Key takeaways
- Backup protects a copy after the fact; it is a recovery mechanism, not a control.
- It cannot detect attacks, stop exfiltration, or prevent insider theft.
- Active defense on production data is what closes the window backups leave open.
There is a comfortable assumption in a lot of security programs: if we have immutable backups, we are covered. Backups are essential, and immutability is a real improvement over what came before. But a backup is a recovery target, not a control. It cannot see what is happening to production data, cannot stop an attack in progress, and cannot tell you that sensitive files were copied before they were encrypted.
What backup cannot do
Modern extortion frequently steals data before encrypting it. By the time you restore from a clean backup, the attacker still has the data and the leverage. Backup does nothing about that. It also does nothing about a credentialed insider quietly reading files they should not, because nothing in the backup workflow watches live access.
The point is not to trust backups less. It is to stop treating them as the whole strategy. The window between when an attack starts and when you reach for the backup is exactly where the damage — encryption, theft, exposure — actually happens.
Defend the data, then recover it
Active defense on production data closes that window. Detect the malicious behavior inline, stop the session, preserve the evidence, and then recover surgically from immutable copies. Backup is the last step of that chain, not a substitute for the rest of it.
