Backup and disaster recovery, tested before you need it.
A backup you have never restored is a hope, not a plan. We run immutable, air-gapped backups on the 3-2-1-1-0 standard, with tiered recovery and restores we test, kept in-region inside the EU.
Backup protects your data; disaster recovery protects your operations: one restores files after an outage, the other brings whole systems back within a target time. In 2026 the difference turned urgent because ransomware now targets the backups first, so a copy that can be reached and deleted is not really a backup at all. Argus Root runs both for organisations that have to keep running through an incident, with immutable copies and a recovery you have rehearsed, operated and restored inside the EU.
In short
- Backup and disaster recovery are different jobs: backup restores data, DR restores operations within a target time — having one does not give you the other.
- Modern ransomware targets the backups first, so a copy that can be altered or deleted is not a backup; it has to be immutable (write-once, object-locked).
- Two numbers decide the design: RPO (how much data you can afford to lose) and RTO (how long you can be down) — everything else follows from them.
- The rule grew to 3-2-1-1-0: 3 copies, 2 media, 1 offsite, 1 immutable or offline, and 0 recovery errors confirmed by a tested restore.
- A backup job that shows green is not a recovery: an untested restore is an assumption, and DORA and NIS2 now require tested continuity with defined recovery targets.
Backup is not the same as recovery.
Most providers offer backup; the 2026 Kaseya report puts it at 79% of MSPs, the most common service there is. Far fewer can bring your operations back inside a deadline. Backup creates point-in-time copies you restore step by step, with recovery measured in hours to days. Disaster recovery replicates whole systems to standby infrastructure and fails over in minutes. The right answer is usually both, matched to how long each system can be down.
| Question | Backup (BaaS) | Disaster recovery (DRaaS) |
|---|---|---|
| Protects | Data | Operations |
| What it restores | Files, databases, system state | Whole systems, networking, apps |
| Recovery time | Hours to days | Minutes |
| Best for | Data loss, operator error | Ransomware, outage, site loss |
The reason the distinction matters is cost. Downtime is a meter running rather than an inconvenience: an hour of stopped production in a large plant has been measured at around $2.3 million, more than six hundred dollars a second, and even a modest business loses revenue, trust and staff time for every hour it cannot operate. Backup answers whether you can get the data back; disaster recovery answers how fast you can be working again, and it is the second question the meter is counting against.
Treating them as one thing is where organisations get caught. A business with diligent backups and no recovery plan can retrieve its files and still be down for a week while it rebuilds servers, reinstalls applications and reconnects systems by hand. The data was safe; the operation was not. We run both as one discipline because the point is not preserving data in the abstract but resuming work within a time the business can survive, which takes architecture and rehearsal rather than copies alone.
If ransomware can reach the backup, you do not have one.
Modern ransomware goes for the backups before it triggers, so a copy your administrators can delete is a copy an attacker can delete. The 3-2-1-1-0 standard answers that: three copies, on two media types, one offsite, one immutable, and zero recovery errors verified automatically. Immutable storage cannot be altered or deleted by anyone, including an administrator, and an air-gapped copy sits outside the reach of your production network entirely.
CISA now treats immutability as mandatory rather than optional, and the cost has dropped far enough that it is within reach for mid-sized organisations. We build it in by default, and we keep the immutable copies in-region so recovery never depends on a jurisdiction you do not control.
The threat has become deliberate. Ransomware is now written to hunt for backup files specifically, locating, encrypting or deleting them before the main payload triggers, because the attackers know a working backup is what lets you refuse to pay. A recovery strategy that has not changed since 2023 is carrying more risk than its owners realise, defending against the hardware failure of the past while the actual threat goes after the safety net first.
There is a subtler version of the same problem: the contaminated backup. When an intrusion has been spreading quietly for days or weeks before anyone notices, the most recent backups may already contain the attacker's foothold, so restoring the latest copy restores the compromise with it. A real recovery plan accounts for this, keeping enough clean history and the means to recover to a known-good point rather than blindly to the newest one. Immutability protects the copy; knowing which copy to trust is the other half.
