Veeam is trying to pull off a major transition at the right AI wave moment. The company started as the practical backup and recovery standard-bearer in the VMware era, broadened into physical, cloud, SaaS and Kubernetes protection, then leaned into ransomware resilience with immutable backups, malware detection and SLA-backed recovery. Now it’s making its biggest bet yet, using the Securiti acquisition to push up the stack into security and create a new category in what Anand Eswaran is calling “Data + AI Trust,” built on five pillars: security, governance, compliance, privacy and resilience.
We believe the ambition is directionally right, the timing is fortuitous and the capabilities Veeam is touting are much needed; but plenty of work still needs to be done to operationalize platforms like Veeam’s. In particular, Veeam needs to clearly communicate its new market opportunity and the value prop to customers as it brings these five pillars together; and it brings backup and recovery to security.
Tailwinds and market forces
The fundamentals are in the company’s favor. Agentic systems have changed the threat model and the failure mode at the same time. As non-human identities begin to outnumber human ones and with agents operating at machine speeds, the impact of failures increases, especially if agents are over-privileged. In this new world, “restore the last safe snapshot” is a sort of blunt instrument. Recovery has to become more precise – e.g. undo the five seconds of bad agent action, versus rewinding the business three days.
Veeam’s big move is to bring data protection and security together to make trust a first-class layer in the AI stack – not by protecting the agent, but by understanding and making trust follow the data. While this approach is credible, it brings Veeam into new territory and the company must thread the needle between its heritage as a backup and recovery vendor and what is now a security-adjacent company. It has to leverage the advantages of being a security player while at the same time carving out enough new territory that is distinct from traditional security markets. And it needs to convince CISOs that backup, recovery and data protection are a fundamental discipline that must be part of a security posture.
Our view is this is do-able but Veeam needs to lay out a strong vision as to where the industry is headed and where its new category fits. Specifically, there are critical pieces missing from the AI stack; in particular what we call the enterprise System of Intelligence (SoI). This is the layer that harmonizes process context, semantics and real-time state across the business so agents can act confidently and enterprises can recover “state,” not just files. Veeam is positioning itself as creating a new category (AI + Data Trust). Its contention is this is the missing layer in the emerging AI software stack. But in our view, the SoI is the missing layer. Veeam is actually a piece of the harness and scaffolding around the SoI, not the missing piece in and of itself.
The bottom line is Veeam is angling to be the company that makes data, identity, policy and recovery coherent and safe enough for agents to operate safely. There is a market there and it’s a new TAM for the company, but the target needs some clarity, which we’ll try to provide later in this post.
But first let’s take a look at Veeam’s business.
Veeam’s business momentum
Veeam is indicating it is seeing the kind of business momentum that investors look for in a durable, IPO-ready software and security company. Veeam claims its 2025 ARR ended at $2B+ with what was likely a solid but undisclosed growth rate. Our estimates would put the company’s revenue growth in the mid teens to 20% range but that is unconfirmed. Veeam has claimed for a while that it is profitable. It has a large customer base and is making another run in earnest at penetrating larger firms. That combination of scale, steady growth, and profitability is suggests Veeam is expanding its market presence and, under the new ownership structure, likely has much stronger operating discipline.
Veeam has transitioned its business to a recurring revenue model and its newer Veeam Data Cloud offering is reportedly gaining solid traction. We suspect its cloud business is growing well into the triple digits from a much smaller base but the company has not released such details and is likely waiting until it’s closer to IPO.
Veeam makes another run at enterprise markets
Enterprise traction appears to be another major growth opportunity. Our survey data and data from our ETR partners suggest Veeam has a credible presence in G2000 accounts but nowhere near the account dominance it has overall. The two charts below tell the story. The graphics below show Net Score or spending momentum on the vertical axis and Overlap % which represents the account penetration in the ETR sample of more than 1,700 IT decision makers (ITDMs).
The first chart represents pure play competitors in two sectors: Storage (backup/recovery) + security. The first chart represents all enterprise sizes. While Rubik and Commvault are showing higher Net Scores, note the degree to which Veeam dominates on the horizontal axis, indicative of its large 550,000 customer installed base.
