Minimum viability, sometimes referred to as a “minimum viable company”, means having a keen understanding of just the most critical assets and what it takes to restore them to be operational after a cyberattack or incident.

The rise of cyberattacks is forcing organizations to rethink their recovery strategies. While detecting threats remains critical, a more significant challenge has emerged: making sure protected data is clean and available to bring a company back online.  And that’s the scope of minimum viabilitity.

Developing a plan for minimum viability starts well before an attack and has basically three main phases: first an accurate and aligned view of the core processes and dependent systems, then understanding the cost of downtime for those core resources, and finally making clear and actionable plan to restore critical systems, data, and processes.

Accurate and aligned view of the core processes and dependent systems requires a proper inventory of your resources. You must identify systems and services required to minimize downtime or business interruptions, to permit an organization to resume delivering its mission with minimal disruption.

Organizations usually tier applications and services by priority to the business. For example, ServiceNow’s Business Continuity Management model categorizes applications as: business critical, mission critical, non-critical. But is not a one-size-fits-all approach, as every organization and its mission is different.
The National Institute of Standards and Technology (NIST) offers a business impact analysis template to help in planning. 

Understanding the cost of downtime for those core resources is another problem: this is most commonly measured in cost per minute/hour/day, customer loyalty, patient care, brand impact, regulatory fines, and more. A 2024 report from Enterprise Management Associates puts the average cost of an outage at $14,056 per minute. But each company may have it’s onw metrics and cost analisys.

Making a clear and actionable plan it’s easy to say, but difficult to implement properly. This includes a focus on both cyber resilience and recovery, thereby maintaining continuity and trust.
As part of minimum viability, organizations must include the ability to automate, test, audit, and continually improve rapid restoration, confirming they are ready to remain resilient in the face of evolving threats.

Commvault offers capabilities to help different types of organization to get the minimum viability and beyond as quickly, clean, organic as possible. These include:

• Identity Recovery: Active Directory & Entra ID protection with forest-level recovery to rebuild the entire AD environment at scale required to rapidly establish minimum viability.
  Commvault offers automated, forest-level recovery of AD that includes the auto-generation of custom run books and point-and-click simplicity to recover complex AD environments in minutes or hours, rather than weeks.
• Communications Recovery: Backup and protection for Microsoft 365 and Google Workspace collaboration platforms.
• A huge coverage of protected workloads: On-prem, hybrid, and cloud workloads across apps, databases, VMs, files, objects, SaaS apps, and more.
• Cloud security with resource discovery and mapping: To find the hundreds or even thousands of cloud resources used by your organization, including serverless and containerized compute, NoSQL databases, ML and AI services, virtual networking, and more. Unprotected cloud resources, dependencies, and configurations extend the recovery times of restoring critical cloud infrastructure after an outage or attack – a risk that can be avoided with automated cloud resource discovery, mapping, and configuration protection. 
• Air-gapped, immutable backup storage: Keep data protected from ransomware attacks with airgapped copies.
• Isolated, on-demand testing via Cleanroom: On-demand recovery to secure, isolated locations on the cloud helped by automation, for testing, to conduct forensics, and initial production recovery directly from cloud-based immutable and indelible storage. 
• Cloud-scale recovery: Leverages cloud techniques (even for on-premises environments) to recover large datasets rapidly. Recovering critical data after a cyberattack requires a complex and cumbersome set of operations. However, modern cloud techniques – from the parallel nature of microservices-based to serverless scale – can help streamline large recovery processes to get businesses back online rapidly and reliably. 
  Commvault offers automated, cloud-scale recovery capabilities. From leveraging serverless functions for restoring billions of objects in cloud datastores to using containerized microservices to bring cloud-like speed and scale to on-prem recovery, Commvault gives customers cloud-scale recovery to enable reliable, rapid recovery at scale. 
• Recovery-as-code: Automates rebuilds of cloud application and infrastructure stacks (networking, DNS, compute) to accelerate restoring minimum viability.  
• Rapid recovery for AI workloads: Residing in object stores like Amazon S3 and S3-based data lakes. This kind of storage requires a new set of protection and recover capabilities to handle the necessary scale. Recovering billions of objects – and helping verify all objects are properly restored and correlated to a previous point in time – is a complex and compute-intensive set of operations.
 

To achieve those capabilities, some specific Commvault products can be used to improve the minimum viability, expecially:

• Cleanroom Recovery is a  new era in cleanroom technology introduced by Commvault on April 29th 2024 that allows continuous testing and refinement of cyber recovery processes, helping provide clean restores of critical applications in isolated cloud environments. Use the cloud’s elastic scale to store data, practice recovery, and conduct isolated forensic analysis to investigate and remediate threats. 
• Commvault Cloud Rewind continuously discovers cloud-based application workloads, automatically maps related network and security dependencies, and protects it all in a segregated, air-gapped environment. Rewind the application stack to a point in time before a breach or configuration error occurred, rebuilding environments through recovery-as-code that can easily integrate into CloudOps processes or CI/CD pipelines. 
• Commvault’s Clumio Backtrack offers protection of emerging workloads with S3 backend (for example AI workloads), making possible to recover billions of objects accurately, reliably, and with the speed necessary to minimum viability quickly. 

With all those Commvault products is possible to improve the minimum viability with clear and actionable plan to restore critical systems, data, and processes. This includes a focus on both cyber resilience and recovery, thereby maintaining continuity and trust.

But is not only product related… also people and process are crucial, expecially the focus on who does what and how the teams work together… Traning, learning, testing, prove, improve are important phases. This can be tabletop exercises, simulations, and actual testing of the technology involved so you know what to expect when the worst happens.


For this reason Commvault has introduced Recovery Range, powered by SimSpace, an in-person event providing hands-on training to restore critical business applications and data assets, not just simulate an attack. It integrates realistic attack simulations with essential cyber recovery exercises to unlock a new era in cyber preparedness. Teams of four will collaborate to recover from an attack on Tekbite, a global manufacturing and retail business with online and brick-and-motor storefronts.

This seems a promising and unique type of service that can be very useful to improve and increase the security culture. It will be premied at RSAC 2025 with a 45-minute teaser, followed by Commvault-hosted roadshow with 2-hour long simulation.

For more information see also the Commvault’s guide to minimum viability.