Proactive Threat Detection with Recon Scanner for Veeam Data Platform

Cyberattacks continue to accelerate in scale and sophistication, and backup infrastructure has become a priority target. Threat actors understand that compromising backup environments can limit recovery options, conceal malicious activity, and increase pressure during extortion attempts. As a result, organizations need deeper visibility into the servers and systems that support backup and recovery.

Recon Scanner, powered by Coveware by Veeam, helps organizations achieve this visibility. It analyzes activity across Veeam Data Platform servers, detects known adversary behaviors that other security tools might miss, and maps those behaviors to the MITRE ATT&CK framework. With lightweight deployment and contextual analytics, Recon Scanner enhances the resilience of the entire backup environment.

What’s New: Enhanced Visibility and Faster Investigation

The latest release of Recon Scanner introduces several design upgrades that make threat detection more intuitive and investigation faster. These enhancements strengthen visibility across the backup environment and improve how IT and Security teams triage, analyze, and respond to suspicious activity.

Triage Inbox: A Unified View of Findings

The new Triage Inbox consolidates all Recon Scanner findings into a single, streamlined dashboard. Analysts can quickly sort, filter, and prioritize suspicious activity without switching screens or reviewing individual scan reports.

Each finding includes a severity score, behavioral context, and associated MITRE ATT&CK tactics. Users can flag findings for follow-up, archive completed investigations, and filter results by time and risk level. This unified workflow reduces investigation time and gives teams a clearer understanding of what’s happening across the Veeam environment.

Integration with Veeam ONE and Microsoft Sentinel

Recon Scanner findings now feed directly into the Veeam ONE Threat Center and Microsoft Sentinel, giving organizations consistent visibility across both IT operations and the SOC.

  • In Veeam ONE, Recon findings join operational insights, configuration checks, and backup monitoring to provide a holistic view of environment health and security.
  • In Microsoft Sentinel, analysts can correlate Recon Scanner detections with broader security telemetry, including identity activity, endpoint events, and network behavior.

These integrations eliminate manual data handoffs and make it easier for teams to understand the full lifecycle of suspicious activity — from initial behavior in the backup environment to downstream impact across production systems.

Limit Noise with Suppression Rules and Archiving

To reduce alert fatigue and maintain cleaner workflows, the latest release includes suppression rules and archiving capabilities.

  • Suppression Rules hide alerts triggered by known or expected activity, helping teams focus attention on true anomalies.
  • Archiving allows users to remove findings that have already been reviewed or resolved, keeping the Triage Inbox organized and manageable over time.

These enhancements streamline daily operations and ensure that analysts stay focused on the findings that matter most.

Additional Capabilities That Strengthen Detection

Beyond the new features, Recon Scanner continues to provide several core capabilities that enrich detection and improve visibility across the backup environment.

  • MITRE ATT&CK Mapping: Recon Scanner aligns findings with the MITRE ATT&CK framework, helping teams quickly understand the potential intent behind suspicious behaviors. Mapped behaviors include brute force attempts, unauthorized file execution, unusual network connections, and potential reconnaissance or exfiltration activity.
  • Threat Intelligence from Coveware: Detection logic is continuously updated with real-world ransomware insights from Coveware. As new indicators of compromise emerge from active investigations, Recon Scanner automatically incorporates them — ensuring customers stay aligned with evolving attack patterns.
  • Lightweight Deployment with Minimal Impact: Recon Scanner uses minimal system resources and operates independently from backup processes, making it safe to run across production environments. Its simple deployment and low overhead help organizations enhance visibility without introducing operational risk.

Getting Started with Recon Scanner

Recon Scanner is included with Veeam Data Platform Premium Edition at no additional cost. With deeper visibility, streamlined investigation, and enriched threat context, Recon Scanner strengthens organizations’ ability to detect and respond to suspicious activity targeting their backup environment. This helps teams stay one step ahead of evolving threats and reinforces the resilience of their backup and recovery strategy.
