Veeam’s strength has always been aligning with market trends and building products that simplify difficult operational problems. At VeeamON 2026, the company leaned into the agentic era while connecting AI to the need for resilient operations. It’s recent product announcements recognize four key customer needs, including: 1) Broader visibility across backup and production data; 2) Governed access to data for both humans and agents; 3) An expanded scope across hybrid/distributed systems; and 4) A methodology to assess AI readiness and maturity in the context of business resilience.
These are practical enhancements and fit the current market need. But the market is changing rapidly and the architectural implications for storage and data in the AI factory era will require continuous innovation from firms like Veeam. Specifically, Veeam is rightly focused on data as the linchpin of business resilience. The next challenge and opportunity in our view will be to not only protect and recover data to bolster resilience, but to recover the actual state of a business.
The trend is your friend…
In the words of Jeremy Burton, “don’t fight fashion.” Veeam is a firm that was founded in the VMware era. Its timing was perfectly aligned to when backup and recovery were being redefined by virtualization. Its original appeal was to make virtual machine backup easier, faster and more reliable than the legacy backup products that were designed for physical infrastructure. Over time, Veeam showed it could move with the market. It expanded from VMware into Hyper-V, bare metal systems and public cloud workloads. It was the first by our recollection to protect SaaS applications such as Microsoft 365 and Salesforce, it acquired Kasten to go after container data protection and now it’s leaning into cyber resilience, data security posture, AI governance and agentic operations.
Importantly, what has set Veeam apart in our view is it did not just follow workload migration. It went after the control points of enterprise risk. The first major shift in that regard was operational recovery. Systems break, data gets corrupted, users make mistakes and organizations need to recover. Another example was ransomware, which forced CIOs and CISOs to treat backup as a fundamental part of their security strategy. Ransomware became the first catalyst that forced the CIO and CISO organizations to work together because the backup corpus became a key adversary target. The most recent catalyst is AI, which changes the speed, scope and blast impact of data corruption.
Data protection meets security
Backup, recovery and security are on a collision course. Rubrik and Bipul Sinha get the credit for being first and pushing the category aggressively toward cyber resilience, zero-trust data security and the CISO buyer. Cohesity, Commvault, Dell and Veeam have all moved in this direction because customers need it. Backup is now part of the security stack because recovery is the last line of defense when prevention, detection and containment aren’t enough. These pivots also have a valuation implication. Security businesses generally command stronger strategic and financial valuations than traditional infrastructure management companies because CISOs have more budget than backup admins and the pain of failure is much more damaging to a business. As such, while the spend and business case is still tied to risk reduction, because the expected loss is much higher in security, the durability of the software business around it is greater.
VeeamON 2026 shows Veeam is making explicit moves to reposition backup and recovery as a foundational capability tying together data resilience, cyber resilience and AI resilience. The implication in the company’s message is that these are interrelated disciplines. Operational failures, cyberattacks and AI-driven data changes are all happening together. Veeam’s implied premise is that the common denominator is trusted data. In other words, data must be governed and recovered cleanly, identities must be known and organizations must have visibility on who did what when and where. These factors are all part of business resilience. But the stakes are much higher at machine speeds and AI systems change the game.
Veeam’s core thesis is resilience becomes a data and AI control plane
The VeeamON announcements are best understood as a convergence story, a major theme of VeeamOn 2026. Veeam is bringing together its historical strength in backup and recovery with newer capabilities around data security posture management, governance, compliance, privacy, AI readiness and operational control.
The company previewed four main pieces of news:
- Veeam Data AI Command Platform – provides a centralized platform view across resilience, security, data security posture, governance, compliance, privacy and AI readiness. It gives customers a common operating view across backup data and production data, helping IT, security, risk and data teams better coordinate activities;
- Veeam Intelligent Resilience Operations – A new offering that combines data security posture context with recovery, starting with Microsoft 365 and Copilot-related use cases. This capability helps customers understand what data agents can touch, recover faster from mistakes and make better SLA decisions;
- Veeam Data Platform 13.1 – This is a major platform release with a hybrid SaaS control plane, identity resilience, OpenShift virtualized support, a backup admin agent and more comprehensive threat detection;
- Veeam Data and AI Trust Maturity Model – A free and well-thought-out maturity model. The company has developed the model with four pillars, five maturity outputs and 49 sub-dimensions, focused on AI trust and resilience. This tool gives customers a methodological way to assess AI blast radius, agent risk, recovery readiness and functional gaps. It also gives Veeam a stronger conversation starter with CISOs.
