Frequently Asked Questions

General FAQs: Understanding the Basics

What exactly is a Cyber Recovery Plan or runbook?

Cyber Recovery Plans are a new tool that transforms recovery from a slow, manual process into an automated, threat-aware operation. While traditional disaster recovery is built for power outages or hardware failures, this feature is specifically engineered to defeat modern cyber threats.

It has two modes:

  1. Scheduled Cyber Recovery Testing (SCRT): Think of this as a fire drill for your data. The system automatically runs a test on your schedule (quarterly, semi-annually, or yearly) to make sure everything works perfectly before an emergency happens.

  2. Live Incident Recovery (LIR): This is your emergency button. If an attack occurs, this plan restores your critical operations into a secure environment, preventing re-infection and getting you back to business fast.

For more information, see Get Started with Cyber Recovery Runbooks.

What is the "Sandbox" (Isolated Recovery Environment)?

Imagine a digital quarantine room. The Sandbox is a secure area where your virtual machines are turned on, but they are not allowed to talk to the internet or your main office network. This ensures that if there is still a virus on the backup, it cannot spread. The Sandbox applies to VMware resources only.

How does the system know the backups are "clean"?

The plan uses an Indicator of Compromise (IOC) scan. This is like a digital fingerprint scanner that looks for known traces of malware or ransomware before the virtual machine is allowed to fully start up.


How It Works: Testing vs. Emergencies

What is the difference between a "Scheduled Test" and a "Live Incident"?

  • Scheduled Testing: Think of this as a fire drill for your data. The system automatically runs a test on your schedule (quarterly, semi-annually, or yearly) to make sure everything works perfectly before an emergency happens.

  • Live Incident Recovery (The Real Deal): This is the emergency button you press during an actual attack to get your business back up and running in a safe environment.


Creating Your Plan: What You Need to Know

How many virtual machines can I include in one plan?

For a scheduled recovery testing plan, you can group up to 10 virtual machines per plan.

How many M365 resources can I include in one plan?

You are limited to 5% of your total user licenses, up to a maximum of 200. This limit applies to each workload every quarter.

Which "Snapshot" should I choose?

A snapshot is just a "save point" in time. We recommend choosing "Latest Clean Snapshot" for VMware and Exchange Online and "Curated Snapshot" for OneDrive and SharePoint resources.

What are "Post-Restore Scripts"?

These are tiny automated helpers. Once a virtual machine is turned on, these scripts can do things like rename the virtual machine or change its internal settings so it works correctly in the new recovery environment without a human having to log in and do it manually. Post-restore scripts apply to VMware resources only.


Management and Compliance

Do I get proof that these tests are happening?

Yes. After every run, the system generates a Recovery Report. This is a compliance-ready document you can hand to auditors or cyber-insurance providers to prove your business is protected. It shows:

  • Which resources were recovered.

  • Results of the malware scans.

  • How long the recovery took.

Can I stop a scheduled recovery plan?

Absolutely. If your team is doing maintenance, you can Pause a plan at any time and Unpause it when you are ready to resume the schedule.
