Commvault adds threat-hunting tools to backup scans

Commvault has expanded the threat-hunting features in its Cloud Threat Scan product, adding two new scanning modes for backup data.

The update is intended to help organisations identify compromised data before recovery begins and reduce the risk of restoring infected files into production systems.

Threat Scan now includes Hyper Threat Hunting and Deep Inspection. Hyper Threat Hunting lets teams search backup data using known threat artefacts, including hashes and YARA rules. Deep Inspection applies file-level analysis using malware signatures, machine learning, heuristic analysis and encryption detection aimed at ransomware-related activity.

Both modes can be used for recurring scans or targeted searches during an active incident. The detection tools are also linked with Synthetic Recovery technology, which is designed to remove compromised datasets during recovery while restoring data judged to be clean.

The changes reflect a growing focus on the integrity of backup environments after cyber attacks. Commvault cited industry data showing that the median dwell time for a non-actor-disclosed breach is 24 days, giving attackers time to place malicious code across multiple systems before discovery.

Backup checks

This has increased pressure on security and IT teams to inspect backup data as part of incident response rather than treat backups as automatically safe. Without a way to verify the state of stored data before restoration, organisations risk extending outages and reintroducing threats into live systems.

The latest product changes are intended to bring threat hunting and recovery into a single workflow. Commvault positioned that approach as part of its broader ResOps model, which aims to connect IT and security operations during resilience planning and incident handling.

Blue Yonder, which uses Commvault technology, said the ability to validate recovery data against current threat indicators has become more important as attackers change tactics.

"In an era where attacks adapt faster than defences, our priority is to get ahead of every threat. Being able to validate recovery data against current threat indicators is one way to stay ahead of it - ensuring we have more control in an unpredictable landscape," said Dr. Erika Voss, Chief Security Officer, Blue Yonder.

Analysts are also watching closer links between cyber detection and recovery tools as vendors try to address customer concerns about restoring clean systems after ransomware incidents.

"We're seeing a fundamental shift in how organisations approach recovery operations. The market is demanding integrated solutions that combine threat detection with recovery workflows, and Commvault's layered approach to verified clean recoveries represents where the industry is heading," said Fernando Montenegro, VP and Practise Lead Cybersecurity, The Futurum Group.

Wider push

The release is part of a broader effort by Commvault to position backup and recovery as a central part of cyber resilience rather than a separate IT function. Threat Scan is sold as a standalone product and is also included in the company's cyber resilience bundle.

The new threat-hunting features are generally available worldwide and will be offered at no extra cost to existing Threat Scan customers. That may help broaden use of the product among organisations that already rely on Commvault's backup and recovery tools.

Pranay Ahlawat, Commvault's senior technology executive, said the aim is to give security and IT teams a common operating model during incidents.

"Security and IT teams need to operate from the same playbook during an incident. Threat intelligence at scale is increasingly table stakes - what sets us apart is what happens next. By layering our proprietary signal correlation and AI-enabled algorithms on top of targeted threat hunting, and connecting that directly to verified recovery, we give organizations something powerful: not just the ability to find threats fast, but the confidence that what they restore is clean," said Pranay Ahlawat, Chief Technology and AI Officer, Commvault.