Coverage gaps are invisible
New services, config drift, and undocumented dependencies mean your DR plan fails silently until an incident reveals what it missed. By then, it's already a problem.
Resilience & Recovery
Know what's protected. Fix what isn't.
Most DR plans no longer reflect what's actually running in production. Coverage gaps are invisible. RTO and RPO targets are assumed, not validated. Oscar runs a cloud backup posture assessment against your live environment and surfaces every gap, with evidence, in days. No tagging required. No credentials shared.
Our AI agent Oscar Ops leverages the context graph to evaluate your live environment and deliver a complete Backup Posture Assessment in hours, not weeks.
The Problem
New services spin up, configurations drift, cross-region dependencies appear, and AI agents make infrastructure changes nobody documents. Most backup assessments rely on documentation that is already stale the moment it's written.
New services, config drift, and undocumented dependencies mean your DR plan fails silently until an incident reveals what it missed. By then, it's already a problem.
Recovery time objectives exist in policy documents, but no one has verified they match what's actually configured in production. Assumed targets are unvalidated risk.
Recovery drills require weeks to coordinate, produce stale results, and leave the organization exposed between cycles. AI agents are now making changes nobody scheduled.
Audits capture a moment in time. By the next quarter, new resources have appeared with no backup configuration, no owner, and no entry in your DR plan.
AI agents are making infrastructure changes that nobody documented. Resources they create, modify, or decommission may fall outside your backup coverage entirely.
A traditional consulting engagement to produce this picture takes 8-16 weeks and costs far more. By the time the report arrives, the environment has already changed.
What the Assessment Finds
Sample findings below are drawn from an illustrative assessment of a fictional healthcare enterprise, Vantara Health Systems, with 2,847 resources across 18 cloud accounts, scanned in a single read-only pass. The structure is exactly what you receive for your environment.
Sample finding. Illustrative environment.
47% of resources in scope had no vault lock configured, leaving backup data deletable by a threat actor moving laterally through the environment. 31% of resources were missing the workstream, environment, or classification tags that backup policy inheritance silently depends on. None of the critical remediations required architectural change.
HIPAA's Contingency Plan standard (45 CFR §164.308(a)(7)) requires demonstrable evidence of backup coverage, retention adequacy, and restore validity. 'We have AWS Backup running' is not evidence. A report generated from live API data is.
How It Works
Like every OpsCanvas assessment, the work runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors, then deterministic policy checks against that inventory. Oscar never performs open-ended network scanning, no credentials leave your perimeter, and no tagging is required. Five structured workstreams run on top of the Context Graph, with a human decision required before anything advances.
Oscar scans all systems, databases, apps, and endpoints across multi-cloud, hybrid, and on-premises environments. Assets are classified by criticality, compliance requirements (HIPAA, GDPR), and threat exposure, without requiring pre-existing tags or a manual inventory phase.
Agents verify RPO and RTO targets against actual system configurations and SLA commitments. Gaps between what your policy documents say and what's actually configured surface as named blockers requiring explicit human review before the assessment advances.
Reviews your existing backup architecture against the 3-2-1-1-0 standard across AWS, Azure, and GCP. Surfaces missing automation, absent encryption, and version management gaps. Identifies resources with no backup policy, no owner, or configurations that have drifted from policy.
Verifies that backups actually work by running controlled recovery tests and measuring real success rates and restoration times, not just assumed ones. Confirms immutability of offsite copies and air-gapped backups. Measures actual RTO against documented targets, not assumed performance.
Produces the final DR Plan with documented procedures, schedules, and personnel responsibilities. Sets up automated monitoring for backup performance, data growth, and compliance drift so your posture stays current between review cycles.
AWS Backup ListProtectedResources / RDS DescribeDBInstances / DynamoDB DescribeContinuousBackups / Azure Backup REST API / GCP Cloud Backup status endpointsUnder the Hood
What You Get
The assessment produces the Backup Posture Report: evidence your platform team can execute and your auditors can accept. Every deliverable is grounded in what Oscar actually observed in your live environment, not inferred from documentation or assembled from interviews.
Every resource across all accounts, regions, and providers and its backup status: protected, unprotected, or misconfigured, verified directly via API. Ownership mapped to the right team.
Recovery time and recovery point objectives checked against what is actually configured in each system today, not what the policy document says should be configured. Gaps surfaced as named, prioritized findings.
Every unprotected, misconfigured, or non-compliant resource organized by business workstream and priority, with business impact and ownership attached. Your platform team can execute directly without translating findings into tickets.
Estimated annual savings from retention alignment and storage tiering, with actions ordered by savings impact. Backup posture and backup spend, corrected together.
3-2-1-1-0 compliance verified with evidence, plus API-sourced control mappings for HIPAA, SOC 2, and HITRUST and a formal DR Plan. Formatted for regulators, boards, and cyber insurance renewal.
A governance template deployable across all accounts to prevent gaps from reappearing, with optional ongoing monitoring for backup performance, data growth, and compliance drift.
The Sample Report
A walkthrough of the report structure using the fictional Acme Systems sample environment. Every section is built from live API evidence.
