Resilience & Recovery

Backup Posture Assessment

Know what's protected. Fix what isn't.

Most DR plans no longer reflect what's actually running in production. Coverage gaps are invisible. RTO and RPO targets are assumed, not validated. Oscar runs a cloud backup posture assessment against your live environment and surfaces every gap, with evidence, in days. No tagging required. No credentials shared.

Evidence-backed, not consultant spreadsheets
No tagging or pre-work required
Audit-ready DR Plan included
AWS, Azure, and GCP
$4.88M
Average cost of a data breach, with backup gaps as a key factor (IBM, 2025)
12+mo
Most enterprises haven't validated DR plans against live state (Forrester, 2026)
Days
Not months. How long our assessment takes vs. traditional consulting engagements
6
Verified deliverables including coverage map, gap report, and audit-ready DR Plan

The Problem

Your backup plan reflects last year's environment.

New services spin up, configurations drift, cross-region dependencies appear, and AI agents make infrastructure changes nobody documents. Most backup assessments rely on documentation that is already stale the moment it's written.

Coverage gaps are invisible

New services, config drift, and undocumented dependencies mean your DR plan fails silently until an incident reveals what it missed. By then, it's already a problem.

RTO/RPO targets are assumed

Recovery time objectives exist in policy documents, but no one has verified they match what's actually configured in production. Assumed targets are unvalidated risk.

Testing is manual and infrequent

Recovery drills require weeks to coordinate, produce stale results, and leave the organization exposed between cycles. AI agents are now making changes nobody scheduled.

Compliance is point-in-time

Audits capture a moment in time. By the next quarter, new resources have appeared with no backup configuration, no owner, and no entry in your DR plan.

AI agents are changing your environment

AI agents are making infrastructure changes that nobody documented. Resources they create, modify, or decommission may fall outside your backup coverage entirely.

Manual discovery takes months

A traditional consulting engagement to produce this picture takes 8-16 weeks and costs far more. By the time the report arrives, the environment has already changed.

What the Assessment Finds

This is what the deliverable looks like.

Sample findings below are drawn from an illustrative assessment of a fictional healthcare enterprise, Vantara Health Systems, with 2,847 resources across 18 cloud accounts, scanned in a single read-only pass. The structure is exactly what you receive for your environment.

Sample finding. Illustrative environment.

312 resources had no backup policy attached, including 23 HIPAA-scoped clinical databases, verified via 3 independent API checks returning null. 418 resources were over-retained 2-10x beyond their governance tier, an estimated $287K in annual recoverable spend.

47% of resources in scope had no vault lock configured, leaving backup data deletable by a threat actor moving laterally through the environment. 31% of resources were missing the workstream, environment, or classification tags that backup policy inheritance silently depends on. None of the critical remediations required architectural change.

312
Resources with no backup policy attached
23
HIPAA-scoped clinical databases among them
$287K
Annual recoverable spend from retention waste
47%
Of resources with no vault lock configured
What's at Risk

HIPAA's Contingency Plan standard (45 CFR §164.308(a)(7)) requires demonstrable evidence of backup coverage, retention adequacy, and restore validity. 'We have AWS Backup running' is not evidence. A report generated from live API data is.

How It Works

Five workstreams. Agent-driven discovery. Human-approved at every gate.

Like every OpsCanvas assessment, the work runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors, then deterministic policy checks against that inventory. Oscar never performs open-ended network scanning, no credentials leave your perimeter, and no tagging is required. Five structured workstreams run on top of the Context Graph, with a human decision required before anything advances.

  1. 1

    Data Inventory & Risk Mapping

    Oscar scans all systems, databases, apps, and endpoints across multi-cloud, hybrid, and on-premises environments. Assets are classified by criticality, compliance requirements (HIPAA, GDPR), and threat exposure, without requiring pre-existing tags or a manual inventory phase.

  2. 2

    Define Recovery Requirements

    Agents verify RPO and RTO targets against actual system configurations and SLA commitments. Gaps between what your policy documents say and what's actually configured surface as named blockers requiring explicit human review before the assessment advances.

  3. 3

    Solution Audit & Gap Analysis

    Reviews your existing backup architecture against the 3-2-1-1-0 standard across AWS, Azure, and GCP. Surfaces missing automation, absent encryption, and version management gaps. Identifies resources with no backup policy, no owner, or configurations that have drifted from policy.

  4. 4

    Testing & Validation

    Verifies that backups actually work by running controlled recovery tests and measuring real success rates and restoration times, not just assumed ones. Confirms immutability of offsite copies and air-gapped backups. Measures actual RTO against documented targets, not assumed performance.

  5. 5

    Policy & Monitoring Setup

    Produces the final DR Plan with documented procedures, schedules, and personnel responsibilities. Sets up automated monitoring for backup performance, data growth, and compliance drift so your posture stays current between review cycles.

