Recovery resilience that is assessed, not assumed
Backup & Recovery Check
Successful backup jobs are not evidence of successful restore under pressure. We assess whether your architecture actually supports recovery in a real incident – along 3-2-1 coverage, immutability, restore feasibility and the boundary between backup and disaster recovery.
Why recoveries fail when it counts
A green backup dashboard does not prove restore capability. When restore is required, weaknesses tend to cluster around three areas:
- Backup infrastructure itself — backup consoles are targeted directly in attacks
- Missing immutability or air-gap — snapshots are encrypted alongside production data
- Untested restore ordering — dependencies between services are unknown
What we assess
Architecture — 3-2-1 coverage, immutability, air-gap options, retention windows.
Backup infrastructure hardening — separate authentication domain, MFA for backup admins, access chains.
Restore feasibility — ordering, dependencies, realism of RTO/RPO for critical services.
SaaS coverage — M365 and SaaS data that is frequently missing from backup strategies.
DR-Plus — a structured tabletop exercise to validate the DR plan.
Methodology and tooling
Architecture review — data flow, access model, retention logic.
Restore probes — where you can enable them, sampled probes are the strongest signal for restore capability. Where you cannot, we work with architecture review.
Evaluation framework — NIST SP 800-34, BSI IT-Grundschutz CON.3, BCM requirements from NIS2 Art. 21 and DORA Art. 11.
What you receive after the check
The report is suitable as evidence for management, auditors and cyber insurance providers; the immutability assessment is increasingly requested by insurers.
- An architectural report with flagged weaknesses
- A restore feasibility assessment per critical business service
- A concrete action list with effort estimates
- In DR-Plus: a documented outcome of the tabletop exercise
Phases
Scoping
Business services, backup stack, critical interfaces
Data collection
Architecture walkthrough, configuration exports, optional restore probes
Analysis
Framework evaluation, contextualisation
Report & walkthrough
Delivery + workshop; tabletop in DR-Plus
Report typically within 10 business days after data collection is complete.
Pricing
Tier selected by architectural complexity.
Single-Site
One data centre, well-defined stack
from €3,900
Hybrid
Cloud + on-prem, SaaS data
from €7,900
DR-Plus
Multi-site with DR requirements
from €12,500
Indicative figures; final fixed price after scoping call.
Frequently asked questions
Do we have to run a production restore during the check?
No, but we recommend it. Sampled restore tests are the strongest source of restore evidence. Where operational constraints prevent them, we rely on architecture review and restore feasibility.
Which backup products do you support?
All common ones (e.g. Veeam, Commvault, Rubrik, Cohesity, Azure Backup, AWS Backup, Acronis). The check is product-agnostic – we assess architecture and configuration.
Is immutability alone sufficient?
Immutability protects snapshots against modification; air-gap additionally protects against access. Secure architectures combine the two. The right level depends on your risk profile – which is exactly what we assess.
Are our SaaS data (M365, Salesforce) really at risk?
Vendors are responsible for platform availability, not for data loss caused by accidental or malicious deletion. Without your own SaaS backup, you have no reliable restore path.
How does the check map to DORA and NIS2?
Both frameworks require resilience tests (DORA TLPT/CT, NIS2 Art. 21). Our check provides the operational basis; the report serves as resilience evidence.
Do we need DR-Plus if we already have a DR plan?
We assess the existing plan for realism and effectiveness. Gaps between documented plan and actual infrastructure are common findings – that is the core value of DR-Plus.
Kontakt aufnehmen
Will your backup architecture hold under pressure?
A scoping call is enough to align on stack, critical services and the right tier. No commitment up front.