When the Attacker Has Admin Privileges: Everpure's Case for Making Storage the Last Line of Defense


A Fortune 100 organization got hit hard. Attackers used stolen credentials and native tools — no malware. They deleted thousands of endpoints and virtual clusters. Traditional defenses never fired.

But the data layer? Untouched.

That's the story Brandon Willitts, Director of Cyber Resilience at Everpure, keeps coming back to. Not because it's a good marketing story — though it is — but because it illustrates a shift in how security and engineering teams need to think about recovery.

"We don't ship storage," Willitts told me. "We ship trust."


How That Fortune 100 Organization Actually Recovered

Willitts didn't want to speculate on how the attackers pulled it off. But he was direct about how recovery happened — and it's worth paying attention to the specifics.

"We trained a customer engineer in 20 minutes to recover snapshots," he said. Not days. Not a war room of 15 people with a 200-page runbook. Twenty minutes.

That's possible because of how SafeMode snapshots work. The configuration is out-of-band — no single admin, machine, or human being can reach in and misconfigure or delete that access and control point. The snapshots are immutable and indelible. When the attack hit, the attacker had global admin privileges everywhere else. They had nothing at the storage layer.

"Your identity system is going to be compromised. Your endpoints are going to be compromised. Your network is going to be compromised," Willitts said. "But what happens when it gets to the storage and there's an entire deletion of that data? How do you recover?"

If you have SafeMode configured, you already know the answer.


The Gap Between "DevOps Backup" and Actual Recovery

Most developers think about backup as a checkbox. Snapshots. S3 buckets. Maybe an off-site copy. Willitts isn't dismissive of that — he just says it misses the point.

"You take backups for a lot of different reasons," he said. "But there's been a disconnect between where IT operations sits in an organization versus the business outcomes they're trying to support."

He gave a concrete example: a hospital where nurses can't see patients because the system is down. Recovery isn't about retrieving data. It's about opening the doors tomorrow — processing loans, seeing patients, running payroll.

"We aren't just recovering from a backup. We're making sure you can recover your business."

That reframe matters for developers and platform engineers. Backup is not a one-size-fits-all problem. The question isn't whether you have a copy of your data. It's whether you can get to the right copy, fast, and know it hasn't been tampered with.


The Human-in-the-Loop Isn't a Bottleneck

One detail in Everpure's architecture that caught my attention: the Human-in-the-Loop (HITL) requirement. For a developer audience that's used to automation handling everything, mandatory human authorization sounds like a recovery killer.

Willitts pushed back on that reading. The HITL requirement applies to deletion, not recovery. You don't need multi-party authorization to restore your data. You need it to delete it.

"We're providing a security layer for the event that your credentials are compromised," he said. "If you want to delete your data, you need multiple parties present. You don't need multiple parties present to recover your data."

SafeMode is auto-on by default. The snapshot capability is always there. The human layer is protection against a compromised identity or a rogue agent — not a gate between you and your data when you need it back.
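To make the asymmetry concrete (one operator can restore, deletion needs a quorum of distinct out-of-band approvers and an expired retention lock), here is an added illustrative model. It is not Everpure's code or SafeMode's implementation; the approver names, quorum size, retention window and clock are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set, Tuple

# Illustrative model only (assumed design, not SafeMode's real implementation):
# snapshots are write-once, restore takes one operator, deletion takes a quorum
# of distinct out-of-band approvers and only after the retention lock expires.

@dataclass
class Snapshot:
    data: bytes
    locked_until: datetime

class ImmutableSnapshotStore:
    def __init__(self, approvers: Set[str], quorum: int,
                 retention: timedelta, clock: Callable[[], datetime]):
        self.approvers, self.quorum = set(approvers), quorum  # out-of-band list
        self.retention, self.clock = retention, clock
        self._snaps: Dict[str, Snapshot] = {}
        self._pending: Dict[str, Set[str]] = {}
        self.audit: List[Tuple[str, str, str]] = []  # every attempt is recorded

    def snapshot(self, name: str, data: bytes) -> None:
        if name in self._snaps:
            raise ValueError(f"{name}: snapshots are write-once")
        self._snaps[name] = Snapshot(bytes(data), self.clock() + self.retention)

    def restore(self, name: str, operator: str) -> bytes:
        # No quorum here: the human-in-the-loop gates deletion, not recovery.
        self.audit.append(("restore", name, operator))
        return self._snaps[name].data

    def request_delete(self, name: str, requester: str) -> bool:
        """Record one approval; return True only when the quorum is reached."""
        self.audit.append(("delete-request", name, requester))
        snap = self._snaps[name]
        if self.clock() < snap.locked_until:
            raise PermissionError(f"{name}: retention lock active")
        if requester not in self.approvers:
            # A global admin role on its own is not an approver identity.
            raise PermissionError(f"{requester}: not an approver")
        approved = self._pending.setdefault(name, set())
        approved.add(requester)  # a set: one identity cannot count twice
        if len(approved) < self.quorum:
            return False
        del self._snaps[name], self._pending[name]
        return True
```

Running the scenario from the article against this model: a compromised admin can neither delete during the lock nor reach the quorum alone, while the on-call operator restores with no extra ceremony.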


On AI: The Velocity Changed, Not the Playbook

Willitts has an interesting take on AI-accelerated attacks that's worth hearing directly. He's not an alarmist.

"The attack patterns aren't changing. It's the velocity with which you're seeing attacks that's changing."

Wiper attacks aren't new. Credential harvesting isn't new. What AI does is put those things into hyperdrive. The attack window, he said, is now down to 15 minutes in some cases.

"Security is no longer compliance," he said. "You're not waiting around for someone to eventually patch that system. You're doing it now because the attack window is 15 minutes."

That has a practical implication: the controls you configure today need to hold up against an attacker moving at machine speed. Which is exactly why out-of-band configuration and immutable snapshots aren't nice-to-haves anymore.


Where Platform Engineers and SREs Should Start

If you're an SRE or platform engineer thinking about the "outside-in" model — assuming perimeter failure as your baseline — Willitts had a straightforward answer.

Start with your primary. Configure your basic security controls and resilience policies. Then set up a secondary site, whether public cloud or on-prem, and replicate across sites. Turn SafeMode on. And then — this is the part most teams skip — test it.

"Test it, and test it, and test it," he said. "You build that muscle. The more you sweat in peace, the less you bleed in war."

He drew the comparison to Netflix's chaos engineering approach — injecting failure modes in a production environment until recovery becomes muscle memory. You start in dev and staging. You work up to production. The goal is making it easy to do the right thing, not adding another tax on your engineers.

"We all love bridges and roads and we hate taxes," he said. "Same is true with security. You have to make it easy to do the right thing."


What the 1touch Acquisition Actually Adds

Everpure's acquisition of 1touch isn't just about data discovery as a feature. It's about business context — specifically, knowing what depends on what before the incident.

"Everybody is independent," Willitts explained. "You're asking Steve to ask Alicia to ask Stan what they think is important. And everyone is incented to think their stuff is most important."

But an ERP system that sits idle most of the quarter might be mission-critical on the last day. Without knowing the dependency map between applications, data, and business outcomes, recovery becomes guesswork.

The 1touch integration is meant to replace that guesswork with a policy-driven unified view — arrays, applications, regions, protection policies — surfaced in a single control plane. No one has to ask what's most important. The policies already know.


The Metric That Actually Matters

Willitts closed with the reframe that his team keeps pushing: downtime, not intrusion, is the number that matters.

He's not saying stop investing in the perimeter. The opposite. "Continue to invest," he said. "Lock your doors and lock your safe." Defense in depth still applies. But if you're not equally serious about what happens after the breach, you're building a security program that can detect a fire but has no sprinklers.

"Resilience and security are two sides of the same coin," he said. "Especially in today's day and age."

That's the ask. Not a replacement for what you're already doing. An honest look at whether you can recover — and how fast — when the thing you're defending against actually happens.


Tom will be covering Everpure Accelerate next month. Stay tuned for more from the event.