How Veeam differentiates versus Rubrik, Cohesity, Commvault and Dell
The data protection market is converging around cyber resilience, but the vendors come at the problem from different starting points.
Rubrik has been the most aggressive in turning backup into a security story. Its differentiation is the CISO narrative around zero-trust data security, ransomware recovery, sensitive data discovery, threat monitoring and cyber recovery. Rubrik helped reframe backup from an insurance policy into a cyber resilience platform and gets credit for confounding the skeptics.
Cohesity’s history is scale-out secondary data management. Its value proposition has been consolidation – i.e. bringing backup, recovery, archives, cyber detection and secondary data services into a modern data platform. With its broader enterprise data protection goals, Cohesity has positioned around large-scale data estates and operational simplification. It’s acquisition of Veritas gave it more scale and access to a legacy installed base ripe for modernization. It also gave the company the potential to have a valuation at IPO more competitive to Rubrik.
Commvault has long been the broad enterprise incumbent with deep workload coverage, policy depth, enterprise recovery and growing SaaS delivery through Metallic and related offerings. Its cyber resilience and ResOps message from Commvault Go last year increasingly centers on clean recovery, cloud recovery, automation and reducing business downtime after an attack.
Dell is different because it is a full infrastructure provider. Dell can connect data protection to storage, servers, networking, cyber vaulting, edge infrastructure, services, data and AI infrastructure generally. Its differentiation is architectural breadth and its position as a broad infrastructure supplier. Dell can sell the recovery stack as part of the infrastructure stack, especially where customers want one accountable vendor across compute, storage, data protection and services.
Veeam’s differentiation in our view is practical breadth, workload portability and ease of adoption. Its core strength is not that it is the most security-native vendor or the deepest infrastructure supplier. Its strength is that it is widely deployed, extremely partner-friendly, operationally familiar to customers and highly useful across heterogeneous environments. Veeam has historically won by making recovery simpler for administrators and by expanding as customer estates expanded.
In our opinion, Veeam’s opportunity is to become the simplified control plane for resilience across hybrid enterprise estates. Its message is not rip and replace your security architecture. It’s really more about using the backup and recovery footprint you already trust, and then extending it into data context, governance, threat detection, AI readiness and agent recovery.
That is a defensible position and Veeam’s credibility has been proven over the years. But it also brings a challenge. Veeam must prove it can move beyond backup data into production data context without becoming too complex. This seems to be the goal of the Data AI Command Platform – i.e. to unify primary and secondary data context, understand the data graph, then connect that knowledge to rollback and recovery.
One of the company’s taglines is “Veeam doesn’t discriminate” by workload. This is strategically important in that the company can point to endpoint protection, production data, backup data and the possibility of discovering third-party agents through the Data AI Command Center.
That gives Veeam a pathway to differentiate from its competition, even though its following Rubrik into the security space and is using ResOps, a term we first heard from Commvault. But Veeam can simplify messy middle of enterprise computing with its expertise and proven products that work across VMware, Hyper-V, OpenShift, bare metal systems, M365, endpoints, cloud workloads, NAS, Unix, identity and eventually agentic workflows.
The promise of AI brings new challenges and opportunities.
The AI Factory changes the storage hierarchy and the definition of recovery
The larger architectural question is how all of this changes in the AI Factory era. This is where we want to think about how Veeam connect to the NVIDIA storage and systems transition.
In last week’s Breaking Analysis, we argued that NVIDIA is building a platform, not a chip line. CUDA, DGX, Mellanox, Grace/Hopper, Spectrum-X, Blackwell, Mission Control, Rubin, LPX and STX are part of a full-stack architecture designed to turn the rack into the new unit of computing. The AI Factory is not a collection of servers. It is a GPU/CPU/DPU fabric optimized for token production, inference, reasoning, context, data movement, security and recovery.
That architecture changes storage. In the classic enterprise model, tier-one storage sat near the top of the hierarchy. It was where mission-critical data lived, and backup and recovery vendors like Veeam built around protecting the data stored on arrays, file systems, databases, virtual machines and applications. In the AI Factory, the hierarchy becomes deeper and more dynamic. High bandwidth memory, SRAM, DRAM, low-power memory, KV cache, context memory, vector stores, graph stores, streams, object stores and traditional arrays all have roles. But the highest-value data may not live only in the traditional tier-one system. It may exist as context, embeddings, agent memory, policy state, tool history, reasoning traces and semantic state.
Specifically storage becomes context memory. The old SAN/NAS/object/backup model gives way to GPU-adjacent context memory, KV cache and agent memory, parallel vector and stream data paths, and DPU-based policy, security and integrity. In that model, traditional tier-one storage gets pushed down the hierarchy. It remains important, but it is no longer the key control point for enterprise state.
