Agentic enforcement — above every backup vendor and cloud

Backup tools execute. Posture tools observe. Forttic enforces.

Backups fail at recovery time. Forttic enforces 3-2-1-1-0 across every backup vendor and cloud, proves recovery, and codifies and enriches the tribal resilience knowledge continuously. Cross-vendor. Agentic intelligence. No rip-and-replace.

Three forces. One enforcement gap.
Ransomware targets backups. Regulators want continuous proof. Insurers audit drift forensically.
96%
of ransomware attacks target backup repositories (Veeam)
2.3×
median ransom demand when backups are compromised (Sophos)
DORA
Article 11 enforcement live since Jan 17, 2025
Governs every major backup tool — vendor-agnostic by design
VeeamCommvaultDruvaClumioAWS BackupAzure BackupGoogle Cloud BackupAWS Elastic Disaster RecoveryCommvault Air Gap Protect VeeamCommvaultDruvaClumioAWS BackupAzure BackupGoogle Cloud BackupAWS Elastic Disaster RecoveryCommvault Air Gap Protect
Why now

"Policy configured" used to be enough. Not anymore.

Ransomware operators, insurers, and regulators all caught up at the same time — and none of them accept quarterly attestation anymore.

01 · The attackers

Ransomware now goes for backups first.

Backups went from the recovery plan to the primary objective. 96% of attacks target backups; 76% succeed. When they do, the median ransom doubles to $2.3M. The safety net became the leverage.

02 · The carriers

Cyber claims get denied for what's missing on the day.

Modern denials aren't about exclusions — they're about the gap between what you attested at application and what was running at incident. 25–40%+ of cyber claims are now rejected for that drift.

03 · The regulators

Periodic evidence stopped counting.

DORA Article 11 in force since January 17, 2025 — names backup as a governance issue. NIS2 transposed across the EU. SOC 2 Type II demands operating effectiveness over time.

Any one of these would make continuous enforcement worth doing. All three at once make it inevitable.
Product Overview

Posture tools see drift. Forttic enforces outcomes.

Observation tells you what's drifting. Enforcement closes the gap. Forttic discovers, scores drift, acts within your guardrails, and verifies recovery — across every vendor and cloud. One loop. Continuously.

01 / DISCOVER

Multi-cloud asset graph

Agentless inventory of every backup asset and cloud service configuration — compute, databases, storage, network, IAM — so Forttic knows what's protected and what should be.

02 / ASSESS

Risk scoring that moves

Every asset scored against policy, regulation, and business impact — re-evaluated as posture drifts, not on a quarterly schedule.

03 / ENFORCE

Agentic remediation

Skills auto-execute against drift within your guardrails — with full audit trails and escalation for high-impact actions.

04 / VERIFY

Isolated recovery tests

Clean-room restoration of critical backups — proving RTO, RPO, and immutability without touching production.

CRE Framework

Five stages. One continuous loop.

Sense, decide, act, verify, audit. Every cloud, every vendor — closing the gap between configured policy and live enforcement in minutes, not quarters.

01
Discover

Inventory everything that affects recoverability.

02
Assess

Score drift by impact and urgency.

03
Enforce

Remediate within approval guardrails.

04
Verify

Prove RTO/RPO and restoration outcomes.

05
Report

Generate compliance and board evidence.

The Backup Standard

3-2-1-1-0 is the rule everyone configures. Nobody enforces it.

Every layer eliminates a specific class of data loss. Forttic makes continuous, auditable adherence provable across multi-cloud and hybrid environments.
3
Layer 01
Copies

Three distinct copies, with co-location detection. Copy-count drift detected the moment retention or replication fails.

2
Layer 02
Media types

Storage diversity enforced. Three buckets in one region won't pass. Cross-vendor concentration risk flagged before incidents reveal it.

1
Layer 03
Offsite

Geographic separation validated against cloud-provider metadata — not self-reported config. AZs don't count. Regions do.

1
Layer 04
Immutable

Object Lock continuously verified. Governance-mode tampering detected. The layer ransomware hunts for is the one we watch hardest.

0
Layer 05
Errors

Tiered verification — clean-room restores on tier-1 workloads. The only layer that determines whether your backup actually saves you.

Vendor Coverage

Keep your stack. Govern it as one system.

