
Commvault at TFDx RSAC 2026: Clean Recovery Is a Different Problem Than Fast Recovery
- Teren Bryson
- Tfd, Commvault, Security
- April 14, 2026
Everyone has a plan until they get punched in the mouth — Mike Tyson
One organization Chris Bevil worked with had a genuinely good disaster recovery program. Tabletop exercises, tested runbooks, the whole thing. When ransomware hit, it took them 284 days to fully recover. And then, six months after that, they got hit again — because in those 284 days, nobody had confirmed the recovered data was actually clean.
Bevil, Commvault’s Global Head of Cyber and AI Resiliency and a recovering CISO by his own description, told that story at TFDx RSAC 2026 to make a specific point: “Disaster recovery today does not equal cyber recovery.” A good DR plan tells you how to get the lights back on. It does not tell you whether what you’re turning back on is trustworthy.
That distinction is the organizing idea behind everything Commvault presented at RSAC this year.
The Gap Nobody Talks About at the Tabletop
Bevil’s argument isn’t that DR is useless. It’s that DR and cyber recovery are solving different problems, and treating them as the same thing creates a specific kind of false confidence that’s genuinely dangerous.
Disaster recovery is built around speed. Something catastrophic happened, get back to operational as fast as possible. The threat model is hardware failure, natural disaster, data center outage. The data itself is assumed to be fine.
Cyber recovery is built around trust. Something adversarial happened, and your first question can’t be how fast you can recover — it has to be whether the data you’re recovering from has been tampered with. Ransomware operators don’t just encrypt your production data. They dwell. They move laterally. They establish persistence. The backup you’re about to restore from may have been protecting infected machines for weeks before anyone noticed.
Bevil’s other story made this concrete: a major retailer, a conversation with the VP of IT infrastructure, and a question halfway through that stopped him cold. The VP asked whether their organization should have an incident response plan. Bevil’s reaction was unambiguous: “I about fell out of my chair.” The point wasn’t that the VP was incompetent. It was that IT and security were operating in separate worlds, neither of which had thought to ask if the other had covered this.
ResOps: A Name for the Thing That Was Missing
Commvault is calling their answer to this “ResOps,” short for Resilience Operations. The core idea is that cyber resilience isn’t a backup problem or a security problem. It requires IT, security, cloud, and the C-suite working as one function, testing together, and assuming from the start that compromise is going to happen.
Bevil was direct about what that means in practice: “Testing is critical. If we don’t test and we don’t know where we are and what we’re gonna do, we’re going to be in a very, very difficult situation.” Not tabletop testing at the executive level only. Actual technical testing, at the level of the people who will be executing the recovery at 2am when the call comes in.
ResOps is also a product framework, and Michael Fasulo, Commvault’s Senior Director of Portfolio Marketing, walked through the technical layers that back it up. But the concept first — because the technology only matters if the organizational problem has been acknowledged.
The Technical Answer to the Clean Recovery Problem
The most interesting product announcement in the session was synthetic recovery, and it addresses the specific failure mode Bevil’s 284-day story describes.
The conventional approach to ransomware recovery is to find the last clean backup and roll back to it. The problem is that “last clean backup” might be weeks old, and you lose everything since. Alternatively, you pick a more recent backup and hope that the infected files haven’t gotten into anything critical yet. Either way, you’re making guesses and accepting data loss.
Synthetic recovery does something different. Rather than picking a point-in-time snapshot, Commvault’s platform scans across the entire backup history, identifies the last known clean version of each individual file, and constructs a composite recovery point from those. You get back to something close to current, without restoring the infected versions. It’s automated, it’s a single operation, and it’s built on the same indexing and threat detection that Commvault has been developing for over a decade.
Fasulo’s framing: “You don’t have to do step-three stores anymore. You don’t have to hunt through all of your different backups to find the latest copy of that data.” Senior Product Manager David Cunningham ran a live demo of synthetic recovery during the session, walking through the full sequence from ransomware detection to clean recovery in the product. Whether or not you find the marketing language around it compelling, the underlying capability is real, and it’s genuinely different from what most backup platforms offer.
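A minimal sketch of the per-file selection described above, set against the conventional last-clean-backup rollback. This is an added example, not Commvault's code: the catalog layout, the `Version` record and the rule that a digest flagged in any job is distrusted in every job are assumptions made here.

```python
from collections import defaultdict
from typing import NamedTuple

class Version(NamedTuple):
    job: int       # backup job number, higher = more recent
    path: str
    digest: str    # content hash from the backup index (shortened here)
    clean: bool    # scan verdict recorded when that job ran (assumed input)

# Constructed catalog: agent.exe is trojaned in job 2 but only detected in job 3;
# job 4 captures an encrypted document and a ransom note.
CATALOG = [
    Version(1, "/srv/db/orders.db", "a1", True),
    Version(1, "/srv/docs/plan.docx", "b1", True),
    Version(1, "/srv/bin/agent.exe", "c1", True),
    Version(2, "/srv/db/orders.db", "a2", True),
    Version(2, "/srv/docs/plan.docx", "b1", True),
    Version(2, "/srv/bin/agent.exe", "c2", True),
    Version(3, "/srv/db/orders.db", "a3", True),
    Version(3, "/srv/docs/plan.docx", "b2", True),
    Version(3, "/srv/bin/agent.exe", "c2", False),
    Version(4, "/srv/db/orders.db", "a4", True),
    Version(4, "/srv/docs/plan.docx", "b3", False),
    Version(4, "/srv/bin/agent.exe", "c2", False),
    Version(4, "/srv/docs/README_DECRYPT.txt", "d1", False),
]

def trusted(catalog):
    """Versions scanned clean whose digest was never flagged in any job."""
    bad = {v.digest for v in catalog if not v.clean}
    return [v for v in catalog if v.clean and v.digest not in bad]

def last_clean_backup(catalog):
    """Conventional rollback: newest job in which every file is trusted."""
    ok = set(trusted(catalog))
    jobs = defaultdict(list)
    for v in catalog:
        jobs[v.job].append(v)
    clean_jobs = [j for j, files in jobs.items() if all(f in ok for f in files)]
    if not clean_jobs:
        return None, {}
    newest = max(clean_jobs)
    return newest, {v.path: v for v in jobs[newest]}

def synthetic_recovery_point(catalog):
    """Composite: newest trusted version of each path, plus paths with none."""
    best = {}
    for v in trusted(catalog):
        if v.path not in best or v.job > best[v.path].job:
            best[v.path] = v
    return best, sorted({v.path for v in catalog} - set(best))
```

On this constructed catalog the rollback lands on job 1, while the composite takes orders.db from job 4, plan.docx from job 3 and agent.exe from job 1, and leaves the ransom note out because it has no trusted version.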
Backup as a Security Instrument
One thread running through the session that doesn’t always get surfaced in backup vendor presentations: Commvault is positioning the backup infrastructure itself as a detection platform, not just a recovery one.
The threat scanning layer has been in development for over a decade. It runs multiple engines, including anomaly detection, signature scanning, YARA rules, file-level hashes, and a deep scan capability that can detect polymorphic malware and zero-days. The depth matters because Fasulo noted something that should get attention from anyone running an EDR: “We had several customers call us up that their EDR didn’t pick it up, but we picked it up in the backup with our deep threat scanning.”
That’s not a boast about replacing EDR. It’s an observation that backup data has a different vantage point than endpoint detection, and that vantage point catches things that endpoint tooling misses. The signals generated by Commvault’s platform feed bidirectionally into SIEMs, SOAR platforms, and now Microsoft Sentinel’s data lake with Security Copilot layered on top. As Fasulo put it, “incident response is a team sport, and we can’t do it alone.”
A Few Other Things Worth Knowing
Commvault acquired Satori Cyber a few months before RSAC, and the integration was faster than most acquisitions of that type. Satori adds structured data discovery and classification (Snowflake, Amazon RDS, Databricks) to Commvault’s existing unstructured data capabilities, and it adds something newer: real-time data access governance that can sit inline in an AI/RAG pipeline, blocking PII from entering an LLM and generating signals when it tries to.
Identity resilience also got an expansion. Active Directory and Entra ID have been supported for a while. Okta is now added to the mix, with the same immutable protection and surgical point-in-time recovery that those other identity workloads get. The recovery is object-level, not full forest. If an account was compromised, privilege was escalated, and changes were made to the domain admins group, you can roll back exactly those changes rather than recovering an entire directory from scratch.
The Plan Problem
The 284-day story lands because it’s specific and because it has a second act. The organization had a plan. They executed it. They recovered. And then they found out the plan wasn’t built for the actual threat, because nobody had verified whether the recovered environment was clean before putting it back in production.
Most organizations in 2026 have a DR plan. Fewer have a cyber recovery plan. Fewer still have tested the difference between them. That’s the gap Commvault is building toward, and the honest version of the pitch isn’t “buy our platform.” It’s: figure out whether your plan has been tested against the thing that’s actually coming. And then, if the answer is no, start there.
The technology follows from that. The plan has to come first.


