Object First at TFDx RSAC 2026: If You Can Turn It Off, It Wasn't Immutable
- Teren Bryson
- TFD, Object First, Security
- April 9, 2026
“When I use a word, it means just what I choose it to mean — neither more nor less.”
— Humpty Dumpty, Through the Looking-Glass (1871)
I’ve lost count of how many storage conversations I’ve sat through where immutability was presented as the answer and I nodded along without asking the obvious follow-up: immutable to whom? And what does it actually take to turn it off?
Object First has been asking that question since they were founded four years ago, and at TFDx RSAC 2026, Anthony Cusimano and Geoff Burke made the case that for most of the market, the honest answer is “an admin with the right credentials,” and in the context of a ransomware attack, that is not immutable. It’s a speed bump, or a bad and unexpected shot from a friend just as you’re trying to leave the bar. Looking at you here, Brandon.
The distinction matters more than it sounds. Ransomware operations aren’t smash-and-grab. They’re closer to a long con: get in quietly, sit for weeks or months, map the environment, find the credentials, escalate privilege, and then on a Friday night when the team is short-staffed, disable whatever’s in the way and pull the trigger. Backup storage is a primary target in 96% of attacks because the people running these operations understand what everyone should understand: if you can’t recover, you pay. Disabling immutability is just part of the pre-work.
The Company Behind the Claim
Object First was founded by Ratmir Timashev and Andrei Baranov, who also founded Veeam. That context matters here because, in building the backup software market, they observed that in nearly every ransomware incident affecting Veeam customers, Veeam did its job. The software held. The storage failed. Not because storage vendors were shipping defective products, but because every available option either had an administrative override reachable with enough privilege, or it lived in the same trust domain as the backup software, meaning one compromised layer took everything with it.
So they built a company to fill that gap. And in January 2026, Veeam acquired them.
If you want one honest measure of whether Object First’s claim about the market’s immutability problem is real, that acquisition is it. Veeam integrates with most of the storage market. They understand the competitive landscape as well as anyone. They didn’t acquire Object First for revenue or market share. They acquired the company their own founders built to solve a specific problem in the Veeam ecosystem. That’s a direct statement about how seriously they take the gap.
What “Absolute Immutability” Actually Means
Cusimano drew a hard line early: “The definition of immutable means it cannot be changed, altered, updated, or deleted. And if an admin could come in and, using their administrative privilege, disable immutability, it’s not immutable.” He introduced the term “absolute immutability” to distinguish what Object First does from what most vendors offer. Three things make the case.
The first is using S3 object lock in compliance mode, not governance mode. The difference: governance mode allows an authorized administrator to remove or shorten the lock period. Compliance mode doesn’t. Nobody shortens it: not the customer, not Object First, not Amazon. Object First builds their appliance around compliance mode only and doesn’t surface governance mode as an option. The attack vector of escalating privilege to flip the immutability flag doesn’t exist on their hardware because the flag isn’t accessible to anyone.
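The governance-versus-compliance distinction above is easy to state and worth seeing enforced. The following is an added example, not Object First's, Veeam's or AWS's code: it reproduces the documented rules of the two S3 Object Lock retention modes offline, runs the same privileged administrator against each, and includes a small audit of bucket lock configuration (in the shape returned by get_object_lock_configuration) that flags the governance-mode override the article describes. The principal, keys, dates and configuration dicts are constructed sample data; s3:BypassGovernanceRetention is the real IAM action governance mode honours.

```python
"""Governance vs compliance mode in S3 Object Lock, modelled offline.

Added example; not Object First's, Veeam's or AWS's code. GOVERNANCE mode
lets a principal holding s3:BypassGovernanceRetention shorten or remove
retention; COMPLIANCE mode lets no principal do so until retain-until passes.
Principals, keys, dates and bucket configs below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BYPASS_ACTION = "s3:BypassGovernanceRetention"   # real IAM action name


class RetentionViolation(Exception):
    """Raised when a request would weaken an active lock."""


@dataclass
class LockedObject:
    key: str
    mode: str                 # "GOVERNANCE" or "COMPLIANCE"
    retain_until: datetime
    data: bytes


@dataclass
class Principal:
    name: str
    actions: set = field(default_factory=set)


def put_locked(key, data, mode, days, now):
    """Write an object version with a retention period starting at `now`."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError(f"unknown lock mode {mode!r}")
    return LockedObject(key, mode, now + timedelta(days=days), data)


def shorten_retention(obj, new_until, principal):
    """Move retain-until earlier. Extending is always allowed in either mode."""
    if new_until >= obj.retain_until:
        obj.retain_until = new_until
        return True
    if obj.mode == "COMPLIANCE":
        raise RetentionViolation(f"{obj.key}: COMPLIANCE retention cannot be shortened by anyone")
    if BYPASS_ACTION not in principal.actions:
        raise RetentionViolation(f"{obj.key}: {principal.name} lacks {BYPASS_ACTION}")
    obj.retain_until = new_until          # governance bypass by a privileged admin
    return True


def delete_version(obj, principal, now, bypass_governance=False):
    """Delete a locked version: only after expiry or via an explicit governance bypass."""
    if now >= obj.retain_until:
        return True
    if obj.mode == "GOVERNANCE" and bypass_governance and BYPASS_ACTION in principal.actions:
        return True
    raise RetentionViolation(
        f"{obj.key}: under {obj.mode} retention until {obj.retain_until:%Y-%m-%d}")


def audit_lock_config(bucket_name, config):
    """Return findings for a bucket whose default retention leaves an admin override."""
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(f"{bucket_name}: object lock not enabled")
        return findings
    default = lock.get("Rule", {}).get("DefaultRetention")
    if default is None:
        findings.append(f"{bucket_name}: no default retention; new objects are mutable "
                        "unless the writer sets a lock")
    elif default.get("Mode") != "COMPLIANCE":
        findings.append(f"{bucket_name}: default retention is {default.get('Mode')}, "
                        f"removable with {BYPASS_ACTION}")
    return findings


# Constructed sample configs in the get_object_lock_configuration shape.
SAMPLE_CONFIGS = {
    "gov-bucket": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    "comp-bucket": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
}


def demo():
    """Run one privileged admin against both modes; return what each allowed."""
    now = datetime(2026, 4, 10, tzinfo=timezone.utc)
    admin = Principal("backup-admin", {"s3:*", BYPASS_ACTION})   # constructed principal
    results = {}
    for mode in ("GOVERNANCE", "COMPLIANCE"):
        obj = put_locked("veeam/backup-001.vbk", b"constructed payload", mode, 30, now)
        try:
            shorten_retention(obj, now, admin)                  # try to end retention today
            delete_version(obj, admin, now, bypass_governance=True)
            results[mode] = "deleted"
        except RetentionViolation:
            results[mode] = "survived"
    return results


if __name__ == "__main__":
    print(demo())
    for name, cfg in SAMPLE_CONFIGS.items():
        print(name, audit_lock_config(name, cfg))
```

The point the run makes is the one Cusimano drew: the same credentials that erase a governance-mode backup are refused outright by compliance mode, and the audit function is the check to add to a periodic review so a repository silently configured in governance mode does not pass as "immutable".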
The second is zero-time immutability. A number of storage systems buffer incoming data before committing it to immutable storage. That creates a window, however brief, where the data is unprotected. Object First writes directly to immutable storage. The data is protected from the moment it hits disk. Burke’s framing on this was blunt: “We don’t want slim chances or big chances.” The whole point of designing around zero trust is that you stop measuring risk in terms of how unlikely the bad scenario is.
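The buffering window is small enough that it is usually argued away; the following added example (not Object First's code) makes it concrete. Two toy stores replay the same ordered sequence of events: one stages writes in a mutable area and locks on a later commit, the other locks at write time. A delete that lands between write and commit succeeds on the first and is refused on the second, and each store exposes the count of unlocked objects a defender could poll. Events are ordered explicitly rather than threaded, so the window is deterministic; keys and payloads are constructed.

```python
"""Zero-time immutability: the staging window, modelled offline.

Added example; not Object First's code. BufferedStore stages a write and
locks on commit; DirectStore locks at write time. Events and data are constructed.
"""


class Locked(Exception):
    """Raised when a delete hits an object already under retention."""


class DirectStore:
    """Write path that locks on first write: there is no unlocked state."""

    def __init__(self):
        self.locked = {}

    def write(self, key, data):
        self.locked[key] = data

    def commit(self, key):
        pass                            # the write already landed locked

    def delete(self, key):
        if key in self.locked:
            raise Locked(key)
        return False                    # nothing to delete

    def unlocked_keys(self):
        return set()


class BufferedStore(DirectStore):
    """Write path that stages first and applies the lock only on commit."""

    def __init__(self):
        super().__init__()
        self.staging = {}

    def write(self, key, data):
        self.staging[key] = data        # mutable until commit runs

    def commit(self, key):
        if key in self.staging:
            self.locked[key] = self.staging.pop(key)

    def delete(self, key):
        if key in self.staging:
            del self.staging[key]       # succeeds: not yet under retention
            return True
        return super().delete(key)

    def unlocked_keys(self):
        return set(self.staging)


# Constructed event order: a delete arrives between the write and its commit.
EVENTS = [
    ("write", "veeam/backup-002.vbk", b"constructed backup payload"),
    ("delete", "veeam/backup-002.vbk"),
    ("commit", "veeam/backup-002.vbk"),
]


def replay(store, events):
    """Apply events in order; report whether the backup survived and the peak exposure."""
    refused = 0
    peak_unlocked = 0
    for event in events:
        action, key = event[0], event[1]
        if action == "write":
            store.write(key, event[2])
        elif action == "commit":
            store.commit(key)
        elif action == "delete":
            try:
                store.delete(key)
            except Locked:
                refused += 1
        peak_unlocked = max(peak_unlocked, len(store.unlocked_keys()))
    return {"survived": key in store.locked, "refused": refused, "peak_unlocked": peak_unlocked}


if __name__ == "__main__":
    print("buffered:", replay(BufferedStore(), EVENTS))
    print("direct:  ", replay(DirectStore(), EVENTS))
```

A non-zero `peak_unlocked` on the buffered store is the measurable form of Burke's "slim chance"; a store designed the way the article describes keeps that number at zero by construction rather than by timing.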
The third is the hardware appliance itself. Virtual storage and cloud storage inherit the trust relationships of whatever runs above them. Compromise the hypervisor layer or escalate to AWS IAM admin, and you can potentially reach the storage underneath. Object First’s answer is on-premises hardware with no command-line access, no BIOS access, and no destructive operations available to anyone, including their own support staff. Support access requires four-person validation: two from the customer side, two from Object First. Their position is that vendor privilege is a trust assumption they’re not willing to leave in place.
They’ve had NCC Group stress-test the whole thing. Full access: source code, credentials, everything. The finding: even with complete knowledge of the system, an attacker cannot modify data on the appliance. Object First publishes these reports publicly because, as Cusimano put it, security through obscurity is not a strategy. Burke’s summary of the NCC result was short: “Don’t trust me, trust NCC.” Given that they’ve been acquired by the company with the most at stake in this outcome, I’m inclined to take it seriously.
Where Zero Trust Meets Backup
Cusimano and Burke organized much of the session around Zero Trust Data Resilience, which Veeam has been developing as an extension of zero trust principles into the data protection stack. The short version: segment backup software from backup storage, assume breach at every layer, minimize what any principal can do by default. Burke’s analogy for why segmentation matters was a house. Getting through the front door doesn’t get you into the safe if the interior doors are also locked. It sounds obvious when stated that way. It’s considerably less obvious in most production environments, where backup software and backup storage tend to sit in the same trust zone because that was easier to configure at the time.
Built for Veeam. Full Stop.
Object First is purpose-built for Veeam, using Veeam’s Smart Object Storage API (SOS API). The integration handles capacity visibility across nodes, load balancing, and the performance requirements of Veeam’s instant recovery feature, which lets you run VMs directly off backup files while you work on a proper restore. Burke put the stakes plainly: “No one cares about backups. They only care about successful restores. You will be unknown if all your backups are successful. You will become known very quickly if your restore did not work.” That feature only works well if the storage layer is built around how Veeam thinks about data placement and retrieval. Object First built the appliance around those requirements from the start, rather than treating Veeam compatibility as a certification to earn later.
The 2am Design Requirement
Burke closed with something that doesn’t show up often enough in vendor presentations. Ransomware hits late Friday night. Long weekends. When the team is short, tired, and running on whatever’s left in the tank after a full week. He’s been doing data protection and recovery work for fifteen years and noted, without much embellishment, that “I have never been on an IT team in my whole career that was overstaffed.” He’s been on enough of those late-night recovery calls to know that even skilled, experienced people make bad decisions under that kind of pressure. The 15-minute setup time and the deliberate decision to limit what any user can do by default aren’t just security measures. They’re design choices made specifically for the conditions under which someone will actually need to use them.
Most storage products are designed for normal operations. Burke’s point is that the one you need to get right is designed for the worst night you’ve had in your career.
That framing, and the technical architecture behind it, is why Object First earned the acquisition. The immutability problem is real. They built a serious answer to it. And their core contribution, if you strip everything else away, is insisting that “immutable” means exactly what it says, not whatever a vendor decides it means that week. The proof that the problem was worth solving is in who bought them.