Source: ETR, April 2026
The second chart shown below cuts the data by G2000 and you can see Veeam’s position on the horizontal axis is surpassed by both Rubrik and Commvault. Combining Veritas and Cohesity puts their G2000 account penetration comparable to that of Veeam.
Source: ETR, April 2026
Observers may recall, mid last decade, former CEO Peter McKay was brought in to take Veeam more deeply into enterprise markets. Two plus years into the effort, Veeam senior management at the time decided to pull back on the initiative. The industry scuttlebut was that Veeam didn’t have the appetite to fund the expensive go to market machine and support infrastructure required to build a successful enterprise business. As well, it’s very possible that the founders decided to optimize EBITDA by cutting expenses prior to the sale of Veeam to Insight Partners.
While the background on this bit of history is speculative, what’s clear is that under the recent leadership of Anand Eswaran, Veeam is very much committed to competing up market. The company has brought in more enterprise-focused talent, built a professional services team to support enterprise customers, tuned partnerships to support enterprise selling and developed comprehensive incentive programs for sellers and partners that are “enterprise-grade.” This TAM expansion strategy is crucial in our view and will support a much higher market capitalization than would a company largely focused on SMB markets. Over time, we would expect to see this effort show up in the ETR data.
All together, Veeam’s steady financials, transformation into resilience and security and the renewed enterprise push suggests Veeam has the profile of a company that is prepared for the public markets – i.e. large ARR scale, strong recurring revenue, strong profitability, cloud acceleration, and growing enterprise relevance. While timing remains a board and management decision, the data suggests Veeam is positioning itself to be IPO-ready when it hones the story for Wall Street and the market conditions are right.
Veeam’s transformation from backup/restore to data + AI trust
By way of review, Eswaran laid out three eras that map to how enterprise risk has evolved:
- Era 1 – backup and recovery (“assume restore”)
The original promise was when something breaks, bring it back. Veeam’s brand was built on simplicity, faster RTOs and broad workload coverage as data spread across VMs, physical, cloud, SaaS and Kubernetes. - Era 2 – ransomware resilience (“if breach then recover”)
The board-level shift was to assume compromise and design for containment and rapid recovery. Optimize around clean recovery via immutable backups, inline malware detection and incident response. - Era 3 – the agentic era (“assume autonomy”)
The new reality is bringing together production data (e.g. transaction systems) with unstructured data and having agents reach directly into systems of record, pull metadata context from data, take actions across workflows, and do it at machine speed. The risk by the way includes a wrong decision executed by agents with speed and confidence before anyone notices.
Veeam is essentially positing that the world changed faster than the trust infrastructure did. AI deployment is scaling at hyper speed. AI trust on the other hand is not.
The missing layer Veeam is trying to attack
A main message from Eswaran is the AI stack has plenty of investment across compute, models, orchestration and vertical agents ($700B+ from the hyperscalers and model firms), but it lacks an enterprise-grade trust layer that sits between models and the rest of the stack. His premise is that there’s a missing version of the emerging AI stack and Veeam intends to fill it. Here’s a picture of his view of the AI stack from a less than ideal screenshot from the audience:
Esweran’s version of that layer is Data + AI Trust, built as one platform where five domains operate as one, including:
- security
- governance
- compliance
- privacy
- resilience
The key technical enabler is the knowledge graph, acquired from Securiti, which they described as an “intelligence graph” that understands data at a granular level (down to data elements), ties it to identity and policy, and keeps it coherent across live estates and backups. The company refers to this as “context” but like data management before it, context can mean many different things to different people. Our take is Veeam is currently capturing relevant technical and operational metadata and putting it into a knowledge graph. It is not reaching into the underlying application and process logic that resides in SaaS systems.
Veeam’s premise is that in the agentic era, controlling the agent is insufficient. You’re only protected from the agents you know about. Shadow agents don’t show up in registries. Data does. Let’s dig into this premise a bit more below.
Veeam’s premise is the control point is data, not agents
Eswaran puts a stake in the ground saying the perimeter didn’t shift, it essentially collapsed. Zero trust assumed humans were the main actors. Agents bring AI directly to data, which forces the enterprise to open access paths for work to occur. In that world, the control point becomes the data itself.
