Object First aims to turn backup immutability into something that doesn’t rely on complex configurations or the expertise of the current administrator. Founded in 2022 by Ratmir Timashev and Andrei Baranov, the creators of Veeam, the company has built its offering around Ootbi, an storage appliance specifically designed for Veeam environments and intended to protect backups against ransomware, internal errors, and threats from privileged users.
The commercial promise is ambitious: “absolute immutability.” In practical terms, Object First claims that data stored on Ootbi cannot be modified, deleted, or encrypted—even if an attacker gains administrative credentials for the backup environment. This is a strong statement in a market where many providers speak of immutable copies, but where real protection often depends on how storage is configured, who has access, and whether there are alternative ways to delete or alter data.
Why Backup Has Become a Top Priority Target
The fundamental change has been driven by ransomware. For years, many companies viewed backup storage as a secondary component: important but not part of day-to-day operations. Deduplication appliances gained ground because they allowed storing large volumes of data in a compact form, even if full recovery could be slow. When major incidents were rare, this trade-off seemed acceptable.
Ransomware changed that logic. Attackers learned that encrypting production systems isn’t enough if the organization can quickly restore from clean copies. Therefore, they began to seek out, delete, or encrypt backups before launching the main attack. If a company discovers the problem only after its production systems are locked and its backups have also been compromised, its ability to recover is severely diminished.
Additionally, internal threats increase the risk. Disgruntled employees, contractors with excessive permissions, or stolen privileged accounts can cause damage from within. In these cases, backup security can’t rely solely on trusting administrator users. It must also restrict what even an admin can do.
Object First addresses this scenario with a closed, highly focused architecture. Unlike more generic storage solutions, Ootbi is designed solely for Veeam. This decision reduces flexibility but also minimizes attack surfaces. Fewer protocols, fewer use cases, and fewer layers of complexity mean fewer entry points for an attacker.
Third-Party Validation of Immutability
The most sensitive aspect of their proposition is validation. Object First asserts that its immutability isn’t just marketing hype and commissions regular testing by NCC Group, a UK-based cybersecurity firm. According to published information from Techzine, NCC Group conducts penetration tests every six months with broad access to the system, including source code, and publishes results without Object First being able to influence the outcome.
One key conclusion from sector analysis is particularly clear: even if attackers know all the secrets—admin credentials and bucket access—they cannot modify data within Ootbi appliances. This doesn’t mean that a company’s entire environment is automatically protected; Veeam servers, networks, production systems, and retention policies still require robust security architecture. However, it reinforces the idea that the backup repository can be isolated against certain high-impact attacks.
Technically, Object First combines several measures. One is preventing remote root access. To log in as root, physical presence at the device with keyboard and monitor is required. It also enforces an “eight eyes” process for permanent data deletion: approval from two authorized customer contacts and two Object First employees, plus physical presence. The purpose is to prevent fraudulent requests, stolen credentials, or social engineering calls from resulting in critical backups being erased.
Integration with Veeam utilizes SOSAPI, the Smart Object Storage API. This API allows Veeam to access information from the S3-compatible repository, system capabilities, storage status, and features such as immutability or more efficient repository management. For Ootbi, Object First claims this integration enables activation of immutability, load balancing, and performance enhancements without complex manual configuration.
Fast Deployment and Prioritized Recovery
Another key selling point is rapid deployment. The company guarantees that Ootbi can be operational within about 15 minutes from unpacking to making the first backup. The process involves connecting power and network, configuring IP addresses and cluster name, generating S3 keys via the web interface, creating buckets, and pointing Veeam Backup & Replication to that destination. Immutability is active from the start.
Simplicity is not a minor detail. Many backup failures stem from misconfiguration rather than faulty tools. Hardened Linux repositories, compatible S3 appliances, permissions, users, retention policies, object lock, and access policies all work well if properly managed—but require technical expertise. Object First seeks to remove that burden and provide a hardened system tailored to a specific use case.
Performance is also part of the message. Each Ootbi node delivers up to 2 GB/s of throughput, with claims of linear scaling as nodes are added. Clusters can expand to 7 PB using Veeam’s scale-out repositories, which appear as a single storage unit to administrators. This architecture aims to facilitate fast recoveries, including instant VM restores.
Object First states it can simultaneously power brand new VM restores for at least 25 virtual machines directly from the backup storage using Veeam’s Instant VM Recovery. Unlike traditional deduplication appliances, the advantage lies in avoiding heavy rebuilding procedures during recovery. In a real incident where downtime costs money and reputation, speed of restore is as critical as the existence of the copy.
Additionally, the company is extending this approach to distributed environments. In October 2025, they launched Ootbi Mini, a compact version for small offices, remote branches, and edge locations, with capacities of 8, 16, and 24 TB. It maintains the same security and immutability guarantees as larger models but in a form suitable for locations without dedicated IT staff.
This week, Object First announced the general availability of Fleet Manager, a cloud service to manage distributed Ootbi deployments in Veeam environments. The platform allows centralized management of both standard and Mini appliances—a helpful tool for organizations with multiple sites, managed service providers, or those seeking a unified backup infrastructure view.
The commercial growth indicates the problem is well understood. Object First reported a 183% year-over-year increase in bookings for 2025, with EMEA as its strongest region, where growth hit 515%. Demand primarily comes from mid-market sectors and industries where rapid recovery and data protection are critical, such as healthcare, manufacturing, financial services, and organizations with many locations.
The solution doesn’t replace a comprehensive resilience strategy. No appliance can substitute for a well-executed 3-2-1-1-0 policy, restore testing, network segmentation, MFA, privilege controls, offline copies, or offsite replication. However, Object First highlights a specific problem: many organizations use Veeam but lack equally protected backup storage solutions.
The advent of appliances like Ootbi underscores a market shift from pure efficiency to secure recovery. Saving less and compressing more is no longer enough. The crucial question now is whether a company can recover its systems after an attacker has attempted to destroy their copies.
Frequently Asked Questions
What is Object First Ootbi?
Ootbi is a backup storage appliance built exclusively for Veeam. The name derives from “Out-of-the-Box Immutability,” emphasizing its capability to offer immutable S3 storage from deployment day.
What does “absolute immutability” mean?
Object First uses this term to indicate that data cannot be modified, deleted, or encrypted—even if an attacker has administrative credentials. The company supports this by commissioning regular testing from NCC Group.
Does Ootbi replace Veeam?
No. Ootbi does not replace Veeam backup software. It functions as an optimized, immutable storage repository designed specifically for Veeam Backup & Replication environments.
Who is Ootbi Mini suitable for?
Ootbi Mini targets remote offices, small branches, edge setups, and distributed sites that require local immutable backup without deploying complex infrastructure.