Why 'Run a Script' Isn't Enough
Manual checks and scheduled scripts give you a point-in-time snapshot. The moment your environment changes, the snapshot is stale. Here is what that costs.
$4.88M average cost of a data breach with backup gaps as a contributing factor (IBM, 2025).
45 CFR §164.308(a)(7): the HIPAA Contingency Plan standard a script output cannot satisfy.
$287K recoverable annual waste found in a single 2,847-resource sample scan.
82% of resources with no restore confirmed in the past 90 days.
12+ months since most enterprises last validated backup posture against live state (Forrester, 2026).
False confidence is worse than no check at all. A script that returns green gives your team permission to stop looking. But a script checks what it was written to check, not every resource added since it was last updated, not the resources created by AI coding tools, not the pipeline-provisioned infrastructure that never got a backup policy attached.
Why OpsCanvas
Traditional backup assessments require your team to compile inventories, gather configurations, run manual queries, and coordinate across teams before the consulting firm even begins analysis. That process takes weeks and produces a picture that's already stale.
OpsCanvas starts from a scan of your live environment. The Context Graph builds automatically across resources, dependencies, ownership, backup status, and AI agent activity, so every deliverable is grounded in what Oscar actually observed, not what your documentation says.
How It Compares
What Comes Next
The Backup Posture Assessment surfaces the gaps. The DR Workflow closes them. And ongoing monitoring keeps your posture current as your environment changes. Each step builds on the same live Context Graph Oscar built during the assessment. It is the entry point to the full Resilience solution.
Oscar scans your environment, builds the Context Graph, and delivers your gap report, RTO/RPO validation, and DR Plan.
Quarterly, monthly, or continuous reassessment keeps your posture current and surfaces drift as your environment evolves.
The AI-governed remediation engine that closes the gaps the assessment surfaced. Agents execute. Humans approve every material change.
The Backup Posture Assessment is the front door to a continuous resilience program: verified backup and DR posture, business continuity confidence, ongoing monitoring, and governed remediation, all on the same Context Graph.
Frequently Asked Questions
A cloud backup posture assessment is a structured review of your cloud environment that verifies backup coverage, retention alignment, and restore validity across every resource, using live API data, not documentation. It identifies which resources are unprotected, which retain data outside their compliance window, and which have never had a restore confirmed.
AWS Backup and Azure Backup execute your backup strategy and confirm that jobs ran. The OpsCanvas Backup Posture Assessment verifies that every resource in your environment is actually protected, not just the ones your backup tool was configured to cover. Oscar reads directly from cloud APIs across all accounts and surfaces gaps, retention mismatches, and resources your existing tooling was never pointed at.
No. Oscar connects with read-only credentials. No changes are made to your environment, no resources are modified, and no credentials are stored centrally. Setup takes under one hour of your team's time across AWS, Azure, and GCP.
The Backup Posture Assessment covers HIPAA (45 CFR §164.308(a)(7) Contingency Plan standard), SOC 2, and HITRUST. For each framework, findings are mapped to the specific control requirements, not just flagged as gaps. The report includes an audit-ready evidence package formatted for regulators.
Setup takes under one hour of your team's time. The report is delivered in days, not weeks, not a consultant engagement. A scan of 2,847 resources across 18 cloud accounts was completed in a single read-only pass, where a traditional consulting engagement for comparable coverage typically takes 8-16 weeks.
No. Oscar scans your live cloud environment and infers resource ownership, dependencies, and backup status from runtime behavior and IaC repositories. No tagging is required, and no manual inventory work is needed before the assessment begins. This is one of the core ways OpsCanvas differs from traditional consulting approaches.
No. Oscar performs no open-ended or autonomous network scanning. The assessment runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors using existing permissions, then deterministic policy checks against that inventory. No action executes without explicit human sign-off.
The 3-2-1-1-0 standard requires three copies of data, on two different media types, with one copy offsite, one copy offline or air-gapped, and zero unverified backups. The OpsCanvas Backup Posture Assessment verifies each of these requirements against your live environment, checking immutability of offsite copies, encryption, version management, and backup success rates across AWS, Azure, and GCP.
Yes. OpsCanvas is complementary to Rubrik, Veeam, Cohesity, AWS Backup, and Azure Backup. It does not replace them. Those tools store and restore your data. OpsCanvas validates your posture: whether your backup configurations match your recovery objectives, where coverage gaps exist, and whether your DR plan reflects what's actually running in production.
After the assessment, OpsCanvas can set up ongoing monitoring to track backup coverage, data growth, and compliance drift on a quarterly, monthly, or continuous basis. For teams ready to close the gaps the assessment identified, the DR Workflow is the AI-governed remediation engine that implements the findings, with Oscar discovering, agents executing, and humans approving every material decision. The full program is described on the Resilience solution page.
Get Started
Talk to us about a Backup Posture Assessment. We'll walk through your environment, scope the engagement, and show you what Oscar finds in your first session. No tagging required, no credentials shared.
Complementary to Rubrik, Veeam & AWS Backup · AWS, Azure & GCP · Audit-ready DR Plan included