TL;DR: Backup speed alone can reintroduce compromised data and extend reinfection, according to Commvault’s discussion of mean time to clean recovery and isolated recovery environments. The operational shift is from restoring fast to restoring from verified clean data, because recovery without cleanliness is just repeat exposure.
NHIMG editorial — based on content published by Commvault: Redefining Cyber Recovery and mean time to clean recovery
By the numbers:
- Without an IRE, modern forensic teams need 24 to 72 hours to certify complex hybrid environments as clean.
- Enterprise backup solutions often deliver 10+ hours per terabyte recovery performance.
- The 2025 State of NHIs and Secrets in Cybersecurity found that 91% of former employee tokens remain active after offboarding.
Questions worth separating out
Q: How should security teams design recovery so they do not restore compromised state?
A: Security teams should restore into a separated clean environment, scan restore points for indicators of compromise, and validate identity dependencies before production return.
Q: Why do backups and restore speed fail as recovery metrics after a breach?
A: They fail because they measure how quickly data moves, not whether the restored state is safe.
Q: What breaks when identity dependencies are not validated before production return?
A: Partial recovery breaks business continuity because systems may come online with mismatched data, stale access paths, or unresolved trust relationships.
Practitioner guidance
- Separate recovery from production trust boundaries Build or validate an isolated recovery environment where restored systems can be scanned and tested before they rejoin business operations.
- Scan restore points for indicators of compromise Inspect backup sets before restoration so malicious payloads, poisoned configuration, and compromised credentials are removed from the restore path.
- Define minimum viable company acceptance criteria Set the specific business, identity, and integrity checks that must pass before a service is declared recovered.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The recovery sequencing logic behind mean time to clean recovery and why each step must be validated in order.
- The practical distinction between cleanrooms, isolated recovery environments, and ordinary disaster recovery sites.
- The detailed business impact of 10+ hours per terabyte recovery performance across large enterprise estates.
- The collaboration points between SysOps, SecOps, and forensic teams when identifying clean backup sets.
👉 Read Commvault’s analysis of mean time to clean recovery and cyber resilience →
Mean time to clean recovery: is your recovery process actually clean?
Explore further
Clean recovery is now an identity governance problem, not only a backup problem. Recovery that restores data without proving trust state simply rehydrates compromise. That means access paths, tokens, and privileged relationships need to be treated as part of the recovery object, not as separate administrative detail. Practitioners should align recovery governance with identity governance, because the point of recovery is to re-establish trust, not just availability.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who is accountable for making recovery clean, not just fast?
A: Accountability should sit across backup operations, security, identity governance, and incident response, because clean recovery depends on all four. If any team treats recovery as only its own problem, the organisation can revive contaminated state. The practical answer is shared ownership with clear acceptance criteria before systems return to service.
👉 Read our full editorial: Mean time to clean recovery reframes cyber recovery priorities