Most enterprises already pay for backup execution and some form of posture scanning. The gap shows up at recovery time: jobs ran green, but nobody can prove cross-vendor separation, immutability, or clean-room restore outcomes when the auditor, examiner, or attacker asks. That is the enforcement gap — and it is why Forttic exists as a decision layer above the stack you already run.
Who this is for
Continuous Resilience Enforcement matters most when recovery proof is a board, regulator, or insurer requirement — not just an IT hygiene goal. This overview is written for:
- CISOs and security leaders who need continuous recovery proof without a war room for every posture question — see Why Forttic for the insurance and ransomware context.
- ResOps and backup engineering leads managing two to four backup vendors across AWS, Azure, and GCP — see vendor coverage for the full integration list.
- Compliance teams preparing DORA Article 11, NIS2, SOC 2 Type II, or ISO 27001 evidence — start with our DORA Article 11 playbook.
- Organizations facing cyber insurance renewal where underwriters audit control drift forensically — not just what you attested at application time.
Not sure where you stand today? Run the free 3-minute resilience assessment for a maturity snapshot against the CRE standard.
Three layers in your backup stack
Forttic's model — reflected across the product overview and Why Forttic pages — separates three adjacent layers. Understanding where each stops is the key to knowing what CRE adds.
1. Backup vendors execute
Veeam, Commvault, Druva, Clumio, Rubrik, Cohesity, AWS Backup, Azure Backup, and GCP Backup run jobs inside their own consoles. They excel at copy management within their stack. They cannot govern vendors sitting beside them, score 3-2-1-1-0 across the full estate, or produce unified cross-vendor evidence on demand.
2. Posture tools observe
Backup posture management (CBPM) tools and CSPM/DSPM platforms scan, map, and report. They surface drift — silent job failures, retention misalignment, coverage gaps — but the doing is left to your team. CBPM vendors are often backup vendors themselves; cross-vendor enforcement contradicts their commercial model. Observation without cross-vendor action leaves the hardest recovery decisions in a war room.
3. Forttic enforces
Forttic is the agentic enforcement layer above both. It discovers assets and backup state across clouds, scores drift against policy and regulation, remediates within guardrails you define, verifies recovery, and reports evidence on demand. As the homepage puts it: backup tools execute, posture tools observe, Forttic enforces.
Observation vs. enforcement
CBPM tools see the drift. Forttic closes the gap — bounded autonomy, audited every step, vendor-neutral by structure so it can govern Veeam and Commvault in the same loop. Low-risk drift auto-remediates; higher-impact decisions escalate with full before/after audit trails.
Enforcement vs. observation — at a glance
Forttic's positioning is consistent across the site. Here is how each category maps to what your organization actually needs at recovery time:
- Backup vendors (Veeam, Commvault, Druva) — execute jobs in their stack. Cannot govern cross-vendor or produce unified evidence.
- CBPM / posture tools — observe and report. Surface drift without cross-vendor enforcement or verified recovery proof.
- CSPM / DSPM — security and data-sensitivity lens. No recovery lens, no action on the backup estate. Forttic discovers cloud configuration natively — CSPM/DSPM findings are optional context, not a dependency.
- Forttic (CRE) — agentic enforcement above all. Cross-vendor, vendor-neutral by structure, proves recovery continuously, generates regulator-ready evidence.
For the decisions Forttic can delegate — clean-room test gaps, Object Lock tampering, DORA evidence on demand — see Ask Forttic and How Forttic Decides.
The CRE enforcement loop
What is Continuous Resilience Enforcement (CRE)? It is a five-stage decision cycle Forttic runs continuously across your estate — sense, decide, act, verify, audit. One loop. Every cloud, every vendor. Closing the gap between configured policy and live enforcement in minutes, not quarters.
- Discover — agentless inventory of cloud services (compute, databases, storage, network, IAM) and every backup job, snapshot, replica, and vault. Native discovery — no CSPM dependency required.
- Assess — risk and compliance scoring against policy, regulation (DORA, NIS2, SOC 2, ISO 27001), and business impact — re-evaluated as posture drifts, not on a quarterly schedule.
- Enforce — remediation skills execute within your guardrails: re-enable disabled jobs, correct retention, restore replication, re-apply encryption. High-impact actions escalate with full audit trails.
- Verify — tiered checks and clean-room restore validation; RTO/RPO measured where it matters. The blind restore problem ends here.
- Report — regulator-mapped evidence for DORA Article 11, NIS2, SOC 2 Type II, ISO 27001 A.12.3, and HIPAA — exportable on demand.
See the full loop and diagram on the CRE Framework page. Agentic architecture — knowledge, memory, triggers, skills, and tools — is detailed on How Forttic Decides.
