfaces. A policy defines scope (which assets, which data surfaces), the schedule or trigger (new snapshot, new backup event, elapsed time), and the hunt rules to execute. Findings stream to the Elastio Console and the customer SIEM.
The percentage of assets in the environment under continuous Hunt Engine inspection. 100% coverage means every asset has an active hunt policy and produces R-RPO and Last Known Clean data. Coverage gaps are assets that exist in the environment but are not yet connected to Elastio.
User-defined or Elastio-managed detection rules that extend the Hunt Engine beyond its built-in models. SQL queries run against the data surface. YARA rules match binary patterns. Regex rules match text patterns. IOC libraries maintained by Elastio are updated continuously. MCP enables AI agents to define and execute custom hunts autonomously.
The process of restoring IT systems and data after a cyberattack. Unlike traditional disaster recovery, cyber recovery requires confirming backup integrity before restoration to avoid reinfection. Elastio delivers Provable Recovery: the Hunt Engine identifies the last known clean recovery point before restore begins, and the full audit trail provides evidence for insurers, regulators, and the board.
An organization's ability to anticipate, withstand, recover from, and adapt to cyberattacks. Cyber resilience goes beyond prevention to include detection, response, and proven recovery. Elastio frames this as Active Cyber Resilience: recovery must be continuously proven, not periodically tested or assumed.
The security control that continuously hunts for threats in data, scores recovery readiness per asset, and proves recovery will succeed from a clean point. DDR requires four capabilities: (1) An ensemble of detection models fed by deep file inspection, not statistical inference from metadata. (2) Hunting across all three data surfaces (live data, replicated data, and backup data), not just backup repositories. (3) Continuous operation between backup windows, not triggered only during backup jobs. (4) Evidence-based recovery verification with R-RPO per asset, not backup job completion status.
The unauthorized transfer of data from an organization's environment. Modern ransomware attacks frequently combine encryption with exfiltration for double-extortion leverage. Elastio's Persistence Detection model identifies exfiltration indicators before encryption begins.
The three categories of data that DDR requires coverage across, listed in this order: Live Data, Replicated Data, Backup Data. A solution that only hunts backup data does not deliver DDR. Threats that stage in live data or replicated data before reaching backups are invisible to backup-only detection. Three-surface coverage is a defining requirement of DDR and Active Cyber Resilience.
The technical method the Hunt Engine uses to detect threats. Inspection occurs inside the file, not from metadata, entropy scores, or access patterns observed from the outside. An ensemble of detection models runs against what is found inside the file. Anomaly detection tools and most backup vendor checks do not open the file. Deep File Inspection is the architectural distinction that separates DDR from inference-based detection.
An EU regulation requiring financial entities to demonstrate operational resilience, including the ability to recover from ICT-related disruptions. DORA mandates regular testing of recovery capabilities. Elastio's attestation output and R-RPO per asset provide the continuous evidence DORA testing requires.
A ransomware tactic where attackers both encrypt an organization's data and threaten to publish stolen data unless a ransom is paid. Elastio's Persistence Detection model identifies the data staging and exfiltration activity that precedes double-extortion payloads.
The period between when an attacker first gains access to an environment and when the intrusion is detected. During dwell time, the attacker's tooling, persistence mechanisms, staged payloads, and any early encryption are captured into each new recovery point, so several consecutive backups inherit the compromise. Elastio's Continuous Hunt detects activity during dwell time by hunting every new recovery point as it arrives, and identifies the clean boundary: the last point before the attacker was present.
The Active Cyber Resilience platform. Delivers DDR across live data, replicated data, and backup data. One engine, two outcomes: the Hunt Engine detects, and from that detection produces Verified Data and Provable Recovery. Agentless, API-native, deploys in minutes. Tagline: "Recovery you can prove."
The control plane for the Elastio platform. Manages hunt policies, surfaces findings, displays R-RPO and coverage metrics per asset, and provides the audit trail for recovery decisions. Integrates with customer SIEM via alerts and exportable findings. Deployed in two modes: SaaS (Elastio-hosted) or Private Cloud (customer-hosted). The Hunt Engine runs inside the customer environment in both modes. No customer data is transmitted to Elastio infrastructure regardless of Console deployment type.
An implementation of Anthropic's Model Context Protocol that connects AI assistants directly to customer data through Elastio. Enables natural language queries against findings, recovery status, and hunt orchestration. Available at mcp.elastio.com.
Evidence collected by the Hunt Engine during inspection: infected file paths, encryption markers, persistence mechanisms, registry modifications, credential harvesting indicators, and timeline data. Forensic artifacts enable post-incident analysis without re-hunting the environment.
The detection engine within Elastio. Uses an ensemble of detection models to inspect inside every file across block, file, and object storage. Four automated detection models: Zero-Day Ransomware, Persistence Detection, Insider Threat, and Malware. Plus Custom Hunts: analyst-defined rules via SQL, YARA, and regex. Elastio states 99.995% precision and fewer than 5 false positives per 10 million files inspected.
Four automated detection models that compose the Hunt Engine: (1) Zero-Day Ransomware Detection: ensemble of models trained on 2,300+ families and 10,000+ variants. (2) Persistence Detection: attacker persistence mechanisms, lateral movement, credential harvesting, and staged exfiltration indicators across recovery points. Identifies attacker presence before encryption begins. (3) Insider Threat Detection: selective data manipulation by actors with legitimate access. (4) Malware Detection: trojans, backdoors, rootkits, and cryptominers that survived backup cycles. Custom Hunts extend these models with analyst-defined SQL, YARA, and regex rules.
A backup that cannot be modified, deleted, or encrypted after creation for a defined retention period. Immutability protects against deletion but does not guarantee the data inside is clean. An immutable backup that contains ransomware is an immutable liability. Elastio hunts inside immutable backups to confirm they contain verified clean data.
Observable evidence that a system or dataset has been compromised, such as known malicious file hashes, suspicious registry entries, or ransomware artifacts found within backup snapshots. Elastio's Custom Hunt model runs customer-defined and Elastio-managed IOC rules via SQL, YARA, and regex against the full data estate on a continuous basis.
The accuracy ceiling of detection methods that rely on statistical inference (anomaly detection, entropy analysis, metadata heuristics) rather than model-based file inspection. Typically 60 to 85 percent accuracy with high false positive rates. The inference threshold explains why backup vendor detection fails: those methods are bounded by it because they guess from patterns observed outside the file. DDR is not bounded by it because it inspects inside the file. This is a fundamental architectural difference, not a tuning problem.
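The entries on Deep File Inspection and the inference threshold above argue that outside-the-file signals cannot separate encrypted data from data that merely looks random. The following is an added example, not Elastio code and not a description of the Hunt Engine's models: it measures byte entropy on constructed samples (a plain ledger, the same ledger zlib-compressed, and pseudo-random bytes standing in for ransomware output) and shows that an entropy-only heuristic flags the compressed document while a stand-in inspection that opens the file does not. The threshold of 7.2 bits per byte, the 95% printable-text cutoff, and the zlib-only "inspection" are assumptions chosen for the demonstration.

```python
"""Added example (not Elastio code): why byte-entropy heuristics hit the
inference threshold.  Compressed and encrypted data both look random from
the outside; only opening the file separates them."""
import math
import random
import zlib
from collections import Counter

# Constructed sample document: ledger lines with pseudo-random figures, so the
# text is only moderately compressible and the compressed stream is sizeable.
_rng = random.Random(2024)
PLAINTEXT = "".join(
    f"account={_rng.randint(1000, 9999)} amount={_rng.randint(0, 10_000_000) / 100:.2f} currency=USD\n"
    for _ in range(4000)
).encode()

ENTROPY_THRESHOLD = 7.2  # assumed heuristic cutoff, bits per byte (max is 8.0)
TEXT_RATIO = 0.95        # assumed fraction of printable bytes that counts as text


def shannon_entropy(data: bytes) -> float:
    """Bits per byte.  This is all an outside-the-file heuristic gets to see."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(data: bytes) -> str:
    """Entropy-only heuristic: anything above the threshold is called encrypted."""
    return "encrypted" if shannon_entropy(data) > ENTROPY_THRESHOLD else "clear"


def _is_mostly_text(data: bytes) -> bool:
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return bool(data) and printable / len(data) >= TEXT_RATIO


def inspect_verdict(data: bytes) -> str:
    """Stand-in for deep file inspection: open the file and check whether its
    contents parse as something recognisable.  A zlib stream that decompresses
    to readable text is a compressed document, not ransomware output."""
    if _is_mostly_text(data):
        return "clear-text"
    try:
        inner = zlib.decompress(data)
    except zlib.error:
        # Neither text nor a container we can open: this is where a real
        # inspector would apply its detection models or IOC rules.
        return "opaque"
    return "compressed-text" if _is_mostly_text(inner) else "compressed-binary"


def build_samples() -> dict:
    compressed = zlib.compress(PLAINTEXT, 9)
    # Stand-in for a well-encrypted file: seeded pseudo-random bytes of the same
    # length (constructed; no real cipher is involved).
    enc_rng = random.Random(7)
    encrypted = bytes(enc_rng.getrandbits(8) for _ in range(len(compressed)))
    return {"plain": PLAINTEXT, "compressed": compressed, "encrypted": encrypted}


def compare() -> dict:
    """Return {sample: (entropy, entropy-only verdict, inspection verdict)}."""
    return {
        name: (round(shannon_entropy(d), 2), entropy_verdict(d), inspect_verdict(d))
        for name, d in build_samples().items()
    }


if __name__ == "__main__":
    for name, (ent, ev, iv) in compare().items():
        print(f"{name:10s} entropy={ent:5.2f}  heuristic={ev:9s}  inspection={iv}")
```

The compressed sample is the false positive the inference threshold describes: its entropy is as high as the encrypted sample's, so the heuristic cannot tell them apart, while opening the file resolves it immediately. Replacing the zlib check with format-aware parsers and detection models is the part the example leaves to a real inspector.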
The most recent recovery point for a given asset that the Hunt Engine has inspected and confirmed free of threats. This is not the most recent backup. It is the most recent backup that passed deep file inspection. If the last five backups contain ransomware, the last known clean may be days or weeks old.
The first data surface. Production workloads, cloud storage, and file services in their current running state. Examples: EC2 instances, S3 buckets, Azure Blob Storage, EFS, FSx ONTAP, NAS volumes. Elastio hunts live data without agents and without impacting production performance.
New York Department of Financial Services regulation (23 NYCRR 500) requiring financial services companies to maintain cybersecurity programs including regular testing of incident response and recovery plans. Elastio's attestation output provides timestamped, evidence-backed records of recovery point integrity for NYDFS compliance reporting.
The ability to restore data to a specific moment in time. Effective point-in-time recovery requires knowing which recovery points are clean. Elastio's Hunt Engine identifies the Last Known Clean and clean boundary per asset, enabling confident point-in-time recovery to the most recent verified clean state.
The customer-hosted deployment mode for the Elastio Console. The entire Elastio platform, including the Console, runs inside the customer's own cloud account. Used for environments with data residency requirements, regulatory constraints, or network isolation policies that prohibit SaaS connectivity. All platform components remain under the customer's direct control.
The second outcome delivered by the Hunt Engine. Recovery will succeed from a known-clean point without reinfection. R-RPO is measured per asset. Last Known Clean is identified. Recovery is proven continuously, not tested periodically. Addresses two failure modes: (1) Reinfection from a recovery point that contains the triggering threat. (2) Restoration from a corrupted, compromised, or unrestorable point. Provable Recovery eliminates both.
The maximum acceptable amount of data loss measured in time: the maximum age of the recovery point an organization is willing to restore from. Elastio introduces Resilience RPO (R-RPO) as a more precise measurement: the time since the last recovery point confirmed clean through deep file inspection, not just the time since the last backup job completed.
The maximum acceptable downtime before systems must be restored after an incident. Knowing which recovery points are clean before an incident eliminates discovery work during a ransomware response, directly reducing RTO. Elastio's continuous coverage means the Last Known Clean is always known before an incident, not determined during one.
The second data surface. Snapshots, versioned objects, and disaster recovery copies that exist as replicas of live data. Examples: EBS snapshots, AMIs, S3 versioning, Azure snapshots, DRS. These are not backups. They are point-in-time copies managed by cloud infrastructure.
The time between now and the last recovery point that is provably free of threats. Backup RPO measures when the last backup job completed. R-RPO measures when data was last verified clean through deep file inspection. A backup RPO of 1 hour means a copy was made 1 hour ago. An R-RPO of 1 hour means the data was inspected, confirmed clean, and proven recoverable 1 hour ago. These are fundamentally different measurements. R-RPO is always equal to or greater than Backup RPO, because a verified-clean point can never be newer than the newest point: a recovery point that is compromised or not yet inspected still counts toward Backup RPO but not toward R-RPO. The gap between them is unquantified risk.
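The entries on the clean boundary, Last Known Clean, and R-RPO above define the same quantities from different angles. The following is an added example, not Elastio code: it computes Backup RPO, R-RPO, Last Known Clean, the clean boundary, and a per-asset blast radius from a constructed list of recovery points with inspection verdicts. The `RecoveryPoint` record, the three verdict labels, the sample assets (`db-01`, `web-01`, `fs-01`), and the fixed reference time are assumptions made for the demonstration; `db-01` mirrors the "last five backups contain ransomware" case, and `fs-01` shows an asset with no clean point at all.

```python
"""Added example (not Elastio code): Backup RPO vs. R-RPO, Last Known Clean and
the clean boundary, computed from a constructed list of recovery points."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CLEAN, COMPROMISED, UNINSPECTED = "clean", "compromised", "uninspected"


@dataclass(frozen=True)
class RecoveryPoint:
    asset: str
    taken_at: datetime
    verdict: str  # inspection result, or UNINSPECTED if the hunt has not reached it


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # assumed reference time


def _hours_ago(h: int) -> datetime:
    return NOW - timedelta(hours=h)


# Constructed sample: hourly snapshots for three assets.
POINTS = (
    [RecoveryPoint("db-01", _hours_ago(h), COMPROMISED) for h in range(1, 6)]   # last five infected
    + [RecoveryPoint("db-01", _hours_ago(h), CLEAN) for h in range(6, 9)]
    + [RecoveryPoint("db-01", _hours_ago(9), UNINSPECTED)]
    + [RecoveryPoint("web-01", _hours_ago(1), CLEAN), RecoveryPoint("web-01", _hours_ago(2), CLEAN)]
    + [RecoveryPoint("fs-01", _hours_ago(h), COMPROMISED) for h in range(1, 4)]  # no clean point
)


def _asset_points(points, asset):
    """Recovery points for one asset, newest first."""
    return sorted((p for p in points if p.asset == asset), key=lambda p: p.taken_at, reverse=True)


def backup_rpo(points, asset, now=NOW) -> Optional[timedelta]:
    """Time since the newest recovery point, regardless of what it contains."""
    newest = _asset_points(points, asset)
    return now - newest[0].taken_at if newest else None


def last_known_clean(points, asset) -> Optional[RecoveryPoint]:
    """Newest point that was inspected and found clean. Uninspected points do not count."""
    for p in _asset_points(points, asset):
        if p.verdict == CLEAN:
            return p
    return None


def resilience_rpo(points, asset, now=NOW) -> Optional[timedelta]:
    """Time since the Last Known Clean; None means no clean point exists (R-RPO is unbounded)."""
    lkc = last_known_clean(points, asset)
    return now - lkc.taken_at if lkc else None


def clean_boundary(points, asset) -> Optional[datetime]:
    """Instant separating verified-clean points (at or before it) from compromised
    or uninspected ones (after it). It coincides with the Last Known Clean."""
    lkc = last_known_clean(points, asset)
    return lkc.taken_at if lkc else None


def points_past_boundary(points, asset) -> int:
    """Recovery points newer than the clean boundary: the ones a restore must not use.
    With no boundary at all, every point is unusable."""
    boundary = clean_boundary(points, asset)
    return sum(1 for p in _asset_points(points, asset) if boundary is None or p.taken_at > boundary)


def blast_radius(points) -> set:
    """Assets with at least one compromised recovery point."""
    return {p.asset for p in points if p.verdict == COMPROMISED}


def summarize(points=POINTS, now=NOW) -> dict:
    """Per-asset Backup RPO and R-RPO in hours, clean boundary, and unusable point count."""
    out = {}
    for asset in sorted({p.asset for p in points}):
        b = backup_rpo(points, asset, now)
        r = resilience_rpo(points, asset, now)
        out[asset] = {
            "backup_rpo_h": b.total_seconds() / 3600 if b is not None else None,
            "r_rpo_h": r.total_seconds() / 3600 if r is not None else None,
            "last_known_clean": clean_boundary(points, asset),
            "unusable_points": points_past_boundary(points, asset),
        }
    return out


if __name__ == "__main__":
    for asset, s in summarize().items():
        print(asset, s)
    print("blast radius:", sorted(blast_radius(POINTS)))
```

For `db-01` the Backup RPO is 1 hour while the R-RPO is 6 hours: five hours of "successful" backups that cannot be restored from. `fs-01` has no R-RPO at all, which is the case a recovery plan has to treat as a gap rather than a number.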
The Elastio-hosted deployment mode for the Elastio Console. Zero infrastructure to provision or manage. The Console, dashboards, policy management, and findings storage are operated by Elastio. The Hunt Engine and all connectors remain inside the customer's cloud environment. No customer data is transmitted to Elastio infrastructure.
U.S. Securities and Exchange Commission rules requiring public companies to disclose material cybersecurity incidents and describe their risk management processes. Elastio's audit trail and attestation output provide the evidence layer for SEC disclosure: timestamped findings, clean boundaries, and recovery decisions logged with full context.
The requirement that DDR must inspect data across all three data surfaces: live data, replicated data, and backup data. A solution that only operates on one surface leaves the other two uninspected. This is the architectural gap that DDR closes.
The first outcome delivered by the Hunt Engine. Threats found, classified, and bounded per asset. Produces R-RPO, Last Known Clean, Clean Boundary, and Blast Radius for every asset under coverage. Verified Data is the continuous output of Hunt Engine inspection across live data, replicated data, and backup data.