What do we run for you?
Copies that survive an attack, recovery sized to impact, and proof it works.
Immutable & air-gapped backups
The 3-2-1-1-0 standard built in: copies that cannot be changed or deleted, with an air-gapped layer outside the production network.
Tiered recovery
Hot, warm and cold targets matched to each system: near-real-time replication for the critical few, measured failover for the rest, so you pay for speed only where it earns it.
Tested restores
Automated boot verification and scheduled failover drills, because the only proof a backup works is watching it come back. If it does not boot, it is not a backup.
RTO / RPO engineering
Recovery targets set per system from a business-impact read, then the architecture built to hit them rather than aspired to on a slide.
DORA & NIS2 evidence
Documented continuity policies and test results that satisfy the resilience-testing duties under DORA and NIS2, and the proof cyber insurers now ask for. See compliance →
In-region retention
Backups and recovery environments kept inside the EU, so a restore never hinges on data sitting under foreign jurisdiction.
We measure minutes of recoverability, not gigabytes backed up.
Plenty of providers can show you a green backup dashboard. The number that matters is how long it takes to bring a real workload back, and whether anyone has checked lately. We run the backups on infrastructure we operate inside the EU, test the restores on a schedule, and report recovery in the terms a board and an auditor understand: time to recover, data at risk, and the date of the last successful test.
# nightly backup to EU object storage, object-lock = immutable $ restic -r s3:eu-central.example.com/acme backup /srv /etc --tag nightly # object-lock is enforced provider-side, so ransomware cannot delete it # the part most skip: prove the restore actually works $ restic -r s3:... restore latest --target /restore-test --include /srv/db $ sha256sum -c /restore-test/srv/db/checksums.sha256 # integrity # RTO drill: time the full bring-back of one critical system — monthly
3-2-1-1-0, and why the rule grew.
The backup rule used to be simpler. For years 3-2-1 was the standard, three copies, on two kinds of media, with one offsite, and it was enough when the worst case was a failed disk or a flood. Ransomware broke it, because an attacker who reaches your network can delete every copy that network can reach, offsite or not, so redundancy without isolation stopped being resilience.
So the rule grew two digits. The framework now recommended by CISA and its partner agencies is 3-2-1-1-0: the original three copies on two media with one offsite, plus one immutable or air-gapped copy that no user can alter, plus zero recovery errors confirmed by automated testing rather than assumed. The added one is the layer ransomware cannot touch; the zero is the admission that a backup nobody has tried to restore is not yet a backup. We build to the full standard rather than the historical one, because the historical one no longer survives the threat it now faces.
RTO and RPO: the two numbers that decide everything.
Every recovery decision comes down to two numbers. The Recovery Time Objective is how long a system can be down before the damage is unacceptable; the Recovery Point Objective is how much data you can afford to lose, which sets how often it must be backed up. Set them honestly and the architecture follows; guess at them and you either overspend protecting what does not matter or under-protect what does. The old defaults of an eight-hour RTO and a daily RPO were built for hardware failure and do not survive a ransomware scenario.
The numbers are not the same for every system, which is why we tier them. The handful whose loss means immediate financial or regulatory damage, the payment path, the core platform, justify near-real-time replication and an RTO measured in minutes; business-critical applications get a measured failover; supporting functions can tolerate a longer, cheaper recovery. The classification comes from what the business cannot do without rather than from what the IT team finds interesting, so the spend lands where the impact is rather than spread evenly across things that do not need it.
A green checkmark is not a restore.
The most dangerous backup is the one everyone believes in. The dashboard shows a green tick next to every job, the logs say success, and then the day comes to restore and the files are corrupted, the permissions are broken, a dependency is missing, or the copy is months stale because a job quietly stopped working and alerted no one. A backup that has never been restored is a guess wearing the costume of a safeguard.