3-2-1-1-0 in practice
The modern backup standard everyone configures — three copies, two media types, one offsite copy, one immutable copy, zero errors verified through recovery proof — is rarely enforced continuously across multi-vendor estates. Forttic does not redefine the standard; it makes auditable adherence provable. Each layer eliminates a specific class of data loss:
- 3 copies — copy-count drift detected the moment retention or replication fails, with co-location detection.
- 2 media types — storage diversity enforced; three buckets in one region will not pass. Cross-vendor concentration risk flagged before incidents reveal it.
- 1 offsite — geographic separation validated against cloud-provider metadata, not self-reported config. Availability zones do not count; regions do.
- 1 immutable — Object Lock continuously verified; governance-mode tampering detected. The layer ransomware hunts for is the one CRE watches hardest.
- 0 errors — tiered verification across copies; clean-room restores on tier-1 workloads on a defensible schedule. The only layer that determines whether your backup actually saves you.
Conventional practice verifies at configuration time. Forttic detects drift, decides what to fix, and enforces — within minutes, not quarters. Full layer breakdown on the CRE Framework page.
Why enforcement is inevitable now
Three forces converged on the same gap — and they explain why observation alone no longer satisfies boards, regulators, or carriers:
- Ransomware targets backups first. 96% of attacks target backup repositories; 76% succeed. When they do, the median ransom doubles. Backups went from the recovery plan to the primary objective.
- Regulators and insurers want continuous proof. DORA Article 11 has been in force since January 17, 2025. NIS2 and SOC 2 Type II demand operating effectiveness over time. Cyber insurers audit forensically — 25–40%+ of claims are now denied for control drift.
- No single tool governs across vendors. Backup vendors execute. Posture tools observe. Neither acts cross-vendor. Continuous enforcement is the layer nobody else builds — and Forttic is vendor-neutral by structure so it can.
The full market context — denial-defense evidence, silent-failure detection, ROI — is on Why Forttic.
Vendor-neutral by structure
Forttic governs the backup stack you already run — it does not replace it. Integrations span every tool on the vendor coverage page: Veeam, Commvault, Druva, Clumio, AWS Backup (with Elastic Disaster Recovery), and native Azure and GCP backup.
- No production agents — read-only IAM into cloud and backup-vendor APIs.
- Agentic enforcement — knowledge, memory, skills, triggers, and tools decide and act within guardrails you define. See How Forttic Decides.
- Per-account pricing — predictable economics at any scale. See the pricing page.
Week one, in practice: read-only connection, automatic discovery, posture scoring within 24–48 hours, and first isolated-recovery records once guardrails are agreed with your team — the same onboarding path on the homepage.
Frequently asked questions
What is Continuous Resilience Enforcement (CRE)?
An agentic enforcement layer that continuously discovers, scores drift, acts, verifies recovery, and reports — across every cloud and backup vendor. It sits above observation tools (CBPM, CSPM). Vendor-neutral by structure. See the CRE Framework for the full loop.
Do I need to replace my existing backup vendor?
No. Forttic is a decision layer, not a backup tool. Keep Veeam, Commvault, Druva, Clumio, or whatever you run today — Forttic uses their APIs to extract value you cannot extract manually. Consolidation takes years; Forttic governs all vendors in the meantime.
How is Forttic different from CBPM tools?
Observation vs. enforcement. CBPM tools scan, map, and report. Forttic acts — remediating drift within guardrails, verifying restores, and producing timestamped evidence. CBPM vendors are typically backup vendors themselves; cross-vendor enforcement contradicts their model.
How is CRE different from CSPM or DSPM?
CSPM observes cloud from a security lens. DSPM observes data from a sensitivity lens. Forttic observes the same cloud plus the backup estate from a recovery lens — then acts. Forttic discovers cloud configurations natively; CSPM/DSPM integrations are optional context.
I already pay for backup. Why also Forttic?
Backup vendors execute jobs inside their own stack. They do not produce cross-vendor evidence, and they cannot govern the vendors next to them. Forttic does — and remediates silent failures inside guardrails your team defines.
How does Forttic help with cyber insurance?
Denial defense. Modern claim rejections focus on control drift between application and incident. Forttic's Verify-stage record is the timestamped artifact that defeats a misrepresentation denial. Details on Why Forttic.
What regulations does Forttic help with?
DORA Article 11, NIS2, SOC 2 Type II, ISO 27001 A.12.3, HIPAA. Continuous, time-stamped evidence mapped to specific controls. See our DORA Article 11 guide for a compliance-focused deep dive.
Does Forttic make decisions without human approval?
Only ones you authorize. Low-risk drift auto-remediates. Higher-impact decisions escalate. Every action is logged with before/after state — auditable, reversible where possible, mapped to the regulation it satisfies.
Does Forttic require agents on production workloads?
No. Read-only IAM into cloud and backup-vendor APIs. No agents on production. Decision execution is limited to the backup estate. No production data stored.