Verified viaAWS Backup ListProtectedResources / RDS DescribeDBInstances / DynamoDB DescribeContinuousBackups / Azure Backup REST API / GCP Cloud Backup status endpoints

Under the Hood

How every OpsCanvas assessment works.

How OpsCanvas assessments work: Oscar deploys inside your network, queries your systems of record, builds and analyzes the context graph, produces an approved assessment report and remediation plan, and executes until your cloud infrastructure returns to green
Sample assessment, illustrative data.

What You Get

The Backup Posture Report. Six deliverables, all backed by live data.

The assessment produces the Backup Posture Report: evidence your platform team can execute and your auditors can accept. Every deliverable is grounded in what Oscar actually observed in your live environment, not inferred from documentation or assembled from interviews.

Full Per-Resource Coverage Map

Every resource across all accounts, regions, and providers and its backup status: protected, unprotected, or misconfigured, verified directly via API. Ownership mapped to the right team.

RTO/RPO Validation

Recovery time and recovery point objectives checked against what is actually configured in each system today, not what the policy document says should be configured. Gaps surfaced as named, prioritized findings.

Workstream Remediation Roadmap

Every unprotected, misconfigured, or non-compliant resource organized by business workstream and priority, with business impact and ownership attached. Your platform team can execute directly without translating findings into tickets.

Cost Optimization Model

Estimated annual savings from retention alignment and storage tiering, with actions ordered by savings impact. Backup posture and backup spend, corrected together.

Audit-Ready Evidence Package

3-2-1-1-0 compliance verified with evidence, plus API-sourced control mappings for HIPAA, SOC 2, and HITRUST and a formal DR Plan. Formatted for regulators, boards, and cyber insurance renewal.

Add-on

Governance Template & Monitoring

A governance template deployable across all accounts to prevent gaps from reappearing, with optional ongoing monitoring for backup performance, data growth, and compliance drift.

The Sample Report

See the Backup Posture Report in 60 seconds.

A walkthrough of the report structure using the fictional Acme Systems sample environment. Every section is built from live API evidence.

Sample assessment, illustrative data. Sound is off by default; use the controls to unmute.

Why 'Run a Script' Isn't Enough

Your scripts work. Until they don't.

Manual checks and scheduled scripts give you a point-in-time snapshot. The moment your environment changes, the snapshot is stale. Here is what that costs.

The incident you could not prevent

$4.88M average cost of a data breach with backup gaps as a contributing factor (IBM, 2025).

The audit you could not pass

45 CFR §164.308(a)(7): the HIPAA Contingency Plan standard a script output cannot satisfy.

The waste you kept paying for

$287K recoverable annual waste found in a single 2,847-resource sample scan.

The restore that was never tested

82% of resources with no restore confirmed in the past 90 days.

The question you could not answer

12+ months since most enterprises last validated backup posture against live state (Forrester, 2026).

False confidence is worse than no check at all. A script that returns green gives your team permission to stop looking. But a script checks what it was written to check, not every resource added since it was last updated, not the resources created by AI coding tools, not the pipeline-provisioned infrastructure that never got a backup policy attached.

Why OpsCanvas

The same picture. In days, not months.

Oscar builds the discovery automatically. That's the difference.

Traditional backup assessments require your team to compile inventories, gather configurations, run manual queries, and coordinate across teams before the consulting firm even begins analysis. That process takes weeks and produces a picture that's already stale.

OpsCanvas starts from a scan of your live environment. The Context Graph builds automatically across resources, dependencies, ownership, backup status, and AI agent activity, so every deliverable is grounded in what Oscar actually observed, not what your documentation says.

No tagging or pre-work required before the assessment begins
Works alongside Rubrik, Veeam, and AWS Resilience Hub. Extends them, doesn't replace them
Every finding attributed to a specific resource, owner, and configuration state
Human approval required at every gate. Nothing advances without a decision on record
Capability
OpsCanvas
Discovery method
Live scan, no pre-work
Tagging requirement
None required
Time to deliver
Days
RTO/RPO validated against live config
Yes. Verified, not assumed
3-2-1-1-0 compliance check
Yes. Automated, evidence-backed
AI agent activity included
Yes. Agents tracked in Context Graph
Audit-ready output
Yes. Formal DR Plan included
Ongoing monitoring option
Yes. Quarterly to continuous

How It Compares

OpsCanvas vs. manual assessment and scripts.

What matters
Manual assessment / scripts
OpsCanvas Backup Posture Assessment
Evidence source
Interviews, docs, and spot-check scripts
Live cloud API calls
Coverage
Sampled or scope-limited
Every resource across all accounts
Time to report
Weeks to months
Days
Audit-ready output
Manual formatting required
HIPAA / SOC 2 / HITRUST evidence package
Cost optimization
Not typically included
Retention waste model included
Stale-data risk
High: any change creates false confidence
None: findings reflect live state
Remediation roadmap
Generic recommendations
Per-resource steps by workstream

What Comes Next

Assessment to remediation on the same Context Graph.

