BrickStor SP vs Cohesity SmartFiles — primary Cyberstorage vs file services on a backup platform
Cohesity built one of the industry's strongest data protection platforms, and SmartFiles brings file and object services to it. The question for buyers is not whether Cohesity is good at what it does — it is whether a platform engineered to consolidate and protect copies of data is the right place to serve and defend the live data itself. This page compares the two across storage, security, and performance.
A backup platform serving files vs a file platform built to defend
Cohesity SmartFiles is the file and object face of the Cohesity Data Cloud. The underlying platform — SpanFS — was engineered to consolidate secondary data: backup targets, archives, digital libraries, rich media, and video surveillance, with global deduplication, compression, and erasure coding delivering excellent capacity efficiency for exactly those workloads. Its security stack follows the same center of gravity: DataLock WORM retention on the cluster, machine-learning anomaly detection in the Helios cloud control plane, and DataHawk and FortKnox delivered as SaaS subscriptions for threat scanning, classification, and cyber vaulting.
BrickStor SP was engineered from the first line of code as primary storage that defends itself. Patented Active Defense evaluates every read, write, and delete inline in the data path. ABAC governs every SMB, NFS, S3, and Web Drive operation. ImmutaVault provides a virtual air gap inside the platform, and Intelligent Bulk Remediation rolls back only the files an attack touched — all on the controller, with no cloud dependency and no separate analytics tier.
Why this matters: Cohesity protects copies of your data. BrickStor SP protects the data itself, live, where attacks actually land. Those are different jobs — and the architecture each vendor built reflects the job it was built for.
Credit where it's due
Data protection at scale. Cohesity is one of the largest data backup vendors in the industry — especially after completing its merger with Veritas' enterprise data protection business in December 2024. Backup, replication, and recovery orchestration across large, heterogeneous estates is the company's home turf.
Capacity efficiency on secondary data. Global variable-length deduplication, compression, and erasure coding make the Cohesity Data Cloud a very cost-effective consolidation point for backup data, archives, and other redundant data sets.
A broad resilience portfolio. DataLock WORM retention, quorum controls for critical actions, FortKnox cloud vaulting, and Helios anomaly detection give backup estates meaningful protection against tampering — because destructive data attackers routinely target backups.
If the problem you are solving is “consolidate and protect copies of everything,” Cohesity belongs on your shortlist. The comparison below is about a different problem: serving and defending the live unstructured data your users and missions touch every day.
Storage capabilities side by side
| Capability | RackTop BrickStor SP | Cohesity SmartFiles |
|---|---|---|
| Platform design center | Purpose-built secure NAS for primary and secondary data — Cyberstorage for live unstructured data | File and object services (SpanFS) on the Cohesity Data Cloud, a platform built around backup and secondary-data consolidation |
| Protocols | SMB, NFS, S3, and Web Drive from the same dataset, governed by one ABAC policy framework | SMB, NFS, and S3; no native browser-based file access |
| Snapshots and replication | Policy-driven immutable snapshots with sub-minute RPO; asynchronous replication to one or more BrickStor targets | Snapshots and replication with DataLock WORM retention for compliance holds |
| Capacity efficiency | Inline compression, thin snapshots and clones — sized for primary data | Global variable-length deduplication, compression, and erasure coding — a genuine strength, tuned for highly redundant backup data |
| Tiering | Patented Transparent Data Movement — policy tiering to on premises or cloud storage while files stay accessible at the original path | Cloud tiering and archive services; can also tier cold data off third-party Tier 1 NAS into the Cohesity cluster |
| Migration onto the platform | GHOST — users cut over first, in hours, and data migrates in the background with Cyberstorage protections active from the cutover line | Host-side copy or third-party migration tooling; planned cutover windows |
| Deployment models | Physical appliance, SAN gateway (iSCSI / Fibre Channel), or virtual appliance on KVM, Hyper-V, ESXi, AWS, Azure, and Google Cloud | Scale-out cluster nodes on certified hardware plus cloud editions |
| Fault isolation from data protection | A dedicated primary file platform — the backup and archive estate lives on separate systems, so a fault in one cannot take down the other | File services and DataProtect backup workloads can share the same cluster; public peer reviews caution that a platform issue can affect live shares and backup data together |
Security capabilities side by side
The decisive difference is where detection happens — inline in the data path as the attack executes, or in a cloud control plane after the data has changed — and therefore what it can see. Change-based detection cannot see data theft, because stealing data changes nothing.