Forttic sits above your vendors and clouds so policy is enforced consistently across the entire estate.

Veeam
Enterprise backup platform
Vault config Replication Immutability
Commvault
Includes Air Gap Protect & Threatwise
Cleanroom Air gap WORM
Druva
SaaS-delivered data resilience
SaaS Multi-cloud
Clumio
Cloud-native backup & archive
Snapshot discovery Archive
AWS Backup
Including Elastic Disaster Recovery
Vault Lock Cross-region
Azure / GCP Backup
Native Microsoft & Google services
Soft delete Geo-redundant
How Forttic Decides

Agentic architecture built for resilience decisions.

Knowledge supplies the rules. Memory supplies context. Triggers fire on real events. Skills act. Tools execute — every decision auditable and mapped to the regulation it satisfies.

01

Knowledge

Control standards and regulations codified into decision logic.

02

Memory

Operational context retained across incidents and team changes.

03

Skills

Prebuilt actions execute remediation and verification workflows.

04

Triggers

Event-driven responses to drift, tampering, and risk signals.

05

Tools

Native integrations across backup vendors and cloud platforms.

Ask Forttic

Resilience decisions you can finally delegate.

A backup console answers "did the job run?" Forttic answers the questions from your CISO, CFO, auditor, and incident commander — in plain English, from live data.

Incident Mode
"Ransomware suspected at 2 AM. Show me clean recovery options ranked by RTO for affected workloads."
→ Sub-minute response · verified clean recovery points
Regulatory
"Generate the DORA Article 11 evidence package for our EU regulator visit on Tuesday."
→ Mapped controls · time-stamped audit trail · examiner-ready PDF
Board-Level
"CFO is asking before the board call: are we ransomware-safe? Generate the defensible one-page answer."
→ Executive synthesis · dollarized exposure · top risks

See all example decisions →

Where Forttic sits

Forttic doesn't replace any tool you own. It enforces what they do.

Every adjacent layer does its job. None enforces cross-vendor, cross-cloud. That's Forttic.

What each layer does (observation)

Backup posture tools — scan, map, report. See the drift; the doing is left to you.
Backup vendors — execute inside their own stack. Can't govern vendors next to them.
CSPM / DSPM — security and data lens, not recovery. Not built for backup proof.
+

What Forttic adds (enforcement)

Closes the gap observation surfaces — bounded autonomy, audited every step
Vendor-neutral by structure — governs across every backup vendor
Continuous evidence mapped to DORA, NIS2, SOC 2, ISO 27001, HIPAA
The 3-minute resilience readiness assessment

If a forensic auditor, an examiner, or an attacker opened your environment tomorrow — would your evidence hold?

Most enterprises attest to controls. Few can prove they were live in between. Map where you fall on the maturity curve — from application-only attestation to continuously enforced, audit-proof recovery.

Start the free assessment →
Pricing

Per-account economics. No surprise overages.

Priced by cloud account. Not by resource, not by API call, not by backup copy. Predictable.

Professional
Discover
Platform teams getting a baseline
Per account
Custom pricing — contact us for quote
Get a quote
  • Continuous Discover + Assess loop
  • 3-2-1-1-0 estate scoring
  • Multi-cloud (AWS, Azure, GCP) discovery
  • Up to 3 backup vendor integrations
  • Drift detection & alerting
  • Quarterly compliance reports
Enterprise / Sovereign
Sovereign
Regulated, public sector, multi-region
Custom
Annual commitment, SLA-backed
Talk to us
  • Everything in Enforce, plus:
  • Single-tenant / sovereign deployment options
  • Custom data residency (EU, UK, US, APAC)
  • Dedicated technical account manager
  • Custom regulatory framework mappings
  • API and SIEM integration
  • Executive readiness reviews
  • 24×7 support

Not sure where you sit? Run the free resilience assessment — we'll map your maturity and recommend a starting tier.

Talk to us

See continuous enforcement on your own stack.

Renewal coming? DORA examination ahead? Briefing in 30 minutes.

Send us your questions

Go deeper

Full guides for every part of the platform

Everything above is the snapshot. These pages go deeper on the case for enforcement, the CRE framework, agentic architecture, example decisions, vendor coverage, and the readiness assessment.

Frequently asked questions

Everything most teams ask in the first 30 minutes.