The Backup Posture Assessment surfaces the gaps. The DR Workflow closes them. And ongoing monitoring keeps your posture current as your environment changes. Each step builds on the same live Context Graph Oscar built during the assessment. It is the entry point to the full Resilience solution.

  1. 1

    Backup Posture Assessment

    Oscar scans your environment, builds the Context Graph, and delivers your gap report, RTO/RPO validation, and DR Plan.

  2. 2

    Ongoing Monitoring

    Quarterly, monthly, or continuous reassessment keeps your posture current and surfaces drift as your environment evolves.

  3. 3

    DR Workflow

    The AI-governed remediation engine that closes the gaps the assessment surfaced. Agents execute. Humans approve every material change.

The Bigger Picture

Part of the OpsCanvas Resilience solution.

The Backup Posture Assessment is the front door to a continuous resilience program: verified backup and DR posture, business continuity confidence, ongoing monitoring, and governed remediation, all on the same Context Graph.

Frequently Asked Questions

Common questions about the Backup Posture Assessment

What is a cloud backup posture assessment?

A cloud backup posture assessment is a structured review of your cloud environment that verifies backup coverage, retention alignment, and restore validity across every resource, using live API data, not documentation. It identifies which resources are unprotected, which retain data outside their compliance window, and which have never had a restore confirmed.

How is the OpsCanvas Backup Posture Assessment different from AWS Backup or Azure Backup?

AWS Backup and Azure Backup execute your backup strategy and confirm that jobs ran. The OpsCanvas Backup Posture Assessment verifies that every resource in your environment is actually protected, not just the ones your backup tool was configured to cover. Oscar reads directly from cloud APIs across all accounts and surfaces gaps, retention mismatches, and resources your existing tooling was never pointed at.

Does the assessment require changes to our cloud environment?

No. Oscar connects with read-only credentials. No changes are made to your environment, no resources are modified, and no credentials are stored centrally. Setup takes under one hour of your team's time across AWS, Azure, and GCP.

What compliance frameworks does the assessment cover?

The Backup Posture Assessment covers HIPAA (45 CFR §164.308(a)(7) Contingency Plan standard), SOC 2, and HITRUST. For each framework, findings are mapped to the specific control requirements, not just flagged as gaps. The report includes an audit-ready evidence package formatted for regulators.

How long does the Backup Posture Assessment take?

Setup takes under one hour of your team's time. The report is delivered in days, not weeks, not a consultant engagement. A scan of 2,847 resources across 18 cloud accounts was completed in a single read-only pass, where a traditional consulting engagement for comparable coverage typically takes 8-16 weeks.

Does the assessment require AWS tagging or a manual inventory phase?

No. Oscar scans your live cloud environment and infers resource ownership, dependencies, and backup status from runtime behavior and IaC repositories. No tagging is required, and no manual inventory work is needed before the assessment begins. This is one of the core ways OpsCanvas differs from traditional consulting approaches.

Does Oscar scan our network to find resources?

No. Oscar performs no open-ended or autonomous network scanning. The assessment runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors using existing permissions, then deterministic policy checks against that inventory. No action executes without explicit human sign-off.

What is 3-2-1-1-0 compliance and does the assessment check for it?

The 3-2-1-1-0 standard requires three copies of data, on two different media types, with one copy offsite, one copy offline or air-gapped, and zero unverified backups. The OpsCanvas Backup Posture Assessment verifies each of these requirements against your live environment, checking immutability of offsite copies, encryption, version management, and backup success rates across AWS, Azure, and GCP.

Does this work with the backup tools we already use?

Yes. OpsCanvas is complementary to Rubrik, Veeam, Cohesity, AWS Backup, and Azure Backup. It does not replace them. Those tools store and restore your data. OpsCanvas validates your posture: whether your backup configurations match your recovery objectives, where coverage gaps exist, and whether your DR plan reflects what's actually running in production.

What happens after the Backup Posture Assessment?

After the assessment, OpsCanvas can set up ongoing monitoring to track backup coverage, data growth, and compliance drift on a quarterly, monthly, or continuous basis. For teams ready to close the gaps the assessment identified, the DR Workflow is the AI-governed remediation engine that implements the findings, with Oscar discovering, agents executing, and humans approving every material decision. The full program is described on the Resilience solution page.

Get Started

Your backup plan says one thing. Your live environment may say another.

Talk to us about a Backup Posture Assessment. We'll walk through your environment, scope the engagement, and show you what Oscar finds in your first session. No tagging required, no credentials shared.

Complementary to Rubrik, Veeam & AWS Backup · AWS, Azure & GCP · Audit-ready DR Plan included