| Capability | RackTop BrickStor SP | Cohesity SmartFiles + Helios / DataHawk / FortKnox |
|---|---|---|
| Detection model | Patented Active Defense — behavioral evaluation of every read, write, and delete, inline in the storage data path. UEBA-based anomaly detection tuned to each individual and role, on-controller with no external or cloud connectivity required | Machine-learning anomaly detection in the Helios / DataHawk control plane — change-rate and entropy signals evaluated during protection runs and audit analytics |
| Response model | Offending session terminated in under a second, before mass encryption or exfiltration spreads | Alerts and a recovery workflow; response centers on restoring from immutable snapshots after the fact |
| Data theft and exfiltration | Active Defense analyzes read behavior, not just writes — bulk copying, abnormal access patterns, and staged exfiltration are detected and stopped live | Anomaly detection is keyed to data change (change rates, entropy across protection runs) — but exfiltration changes nothing. Files read and copied out leave no change for the model to see. DataHawk adds user activity reporting after the fact, not prevention |
| Access control | AD/LDAP POSIX permissions with the ability to add native ABAC, enforced on every SMB, NFS, S3, and Web Drive operation | AD / POSIX permissions with RBAC, MFA, and quorum for administrative actions; no attribute-based policy in the data path |
| Immutability and cyber vaulting | Patented ImmutaVault — a virtual air gap inside the platform, no second environment to license or operate | DataLock WORM on-cluster; FortKnox cyber vaulting is a separate SaaS subscription vaulting to a Cohesity-managed cloud |
| Encryption | Up to two independent layers of FIPS 140-3 AES-256 with integrated key management | AES-256 at rest and in flight; single layer |
| Forensics and audit | Immutable, tamper-evident record of every file operation, streamed to SIEM / SOAR | Audit logs and Helios reporting with SIEM integrations |
| Air-gapped and disconnected operation | All Cyberstorage functions run on the controller — classified and disconnected-site friendly | Helios, DataHawk, and FortKnox are SaaS services; security capability is reduced without cloud connectivity |
| Cyber recovery | Patented Intelligent Bulk Remediation — surgical, file-level rollback driven by the platform’s own forensic record | Snapshot and backup restore workflows; the recovery point is the last clean protection run |
Performance architecture side by side
Neither vendor publishes audited head-to-head benchmarks, so honest performance comparison starts with what each data path was engineered to optimize.
| Capability | RackTop BrickStor SP | Cohesity SmartFiles |
|---|---|---|
| Workload design point | Primary, latency-sensitive mixed workloads — user shares, project data, media, engineering, and analytics pipelines | Throughput-oriented consolidation — backup ingest, archives, digital libraries, rich media, and video surveillance |
| Latency-sensitive and high-I/O workloads | Built for hot primary shares — home directories, project and engineering data, media, and metadata-heavy workloads — served from all-flash or hybrid storage | Public peer reviews caution that SmartFiles is not suited to applications needing high I/O or low latency; Cisco’s validated design describes the target as “non-latency-sensitive use cases” |
| Data path | Direct file serving with security policy evaluated inline on the controller — no external hop in the I/O path | I/O flows through a global deduplication and erasure-coding pipeline engineered for capacity efficiency rather than latency |
| Where the security work happens | On-controller, per-operation — protection without a separate analytics tier | In the Helios control plane, out of band — no inline cost, but no inline protection either |
Comparison based on publicly available product documentation and analyst material. Vendor capabilities evolve — contact us if you believe any entry is out of date and we will validate against the current release. For workload-specific performance, run a proof of concept against your real data profile.
What the public record says about SmartFiles as primary NAS
To be clear about what the record shows: SmartFiles reviews on Gartner Peer Insights and PeerSpot are strong for the workloads it is deployed for. The public critique is not “SmartFiles is bad” — it is specific, and it is about workload class.
Workload fit. Cisco's validated design for SmartFiles describes its audience as deploying for “non-latency-sensitive use cases” — backup target storage, replication, archiving, and file services. Peer reviewers echo the same boundary, cautioning that the platform is not suited to applications needing high I/O or low latency. Cohesity's own file-and-object positioning leads with backup, archive, content management, multimedia, analytics, and video surveillance. None of that is criticism; it is the platform's design center, stated by the vendor, its hardware partners, and its users consistently.
Shared fate with the backup estate. Peer reviews also caution that running file services and DataProtect on the same cluster means a platform failure can threaten both at once. For secondary storage that is an inconvenience; for primary NAS — where users and applications depend on live share availability — it collapses two fault domains that most architectures deliberately keep separate, including the very recovery layer you would lean on during an incident.
