As someone who has spent many years researching attacks and supporting incident response teams, I’ve seen one question come up again and again:
How do we return to a verified clean state after an intrusion?
In every ransomware case, in every targeted espionage operation, that’s the final challenge. Once the attacker is out, you need to rebuild — but rebuild on what? Can you really trust your backups? Are they clean, or are they carrying the same tools and traces that caused the compromise in the first place?
That’s why I personally find this integration between Veeam and THOR so powerful. It addresses exactly this problem: ensuring that restored systems are not just available but verified. For me as Head of Research at Nextron, this is one of those rare use cases that perfectly demonstrate why forensic scanning matters — and how valuable it is to detect the subtle signs of compromise that traditional antivirus tools will always miss.
It’s a use case that feels almost obvious once you’ve seen it in action. But to those of us who have spent years chasing hidden persistence in breached networks, it’s nothing short of essential.
The Problem
Backups are the last line of defense during a cyber incident — especially in cases of ransomware or targeted intrusions. Yet even the most reliable backups can hide traces of compromise: misconfigurations, persistence mechanisms, or backdoors left behind by attackers. Restoring such data can silently re-introduce the adversary into a rebuilt environment.
Traditional recovery workflows focus on availability, not integrity. And that gap can turn the most trusted recovery plan into a risk.
The User Benefit View
Backups stop being just a last-resort copy when they become a verified source of truth. The Veeam–Nextron integration adds exactly that layer of assurance. By scanning Veeam backups with our forensic scanner, organizations gain visibility into artefacts that standard antivirus engines simply don’t target.
This brings a new analytical perspective: THOR uncovers attacker tools, scripts, and configurations that remain invisible to conventional detection.
As shown in our recent blog post titled “The Blind Spot Scanner”, THOR identified hundreds of threats missed by more than 70 antivirus engines — proving how forensic depth translates into real-world coverage.
Practical Impact
In practice, this integration makes life easier for admins and incident responders.
Instead of crafting ad-hoc scripts or trying to adapt Indicators of Compromise to closed AV formats, teams can simply feed their own forensic IOCs into THOR and scan Veeam backups directly. This makes it possible to verify whether traces of a known breach still exist in stored restore points — reliably and repeatably.
Traditional AV and EDR tools each have blind spots: AV engines focus on known malware, while EDRs observe runtime behavior. THOR bridges this gap by analyzing data at rest, detecting the configuration changes, scripts, and tools that typical products overlook.
Think of it as combining a blood test with an X-ray: one checks for the obvious, the other reveals what’s hidden. Together they provide a complete diagnostic view — ensuring that the systems you recover are truly clean, both reactively after incidents and proactively through scheduled scans.
Use cases and scenarios
The value of the integration becomes tangible when looking at real-world scenarios. Four common cases stand out where forensic backup scanning makes a decisive difference:
1. Ransomware incident recovery
When disks are encrypted and production systems become unusable, backups are often the last line of defense. But restoring them blindly carries the risk of bringing back attacker footholds along with the data. Many response teams assume that simply “going back far enough” in the backup chain will ensure safety — yet in practice it is rarely obvious which restore point is uncompromised. Without verification, even a carefully chosen backup may still contain backdoors, webshells, or attacker tools.
By scanning backups before recovery, organizations can ensure that they are not re-introducing the very mechanisms that enabled the initial compromise. This makes the difference between a restoration that truly resets the environment to a trusted state, and one that silently carries forward the attacker’s access.
2. APT response and parallel rebuilds
In many targeted attacks, intrusions go so deep that trust in the existing domain is permanently lost. In such cases, incident response teams often build a parallel clean environment — with new domain controllers, new accounts, and fresh infrastructure — and gradually migrate systems over.
THOR has long been used as the “disinfection lane” in this process: every system or backup passing from the compromised to the clean environment is scanned with sensitive rules and custom IOCs derived from the ongoing investigation. This ensures that none of the attackers’ backdoors, tools, or traces are carried into the new domain. It’s a proven, practical use case that has repeatedly shown its value in the field.
3. Compliance and audit requirements
For many organizations, it is not enough to simply claim that backups are safe — they need verifiable evidence. Running forensic scans on stored restore points provides exactly that: auditable proof that recovery data was actively checked for threats. This strengthens compliance postures and supports reporting to regulators, auditors, or insurers who increasingly expect demonstrable backup integrity.
4. Preventive scanning of backup data
Not every scan has to wait for an incident. With Veeam and THOR, organizations can also scan their daily or weekly backup sets proactively, directly on the central backup infrastructure. This offers several advantages: it puts no additional load on production endpoints, avoids any stability risks on critical servers, and still provides deep visibility into attacker artefacts that traditional AV or EDR solutions might miss.
Unlike AV engines that treat backups as collections of files, THOR understands system artefacts such as registry hives or event logs and applies its specialized modules to them — which means it can reveal attacker traces even inside complex backup data. Even without volatile data such as memory contents or live network traces, the vast majority of relevant attacker tools and backdoors are detectable in the static backup sets.
This makes preventive scanning a highly efficient way to add assurance across the entire environment: one central process produces a single THOR report that highlights anomalies or threats across all systems — without touching them in production.
A partnership that makes sense
The integration was developed in close cooperation with Veeam to make forensic backup scanning straightforward and reliable.
The joint approach is already featured in Veeam’s Community Script Library, where users can find a practical example of how to combine Veeam’s Data Integration API with THOR.
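The workflow described under “Practical Impact” and referenced here (publish a restore point through the Data Integration API, scan the mounted disks with THOR using case-specific IOCs, unpublish) as an added example; this is not the script from Veeam’s Community Script Library and not Nextron’s code. It assumes the Veeam Backup & Replication PowerShell module on the backup server, THOR installed under `$ThorDir`, and that the cmdlet parameters, THOR flags and custom-signature file naming shown are assumptions to be checked against the current product documentation.

```powershell
# Added example: verify a Veeam restore point with THOR before it is restored.
# Assumed: Veeam PowerShell cmdlets and parameters, THOR flags (--lab, --path,
# --htmlfile) and the custom-signatures IOC file naming. Check them against
# the vendor documentation before use.

param(
    [string]$BackupJobName = 'Example Backup Job',   # constructed job name
    [string]$ThorDir       = 'C:\Tools\THOR',
    [string]$ReportDir     = 'C:\ThorReports'
)

# 1. Drop investigation-specific IOCs where THOR is assumed to pick them up
#    (assumed convention: *-hash-iocs.txt in custom-signatures\iocs).
$iocDir = Join-Path $ThorDir 'custom-signatures\iocs'
New-Item -ItemType Directory -Force -Path $iocDir, $ReportDir | Out-Null
@'
# constructed placeholder, one entry per line: <sha256>;<description>
0000000000000000000000000000000000000000000000000000000000000000;PLACEHOLDER webshell from case notes
'@ | Set-Content -Path (Join-Path $iocDir 'case-PLACEHOLDER-hash-iocs.txt')

# 2. Select the most recent restore point of the job.
$backup = Get-VBRBackup -Name $BackupJobName
$rp = Get-VBRRestorePoint -Backup $backup |
      Sort-Object CreationTime -Descending | Select-Object -First 1

# 3. Publish the restore point's disks on the backup server itself
#    (Data Integration API); the server must be a Veeam-managed host.
$session = Publish-VBRBackupContent -RestorePoint $rp -TargetServerName $env:COMPUTERNAME
try {
    $info = Get-VBRPublishedBackupContentInfo -Session $session
    foreach ($disk in $info.Disks) {
        foreach ($mount in $disk.MountPoints) {
            # 4. Scan the mounted volume as data at rest. --lab (assumed THOR
            #    Forensic Lab mode) skips live-system modules such as process
            #    and network checks that make no sense on a mounted backup.
            $report = Join-Path $ReportDir ("{0}_{1:yyyyMMdd}.html" -f $rp.VmName, $rp.CreationTime)
            & (Join-Path $ThorDir 'thor64.exe') --lab --path $mount --htmlfile $report
        }
    }
}
finally {
    # 5. Always release the published content, even if the scan failed.
    Unpublish-VBRBackupContent -Session $session
}
```

Keep the resulting report alongside the incident record: it is the auditable evidence the “Compliance and audit requirements” scenario asks for, tied to a specific restore point and scan date.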
Conclusion
By combining Veeam’s proven backup technology with Nextron’s forensic depth, organizations can move beyond recovery and gain confidence in the integrity of their restore points.
THOR brings the visibility needed to uncover attacker traces hidden in backup data, while Veeam provides the reliability to restore clean systems quickly and safely.
Together, they enable a new level of assurance — one where availability and security go hand in hand, ensuring that every restore truly marks the end of an incident.
Marc Hirtz
Franziska Ploss
Florian Roth