Rubrik · Security · YoctoIT tech page

Anomaly Detection

Machine learning watching your backups: anomalous encryption, mass deletions and suspicious patterns surface in hours — with the blast radius already computed.

FOCUS · THE ATTACK SEEN FROM THE DATAEvery snapshot compared with history: when data changes strangely, you know right away
YoctoIT material for clients and partners · Rubrik and the other products mentioned are trademarks of Rubrik, Inc.
01 · What it is

Anomaly Detection, made clear.

Modern ransomware works in silence: it encrypts at low intensity, deletes the copies, then strikes. Anomaly Detection analyzes every backup with ML models trained on entropy, change rates and deletion patterns: when something is off, the alert arrives with the exact list of files and systems involved — the blast radius — and the last clean recovery point already identified.

Hours
not weeks: the time to notice creeping encryption
Blast radius
impacted files and systems, listed — not estimated
0 impact
analysis runs on backups, not on production
Anomaly Detection
OFFICIAL BRANDING RUBRIK
OFFICIAL RUBRIK UI · THREAT SUMMARY · SOURCE: RUBRIK
OFFICIAL RUBRIK UI · THREAT SUMMARY · SOURCE: RUBRIK
02 · How to use it well

The things that make the difference.

The data radar

Every new backupsnapshot after snapshot
Entropy
Change rates
Delete patterns
ML trained on YOUR data history
Anomaly Detectionthe continuous comparison
Actionable alertblast radius + suggested clean point
The attack seen before the disaster

Personal baseline

The model learns the normal rhythm of YOUR data: fewer false positives, more signal.

SOC integration

Alerts to SIEM/SOAR and our NOC: the anomaly enters the process, not a lost inbox.

One-click diagnosis

Which VMs, which shares, which files: the damage count ready for incident response.

Suggested clean point

The last healthy snapshot pointed out by the platform: recovery starts without debates.

03 · In depth

How ML recognizes encryption in backups

At every snapshot the platform computes per-file and per-system features: content entropy (encrypted data is statistically distinguishable), create/modify/delete ratios, new extensions and mass renames; models compare against each workload's historical baseline and flag deviations; analysis is retroactive across the catalog: you see WHEN the anomaly began, the exact perimeter and the recovery point immediately before it.

  • Per-file entropy — encrypted content doesn't lie: statistics unmask it
  • Per-workload baseline — the busy DB isn't a false alarm: the model knows it
  • Retroactive analysis — when did it start? The catalog answers with a date
  • Exact perimeter — the list of files and systems: the basis of incident response
  • Webhooks & SIEM — the alert where the SOC works: Splunk, Sentinel, our NOC
  • Zero production impact — everything runs on the copies: no agents, no load
04 · Numbers and lifecycle

The numbers that matter.

24/7
every backup analyzed, no window uncovered
dd→h
typical detection time drop: from days to hours
100%
of the catalog queryable retroactively
1 click
from blast radius to recovery plan
Noticing late is the real cost of an attack: your backups see everything — you just have to listen.
05 · Use cases

Where it really pays off.

Silent ransomware

Low-intensity encryption discovered in hours.

Insider

Mass deletions: seen, traced, reversible.

Incident response

Blast radius and clean point: the count ready.

Would your backup tell you today if you're under attack? With Anomaly Detection it would — let's talk.