Veeam at TFDx RSAC 2026: Three Generations of Resilience (And You Need to Prepare for All of Them)

Rick Vanover, CTO of Veeam, opened his segment at Tech Field Day Extra RSAC 2026 with a statement that was either refreshingly honest or a very good bit of self-aware marketing: “Our audience has a very highly calibrated BS meter. I’ll be the first to say that. I live in a world of technical proof points.”

The thing is, he’s right. The crowd in that room — delegates, practitioners, industry analysts — does not come to nod along. If there’s a gap between the slide deck and the reality, someone in that room will find it and make things very uncomfortable for the presenter. So when Rick said that Veeam, the company most people associate with VMware virtual machine backup, is now in the business of primary data, DSPM (Data Security Posture Management), AI governance, and what he called “end-to-end resilience,” the room leaned in rather than checked out.

Let’s be honest about what this is: Veeam is in the middle of a strategic pivot. They haven’t finished making it. But after spending a few hours listening to Rick, Emily Taos, and Michael Cade walk through where the product is today and where it’s headed, I think the direction is right. Here’s why.

The three-generations problem

Emily Taos laid out the most useful framework I heard all day, and it’s worth keeping. She described three generations of resilience threat:

• Generation 1 — Operational resilience: the fire, flood, and hardware-failure era. Your tapes fell off the truck. You restored to the latest clean backup and got on with your life. Recovery time was the only metric that mattered.
• Generation 2 — Cyber resilience: ransomware, targeted exfiltration, the whole ugly decade-plus we’ve been living through. Your recovery point is now unknown; you don’t know when the threat actor got in, so you don’t know how far back you need to go. Speed of recovery is actually the wrong goal here. Fast recovery into a reinfected environment just means you fail faster.
• Generation 3 — AI resilience: overprivileged agents, non-human identities, and the reality that automation now allows organizations to make catastrophic mistakes at machine speed.

Emily’s kicker was the uncomfortable part: “It’s not just ‘cause we fixed one we could go to the other. We still need to prepare for all three. And maybe for all three to be taking place at once.”

Most IT shops I know are still trying to get Generation 2 right. The idea that Generation 3 is already lapping them is either alarming or irrelevant depending on where your organization sits. For many, it’s both.

“Clean” is in the eye of the beholder

Emily also drew a distinction that gets glossed over in most vendor conversations. When IT operations says backup data is “clean,” they generally mean: we have it, we can restore it. When security says backup data is clean, they mean something considerably more paranoid: has it been tampered with, are there backdoors lurking in it, and are we about to reinfect our own environment by restoring it?

These are not the same definition, and treating them as if they are is how you end up calling a ransomware incident contained when it isn’t. Veeam’s answer involves scanning at three different points in the backup lifecycle — before, inline during, and post-backup — plus integrations with over 60 security partners who can flag suspicious data before recovery begins. A new integration with Pure Storage, just GA’d weeks before the event, extends this to storage-level anomaly detection feeding directly into backup status flags. The ecosystem play here is genuinely broad.

You don’t know what data you have

Michael Cade walked through Veeam’s DSPM acquisition, a tool they’re calling Security AI, and introduced what he kept calling the “social network of data”: a graph database that maps across 350-plus connectors to show you what data you have, where it lives, who has access to it, and how sensitive it is. He made a claim that should land for anyone who’s ever done a data audit: “I guarantee when you implement Security AI and add all your data systems, you’re gonna find some God mode privileges out there still in 2026.”

That checks out. The data hygiene problem (what Michael calls ROT data: Redundant, Obsolete, Trivial) is real, and the pitch here is a two-fer: reduce storage costs and shrink your attack surface. If a threat actor exfiltrates a bunch of data that nobody’s touched since the Obama administration, that’s a very different regulatory and reputational problem than if they grab current customer PII. Rick made the same point from a different angle: once you’ve cleaned up the junk, the data you have left becomes more explainable, which matters enormously when you’re trying to answer the question “what exactly did they take?”

Toddlers with dynamite

The sharpest exchange of the day happened when Tech Field Day delegate Tom Hollingsworth asked the obvious question: what does Veeam actually offer to prevent AI agent disasters, not just recover from them? Tom’s framing was the most quotable thing said all day: “You’re giving toddlers dynamite and hoping that they figure it out. Yes, there is a perfect path to that, but there’s a lot of ways that things can get really messy.”

Rick’s response was equally direct: “We need tools as fast as the problem.”

That’s the right answer. Whether Veeam has those tools yet is the more honest question. Agent Commander, their recently announced product bridging DSPM-level visibility with surgical recovery, is real but early. The MCP integrations that let admins query backup status in natural language and pipe incidents into ServiceNow are in technical preview. The agents-governing-agents capabilities are still being built.

None of that is a criticism. It’s just where we are. The AI agent threat is outpacing the tooling designed to manage it across the entire industry, not just at Veeam. The difference is that Veeam is at least asking the right questions.

The bottom line

Veeam’s core job hasn’t changed: give you options when things go wrong. What’s changed is the definition of “things going wrong,” and that definition is now wide enough to drive a truck through. The three-generations framework Emily laid out isn’t just a good slide. It’s a practical reminder that the threat landscape is layered and cumulative, and that the backup conversation and the security conversation are, increasingly, the same conversation. Veeam is betting their entire messaging pivot on that being true. Having sat through their session at RSAC, I think they’re right.¹