Your backups are the first target. Make them the hardest one.
STACK Anchor turns your backup chain into cryptographically attested, air-gapped snapshot streams with restore-time integrity proofs — so ransomware can't quietly poison the recovery you depend on.
Immutable isn't the same as untampered
Object Lock and WORM prevent deletion. They don't prove the bytes you're restoring are the bytes you captured. Modern ransomware operators know exactly where the gap is.
Cryptographic Attestation
Every snapshot signed at capture by hardware-rooted keys. Merkle-tree commits anchored to a transparency log you can audit, replay, and prove in court.
Air-Gapped Replicas
Diode-pushed copies to write-once media or an isolated trust domain. Even with full admin compromise, the attacker can't reach the recovery copy.
Restore Integrity Proofs
Every byte verified against capture-time signatures before it touches production. Silent corruption surfaces in seconds, not after the first failed transaction.
Backup-Chain Threat Detection
Snapshot deletion attempts, retention shortening, and policy bypass on the backup plane treated as high-fidelity intrusion signals.
Zero Standing Privilege
Snapshot creation, deletion, and lifecycle changes require ephemeral, witness-attested authorization. No admin role can quietly drop your recovery window.
Compliance Evidence
NIST 800-209, ISO 27040, DORA backup integrity, HIPAA contingency plan, FFIEC business continuity — mapped to live cryptographic signatures, not screenshots.
→ Signature: HSM-rooted Ed25519 VALID
→ Merkle root: anchored to Rekor log entry 14,872,113
→ Block hashes: 8,442 / 8,442 match
→ Air-gap replica: SHA-256 diff identical
→ Capture witness: signed at 2026-05-15T03:14:22Z by hsm-prod-2
→ PROOF emitted to compliance.evidence.json — auditor-signable
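An added example, not STACK Anchor's own code: a minimal sketch of the restore-time check described above, where block hashes are committed to a Merkle root at capture and every block is re-verified before restore. It assumes a 4096-byte block size and uses HMAC-SHA256 from the standard library as a stand-in for the HSM-rooted Ed25519 signature; all function names, the key and the sample data are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 4096  # assumed block size

def leaf(block):
    return hashlib.sha256(b"\x00" + block).digest()  # domain-separated leaf hash

def merkle_root(level):
    level = list(level) or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        pairs = [level[i:i + 2] for i in range(0, len(level), 2)]
        # An unpaired node is promoted unchanged rather than duplicated.
        level = [hashlib.sha256(b"\x01" + p[0] + p[1]).digest() if len(p) == 2 else p[0]
                 for p in pairs]
    return level[0]

def block_hashes(data):
    return [leaf(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]

def _tag(key, leaves, root):
    # HMAC stands in for the capture-time signature; it binds block count and root.
    return hmac.new(key, len(leaves).to_bytes(8, "big") + root, hashlib.sha256).digest()

def capture(data, key):
    leaves = block_hashes(data)
    root = merkle_root(leaves)
    return {"leaves": leaves, "root": root, "tag": _tag(key, leaves, root)}

def verify_restore(data, manifest, key):
    """Return (status, bad_block_indexes) for bytes about to be restored."""
    leaves, root = manifest["leaves"], manifest["root"]
    if merkle_root(leaves) != root or not hmac.compare_digest(
            _tag(key, leaves, root), manifest["tag"]):
        return "manifest-invalid", []
    got = block_hashes(data)
    bad = [i for i in range(max(len(got), len(leaves)))
           if i >= len(got) or i >= len(leaves) or got[i] != leaves[i]]
    return ("blocks-mismatch", bad) if bad else ("ok", [])

# Constructed sample data: a 5-block "snapshot" and two damaged copies.
KEY = b"constructed-demo-key"
SNAPSHOT = b"".join(bytes([n]) * BLOCK for n in range(4)) + b"tail"
MANIFEST = capture(SNAPSHOT, KEY)
POISONED = SNAPSHOT[:2 * BLOCK] + b"\xff" + SNAPSHOT[2 * BLOCK + 1:]
TRUNCATED = SNAPSHOT[:3 * BLOCK]

if __name__ == "__main__":
    for name, copy in [("clean", SNAPSHOT), ("poisoned", POISONED), ("truncated", TRUNCATED)]:
        print(name, verify_restore(copy, MANIFEST, KEY))
```

A manifest regenerated over the poisoned bytes under a different key fails the tag check, which is the case write-once retention alone does not catch.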
From signed snapshot to provable restore, in three weeks
Anchor is a sidecar to your existing backup tool, not a replacement. Veeam, Cohesity, Rubrik, Velero, Druva keep doing what they do — Anchor adds the cryptography on top.
1. Map
Read-only inventory of every backup job, target, retention policy, and replica path. Anchor scores each chain for tamper-resistance.
Week 1
2. Sign
Sidecar deployed at the backup agent. Every new snapshot signed at capture; Merkle root anchored to your private Rekor instance.
Week 2
3. Prove
First end-to-end restore drill. Auditor-signable evidence pack generated. Air-gapped replica brought online with bit-verified parity.
Week 3
Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
Doesn't Veeam, Cohesity, or Rubrik already do immutable?
They do Object Lock and WORM — write-once retention. They don't cryptographically prove restored data matches capture-time data. Object Lock can be bypassed by a sufficiently privileged identity. Signed Merkle proofs can't.
What about S3 Object Lock?
Object Lock prevents deletion. It does nothing if a compromised backup agent writes garbage to the bucket — the garbage is then locked. Anchor signs at the source, before bytes hit any target.
What's the operational overhead?
Capture-time signing adds ~3ms per snapshot block. Verification at restore runs in parallel with rehydration. Net zero impact on RTO. Storage overhead under 0.1% for signatures.
Does it work on-prem and air-gapped?
Yes — the whole product runs on-prem. The transparency log can be a private Rekor instance. Air-gapped deployments use a one-way diode for replica push and offline signed-attestation export.