So we prove it rather than trust it. Restores are tested instead of assumed: automated boot verification confirms a backup genuinely comes up, and scheduled failover drills rehearse bringing whole systems back, with documented results each time. The zero in 3-2-1-1-0 is exactly this, recovery errors caught by testing before they are discovered in an emergency. The measure we care about is minutes of proven recoverability rather than gigabytes copied, because only one of those is any use when production has stopped.
What does a real recovery look like?
When something fails, a recovery runs on a plan rather than improvisation. The systems are brought back in the order the business depends on them, the critical path first, with each restore verified before the next is trusted, and the people who have to make decisions, declare a disaster, choose a recovery point, accept a degraded mode, have made them before in a drill. The runbook is the difference between a recovery measured in the hours you planned for and one that drifts into days because every step is being worked out live.
The hardest case has its own path. When the failure is a ransomware attack that may have been present before the last backup, the plan does not restore blindly to the newest copy; it recovers to a clean point, in an isolated environment where the restored systems can be checked before they rejoin production, so the recovery does not reintroduce the attacker. Planning for the contaminated-backup case in advance is what separates a recovery that ends the incident from one that restarts it.
The cloud is not a backup.
A common and expensive assumption is that the cloud takes care of this. On its own, it does not. Backing up cloud data inside the same cloud account creates copies, not protection: one set of compromised credentials, or one provider-side problem, can reach the production data and the backup together. Real protection needs separation, a copy held outside that account, ideally on different infrastructure, beyond the blast radius of a single failure or breach.
The gap most often missed is SaaS. The data in a hosted email or productivity suite, and the identity configuration that governs access to it, is yours to protect rather than the provider's, under a shared-responsibility model most organisations have never read closely. The provider keeps the service running; recovering your data after you delete it, an account is compromised, or a retention window lapses is on you. We extend backup to those systems rather than leave the assumption that someone else is handling it, because the assumption is usually wrong and only tested at the worst moment.
In-region recovery, and the jurisdiction trap.
A backup is only as sovereign as the place it is restored from. Copies held in a US-controlled cloud, even on European soil, sit under foreign jurisdiction, which means a recovery for a regulated workload can hinge on data that a foreign authority could in principle compel, or that falls outside the rules you are held to. For the same reasons that drive the rest of our work, that is a dependency worth removing from the one process you turn to when everything else has failed.
So the backups and the recovery environments stay inside the EU, on infrastructure we operate, and the residency is documented rather than assumed. The moment of a disaster is the worst time to discover that your recovery path crosses a border you did not account for. Keeping the whole chain in-region means the restore answers to your rules and your jurisdiction alone, which is exactly when that certainty earns its place.
How does onboarding work?
Onboarding starts with the two questions that should have been asked first: what would it cost you to lose this system, and how long could you survive without it. From those answers we classify the estate into tiers, set an RTO and RPO for each, and map the current backups against them, which usually reveals the systems with no real recovery path and the SaaS data nobody was protecting. The first output is an honest picture of how recoverable you are now, which is rarely as recoverable as the dashboard suggested.
From there we build to the targets: immutable, in-region backups on the 3-2-1-1-0 standard, tiered recovery matched to the classification, and a documented runbook with the test schedule that keeps it honest. The drills then run on a cadence, quarterly for most and monthly for the critical, each producing the evidence DORA, NIS2 and a cyber insurer ask for. The aim is recoverability you have watched work rather than assumed, with the proof on file before anyone asks for it.
The human side of a recovery.
The technology is half of a recovery; the other half is people making fast decisions under stress. Someone has to declare a disaster, which starts the clock and the plan; someone has to choose the recovery point and accept the data lost beyond it; someone has to decide whether to run degraded or wait for full restoration, and to keep customers, staff and regulators informed while the work happens. A plan that names who does each of these, and has had them practise, recovers faster than one that is technically sound but silent on who is in charge.
This is why a drill rehearses the decisions rather than the mechanics alone. The first time a team makes these calls should not be during a real outage with the meter running and everyone watching. We define the roles, the escalation and the communication in the runbook and exercise them, so when it is real the question is which step we are on rather than who is supposed to be doing what. A recovery fails as often on confusion and hesitation as on a backup that would not restore.
