Veeam · Software · YoctoIT tech page

Threat & AI

Inline scanning, anomaly detection and an AI assistant: the backup becomes a security sensor — often the first to notice.

FOCUS · THE BACKUP THAT TELLS ON THEMEntropy, IoCs and malware scans: the attack seen from the data while copying it
YoctoIT material for clients and partners · Veeam, Kasten, Coveware and the other products mentioned are trademarks of Veeam Software.
01 · What it is

Threat detection & AI, made clear.

The backup reads all the data every night: the perfect position to notice the attack. The Data Platform exploits it: inline entropy analysis (the encryption in progress shows in the patterns), IoC and antimalware scanning on the restore points, SIEM integration and the AI assistant helping to query the platform.

Inline
the entropy analyzed during the backup: the encryption seen that night
Clean restore
the restore point scanned: you restart clean, not reinfected
YARA
the rules on the restore points: the IoC hunt in the data's history
Threat detection & AI
OFFICIAL VEEAM BRANDING · THREAT & AI
CONSOLE REALE · VEEAM THREAT CENTER · FONTE: VEEAM
REAL CONSOLE · VEEAM THREAT CENTER · SOURCE: VEEAM
02 · How to use it well

The things that make the difference.

The sensor

The production dataread every night by the backup
Entropy analysis
Malware scan
IoCs & YARA
the symptom · the verdict · the hunt
Alerts → SIEM & NOCthe signal in the right flow
The certified clean pointwhere to restart safely from
The copy that checks the original

Tuned thresholds

Entropy has false positives (compression, legitimate encryption): the tuning that makes the alert credible.

In the incident flow

The Veeam alarm inside our 24/7 process: the ransomware night is already written in the runbooks.

The clean point sought

At restart, the scan finds the last healthy point: no restoring the malware along with the data.

SIEM integration

The events toward Sentinel/Splunk: the backup among the SOC's sensors.

03 · In depth

Detection inside the backup: how it works

Security is inside the platform: the inline malware detection analyzes the blocks during the backup (entropy and encryption patterns), the Threat Hunter scans the restore points with signatures, the Incident API receives the alerts from the EDR/SIEM and marks the suspicious points, the Security & Compliance Analyzer verifies VBR's posture against the best practices, the Veeam Threat Center aggregates the state; the recovery thus picks the clean point, not the latest one.

  • Inline detection — entropy and patterns observed in the flow: the encryption seen right away
  • Threat Hunter — the signatures on the restore points: the sleeper found in the backup
  • Incident API — the EDR flags, Veeam marks: the compromised point labeled
  • Clean restore point — the recovery from the indicated healthy point, not from a random latest
  • Compliance Analyzer — VBR's posture verified: the best practices measured
  • YARA — the custom rules on the points: the targeted hunt in the past
04 · Numbers and lifecycle

The numbers that matter.

inline
the detection during the backup: zero extra passes
100%
of the points scannable after the fact
SIEM
integrated via API: the backup in the SOC
h
from the detection to the orchestrated clean restore
The backup is a sensor too: detection, markings and clean restores — integrated in our response flow.
05 · Use cases

Where it really pays off.

Early detection

The attack seen from the side the attacker neglects.

A clean restart

The certified restore without guests.

Threat hunting

The data's history queryable with YARA.

The backup sees everything, every night: with the detection on, it's your second line of sensors.