What is Continuous Resilience Enforcement (CRE)?

An agentic enforcement layer that continuously discovers, scores drift, acts, verifies recovery, and reports — across every cloud and backup vendor. Sits above observation tools (CBPM, CSPM). Vendor-neutral by structure.

How is this different from CBPM tools like Eon?

Observation vs. enforcement. CBPM tools scan, map, and report. Forttic acts. CBPM vendors are typically backup vendors themselves — cross-vendor enforcement contradicts their model. Forttic is vendor-neutral by structure.

I already pay for backup. Why also Forttic?

Backup vendors execute jobs inside their own stack. They don't produce cross-vendor evidence, and they can't govern the vendors next to them. Forttic does — and remediates silent failures inside guardrails.

Our enterprise is consolidating backup vendors. Does Forttic still apply?

Yes. Consolidation takes years. Most enterprises run two to four vendors at once. Forttic governs all of them — and enforces the survivors when consolidation finishes.

How does Forttic help with cyber insurance?

Denial defense. 25-40%+ of cyber claims are now rejected for control drift. Forttic's Verify-stage record is the timestamped artifact that defeats a misrepresentation denial.

What does Forttic do about ransomware?

Three things: verifies immutability in real time, enforces backup-credential isolation, runs clean-room restore tests for tier-1 workloads. 96% of attacks target backups; when they fall, the ransom doubles. Forttic removes the lever.

We're in the US, not the EU. Does Forttic still apply?

Yes. DORA and NIS2 are EU-only — but SOC 2 Type II demands operating effectiveness over time, US insurers audit drift forensically, and ransomware doesn't care about geography. Same evidence artifact satisfies all of them.

Does Forttic make decisions without human approval?

Only ones you authorize. Low-risk drift auto-remediates. Higher-impact decisions escalate. Every action is logged with before/after state.

How does the architecture work in practice?

Knowledge supplies the rules. Memory supplies context. Triggers fire on real events. Skills act. Tools execute. Every decision is auditable, reversible where possible, mapped to the regulation it satisfies.

Do I need to replace my existing backup vendor?

No. Forttic is a decision layer, not a backup tool. Keep Veeam, Commvault, Druva, Clumio, or whatever you run today — Forttic uses their APIs to extract value you can't extract manually.

What kinds of decisions can I actually delegate to Forttic?

Cross-vendor recovery exposure. Clean-room test gaps. Object Lock changes by user. DORA Article 11 evidence on demand. Region-failure RTO simulation. Duplicate-coverage cost analysis. Backup consoles can't decide; Forttic can.

What does recovery verification actually look like?

Tiered. Lightweight checks continuously. Clean-room restores for tier-1 workloads (typically quarterly). On-demand full drills when needed. Credible — not theater.

How is Forttic different from Veeam, Commvault, or Druva?

Forttic doesn't execute backup jobs — those vendors do. Forttic sits above them and makes cross-vendor decisions no single console can.

Does Forttic need CSPM or DSPM to work?

No. Forttic discovers cloud configurations natively — compute, databases, storage, network, IAM — alongside every backup asset. CSPM/DSPM findings can be ingested as context, but optional.

How is CRE different from CSPM or DSPM?

CSPM observes cloud from a security lens. DSPM observes data from a sensitivity lens. Forttic observes the same cloud plus the backup estate from a recovery lens — then acts.

How does Forttic save money if it's an added layer?

Three payback paths: (1) duplicate backup coverage you're paying twice for; (2) retention right-sizing beyond compliance minimums; (3) eliminated audit-prep cycles.

Does Forttic require agents or production access?

No. Read-only IAM role into cloud-provider and backup-vendor APIs. No agents on production. Decision execution limited to the backup estate.

What regulations does Forttic help with?

DORA Article 11, NIS2, SOC 2 Type II, ISO 27001 A.12.3, HIPAA. Continuous, time-stamped evidence mapped to specific controls.

What does week one look like?

Read-only IAM connection, automatic asset discovery, initial posture scoring within 24–48 hours. First isolated-recovery records typically inside the first week. Skills activate once decision guardrails are defined with your team.

Stop hoping backups recover.
Prove it — continuously.

Book a 30-minute briefing to walk through the CRE framework on your estate — or start with the free assessment if you want a maturity snapshot first.