Backup, retention, and the difference between them.
Backup and retention are easily confused and serve different ends. A backup exists to bring you back to yesterday after a failure; retention exists to keep data for as long as a regulation, a contract or a legal hold requires, which can be years. Conflating them leads to either keeping every backup forever at needless cost, or deleting data a rule still required you to hold. The two need separate policies sitting on the same well-run foundation.
So we set retention deliberately rather than by accident of the backup schedule: how far back the recovery points reach, how long copies are kept, and when they are securely disposed of, aligned to the obligations that genuinely apply to you. Keeping the right history also serves recovery, since the clean point you need after a slow-burning intrusion may be weeks old. The aim is enough history to recover and to comply, without the cost and exposure of hoarding everything indefinitely.
What an unrecoverable incident really does.
The reason all of this matters is that a failed recovery is often a terminal event. A business that cannot get its systems and data back does not merely lose a week; a significant share of organisations that suffer major data loss without a working recovery never fully reopen, undone by the lost revenue, the broken customer trust and the regulatory consequences that follow. The backup nobody tested becomes the reason the company does not survive the incident it was meant to survive.
Recoverability is therefore a continuity-of-the-business question rather than an IT line item, which is why the targets come from leadership rather than the server room. The investment in tested, immutable, tiered recovery is small against the cost of being unable to come back, and it is the cheapest insurance most organisations are underbuying. We frame it that way because the decision is a business one: how much downtime and data loss can you survive, and what is it worth to guarantee you stay inside that.
Can you recover from ransomware without paying?
The whole point of immutable, tested, clean recovery is the ability to say no. An organisation that can restore to a clean point on a timeline it can survive does not have to negotiate with an attacker or fund the next attack with a ransom; it recovers and moves on. An organisation without that capability is left choosing between paying criminals and losing the business, which is not a position any amount of detection alone can rescue you from once the data is encrypted.
So recovery is the backstop that makes the rest of a security program credible. Detection and response reduce how often you are hit and how far an attack gets; recoverability decides what happens when one lands anyway, as eventually one will. We build the recovery side so a successful attack is an expensive, documented disruption rather than an existential choice, which is the difference between a bad week and a closed company. The ability to recover is what removes the hold an attacker would otherwise have over you.
Who needs this?
The clearest case is an organisation under DORA or NIS2, which now have to demonstrate tested continuity with defined recovery targets rather than merely own a backup. Close behind are businesses whose cyber insurer or largest customers require evidence of a tested recovery plan before they will renew or sign. Any organisation whose operations stop when its systems do, which is most of them now, has a recoverability question whether or not it has answered it.
What they share is a gap between the backup they think they have and the recovery they would really get. A business running nightly backups it has never restored, or trusting a cloud provider to protect data the provider's own terms say is the customer's, is the typical fit. Where an organisation genuinely has tested, immutable, tiered recovery already proven, it does not need us; where it has a green dashboard and an untested assumption, it does, and the first assessment usually makes which one it is uncomfortably clear.
Questions buyers ask.
What is the difference between backup and disaster recovery?
What is the 3-2-1-1-0 rule?
What do RTO and RPO mean?
Why do immutable backups matter for ransomware?
How often should disaster recovery be tested?
Does this help with DORA and cyber insurance?
How much does an hour of downtime cost?
If we back up to the cloud, isn't that enough?
What if our most recent backup is infected?
How do you tier recovery by system?
Where is our data kept?
Who decides to declare a disaster?
How long do you keep backups?
Can you help us recover without paying a ransom?
How is backup and disaster recovery priced?
Do you back up databases and applications, or files alone?
How quickly can recovery be set up?
Pick a critical system. We'll prove how fast it comes back.
Tell us what you cannot afford to lose. We assess your current backups, run a verified restore on one critical workload, and report the real recovery time, before you commit to anything.