Backup & disaster recovery that actually restores when ransomware hits at 3am
Veeam, Datto SIRIS, immutable cloud, and SaaS backup — engineered so an admin with stolen credentials cannot delete your backup chain. Quarterly screenshot-verified restores, named DR engineer on the bridge call, and SOC 2 evidence delivered to your portal.
No credit card. 20-minute call to scope data volume, RPO target, and current backup state. Same-day written summary.
across all clients
per year · 100% pass rate
across DR events last 12 mo
across 14 ransomware events in 2025
Three lanes for backup & recovery. Per-seat pricing. The CFO can model it before the next board meeting.
Every tier writes to immutable storage by default. The difference is whether you need a local appliance for sub-hour RTO, multi-site replication, or air-gapped vaulting for regulators. Upgrades are in-place — we don't re-seed your backup chain.
- Endpoint backup (Windows, Mac, Linux) with 24-hour RPO
- Microsoft 365 backup: mailbox, OneDrive, SharePoint, Teams
- Immutable cloud storage on Wasabi or AWS Glacier
- Monthly file-level restore test, screenshot evidence
- 30-day retention standard, 90-day available
- 3-day onboarding, deployed via API + agents
- Everything in Essentials
- Datto SIRIS appliance on-site for sub-hour RTO local restore
- 15-minute RPO via incremental hypervisor snapshots
- Immutable cloud replication to Datto Cloud (3-2-1-1-0 by default)
- Quarterly full DR exercise — we restore your top VMs in our cloud and screenshot the application login
- Salesforce backup via OwnBackup (first 100 users included)
- Named DR engineer for any P1 event
- Everything in Resilient
- Cohesity / Rubrik / Veeam Hardened Repository on customer-owned infra
- Continuous Data Protection (CDP) for tier-1 VMs — near-zero RPO
- Multi-site cross-replication with sub-15-minute RTO
- Air-gapped weekly vault for HIPAA / CMMC / FedRAMP workloads
- Annual full failover tabletop exercise with your executive team
- Customer-managed encryption keys (KMS / HSM)
Seven ways data dies. Seven different recovery paths. Here is how each one actually plays out.
"Backups" doesn't mean anything. The question is which failure mode hits you and whether you have the right copy, in the right location, with the right restore tool, to recover from it. Here is what we actually do for each.
| Failure mode | What it looks like | Primary recovery | Realistic time-to-restore |
|---|---|---|---|
| Ransomware | Files encrypted, ransom note dropped, attacker also tried to delete backups | Datto SIRIS local instant-boot — backups untouched because immutable retention prevents deletion even by domain admin | 2-6 hours for top VMs to local appliance, then schedule full restore |
| Datacenter fire / flood | Physical site destroyed, hardware unrecoverable, on-prem servers gone | Cloud failover from immutable replica to Datto Cloud or AWS, run production from cloud during rebuild | 4-8 hours to bring tier-1 production live in cloud |
| Disgruntled admin | Departing IT person deletes backups, hypervisor LUNs, M365 mailboxes on the way out | Immutable retention prevents backup chain deletion. M365 backup is in our tenant, not theirs — outside their reach. | Same day — mailbox-level restore in minutes, full server rebuild within hours |
| Hardware failure | Server motherboard dies, RAID controller fails, storage array goes offline | Instant boot of failed VM directly from local Datto repository while replacement hardware ships | 15-60 minutes for VM back online; production runs from BCDR until hardware swap |
| Accidental deletion | User deletes the wrong folder, marketing ops admin runs bad data load, dev drops production table | Granular file / object / database table restore from any retained recovery point | Under 30 minutes from ticket open to restored item in user's hands |
| M365 mailbox loss | Departing employee's mailbox deleted past 30-day retention, legal needs the emails for a discovery request | Veeam Backup for M365 retains beyond Microsoft's native window — up to 7 years configurable | Same business day — mailbox export to PST or live restore to a holding mailbox |
| SaaS account compromise | Salesforce admin credentials stolen, attacker mass-deletes records or runs destructive update | OwnBackup point-in-time restore to last clean snapshot, surgical record-level rollback for partial damage | 2-12 hours depending on record count; partial restores can run while production stays live |
The full recovery runbook (per workload, with named engineers and step-by-step recovery commands) is in every Statement of Work. Ask for a sample runbook.