Operational fit for Tier 1. Public deployment guidance and reviews also flag the operational texture of running SmartFiles at the front of the client path: DNS round-robin and virtual-IP client distribution that Cisco's design recommends validating from multiple clients, plus reviewer comments on patching friction and reporting gaps for quota, chargeback, and capacity planning. Every platform has operational texture — but for primary NAS, client pathing, maintenance windows, and file-growth visibility are the daily job, not an edge case.
BrickStor SP is the other side of that boundary. It is a purpose-built primary file platform: engineered for hot, latency-sensitive shares, with Active Defense, ABAC, ImmutaVault, and the forensic audit record running inline on the same controller that serves the I/O — and with the backup estate kept on separate systems, where a fault in one can never take down the other.
Detection tied to the backup window is detection after the damage
Cohesity's anomaly detection is real and useful — for the problem it was built for. Machine learning in the Helios control plane watches change rates and compressibility across protection runs and flags backups that look encrypted. That tells you, with good confidence, that ransomware ran since the last clean backup.
But on the primary tier, everything between those two points in time is the incident: the files encrypted, the data staged and exfiltrated, the intellectual property read by an account that should never have touched it. A control plane that learns about the attack from the next protection run cannot interrupt any of it — its remedy is restore, and its recovery point is the last clean backup.
And that is the best case, because change-based detection only fires when data changes. Data theft changes nothing. An attacker or insider who reads and copies out terabytes of files leaves the data byte-for-byte identical — identical change rate, identical entropy, an identical next backup. There is no anomaly for the model to find, and no snapshot to restore your stolen data back out of the attacker's hands. With double extortion now leading with theft rather than encryption, a defense that only sees writes is blind to the half of the attack that restore can never fix.
BrickStor SP moves the decision into the I/O itself.
Active Defense evaluates the operation while it is happening — reads as well as writes — and terminates the offending session in under a second. For ransomware, that means the blast radius is a handful of files, not a backup window, and Intelligent Bulk Remediation uses the platform's own forensic record to roll back exactly the files that were touched. For data theft, it means the bulk read pattern is detected and the session is cut off while the data is still yours — the one moment when exfiltration can actually be stopped. The disclosure conversation starts from “we stopped it” rather than “we restored most of it.”
Pick the platform that matches the job
Choose Cohesity SmartFiles if
Your problem is secondary-data consolidation: you want backup targets, archives, digital libraries, rich media, or surveillance footage on one capacity-efficient, scale-out platform — especially if you already run the Cohesity Data Cloud for data protection and want fewer silos around it. You are comfortable with security analytics, threat scanning, and vaulting delivered as cloud SaaS subscriptions, and your latency-sensitive primary workloads live somewhere else.
Choose BrickStor SP if
Your problem is the live data itself: primary unstructured data that has to be served fast and defended in real time against ransomware, insider misuse, and exfiltration. You need ABAC on SMB, NFS, S3, and Web Drive for federal, regulated, or coalition workloads; sub-minute recovery points; vaulting without a SaaS dependency; and a platform that keeps every security function on the controller — including in air-gapped and disconnected environments. Many organizations run both: Cohesity protecting the backup estate, BrickStor SP defending the primary tier it backs up.
Two companies, two missions
- 2010
RackTop founded by veterans of the U.S. Intelligence Community to build storage with security embedded in the data path.
- 2013
Cohesity founded, pioneering hyperconverged secondary storage for backup and data protection.
- 2018
RackTop coins CyberConverged™ Storage and ships the first NAS with security built into the storage layer.
- 2019
Cohesity announces SmartFiles — file and object services running on its backup-optimized platform.
- 2021
Gartner introduces the term “Cyberstorage.”
- 2022
Cohesity launches FortKnox (SaaS cyber vaulting) and DataHawk (SaaS data security).
- 2024
Active Defense patent issued — U.S. Patent No. 11,868,495 B2 (Jan 9, 2024). Cohesity completes its merger with Veritas’ data protection business (December 2024).
- 2025
ImmutaVault patent issued — U.S. Patent No. 12,216,779 B2 (Feb 4, 2025). Transparent Data Movement patent issued — U.S. Patent No. 12,333,173 B2 (Jun 17, 2025).
- 2026
Intelligent Bulk Remediation patent issued — U.S. Patent No. 12,561,437 B2 (Feb 24, 2026).
