Why Backup & Cyber Recovery needs proper tools — and what that looks like.
Why it matters
Backup is insurance against two very different problems: hardware failure, and a motivated attacker. The first has been solved for 20 years. The second changes every quarter. Modern backup has to assume an admin credential will be compromised — and plan for the scenario where your backup estate is itself a primary target.
If your backup copy can be deleted with the same credential that encrypted production, it isn't a backup — it's a hostage. Getting this right is the difference between a bad weekend and a company-ending event.
What good looks like
Immutable copies that no admin — including yours — can delete inside the retention window. Air-gap to a storage target that isn't part of the production trust chain. Granular restore for M365 mailboxes, OneDrive, SharePoint and Teams, item by item.
Ransomware detection on the backup stream itself, not just on the primary estate. Recovery drills that actually run, quarterly, with a clean-room environment for verification before you cut over. RPO and RTO numbers the business has signed off on — and can prove are being met.
Pitfalls without the right tools
A backup policy on paper that no one has tested in production. 'Immutable' copies that a domain admin can still nuke with enough rights. M365 protection that restores the whole tenant but not one user's lost folder.
RPO promises to the business that assume the network is up — it won't be. A recovery runbook that references a person who left two years ago. Ransomware that sits quietly in the backup stream for 90 days before detonating, by which time every retention window has flushed the clean copies.
Use cases
Immutable VM backup
Hyper-V, VMware and AHV with air-gap copies and ransomware detection (Vembu, BDRShield).
M365 granular restore
Mailbox, OneDrive, SharePoint and Teams — item-level, with retention policies.
Endpoint & laptop backup
Agents for Windows and Mac laptops with delta-sync and self-service restore.
DR orchestration
One-click failover with automated runbooks and test-recovery schedules.
Our approach
01 Scope
Inventory VMs, M365 tenants, endpoints and SaaS workloads. Classify data by RPO / RTO tier with your team.
02 Design
3-2-1-1-0 architecture with Vembu for primary backup, BDRShield for cyber recovery, immutable object storage for air-gap.
03 Test
Quarterly restore drills + one ransomware simulation per year. Runbooks validated end-to-end before go-live.
04 Operate
SLA-backed recovery service, monthly backup health reports and alert escalation into your SIEM or ticket system.
FAQs
Can you restore individual M365 items, not full mailboxes?
Yes. Vembu BDRSuite does item-level restore across Exchange Online, OneDrive, SharePoint and Teams — and retains data after the user leaves.
How do you achieve true air-gap without a separate data centre?
Immutable object storage with S3 Object Lock (AWS, Wasabi, MinIO) or hardened local repositories with snapshot isolation — admins cannot delete within the retention window.
What is BDRShield doing that Vembu on its own does not?
Behavioural anomaly detection on the backup stream itself, plus clean-room restore into an isolated network for forensic verification before cutting over to production.
What RPO and RTO can you realistically commit to?
15-minute RPO on Tier-1 VMs with continuous data protection; 4-hour RPO on Tier-3. RTO depends on restore target but sub-hour for single-VM failures is typical.
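For the S3 Object Lock answer above: in S3, only COMPLIANCE mode blocks every principal from deleting a locked version, while GOVERNANCE mode can be overridden by anyone holding s3:BypassGovernanceRetention. The sketch below is an added example, not vendor or project code. It audits a document shaped like the S3 GetObjectLockConfiguration response; the sample documents are constructed and the 120-day minimum is an assumed policy value.

```python
# Added example: offline audit of an S3 Object Lock configuration document.
# Input shape follows the S3 GetObjectLockConfiguration response.
# MIN_RETENTION_DAYS is an assumed policy value, chosen to outlast the
# 90-day dormant-ransomware scenario described in the pitfalls section.
MIN_RETENTION_DAYS = 120


def audit_object_lock(lock_cfg, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object-lock-disabled"]
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # No bucket default: a version is locked only if the uploader set
        # retention on that specific object, so coverage is unknown.
        return ["no-default-retention"]
    findings = []
    if retention.get("Mode") != "COMPLIANCE":
        # GOVERNANCE can be bypassed with s3:BypassGovernanceRetention.
        findings.append("mode-allows-privileged-bypass")
    # The API accepts either Days or Years; normalise to days.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"retention-too-short:{days}<{min_days}")
    return findings


# Constructed sample documents (not captured from a real bucket).
SAMPLE_WEAK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
SAMPLE_STRONG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}
SAMPLE_NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}

if __name__ == "__main__":
    for name, doc in [("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG),
                      ("no-rule", SAMPLE_NO_RULE), ("unlocked", {})]:
        print(name, audit_object_lock(doc) or "OK")
```

S3-compatible targets may differ in how they enforce each mode, so confirm the behaviour against the storage vendor's documentation before relying on this result.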