80-employee professional services firm. Ransomware Friday 11pm. $0 paid, doors open Monday.
A regional accounting firm got hit at the worst possible time — Friday night before tax extension deadline week. Their domain controllers were encrypted, their primary file server was encrypted, and the attacker had used the domain admin account to try to wipe the backup repository. This is what the next 10 hours looked like. Names changed, timing real.
"Brennan Ridge CPAs" · 80 seats · 1 office · Western PA
- 22:48 SentinelOne EDR detects mass-encryption activity on FILE-01. Auto-isolates the host. Pages on-call. Datto SIRIS appliance fires nightly screenshot verification at 23:00 — last good backup confirmed at 22:00.
- 23:04 Diego Ramirez (DR Lead, Tampa) takes the bridge call. Confirms ransomware. Attempts to delete Datto repository fail — immutable retention rejects every delete API call. Backup chain intact. The attacker's PowerShell script logs the failure and gives up.
- 23:18 Network segmented at the firewall. All managed endpoints quarantined to a clean VLAN. 17 endpoints confirmed encrypted, 63 confirmed clean. Domain admin password reset to a 24-character break-glass credential.
- 23:42 Instant-boot of FILE-01 from Datto SIRIS local repository (22:00 snapshot) into isolated recovery network. Application login screen reached and screenshot captured at 23:51 EDT. RTO measured: 63 minutes from detection.
- 01:30 DC-01 and DC-02 instant-booted from BCDR. Active Directory restored from authoritative replica. Group Policy verified clean. Tax-prep workflow systems back online by 02:15.
- 04:50 Forensic capture of encrypted hosts handed to Priya Venkatesh (IR Lead). Initial entry vector confirmed: MFA bombing of a junior staff account (no number-matching enforced — gap closed Saturday morning across all 80 users).
- Sat 09:00 All production restored. 17 encrypted endpoints reimaged from clean Autopilot baseline by Saturday noon. Tax preparation continues on schedule. Zero ransom paid. Zero customer notification required (no client tax data touched).
- Mon Doors open Monday morning at 8am as normal. Post-incident report filed with cyber insurance carrier; covered loss came in at $11,400 (engineering hours + 17 reimaged laptops). The carrier's incident response retainer was never activated. LockBit affiliate's wallet got exactly $0.
Backup is half of every framework's audit. We deliver the evidence the auditor asks for.
Quarterly evidence packets include: immutability proof (object-lock policy snapshot), restore-test logs with screenshot verification, RPO measurements per workload, retention policy attestation, and the named DR runbook with last-execution date. Auditors love this; your team gets their weekend back.
When the ransomware hits at 3am, these are the engineers who restore your file server before sunrise.
Our DR engineers and NOC are staffed in-house from Orlando, Tampa, and Chicago. Every named DR Lead has run at least 50 production restores and at least 5 actual ransomware recoveries before they take a P1 bridge call. No overseas tier-1 wall, no shift handoffs in the middle of your incident.
Ten questions. Honest answers.
What is the difference between backup and disaster recovery?
Backup is a copy of your data. Disaster recovery is the orchestrated plan that uses those backups to get you back to a working production state inside an agreed-upon RTO. A backup tells you the data exists somewhere. A DR plan tells you exactly which engineer is going to run which runbook on which infrastructure to have your ERP back online by 9am Monday. We deliver both as one managed service — backups that are tested every quarter via a real restore, not a green checkmark in a dashboard.
Will your backups survive a ransomware attack?
Yes, by design. Every Resilient and Enterprise plan writes to immutable storage (Veeam Hardened Repository, Datto Cloud immutable retention, Wasabi object-lock, or AWS S3 Glacier with vault lock). Once written, the backup cannot be deleted or modified — even by an admin with stolen credentials — for the configured retention window (typically 30-90 days). Ransomware that compromises your domain admin cannot reach into the backup chain. We also keep an air-gapped weekly vault for clients with regulatory requirements.