He argued the industry is trying to “wrap controls around the agents” and monitor/intercept them at runtime, but that this is insufficient because by then the data may already have entered the agent’s context window. He then said “the control point is the data” and that Veeam is trying to “put control into the data” so the agent never gets access in the first place.
The emphasis and sequence put forth is:
- classify and label sensitive data at scale;
- bind identity, entitlements and policy to data over its lifecycle;
- enforce policy before an agent touches data;
- recover precisely when an agent does something wrong.
This is where the Securiti acquisition becomes strategic and is put in play. Specifically around discovery and classification, access and entitlement context, policy evaluation, regulatory mapping, and privacy controls like consent and DSAR workflows, with resilience integrated as a first-class citizen rather than a separate console.
Our take is Veeam isn’t the missing layer, it’s the harness for it
Veeam makes a powerful analogy saying that trust becomes the grid when intelligence becomes the utility. But we would draw a more nuanced line on what this “missing layer” actually is. It’s not the Data + AI trust layer. It’s the system of intelligence (SoI) that’s missing from the AI software stack.
- What Veeam fills well
The trust scaffolding: technical and operational metadata, identity awareness, permissioning, policy enforcement, auditability, and recoverability – including the shift toward precision resilience where recovery is about undoing the specific bad action, not rolling back the state of the enterprise. - What Veeam doesn’t fill yet
The process-level, business-state context – the SoI layer George Gilbert architected and others describe as the digital representation of the enterprise in motion. When enterprises start running real agentic workflows end-to-end, “context” stops meaning “files + metadata.” It becomes the operational logic and business state of the company – processes, approvals, semantic reconciliation, and real-time truth across systems.
That’s the next horizon. Once customers trust agents enough to deploy them broadly, they will start building enterprise digital twins. At that point, we predict Veeam’s recovery mandate will expand to capture and restore state at a granular level – including the underlying process and application logic that made the business correct before it broke.
We can see Veeam positioning itself so that when that shift happens, it’s already in the control path.
Category creation is hard – but the TAM expansion is real
Creating a new category is always a knife fight. “Data + AI Trust” competes with existing budgets, existing platforms, and a lot of vendor marketing noise. But the direction is credible because it maps to the new risk profile brought on by autonomous action at machine speed.
If Veeam can make the five pillars operate as one platform, explain clearly how it’s bringing backup as a security discipline – and prove that precision remediation works in real customer environments – it expands the market well beyond backup. In our opinion, that’s the right strategic move for a ~$2B ARR company.
On valuation, if Veeam executes this transition and shows accelerating and durable growth, an IPO case could land north of Rubrik’s current ~$12B mark. Much of this will depend on its growth rate and detailed financial metrics. Nonetheless, in this “bubblicious” market, if investors can get past the idea that LLMs will eat all SaaS, a $10B+ valuation is not crazy. Longer term prospects depend on proving that trust is not just a message, it’s a fundamental and measurable component of an AI operating model.
Bottom line
Veeam is evolving from a “recovery when systems break” to “a trust when agents act” company. The Securiti acquisition gives it a real shot at owning what we call the harness layer around the emerging AI software stack – i.e. bringing security, governance, compliance, privacy and resilience, unified through a knowledge graph, across a horizontal ecosystem. We believe the company’s near term test is can it convince CISOs that business resilience is all about data + AI trust. Its longer term test is whether it can extend that foundation from technical context to business-state context as enterprises move toward agentic workflows and real time digital twins. If it does, Veeam’s TAM expands dramatically, and the company’s posture shifts from backup vendor to one of the control points of the AI era.
Action Item
Veeam’s core IT buyers should reach out to SecOps teams and push them to think differently about business resilience. Specifically, challenge CISOs to incorporate recovery as a fundamental component of their data + AI trust agenda, rather than treating it as an adjacency or afterthought. Practitioners should stress test Veeam’s knowledge graph outcomes with the capabilities of competitive offerings to determine the degree to which it not only provides enhanced visibility on data assets, but also how well it fits with AI initiatives and future visions of an AI operating model.
