Backups have been a last-resort lifesaver for years when everything else fails. But in the era of ransomware and polymorphic malware, they have also become a silent hiding place: threats that weren’t detected in time can remain buried in historical data and reemerge just when an organization tries to restore critical systems. This is the “blind spot” that Cohesity aims to close with its latest update.
On February 5, 2026, Cohesity announced a significant expansion of its protection capabilities within Cohesity Data Cloud, incorporating contextual information from Google Threat Intelligence and adding sandbox analysis supported by Google Private Scanning. The stated goal is for teams to identify, analyze, and eradicate malware before restoring, preventing reinfections and reducing the risk of reintroducing malicious files into production at the most critical moment: recovery.
Why backups have become a security issue (besides being a solution)
The shift in mindset is substantial. Traditionally, backup security relied on “post-hoc” scans, external tools, static signatures, and manual processes. However, according to Cohesity itself, this approach falls short when attackers operate long-term: “low-and-slow” campaigns, persistent intrusions, supply chain compromises, and malware that evolves enough to evade conventional signatures.
In practice, the risk is twofold. On one hand, an infected file restored from a historical backup can reinfect systems that have already been cleaned. On the other hand, backups can hold valuable evidence of a prolonged intrusion that went unnoticed at the time. Cohesity argues that this evidence shouldn't be off the security team's radar during an incident.
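To make the twofold risk concrete, here is an added example (not Cohesity's or Google's code, and not the Data Cloud API, which the announcement does not describe) of the kind of pre-restore check a recovery team would run: hash every file in each historical snapshot, match the hashes against a set of Indicators of Compromise, refuse the snapshots that contain a hit, and report both the earliest snapshot in which the indicator appears (evidence of how long the intrusion has been present) and the last snapshot taken before that point. The snapshot contents, timestamps and the IOC hash are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One point-in-time backup. Field names are hypothetical, not a vendor schema."""
    snapshot_id: str
    taken_at: str              # ISO-8601 date, used only to order snapshots
    files: dict[str, bytes]    # path -> file content (constructed sample data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed IOC: the SHA-256 of a made-up payload, standing in for a hash
# you would pull from a threat-intelligence feed. Not a real malware indicator.
PAYLOAD = b"constructed sample payload"
IOC_HASHES = {sha256_hex(PAYLOAD)}

# Constructed backup history, deliberately listed out of order to show that
# triage() sorts by capture time before reasoning about "first seen".
SAMPLE_SNAPSHOTS = [
    Snapshot("snap-02", "2026-01-17", {
        "bin/app": b"legit program v1",
        "etc/app.conf": b"listen=8443",
        "tmp/update.exe": PAYLOAD,          # payload first appears here
    }),
    Snapshot("snap-01", "2026-01-10", {
        "bin/app": b"legit program v1",
        "etc/app.conf": b"listen=8443",
    }),
    Snapshot("snap-03", "2026-01-24", {
        "bin/app": b"legit program v2",
        "etc/app.conf": b"listen=8443",
        "tmp/update.exe": PAYLOAD,          # still present a week later
    }),
]


def scan_snapshot(snap: Snapshot, ioc_hashes: set[str]) -> list[tuple[str, str]]:
    """Return (path, sha256) for every file in the snapshot whose hash is a known IOC."""
    hits = []
    for path, content in sorted(snap.files.items()):
        digest = sha256_hex(content)
        if digest in ioc_hashes:
            hits.append((path, digest))
    return hits


def triage(snapshots: list[Snapshot], ioc_hashes: set[str]) -> dict:
    """Scan all snapshots oldest-first and summarise what is safe to restore.

    infected: snapshot_id -> list of IOC hits (these must not be restored as-is)
    first_seen: oldest snapshot containing an IOC (start of the known dwell window)
    last_clean_before_first_hit: newest snapshot taken before any IOC appeared;
        the conservative restore point, since later snapshots were captured while
        the intrusion was already under way even if a given file looks clean.
    """
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    infected = {}
    for snap in ordered:
        hits = scan_snapshot(snap, ioc_hashes)
        if hits:
            infected[snap.snapshot_id] = hits

    first_seen = next((s.snapshot_id for s in ordered if s.snapshot_id in infected), None)

    last_clean = None
    for snap in ordered:
        if snap.snapshot_id in infected:
            break
        last_clean = snap.snapshot_id

    return {
        "infected": infected,
        "first_seen": first_seen,
        "last_clean_before_first_hit": last_clean,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SNAPSHOTS, IOC_HASHES)
    for snap_id, hits in report["infected"].items():
        for path, digest in hits:
            print(f"BLOCK  {snap_id}: {path} matches IOC {digest[:16]}...")
    print(f"first seen in: {report['first_seen']}")
    print(f"restore from:  {report['last_clean_before_first_hit']}")
```

Hash matching is the cheapest check and is exactly what the polymorphic malware mentioned at the top of the article is built to evade, which is why the announcement pairs intelligence lookups with behavioural sandbox analysis: a file with no IOC hit but suspicious provenance still warrants detonation before it goes back into production.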
Threat intelligence “inside” the console: context without switching tools
The first part of the announcement is the integration of Google Threat Intelligence into the Cohesity Data Cloud interface. The message is clear: fewer handoffs, fewer screens, more context in the same place where recovery decisions are made.
According to the company, these embedded capabilities allow querying Indicators of Compromise (IOCs), reputation data, and threat details without changing platforms. Moreover, Cohesity notes that these insights include learnings from Mandiant, Google’s incident response and intelligence division, aiming to add “investigative context” to findings.
As Cohesity product director Vasu Murthy states, the core issue is that malware hiding in backups can not only reinfect but also reveal attacks that “evade traditional detection” if analyzed with appropriate tools at the right time.
The game-changing leap: detonate suspicious files in a private sandbox before restoring
The second piece—and probably the most striking—is the secure sandbox analysis enabled by Google Private Scanning. The idea: when a file is suspicious, teams can launch a copy in an isolated environment and observe its behavior without risking the production infrastructure or the recovery environment itself.
Cohesity asserts that this approach provides detailed behavioral analysis: system changes, network activity, registry modifications, and other indicators of what the payload does when executed. The promise is to give recovery teams a more solid basis for deciding whether to restore, block, or isolate a set of data. The announcement also repeatedly stresses privacy and data sovereignty, since the analysis runs under a "private" scanning scheme rather than a shared public one.
The operational nuance is important: Cohesity positions this within the cyber resilience layer, not as a separate service reserved for SOC teams. In other words, it brings "frontline" tools commonly used in incident response closer to the point where someone decides whether a business's systems are safe to bring back online or still too risky to restore.
Promised benefits: speed, coordination, and “no extra complexity” resilience
The announcement groups the impact into four axes: faster identification and remediation; actionable insights thanks to sandbox detonations; improved collaboration between IT and security teams with shared intelligence views; and enhanced cyber resilience by lowering the risk of restoring infected data.
Beyond the list, the underlying message remains consistent for serious incidents: recovery time isn’t just about RTO and RPO. It’s also about trust. Restoring quickly is pointless if you restore badly.
From Google Cloud, Miton Adhikari (OEM alliances security lead) emphasizes this blind spot: attackers hide malicious payloads where “traditional tools don’t look,” including backups. The integration aims for organizations to “detect what others can’t see” and recover more swiftly and securely.
FortKnox and the “cyber vault” concept: an isolated copy for the worst day
These improvements are part of a broader roadmap between Cohesity and Google Cloud. Cohesity notes that its partnership with Google expanded in mid-December, incorporating resilience and availability initiatives on Google Cloud.
Within this framework sits Cohesity FortKnox, described as a managed "cyber vault" that keeps an air-gapped copy of critical data so that a clean recovery remains possible even if primary systems and conventional backups are both compromised. Cohesity states that FortKnox is available on Google Cloud, aimed at scenarios where isolation and immutability are the last line of defense once everything else has failed.
Availability: now in production and also on Marketplace
Cohesity affirms that both the Google Threat Intelligence integration and sandbox analysis are generally available within Cohesity Data Cloud. The offering can also be found on the Google Cloud Marketplace, making it easier for organizations already operating parts of their resilience or workloads on Google Cloud to adopt.
Frequently Asked Questions
Why can malware still hide in historical backups even if the system appears clean?
Because backups preserve "snapshots" of the past. If the infection was already present when the backup was taken, the malicious files are stored along with everything else and come back on restore. This matters most for persistent, "low-and-slow" attacks, where the compromise may predate many of the backups an organization would otherwise consider safe.
What does a private sandbox add in analyzing malware before restoring a backup?
It allows launching a suspicious file in an isolated environment to observe its behavior (network activity, system changes, etc.) before reintroducing it into production, increasing confidence in the recovery process.
How does Google Threat Intelligence (including Mandiant) help within Cohesity Data Cloud?
It provides context and threat intelligence directly within the console: IOCs, reputation data, and investigative details, speeding up decision-making between IT and security without manual workflows.
What is an “air-gapped” cyber vault like FortKnox, and when does it make sense?
It’s an isolated data vault holding an immutable copy, separated from vulnerable environments. It’s used to ensure a clean recovery in extreme scenarios like ransomware attacks affecting both primary systems and conventional backups.
via: cohesity