What is RPO and RTO and what are realistic targets for SMB?
RPO (Recovery Point Objective) is how much data you can afford to lose, measured in time. RTO (Recovery Time Objective) is how long the recovery itself can take. Most SMBs assume they have 24-hour RPO from a tape that nobody has tested in 8 months. Our Resilient plan delivers 15-minute RPO and sub-1-hour RTO for VMs on the local Datto appliance, and 4-hour RTO for a full-site cloud failover. We've delivered sub-5-minute RPO for a regulated client running CDP replication.
How do you actually test the backups?
Three layers, every quarter. First, automated screenshot verification — every nightly backup is booted into an isolated sandbox and a screenshot of the OS login screen is captured and stored as proof. Second, file-level recovery test — we restore a randomly chosen file each month and compare hashes. Third, full DR exercise — every quarter we spin up your top 3 production VMs in our cloud, take a screenshot of the application login (not just the OS), and document the elapsed time. The report goes to your portal and your auditor.
Do you back up Microsoft 365 and Google Workspace?
Yes. Microsoft and Google explicitly do not back up your data — they replicate it. If a user (or attacker) deletes a mailbox, OneDrive folder, SharePoint site, or Teams channel beyond the native retention window (typically 30-90 days), the data is gone. We back up M365 mailboxes, OneDrive, SharePoint, Teams, and Microsoft Planner with unlimited retention via Veeam Backup for M365 or Datto SaaS Protection. Google Workspace uses the same products. Restoration is granular — single email, single file, single channel post.
What about SaaS apps like Salesforce, HubSpot, and QuickBooks?
Salesforce backup is included in the Resilient and Enterprise tiers via OwnBackup or Spanning. We can also back up HubSpot, Dynamics 365, NetSuite, ServiceNow, GitHub, GitLab, and Atlassian via API-level backup tools. Most clients don't realize Salesforce removed its native restoration service in 2020 — if a marketing operations admin runs a bad data load on a Friday, the only path to undo it is your third-party backup.
How long does onboarding take?
Cloud-only Essentials: 3 business days from signed agreement to first backup. Resilient with on-site Datto appliance: typically 14 business days, including hardware shipment, configuration, network integration, and a 7-day shadow run before we cut over from any incumbent backup tool. Enterprise multi-site: scoped per environment. We never decommission your existing backup until ours has run a full successful restore from your environment.
What happens during an actual disaster — who runs it?
Our 24/7 NOC initiates within 15 minutes of a confirmed P1 (you call, or our monitoring alerts us). A named DR Lead engineer takes the bridge call and stays on it until production is restored — no shift changes, no handoffs. We follow the runbook we wrote during onboarding, communicate status every 30 minutes via your preferred channel (Teams, Slack, phone tree), and document everything for the post-incident report. Enterprise tier includes an annual full-failover tabletop exercise where your executives also practice the comms side.
Is this HIPAA / SOC 2 / PCI compliant?
Yes. Our backup architecture is BAA-eligible for HIPAA (PHI is encrypted in transit and at rest with customer-managed keys available), produces SOC 2 evidence automatically (immutability proof, restore-test logs, RTO measurements), and meets PCI-DSS retention requirements for cardholder data environments. We've supported 90+ HIPAA-regulated clients and 180+ SOC 2 clients. Evidence packets are quarterly; auditors love the screenshot-verified restore logs.
Can you restore a single file or do we have to restore the whole VM?
Both. Granular restore at the file, folder, mailbox, mailbox-item, database table, or VM level. We can mount a backup as a read-only volume to recover a single Word document from 47 days ago, or instantly boot a VM directly from the backup repository for full disaster recovery. Most week-to-week restores are file-level and take under 10 minutes from ticket open to restored file in the user's hands.
Find out where your backup chain breaks — before ransomware does.
Our free BDR readiness check looks at your current backup state: tooling, retention, immutability, last successful restore test, and RTO/RPO posture against your stated business needs. 20-minute call, written summary back same day, no obligation.