There’s a moment in many executive war rooms when a CISO realizes their organization’s carefully maintained disaster recovery plan is completely useless. The backup system that would have saved them from a flood, a power outage, or a botched software update has just restored something far more dangerous than lost data: an attacker’s back door.
Walter Angerer has seen this scenario play out across industries, continents, and boardrooms. As chief development officer at Cohesity, the data security company formed from the merger of Cohesity and Veritas in late 2024, Angerer owns the product vision of one of the industry’s most-watched platforms. But his path to that office is anything but conventional.
A master’s degree in atomic and nuclear physics from Johannes Kepler University in Austria. Multiple patents in data compression and deduplication. A stint evaluating deals at Toba Capital. A VC-backed startup. A self-funded AI company. A vice president role at Veritas leading the NetBackup product line. And early career time at Siemens, where he first encountered the stakes of critical infrastructure security. This unconventional career arc is precisely why Angerer thinks differently about cyber resilience: It’s not a technology problem, but an operational one.
“I’m not approaching this only from a pure technology side,” Angerer says, “but actually more from understanding the operational challenges that our customers are facing. Many times, we as vendors like to provide technology, and we sometimes miss the understanding of what it means operationally to deploy this and make it work.”
The disaster recovery delusion
The first thing Angerer wants CDOs and CISOs to understand is a distinction that sounds obvious until you realize how many organizations are still getting it wrong: disaster recovery and cyber recovery are not the same thing.
Classic disaster recovery assumes your environment is clean and that you’re recovering from data loss, not data compromise. A cyberattack destroys that assumption entirely. Ransomware doesn’t just encrypt your files. It first spends days, sometimes weeks, silently mapping your environment, creating privileged accounts, planting dormant payloads, and building a blueprint of your infrastructure.
When you restore from a backup made during that dwell period, you don’t get your company back. You get your company back with all of its attacker-installed vulnerabilities intact, plus a set of keys that no longer belong to you.
“When you recover those,” Angerer explains, “I’ll just walk back through the same door I came in the last time and repeat my game.”
Cohesity’s cyber vault approach targets exactly this gap. Rather than a straight restore-to-production model, the cyber vault creates an isolated, air-gapped recovery environment where teams rebuild and verify a clean copy of the business before it ever touches live infrastructure.
Angerer describes a Swiss bank with branches in Hong Kong where compliance auditors required the institution to demonstrate it could run live banking transactions from exactly such a vault, entirely without touching production systems. The bank had to prove what Angerer calls a “minimum viable business”: a skeleton of critical applications running cleanly in isolation, before anyone gave the all-clear.
That audit requirement, he notes, originated in APAC. It won’t stay there.
The operational side of that recovery workflow is where Cohesity’s recently launched Recovery Agent comes into play. This AI-native system orchestrates the recovery process and handles what has traditionally been the most manual and most error-prone part of incident response: figuring out what was clean, when it was last clean, and what a safe recovery environment actually looks like. When the platform detects an anomaly, the Recovery Agent automatically spins up an isolated clean room and moves the suspect asset into it for forensic analysis — without waiting for a human to initiate the process. Security teams can then detonate flagged but unconfirmed files in a sandboxed environment through a Google VirusTotal integration, getting a verdict on whether they’re dealing with genuine malware before making any restore decisions.
Many organizations, Angerer says, are still “stuck in the ‘disaster recovery world’,” confident that two data centers and a nightly backup schedule constitute resilience. They don’t. Increasingly, regulators agree.
The cloud you don’t know you have
The disaster recovery confusion is the known problem. What concerns Angerer more is the one most enterprises haven’t fully registered yet: the cloud they think they understand, but don’t.
He tells the story of a large German client, a company that repeatedly insisted to Cohesity’s team that it was “all on-prem” with no meaningful cloud footprint. A year of conversations later, the team finally got access to the part of the organization that actually managed cloud infrastructure.
They had 14,000 cloud accounts.
This is not an outlier. Across enterprise organizations, cloud adoption began as a developer convenience, a fast lane for engineering teams operating outside the governance structures that traditional infrastructure demanded. Applications and data followed. Security governance, too often, did not.
“A good portion of what makes up your entire business is now in the cloud,” Angerer says, “and the ability to recover that from a cyber attack is not anywhere at the level, usually, what the on-prem solutions are, and they’re quite exposed.”
Part of the problem is a fundamental misunderstanding of the shared responsibility model. Cloud architects, Angerer observes, tend to assume that data protection is an on-premises concern and something the cloud service provider handles. It isn’t. The provider secures the infrastructure. You secure the data. And then there’s the basic hygiene issue: backup copies sitting in the same cloud tenant as the production data they’re supposed to protect, accessible to any attacker who’s already inside.
“My biggest worry,” Angerer says simply, “is that they don’t know how it’s being protected.”
Cohesity addresses the cloud visibility problem with two pillars. The first is the Cohesity Data Cloud platform, the unified architecture that the Veritas merger brought together. Angerer describes it not as a backup tool but as a common data platform from which cyber resilience, DSPM, and AI services all operate.
The second is Cohesity DSPM (data security posture management), the company’s data classification and governance layer. It is powered by Cyera, a classification engine Angerer singles out as one of the first solutions that can operate at genuine enterprise cloud scale, rather than the subset-scanning approach that older classification tools targeted.
For organizations navigating data sovereignty — a concern that has moved from compliance checkbox to geopolitical flashpoint, particularly across APAC markets where Singapore and Indonesia keep tightening localization requirements — Cohesity’s FortKnox offers a self-managed, sovereign-deployable vault architecture for enterprises that cannot legally route data through shared public cloud environments.
Cohesity has built out a network of in-country sovereign cloud partnerships to underpin it: the company serves as a launch partner for AWS’s European Sovereign Cloud and holds Sovereign Ready Solutions Partner status with Google Cloud. It also has potential deployments with SingTel’s RE:AI in Singapore, Micrologic in Canada, and AntemetA in France, with further sovereign partners in the pipeline.
When the weapon is a sentence
The threat landscape is also shifting in a direction that makes existing detection tooling largely irrelevant. Angerer’s team at Cohesity’s REDLab is watching the emergence of a new attack vector: natural language.
An IBM data breach report from 2025 found that 97% of surveyed organizations experienced breaches related to AI. At the Black Hat conference in August 2025, researchers demonstrated how a poisoned calendar invite could hijack an agentic AI workflow and take over an enterprise bot, one that, by design, already had elevated access to core systems.
The implications are serious. Traditional security tooling looks for code signatures: hashes, patterns, anomalous binaries. It has no framework for flagging a malicious instruction written in plain English.
“Your weapon is no longer code,” Angerer says. “You can actually use clear text instructions to hijack that specific agent. The kill chain is changing.”
Agents executing business workflows, from scheduling and IT ticketing to data retrieval and communications, already carry the access privileges needed to do real damage. Compromising them only requires a sufficiently clever prompt.
Cohesity embeds its answer to this threat in its ecosystem strategy rather than a standalone product. Partnerships with ServiceNow and products like DataHawk enable real-time monitoring of agentic activity patterns, flagging workflow signatures that deviate from normal behavior and triggering an automated response chain when something looks wrong. The ServiceNow integration goes further: when teams confirm an anomaly, the workflow moves from detection to ticketing to orchestrated recovery without human handoffs at each stage. For polymorphic malware, strains that deliberately mutate their fingerprints to evade hash-based detection, a Sophos integration applies file emulation and heuristic analysis to identify threats that look different but behave the same.
The hash-based threat hunt capability built into the Cohesity platform lets teams track when a newly identified malicious hash has appeared historically across backup snapshots. “We can show the timeline,” Angerer explains. “Like it showed up first in Singapore, and then it propagated to Hong Kong, and then it got over to the U.S.” Teams can add new threat intelligence to the hunt list and match it instantly, without rescanning or recalculating past backups.
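The following sketch is an added example, not Cohesity's code: it shows how a hash index recorded at backup time can answer a new threat-hunt query and locate the last snapshot taken before the hash appeared, without rescanning any backup. The catalog layout, function names, and hash strings are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample catalog: (site, snapshot date, file hashes seen in it).
# Hash strings are short placeholders, not real indicators.
SNAPSHOTS = [
    ("Singapore", date(2025, 3, 1), {"aa11", "bb22"}),
    ("Singapore", date(2025, 3, 2), {"aa11", "bb22", "evil01"}),
    ("Singapore", date(2025, 3, 3), {"aa11", "evil01"}),
    ("Hong Kong", date(2025, 3, 2), {"cc33"}),
    ("Hong Kong", date(2025, 3, 4), {"cc33", "evil01"}),
    ("US", date(2025, 3, 4), {"dd44"}),
    ("US", date(2025, 3, 7), {"dd44", "evil01"}),
]

def build_index(snapshots):
    """Inverted index built once at backup time: hash -> sorted [(date, site)]."""
    index = defaultdict(list)
    for site, day, hashes in snapshots:
        for h in hashes:
            index[h].append((day, site))
    for hits in index.values():
        hits.sort()
    return index

def propagation_timeline(index, ioc_hash):
    """First sighting of a hash per site, ordered by date."""
    first_seen = {}
    for day, site in index.get(ioc_hash, []):
        first_seen.setdefault(site, day)  # hits are sorted, so first wins
    return sorted((day, site) for site, day in first_seen.items())

def last_clean_snapshot(snapshots, index, site, ioc_hashes):
    """Newest snapshot for a site that predates every hunted hash there."""
    dirty = [d for h in ioc_hashes for d, s in index.get(h, []) if s == site]
    cutoff = min(dirty) if dirty else None
    clean = [d for s, d, _ in snapshots
             if s == site and (cutoff is None or d < cutoff)]
    return max(clean) if clean else None

if __name__ == "__main__":
    idx = build_index(SNAPSHOTS)
    for day, site in propagation_timeline(idx, "evil01"):
        print(day, site)
    print("Restore candidate:", last_clean_snapshot(SNAPSHOTS, idx, "Singapore", ["evil01"]))
```

A snapshot that predates every known hash is only a restore candidate: it says nothing about accounts or payloads planted during the dwell period that have no known hash yet, which is why verification in an isolated environment still follows.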
The one decision that matters
If there’s a single architectural call Angerer would urge every CISO and CDO to make today, it’s this: audit every asset hosted in the cloud, from SaaS applications to IaaS environments, and verify that each one carries the same protection standard as on-premises infrastructure.
“Do a deep audit of what’s going on with everything you use in the cloud,” he says, “and make sure you’re comfortable that that is at the same level that your requirements are, because many times it’s not.”
For many organizations, that audit will surface the same uncomfortable truth that Cohesity keeps encountering with its own customers: a sprawling, underprotected cloud footprint that nobody in IT, security, or even the board, has a complete picture of.
Working in conjunction with the Data Cloud platform, the Cohesity DSPM layer makes that picture visible: it classifies data by sensitivity and regulatory exposure, enforces governance rules during backup and restore processes, and prevents accidental cross-border data movement that could trigger a regulatory violation while the organization is already in crisis mode.
The real question for every CDO and CISO is whether they find their gaps before the attackers do — or after.