This has profound implications for backup and recovery in our view.
Today, backup vendors are generally equipped to protect files, volumes, VMs, databases, SaaS objects, endpoints, cloud workloads, Kubernetes clusters, identities and selected application metadata. Some can do ransomware detection, anomaly detection, immutable backup, clean-room recovery, cyber vaulting and sensitive data discovery. These capabilities have proven essential for firms like Veeam to maintain relevance.
But we believe AI Factory recovery will require more than restoring data objects. It will require restoring the state of the business.
That state includes the data, but it also includes identity, permissions, policies, workflow status, agent plans, tool calls, approvals, context windows, embeddings, indexes, KV cache, model versions, prompts, fine-tuning data, API connections, database transaction lineage, orchestration state and human signoffs. In a revenue workflow, the critical recovery question may be, for example: “What did the agent know? What did it change? What systems did it touch? Which policy governed the action? What was the last safe state? Who approved the next step?”
This is why SaaS backup alone is necessary but may be insufficient. A Microsoft 365 or Salesforce backup may protect emails, documents, records, metadata and some configuration, depending on the vendor and API coverage. But it does not automatically preserve the full operational state of an AI-mediated business process. Application logic, workflow rules, approvals, identity relationships, agent memory and active reasoning state may live across multiple systems. Some of it may be ephemeral. Some may be in logs. Some may be in orchestration layers. Some may be in the model or agent framework. Some may be in the data platform. Some may be in the AI Factory control plane.
This is where Veeam’s Intelligent Resilience Operations is interesting to us. It points in the right direction because it starts connecting data posture, agent activity, recovery and context. Its Microsoft 365 and Copilot starting point is sensible. But the long-term requirement is perhaps broader in that recovery vendors will need to capture and reconstruct semantic state across applications, data platforms, identities, agents and infrastructure.
Our research has described this as semantic reconstruction. Traditional recovery restores systems, data and application state. AI recovery must support the safe resumption of reasoning workflows, agent decisions, context windows, policies, approvals and task state.
That is the future role of ResOps in our view. ResOps becomes the discipline that connects backup, cyber recovery, incident response, SRE, data governance, identity, AI operations and business continuity. It is not simply about whether a backup completed. It is about whether the enterprise can resume operations from a known-good business state. We think about this in terms of granular snapshots of the state of your business, with fine recovery points.
For firms like Veeam, Rubrik, Cohesity, Commvault and Dell, this is both a threat and an opportunity. The threat is that traditional backup boundaries get bypassed as state moves into AI-native layers. The opportunity is that recovery becomes more strategic. If the AI Factory becomes the operating foundation for the enterprise, the vendor that can map, protect, validate and restore business state, at highly granular levels, becomes a critical control point.
What Veeam must prove
Veeam has a very credible story, but as always there’s hard work ahead. The company has to prove that its Data AI Command Platform can see enough production context to make recovery smarter. It has to prove that Intelligent Resilience Operations can move beyond Microsoft 365 into other SaaS, cloud, endpoint, identity and application domains. It has to prove that its backup admin agent improves operations without creating new risk. And it has to prove that its maturity model is more than a workshop by tying assessment outputs to product action and measurable resilience improvement.
The good news for Veeam is: 1) It has proven that it ships products that work and are reliable; and 2) Customers do not want theoretical AI governance. They want operational answers. They want to know what data they have, what agents can access, what changed, what is sensitive, what is recoverable, how fast they can recover, and whether they can prove it to the board, regulators and insurers.
That has always been Veeam’s strength – i.e. taking a complex infrastructure transition and make it operational.
Action Item for CISOs
CISOs should treat AI resilience as an extension of cyber resilience, not as a separate AI governance side project. The immediate mandate is to map the blast radius of agents, copilots and automated workflows across identity, data, SaaS applications, endpoints, cloud workloads and backup repositories. Every AI initiative should have a recoverability plan that answers four questions: 1) What can the agent access; 2) What can it change; 3) How do we detect unsafe change; and 4) How do we restore the last trusted business state?
Specifically, CISOs should partner with CIOs and CDOs to build a recoverable AI operating model. That means classifying sensitive and redundant data before it enters AI workflows, enforcing least-privilege access for human and machine identities, validating immutable recovery points, testing recovery from compromised agents, and demanding evidence that backup, security, identity and data governance tools can work from the same operating context. The goal should be to think more broadly beyond recovery of data (e.g. files or systems). Think about recovering trust in the state of the business including its processes.
