Schrödinger's Backup: If You Haven't Tested a Restore, You Don't Have a Backup — CoPilot Blog
    Neura MarketNeura Market/CoPilot
    ChatGPTChatGPTClaudeClaudeGeminiGeminiCursorCursorGrokGrokPerplexityPerplexityCoPilotCoPilot
    DeepSeekDeepSeekStable DiffusionStable DiffusionMidjourneyMidjourney
    View All Directories
    OverviewRulesPromptsMCPsAgentsBlogVideosGuidesCoursesCommunityPluginsTrendingGenerate
    CoPilotBlogSchrödinger's Backup: If You Haven't Tested a Restore, You Don't Have a Backup
    Back to Blog
    Schrödinger's Backup: If You Haven't Tested a Restore, You Don't Have a Backup
    cybersecurity

    Schrödinger's Backup: If You Haven't Tested a Restore, You Don't Have a Backup

    Hugo | DevOps | Cybersecurity April 14, 2026
    0 views

    Let me introduce you to Schrödinger's Backup: the condition of your corporate data is simultaneously...

    Let me introduce you to Schrödinger's Backup: the condition of your corporate data is simultaneously pristine and completely destroyed until you actually attempt a bare-metal restore. I have sat in entirely too many incident response war rooms where a company gets hit by LockBit or BlackCat. The CEO is panicking, but the IT Director smugly crosses his arms and says, "Don't worry, we use Veeam. We'll just restore from last night." Ten minutes later, the blood completely drains from the IT Director's face. He realizes that the backup server was joined to the exact same Active Directory domain that just got compromised. The attacker used their stolen Domain Admin credentials to log into the backup repository and encrypted the backups, too. You didn't have a disaster recovery plan. You just had a really expensive secondary target. ### The Mechanics: Destroying the Safety Net Modern ransomware is not a dumb script that just blindly encrypts `C:\Users`. It is a human-operated, highly targeted "living off the land" operation. The absolute *first* thing a competent threat actor does after escalating privileges is hunt down your safety net. They query Active Directory for servers with "backup", "veeam", "rubrik", or "datto" in the hostname. They log into your hypervisors. They run `vssadmin delete shadows /all /quiet` to nuke your local Volume Shadow Copies. They log into your network-attached storage (NAS) and format the volume. Only *after* they have systematically dismantled your ability to recover do they push the button to encrypt your production environment. If your backup system relies on the same authentication perimeter (Active Directory, shared local admin passwords) as your production system, it will fall the second your domain falls. ### The Fix: Immutability and the 3-2-1-1 Rule The old 3-2-1 backup rule (3 copies, 2 media, 1 offsite) is dead. You need 3-2-1-1: the final "1" stands for **Immutable**. Immutable storage is Write-Once-Read-Many (WORM). Once the data is written, it is physically and cryptographically impossible to delete, modify, or encrypt it for a specified retention period. It doesn't matter if the attacker gets Domain Admin. It doesn't matter if the attacker gets the literal AWS root credentials. The storage API will simply reject any delete or modify requests until the timer expires. The modern Senior Engineer approach is to push your secondary backups to a cloud bucket with strict Object Lock enabled in Compliance Mode. ### The Code & Config Here is how you actually build an immutable vault. This Terraform snippet creates an AWS S3 bucket and locks it down with a 30-day compliance retention policy. ```hcl # THE REAL ENGINEER'S WAY (Immutable S3 Storage) # If an attacker compromises your entire datacenter and AWS keys, # they STILL cannot delete these backups for 30 days. resource "aws_s3_bucket" "immutable_backups" { bucket = "corp-airgapped-backups-2026" } # 1. Enable Object Lock (Must be done at bucket creation) resource "aws_s3_bucket_versioning" "backup_versioning" { bucket = aws_s3_bucket.immutable_backups.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket_object_lock_configuration" "backup_lock" { bucket = aws_s3_bucket.immutable_backups.id ``` --- > **⚠️ DECLASSIFIED / TRUNCATED VERSION** > You are reading a truncated version of this technical guide. > To read the full, unedited deep-dive (including all configuration files, architecture diagrams, and high-res images), **[visit the original post on Valters IT Docs](https://www.valtersit.com/guides/security/schrodingers-backup-if-you-havent-tested-a-restore-you-dont-have-a-backup/)**.

    Tags

    cybersecuritydisasterrecoverybackupsransomware

    Comments

    More Blog

    View all
    Minimalist EKS: The Easy Waykubernetes

    Minimalist EKS: The Easy Way

    Amazon EKS manages the Kubernetes control plane, but you remain responsible for provisioning the...

    J
    Joaquin Menchaca
    Never forget to enter the Stern Grove lottery again!ai

    Never forget to enter the Stern Grove lottery again!

    Browser automation with Playwright, Python, GitHub Actions, and Entire to auto-enter San Francisco Stern Grove concert lotteries each week!

    L
    Lizzie Siegle
    A Free Screenshot Editor That Never Uploads Your Imagetypescript

    A Free Screenshot Editor That Never Uploads Your Image

    A free screenshot and image editor that runs entirely in your browser. Keeping every edit reversible and handling big phone photos, in plain TypeScript and Canvas2D.

    M
    Martin Stark
    I built a CLI to break my highlights out of Apple Booksshowdev

    I built a CLI to break my highlights out of Apple Books

    A macOS CLI + MCP server that exports Apple Books highlights to Markdown and gives AI assistants direct access to your reading notes.

    A
    Andrey Korchak
    A Developer's Guide to Agent Hooks in Antigravity CLIai

    A Developer's Guide to Agent Hooks in Antigravity CLI

    Motivation To be quite honest, "Hooks"—the shell commands we trigger at specific points...

    T
    Tanaike
    Tactical vs. Strategic Agentic AI Development — A Playbook for Developersagents

    Tactical vs. Strategic Agentic AI Development — A Playbook for Developers

    The Strategic Engineer: Why Writing Code Is No Longer Your Most Valuable Skill ...

    A
    Adewumi Saheed Adewale

    Stay up to date

    Get the latest CoPilot prompts, rules, and resources delivered to your inbox weekly.

    Neura Market LogoNeura Market

    Discover the best AI prompts, plugins, and resources for CoPilot and more.

    Content Types

    • Rules
    • Prompts
    • MCPs
    • Agents
    • Guides

    Platforms

    • ChatGPT Directory
    • Claude Directory
    • Gemini Directory
    • Cursor Directory
    • Grok Directory
    • Perplexity Directory
    • DeepSeek Directory
    • CoPilot Directory
    • Stable Diffusion Directory
    • Midjourney Directory
    • All Directories

    Resources

    • Blog
    • Documentation
    • Help Center
    • Marketplace

    Legal

    • Privacy Policy
    • Terms of Service

    © 2026 Neura Market. All rights reserved.

    |

    Not affiliated with any AI platform vendors.