Recovery, Resilience & Cyber Recovery
Backup integrity, immutable snapshots, cyber-recovery vaults, restore orchestration, BCM/DR, tabletop exercises, ransom-scenario restoration drills.
What is Recovery, Resilience & Cyber Recovery?
Recovery, resilience, and cyber recovery is the discipline of restoring an organization to working order after a security incident — and doing it without re-inheriting the compromise. NIST CSF 2.0 elevated Recovery to a first-class function in 2024 for a reason: after a decade of ransomware, the question 'how do we get back to an operational state in a known-clean environment?' turned out to be a fundamentally different problem from detection or response.
The operational core is layered: immutable backups (write-once-read-many storage that can't be rewritten by attackers with admin credentials), air-gapped or isolated cyber recovery vaults (Dell PowerProtect Cyber Recovery, Rubrik Security Cloud, Cohesity FortKnox), integrity verification (cryptographic checks that backups haven't been tampered with), and rehearsed restore orchestration (the SOP for which systems come up first, in what order, on what infrastructure). The 3-2-1 backup rule (3 copies, 2 different media, 1 off-site) became 3-2-1-1-0 (add 1 immutable copy, 0 errors after recovery testing) once ransomware groups started hunting backups specifically.
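The integrity-verification layer described above can be made concrete with a small vault-side check. The following is an added example and not code from the page or from any of the vendors it names: it assumes a constructed sample backup set, a hypothetical verifier-side key (`VAULT_KEY`), and a manifest format of per-file SHA-256 digests authenticated with HMAC-SHA256. The point it demonstrates is that an attacker who can rewrite backup files (and even regenerate the manifest) still fails verification, because the key that authenticates the manifest is held only by the isolated verifier, never on the hosts being backed up.

```python
import hashlib
import hmac
import json

# Constructed sample backup set: path -> file contents (stands in for a
# snapshot that has been copied into the recovery vault).
SAMPLE_BACKUP = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "var/lib/app/db.sqlite": b"SQLite format 3\x00" + b"\x00" * 64,
    "srv/www/index.html": b"<html><body>ok</body></html>\n",
}

# Hypothetical verifier-side secret. In a real vault this key lives only
# with the isolated verifier; admin credentials on the source host do not
# grant access to it.
VAULT_KEY = b"constructed-demo-key-do-not-reuse"


def build_manifest(files):
    """Per-file SHA-256 digests, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(files.items())}


def canonical(manifest):
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest; returns a hex tag."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_backup(files, manifest, tag, key):
    """Authenticate the manifest first, then check every file against it.

    Returns (ok, findings). findings is a list of human-readable strings;
    ok is True only when the manifest is authentic and every file matches.
    """
    findings = []
    expected_tag = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_tag, tag):
        findings.append("manifest: signature mismatch (manifest altered or unsigned)")
        # An unauthenticated manifest cannot be trusted to judge file
        # contents, so stop here rather than report misleading per-file results.
        return False, findings
    current = build_manifest(files)
    for path, digest in manifest.items():
        if path not in current:
            findings.append(f"{path}: missing from backup set")
        elif current[path] != digest:
            findings.append(f"{path}: content digest differs from manifest")
    for path in current:
        if path not in manifest:
            findings.append(f"{path}: present in backup but not in manifest")
    return (not findings), findings


def demo():
    """Run a clean check and two tamper scenarios; returns each result."""
    manifest = build_manifest(SAMPLE_BACKUP)
    tag = sign_manifest(manifest, VAULT_KEY)

    clean_ok, clean_findings = verify_backup(SAMPLE_BACKUP, manifest, tag, VAULT_KEY)

    # Scenario 1: a file in the stored copy is altered; the manifest is untouched.
    altered = dict(SAMPLE_BACKUP)
    altered["srv/www/index.html"] = b"<html><body>encrypted</body></html>\n"
    s1_ok, s1_findings = verify_backup(altered, manifest, tag, VAULT_KEY)

    # Scenario 2: the manifest is regenerated to match the altered files,
    # but no valid tag can be produced without the verifier-side key.
    forged_manifest = build_manifest(altered)
    s2_ok, s2_findings = verify_backup(altered, forged_manifest, tag, VAULT_KEY)

    return {
        "clean": (clean_ok, clean_findings),
        "altered_file": (s1_ok, s1_findings),
        "forged_manifest": (s2_ok, s2_findings),
    }


if __name__ == "__main__":
    for name, (ok, findings) in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for line in findings:
            print("  -", line)
```

In practice the manifest and tag would be produced at ingest into the vault and re-checked on a schedule and again immediately before a restore, which is where the "0 errors after recovery testing" part of 3-2-1-1-0 gets its evidence.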
The discipline also covers Business Continuity Management (BCM), Disaster Recovery (DR), Recovery Time and Recovery Point Objectives (RTO/RPO), tabletop exercises (the rehearsals that surface gaps before a real event), and the legal/regulatory dimension of breach notification timelines. After Colonial Pipeline (2021) and the Change Healthcare attack (2024), recovery is no longer a checkbox under IT operations — it's a board-level program with its own funding, staffing, and tested cadence.
Why it matters
Every detection program eventually produces a confirmed compromise, and every confirmed compromise eventually requires a restore. Recovery is the only function whose quality is measured in actual hours of business downtime — and the difference between three days and three weeks usually comes down to whether the team rehearsed.
Recovery sits downstream of every other security function — when prevention, detection, and response have all run their course, recovery is what determines whether the business survives the rest of the quarter. It bridges cybersecurity and operational resilience, and it depends on architecture decisions made years before the incident.
Curated resources
Authoritative sources we ground Recovery, Resilience & Cyber Recovery questions in — frameworks, research, guides, and tools.
NIST SP 800-160 Vol. 2 Rev. 1 — Developing Cyber-Resilient Systems
Cyber-resiliency engineering framework. Covers deception, diversity, dynamic positioning, and other techniques for systems designed to operate through compromise. The systems-engineering view of active defense.
NIST SP 800-184 — Guide for Cybersecurity Event Recovery
The federal recovery playbook. Covers recovery planning, validation of restored services, post-event improvement. Pairs with NIST CSF Recover function.
NIST SP 800-34 Rev. 1 — Contingency Planning Guide for Federal Information Systems
Comprehensive contingency planning: BIA, recovery strategies, plan testing, training, and maintenance. The reference for RTO/RPO and recovery tier questions.
ISO 22301 — Business Continuity Management Systems
International standard for business continuity management systems. Defines requirements for establishing, implementing, and maintaining a BCMS. Often paired with ISO 27001 for combined audits.
CISA #StopRansomware
Federal hub for ransomware prevention, mitigation, and recovery guidance. Joint advisories with FBI/MS-ISAC, no-cost CISA services, and the ransomware-specific recovery checklist.
CISA Cyber Resilience Review (CRR)
No-cost CISA assessment of operational resilience and cybersecurity practices for critical infrastructure operators. Maps to NIST CSF for gap analysis.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
Amazon Web Services Certified Solutions Architect - Professional
Certified Cloud Security Professional
Cloud security architecture: shared responsibility, identity, data protection, crypto, and cloud-native detection.
EC Council Disaster Recovery Professional
Also touched
AWS Certified Security — Specialty (SCS-C02)
Deep AWS security: IAM, data protection, detection, incident response within AWS primitives.