
Threat Watch

Updated today

📝NOTE: The availability of this feature may be limited based on the license type, region, and other criteria. To access this feature, contact support.


🛡️ What is Threat Watch?

Threat Watch is your early warning system. It continuously scans your backup data to find Indicators of Compromise (IoCs), the traces attackers leave behind, such as known malicious file extensions or file hashes.


Why it Matters

Backups often reside outside the scope of primary security tools, so dormant or hidden threats can persist in them undetected. This can lead to serious issues, such as zero-day attacks or ransomware with extended dwell periods surviving within the backup environment.

If you accidentally restore a backup that contains these hidden threats, you could re-infect your entire system. Threat Watch prevents this by identifying and isolating infected snapshots before you ever try to use them.

Supported Platforms

Threat Watch is currently available for the following environments:

  • Cloud: Amazon EC2 & EBS Volumes, Azure Virtual Machines.

  • Data Centers: VMware Virtual Machines.

Access Path

To access this feature, from the Druva Cloud Platform Console, go to the Global Navigation menu > Cyber Resiliency > Posture & Observability > Threat Watch. The Threat Watch dashboard page opens.

Licensing and permissions

You must have a Premium Security SKU license and have a Druva Cloud Administrator role to access this feature.

How does it work?

Step 1: Backup - New data is backed up successfully and the snapshot/restore point is indexed, which makes it eligible for Threat Scan.

Step 2: Automated Scan - The indexed data is scanned against all IOCs (file hashes and file extensions) in the IOC Library. Automated scans are of two types:

  1. Continuous Scan, which runs at an interval of 8 hours (3 times daily) to catch newly added or changed data.

  2. Rescan, which runs on the last 30 days of data whenever new IOCs are added to the global library.

Step 3: Alerts - A Threat Watch - Match Found alert is generated when IOC matches are detected during a scan.

If you have subscribed to email alerts, a high-priority email notification with the subject Threat Watch: Match Found is sent immediately when an IOC match is found in a snapshot.

Step 4: Auto-Quarantine - If the Auto-Quarantine Settings option is enabled, infected snapshots/restore points are automatically isolated (quarantined) to prevent restore of infected data.

Automated Scan

⚙️ How Scanning Works

Druva uses two primary methods to scan your data:

  • Continuous Scan - Frequency: Every 8 hours (3 times daily). What it does: Continuously scans every 8 hours (3 times daily) to catch newly added/changed recent data quickly.

  • Rescan - Retrospective Scanning (New IOCs) - Frequency: When new IOCs are added. What it does: Performs a deep dive of the last 30 days of data whenever new IOCs are added to the global library.

Alerts and automated quarantine in case of threats

🚨 Immediate Alerting

Security is time-sensitive. Upon a confirmed IOC match within any resource’s snapshot/restore point, the system generates an immediate Threat Watch - Match Found alert.


💡Tip: Click on the alert (bell) icon on the top main console bar to view alerts.


If you have subscribed to email alerts, a high-priority email notification with the subject Threat Watch: Match Found is sent immediately when an IOC match is found in a snapshot.

These alerts can be integrated into your external SIEM/SOAR workflows via API. For more information, see

✅ Action: Quarantine (Isolation)

Visualization and Reporting


🖥️ Understanding Your Threat Watch Dashboard

The Threat Watch dashboard gives you a high-level summary of your security health. It includes the Scan Summary tab and the Impacted Resources tab.

Scan Summary tab

Provides a summary of threat scan results for all resources.

1. Last Scan Summary (The Big Picture)

  • Resources Scanned: The total number of resources scanned for threats.

  • Files Scanned: The total volume of individual files checked for threats.

  • Last Scan Status: Shows exactly when your last checks (Rescan or Continuous Scan) were completed.

2. Threat Results for a period of 30 days (The Warnings)

  • Impacted Resources: Shows a breakdown of which platforms (like VMware, Azure, or AWS) have detected threats.

  • Impacted by IOC Sets: Identifies specific types of malware found (e.g., "Petya" or "LockyBit") based on Druva’s global threat library.

3. Impacted IOC Sets - Provides an IOC-centric view of ransomware activity: a timeline graph that illustrates the infection trend and the count of files detected as matching the Indicators of Compromise (IOCs).

Impacted Resources tab

Provides a summary and detailed view of threat results for each impacted resource.

Impacted Resources Summary view

  • Resource Name - Name of the resource.

  • Resource Type - The resource type, such as VMware, Azure VM, or EC2 and EBS Volumes.

  • File Matches - The total number of file matches found.

  • Impacted Snapshots - Total number of impacted snapshots.

  • IOC Set - The IOC Set used for the scan.

  • First Matched On - The date and time stamp of when the first match was found.

  • Last Matched On - The date and time stamp of when the last match was found.

Use the Filter icon to search and filter the list by Resource Type and IOC Set.

Impacted Resources Detailed view

Click on the resource name to view the following details for that specific resource:

  • Resource Details

  • Scan Summary

  • Snapshot Status

  • Quarantine: Use the Quarantine option to manually quarantine infected snapshots.

  • Download Report: In the Snapshot Status section, select a specific snapshot and click Download Report to get a detailed report for further investigation.

🚦 Scan Results: What the Icons Mean

As Druva scans, it labels your "snapshots" (saved versions of your data) with colored icons:

  • 🟢 Clean: No threats were found. These are safe to restore.

  • 🔴 Impacted: Malicious files were detected. You should investigate these before recovery.

  • 🔘 Quarantined: These snapshots are isolated. They cannot be restored, preventing you from accidentally re-infecting your system.

Download Report for Threat Watch

You can use the Download Report option to download Threat Watch snapshot level detailed reports for offline investigation and auditing purposes.

The report is downloaded as a compressed (.zip) file when you click the Download Report option. The following is an example of the file naming convention of the downloaded file:

ThreatWatch-Snapshot_Tue_Dec_30_04_58_42_2025 (1).zip

What information does the Report contain?

The Report includes the following information:

  • Threat Scan Date and Time

  • Resource Name

  • Snapshot Name

  • Snapshot Size (Bytes)

  • Snapshot Status

  • Number of impacted files

  • File Name

  • File Extension

  • File Path - Location of the malicious or infected file

  • Match Criteria used to scan the file

  • Match Details - The file hash and/or file extension value that matched. The file hash can be SHA1, SHA-256, or MD5.

  • SHA1 Checksum - The SHA1 value of the file being scanned.

Track and monitor all the Threat Watch activities from Audit Trails.
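The scan pipeline described under "How does it work?" and the report fields listed above can be followed end to end in a small simulation. The example below is added here and is not Druva's code: it builds a hypothetical IOC library (constructed hash and extension values, made-up IOC set names), hashes each file in a snapshot with MD5, SHA1, and SHA-256, records a report-style match for every hash or extension hit, limits a rescan to snapshots from the last 30 days, and marks a matched snapshot as impacted or, with auto-quarantine on, quarantined. The snapshot names, file paths, and file contents are constructed for the demo.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for a malicious file; its SHA-256 is stored in
# the hypothetical IOC library so a hash match can be shown without real malware.
KNOWN_BAD_BYTES = b"constructed sample standing in for a malicious payload"

# Hypothetical IOC library (not Druva's): (algorithm, hex digest) -> IOC set,
# and malicious file extension -> IOC set. Names and values are made up.
IOC_HASHES = {
    ("sha256", hashlib.sha256(KNOWN_BAD_BYTES).hexdigest()): "ExampleSet-A",
}
IOC_EXTENSIONS = {".locked": "ExampleSet-B"}

RESCAN_WINDOW = timedelta(days=30)                      # rescan covers the last 30 days
DEMO_NOW = datetime(2025, 12, 30, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class SnapshotFile:
    path: str
    content: bytes


@dataclass
class Snapshot:
    resource: str
    created_at: datetime
    files: list
    status: str = "clean"                 # clean | impacted | quarantined
    matches: list = field(default_factory=list)


def file_hashes(content: bytes) -> dict:
    """Digest the file once per algorithm the IOC library may reference."""
    return {
        "md5": hashlib.md5(content).hexdigest(),
        "sha1": hashlib.sha1(content).hexdigest(),
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def match_file(f: SnapshotFile) -> list:
    """Return one report-style record per IOC (hash or extension) the file matches."""
    hashes = file_hashes(f.content)
    ext = os.path.splitext(f.path)[1].lower()
    base = {
        "file_name": os.path.basename(f.path),
        "file_extension": ext,
        "file_path": f.path,
        "sha1_checksum": hashes["sha1"],
    }
    records = []
    for algo, digest in hashes.items():
        ioc_set = IOC_HASHES.get((algo, digest))
        if ioc_set:
            records.append({**base, "match_criteria": "File Hash",
                            "match_details": f"{algo}:{digest}", "ioc_set": ioc_set})
    if ext in IOC_EXTENSIONS:
        records.append({**base, "match_criteria": "File Extension",
                        "match_details": ext, "ioc_set": IOC_EXTENSIONS[ext]})
    return records


def scan_snapshot(snap: Snapshot, auto_quarantine: bool) -> Snapshot:
    """Scan every file; a matched snapshot is quarantined when auto-quarantine is on."""
    snap.matches = [rec for f in snap.files for rec in match_file(f)]
    if not snap.matches:
        snap.status = "clean"
    else:
        snap.status = "quarantined" if auto_quarantine else "impacted"
    return snap


def rescan_candidates(snapshots: list, now: datetime) -> list:
    """Snapshots inside the 30-day window that a rescan (new IOCs added) revisits."""
    cutoff = now - RESCAN_WINDOW
    return [s for s in snapshots if s.created_at >= cutoff]


def demo() -> list:
    """Constructed snapshots: one recent and impacted, one older than the rescan window."""
    snaps = [
        Snapshot("vm-finance-01", DEMO_NOW - timedelta(days=2), [
            SnapshotFile("/data/report.xlsx", b"constructed clean spreadsheet"),
            SnapshotFile("/data/unknown.bin", KNOWN_BAD_BYTES),
            SnapshotFile("/data/invoice.pdf.locked", b"constructed encrypted blob"),
        ]),
        Snapshot("vm-archive-07", DEMO_NOW - timedelta(days=45), [
            SnapshotFile("/archive/old.txt", b"constructed clean text"),
        ]),
    ]
    for s in rescan_candidates(snaps, DEMO_NOW):
        scan_snapshot(s, auto_quarantine=True)
    return snaps


if __name__ == "__main__":
    for s in demo():
        print(s.resource, s.status, [m["match_details"] for m in s.matches])
```

Running the block scans only the 45-day-old snapshot's newer sibling, because the older one falls outside the rescan window; the recent snapshot ends up quarantined with two records, one hash match and one extension match, each carrying the same fields the downloaded report lists (file name, extension, path, match criteria, match details, SHA1 checksum). Hashing every file three times is the simplest way to honour a library that mixes SHA1, SHA-256, and MD5 entries; a production scanner would normally compute only the digests its library actually references.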


❓ FAQs

How does Druva know what to look for?

It uses an IOC Library, a constantly updated list of known malware signatures gathered from global security sources (powered by Google Mandiant, CISA, and ReconX Labs), plus any IOCs you bring yourself (Bring Your Own IOCs).

Can I isolate threats automatically?

Yes. By enabling Auto-Quarantine Settings, Druva will automatically lock down any snapshot where a threat (IOC match) is found.

What if I need more details?

You can click on any Resource Name in the dashboard to see exactly which files were flagged and the date they first appeared.

Can I use my own threat intelligence (IOC) for scans?

Yes. In addition to Druva’s global threat library, you can upload your own custom Indicators of Compromise (IOCs). This allows you to run personalized scans against your backups to identify specific threats unique to your environment.
