Built-In vs. Bolt-On Cyberstorage
Bolt-on tools like Superna Ransomware Defender and ProLion CryptoSpike read audit logs after the storage has already served the request. To stop APTs, insider threats, and data theft, Active Defense has to live inside the NAS — in the data path, not next to it.
Cyberstorage is a place, not a product line
The whole point of Cyberstorage is that the storage system is an active participant in defense — not a passive log source for somebody else's tool. That distinction is not marketing language. It is an architectural one. The defense either lives inside the NAS data path, or it does not.
Bolt-on storage security products — Superna Ransomware Defender on top of Dell PowerScale, ProLion CryptoSpike on top of NetApp, and similar tools — operate by consuming the underlying NAS's audit feed, correlating events, and triggering an out-of-band response. That architecture has a ceiling. It cannot inspect operations before they commit. It cannot stop the operation that is happening right now. It cannot enforce zero-trust policy at the moment of access. It can only react after the storage has already served the request.
Against commodity ransomware, that ceiling is uncomfortable but tolerable. Against APTs, insider threats, and quiet data theft, it is the wrong architecture for the threat.
Six things that only happen inside the storage
These are not features you can replicate by pointing a security tool at a NAS's audit log. They are properties of an integrated architecture.
Inline
Inspection in the data path
Every SMB, NFS, and S3 operation evaluated against behavioral analytics, AI-driven anomaly detection, and zero-trust policy — before the operation commits. Not in a downstream log pipeline. Not after the fact.
Automatic
Real-time response in the storage
When Active Defense recognizes an attack pattern, the platform terminates the offending session and isolates the user in under a second — without a human in the loop, without an external SIEM/SOAR, without a console click.
Native
Zero Trust at the data layer
Zero trust policy evaluated and enforced for every operation, by the storage itself — no implicit trust, no bolt-on policy engine, no separate enforcement point. Trust is decided where the data lives, at the moment of access.
Forensic
Immutable audit by construction
Every file operation captured by the platform that served it — complete, ordered, tamper-evident. The forensic record is a byproduct of how the storage works, not a feature you have to enable and hope is correct.
Surgical
Intelligent Bulk Remediation
Roll back only the files an attack session touched, in minutes. Use the platform's own forensic record — not snapshots that may have been compromised — to recover with confidence.
Vaulted
ImmutaVault
A virtual air gap inside the storage system itself — immutable, indelible, isolated copies of critical data that survive even administrative compromise. No separate vault appliance.
Bolt-on storage security vs. built-in Cyberstorage
Where bolt-on tools sit, what they can see, and how fast they can act — compared to a NAS where Active Defense is part of the platform.
| Capability | Bolt-On (Superna, CryptoSpike, etc.) | Built-In (BrickStor SP) |
|---|---|---|
| Where it inspects file operations | Out-of-band — reads audit logs and event feeds after the storage has already served the request | Inline in the storage data path — every SMB, NFS, and S3 operation evaluated before it commits |
| How fast it can stop an attack | Seconds to minutes — depends on log shipping, event correlation, and an out-of-band action | Sub-second — the storage itself terminates the session and isolates the user |
| Visibility into authorized credential abuse | Limited — looks for ransomware signatures and entropy spikes; misses slow exfiltration | Full — behavioral analytics on every operation catch quiet, credentialed data theft |
| Coverage when the bolt-on agent is bypassed or disabled | None — if the agent or external tool is compromised or off, the storage keeps serving | Active Defense is the storage — it cannot be bypassed without taking the NAS offline |
| Audit and forensic record | Whatever the source NAS exposes via its audit feed — gaps and lossy events are common | Native, immutable, complete — every operation captured by the platform that served it |
| Surgical recovery from a cyber event | Restore from snapshots or backups — restores entire shares, including unaffected files | Intelligent Bulk Remediation rolls back only the files an attack session touched |
| Zero-trust enforcement at the data layer | Inherits whatever the underlying NAS supports — typically POSIX/AD ACLs only | Native ABAC — attribute-based access control evaluated for every operation |
| Coverage of the threats that matter most | Tuned for known ransomware patterns; weak against APTs, insiders, and slow theft | Designed for APTs, insider exfiltration, and data theft — not just commodity ransomware |
Three limits no amount of tuning can fix
Beyond what the table shows, three properties of the bolt-on architecture cannot be configured away.
It can be bypassed, disabled, or starved
A separate agent or external service is a separate failure domain. Compromise the credential it uses to query the NAS, kill the connector, throttle its event feed, or simply turn it off — and the storage keeps serving every request.
It depends on the NAS exposing the right telemetry
Bolt-on products can only see what the underlying storage tells them. Most legacy NAS platforms leak a partial, lossy event stream optimized for compliance audit, not for real-time threat detection. Coverage gaps are structural.
You are paying twice for an incomplete picture
Bolt-on means a separate license, separate infrastructure, separate operations, and a separate vendor relationship — for capabilities that, even at their best, are a subset of what a true Cyberstorage platform delivers natively.
APTs, insiders, and data theft don't look like ransomware
The threats that hurt the most are the ones bolt-on tools were never designed to catch.
Advanced Persistent Threats (APTs)
The pain: APTs use legitimate credentials, blend into normal traffic, and operate over weeks or months. They do not encrypt files. They read them.
Why built-in matters: Inline inspection on every read — combined with behavioral analytics that profile normal access patterns per user, host, and dataset — is the only way to flag credentialed access that is shaped like exfiltration. Bolt-on log analyzers, tuned to ransomware signatures, miss it.
Insider Threats
The pain: A privileged user, a disgruntled engineer, or a compromised admin account does exactly what they are authorized to do — at a volume and pace that a human reviewer would never catch in time.
Why built-in matters: Cyberstorage enforces ABAC and behavioral policy at the moment of access, not in a SIEM dashboard hours later. The storage itself denies the operation, captures the attempt, and isolates the user. Bolt-on tools can alert; they cannot stop.
Data Theft and Exfiltration
The pain: Modern attacks exfiltrate before they encrypt. The ransomware is leverage; the data theft is the business model.
Why built-in matters: Detecting exfiltration requires watching every read in real time and recognizing patterns — large transfers, off-hours access, unusual host or path combinations — at the storage layer, before the bytes leave. A NAS that only logs reads cannot stop them.
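An added illustration, not RackTop's code or part of the original page: a minimal gate that scores each read before it is served, against a per-user baseline, using the three signals named above (large transfers, off-hours access, unusual host or path combinations). The class name, thresholds, event fields, and sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class ReadGate:
    """Scores each read before it is served; all thresholds are assumed values."""
    def __init__(self, window=timedelta(minutes=10), volume_factor=5, deny_at=2):
        self.window, self.volume_factor, self.deny_at = window, volume_factor, deny_at
        self.pairs = defaultdict(set)    # user -> {(host, dataset)} seen in baseline
        self.hours = defaultdict(set)    # user -> hours of day seen in baseline
        self.peak = defaultdict(int)     # user -> largest windowed byte total in baseline
        self.recent = defaultdict(list)  # user -> [(ts, nbytes)] inside the window

    def _windowed(self, user, ts, nbytes):
        # Sliding-window byte total, counting the request being evaluated.
        kept = [(t, b) for t, b in self.recent[user] if ts - t <= self.window]
        kept.append((ts, nbytes))
        self.recent[user] = kept
        return sum(b for _, b in kept)

    def learn(self, ts, user, host, path, nbytes):
        """Feed known-good history to build the per-user profile."""
        self.pairs[user].add((host, path.split("/")[1]))  # dataset = top-level dir
        self.hours[user].add(ts.hour)
        self.peak[user] = max(self.peak[user], self._windowed(user, ts, nbytes))

    def decide(self, ts, user, host, path, nbytes):
        """Return (verdict, signals) before any bytes go back to the client."""
        signals = []
        if self._windowed(user, ts, nbytes) > self.volume_factor * self.peak[user]:
            signals.append("large-transfer")
        if ts.hour not in self.hours[user]:
            signals.append("off-hours")
        if (host, path.split("/")[1]) not in self.pairs[user]:
            signals.append("unusual-host-path")
        return ("deny" if len(signals) >= self.deny_at else "allow"), signals

def demo():
    gate = ReadGate()
    day = datetime(2024, 3, 4, 9, 0)  # constructed baseline: office hours, one workstation
    for i in range(8):
        gate.learn(day + timedelta(hours=i), "alice", "ws-17", "/eng/designs/a.dwg", 20_000_000)
    normal = gate.decide(datetime(2024, 3, 5, 10, 0), "alice", "ws-17",
                         "/eng/designs/b.dwg", 25_000_000)
    odd = gate.decide(datetime(2024, 3, 6, 2, 30), "alice", "jump-03",
                      "/finance/ledger.db", 400_000_000)
    return normal, odd
```

A user with no baseline trips all three signals and is denied, which matches the no-implicit-trust stance; a single signal alone is recorded but allowed under the assumed `deny_at=2`.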
BrickStor SP was first — and is still the only platform with the full architecture
While other vendors were treating storage security as someone else's problem, RackTop was building the architecture. The dates are not marketing claims — they are public, verifiable, and patented.
2018
CyberConverged™ Storage
RackTop coined the term and shipped the first NAS designed around embedded cybersecurity — encryption, key management, and Multi-Level Security baked into the platform.
October 2020
Active Defense ships
The first NAS with inline threat detection, automated response, and surgical remediation in the storage data path. The first true Cyberstorage product in production.
July 2021
Gartner names the category
Gartner introduces "Cyberstorage" — nine months after BrickStor SP shipped Active Defense — and names RackTop a sample vendor in the category's debut report.
2024–2026
Four U.S. patents issued
Active Defense (filed September 2020 — ten months before the category had a name), Intelligent Bulk Remediation, Transparent Data Movement, and ImmutaVault — the patented architecture that defines end-to-end Cyberstorage.
End-to-end means inline detection, automated response, ABAC, immutable audit, surgical recovery, and a built-in virtual air gap — delivered by a single platform. Not assembled from a primary NAS plus a bolt-on.
If your threat model includes APTs, insiders, or data theft, the architecture is the decision
The honest framing: bolt-on tools are real products that do real work. For organizations whose primary concern is commodity ransomware against a legacy NAS they cannot replace, they can raise the floor.
But if the threat model is broader — credentialed insiders, nation-state APTs reading sensitive data, quiet long-running exfiltration of intellectual property, AI training corpora, or regulated records — the bolt-on architecture is the wrong shape. You need a NAS that inspects every operation in real time, enforces zero trust at the data layer, and stops the operation before it commits. That is a different kind of storage system, not a different kind of agent on top of an old one.
That kind of storage system is Cyberstorage. The original is BrickStor SP.
Built-in vs. bolt-on, answered
- Bolt-on tools (e.g., Superna Ransomware Defender on Dell PowerScale, ProLion CryptoSpike on NetApp) sit outside the storage system, consume its audit telemetry, and react to suspicious patterns in those logs. Cyberstorage embeds detection and automated response inside the storage data path itself — every operation is inspected and can be stopped before it commits. The difference is architectural: bolt-on is reactive after the fact; Cyberstorage is inline and preventive.
- They are not designed to. Most bolt-on storage security products are tuned for commodity ransomware patterns — mass file rewrites and high-entropy writes. APTs and insider threats use authorized credentials, move slowly, and read more than they write. Detecting that pattern requires inline behavioral analytics on every operation, ABAC enforcement at the data layer, and the ability to terminate sessions in real time — capabilities that live inside Cyberstorage platforms like BrickStor SP, not bolt-on agents.
- RackTop Systems. RackTop coined "CyberConverged™ Storage" in 2018, shipped the first inline Active Defense capability in October 2020, and was named by Gartner as a sample vendor when Gartner introduced the term "Cyberstorage" in July 2021. RackTop holds four U.S. patents on the core architecture: Active Defense, Intelligent Bulk Remediation, Transparent Data Movement, and ImmutaVault.
- BrickStor SP — the original and only NAS that ships with inline detection, automated response, ABAC, immutable forensic audit, surgical recovery, and a built-in virtual air gap as a single, integrated platform. End-to-end means every layer of the Cyberstorage definition is delivered by one platform, not assembled from a primary NAS plus a third-party security tool.
- Inline inspection requires sitting inside the data path of the storage system and being able to terminate operations before they commit. The major NAS platforms do not expose that point of control to third-party software — they were not architected for it. Bolt-on products are built around the constraints of consuming audit feeds from outside the storage. That is a different architecture, not a different feature.
- Cyberstorage produces continuous compliance evidence as a byproduct of how the platform operates — every operation captured, every policy decision logged, every Active Defense response recorded. With bolt-on tools, compliance evidence depends on whatever the underlying NAS exposes, plus whatever the bolt-on captures, with gaps where the two do not line up. For regulated environments — CMMC / NIST 800-171, HIPAA, financial services — built-in is materially easier to defend in an audit.