BrickStor SP vs. Cohesity SmartFiles — answered
- SmartFiles is positioned by Cohesity for consolidating unstructured data on the Cohesity Data Cloud — backup targets, archives, digital libraries, rich media, video surveillance, and tiered-off cold data from Tier 1 NAS. It can serve general-purpose shares, but the platform’s design center is capacity-efficient consolidation of secondary data. The public record draws the same boundary: Cisco’s validated design for SmartFiles targets “non-latency-sensitive use cases,” and peer reviewers caution that it is not suited to applications needing high I/O or low latency. That is why most organizations keep latency-sensitive primary workloads on a dedicated NAS platform. BrickStor SP is that dedicated primary platform, with Cyberstorage defense built into the data path.
- Cohesity’s anomaly detection runs in the Helios control plane using machine learning on metrics like data change rate and compressibility (entropy), evaluated during protection runs, plus file-level audit analytics. That means detection is tied to when data is backed up or when analytics jobs process the audit stream — and the response is an alert plus a recovery workflow. BrickStor SP’s Active Defense evaluates every file operation inline at the storage layer and terminates an offending session in under a second, before mass encryption or bulk exfiltration spreads. One model tells you an attack happened; the other stops it while it is happening.
- Cohesity’s flagship anomaly detection watches for changes in data — change rates and compressibility evaluated across protection runs. Exfiltration is a read operation: an attacker who copies out terabytes of files leaves the data unchanged, so there is no change-rate or entropy anomaly to detect, and the next backup looks identical to the last one. DataHawk adds user activity tracking and data classification, which help scope an incident after the fact, but nothing in the platform sits in the file data path to stop a bulk read while it is happening. BrickStor SP’s Active Defense analyzes read behavior live — bulk copying, abnormal access patterns, and staged exfiltration trigger inline response, terminating the session while the data is still in your possession. That distinction matters because double-extortion attacks now lead with theft: recovery-centric defenses can restore encrypted files, but no restore returns stolen data.
- Helios, DataHawk, and FortKnox are SaaS offerings that depend on cloud connectivity. In disconnected, classified, or intentionally isolated environments, those capabilities are reduced or unavailable. BrickStor SP runs all Cyberstorage functions — Active Defense, ABAC, ImmutaVault, Intelligent Bulk Remediation, and the forensic audit record — locally on the controller, which is why it is deployed in air-gapped federal and defense environments.
- The two platforms solve different problems and are frequently deployed together. Cohesity protects copies of your data after the fact; BrickStor SP protects the live data itself — detecting and stopping ransomware, insider misuse, and exfiltration as it happens, on the primary tier where the attack actually lands. Keeping Cohesity for backup while putting the highest-risk live file data on BrickStor SP also improves the backup estate: the data flowing into your protection jobs is already defended, audited, and policy-controlled at the source. And it preserves fault isolation — peer reviews caution that consolidating file services onto the same cluster as DataProtect means a platform issue can threaten live shares and backups together. Keeping the primary tier on a separate, purpose-built platform avoids collapsing those two fault domains.
- No, and it is not trying to. Cohesity’s global variable-length deduplication is genuinely strong on backup data, where dozens of copies of the same blocks make very high reduction ratios possible. Live primary unstructured data has far less redundancy, so dedup yields much less on any platform. BrickStor SP uses inline compression and thin snapshots and clones — the efficiency techniques that pay off on primary data — and patented Transparent Data Movement to tier cold data to cheaper storage without moving it out of the namespace.
- Cohesity completed its merger with Veritas’ enterprise data protection business in December 2024, making it one of the largest data protection vendors in the industry. That is the point: the company’s center of gravity — engineering, roadmap, and go-to-market — is protecting and recovering copies of data. SmartFiles rides on that platform. RackTop’s entire platform is engineered around defending live unstructured data in real time. Both are legitimate missions; they are different missions.
- Neither vendor publishes audited, head-to-head benchmarks against the other, so any specific numbers you see in a comparison should be treated with suspicion. What can be compared honestly is architecture: BrickStor SP serves files directly with policy evaluated inline on the controller, while SmartFiles I/O flows through a deduplication and erasure-coding pipeline designed for capacity efficiency on secondary data. For your workloads, the right answer is a proof of concept — we will run one against your real data profile.
Go deeper
BrickStor SP →
The flagship Cyberstorage NAS — full architecture, capabilities, and use cases.
Cyberstorage vs. Cyber Vaulting →
Why an immutable recovery copy is not the same as active defense on live data.
BrickStor SP vs. the field →
Twelve-capability grid covering NetApp, Dell PowerScale, VAST Data, and Pure FlashBlade.
See Live Data Defense Next to Your Backup Estate
In a 30-minute demo, we'll show Active Defense stopping an attack inline, ImmutaVault's virtual air gap, and Intelligent Bulk Remediation — and map where BrickStor SP fits alongside an existing Cohesity deployment.
