N-able adds real-time alerts to protect backup policies

N-able has expanded anomaly detection in its Cove Data Protection backup product, adding alerts that flag suspicious or unauthorised changes to backup policies. The update responds to identity-driven attacks in which intruders use stolen credentials to weaken or disable backups before deploying ransomware.

Credential compromise

The new feature generates real-time notifications when it detects unusual behaviour tied to policy changes in backup environments. It focuses on events such as changes to retention rules, exclusions that remove important data from protection, and actions that remove devices from backup coverage.

Backup platforms have become a prime target in modern ransomware incidents because they sit at the centre of recovery planning. Attackers who gain administrative access can reduce the scope and duration of backups, increasing the likelihood that victims will have limited restore points-or no viable recovery path-after encryption. Because backup systems are often treated as resilience tools rather than frontline security, day-to-day monitoring can leave blind spots.

Identity-based techniques have also become more prominent across the threat landscape. The 2025 Verizon Data Breach Investigations Report found that roughly 88% of basic web application breaches involved stolen credentials. That trend has sharpened the focus on credential theft, phishing, and misuse of legitimate access, rather than software vulnerabilities alone.

In backup environments, credential compromise can be hard to spot. Attackers can make small changes that look routine and may not trigger immediate alarms: shortening retention, removing servers from protection, or excluding critical datasets from schedules. These changes can happen weeks before a ransomware event, with victims discovering the damage only when recovery fails.

Managed service providers and IT teams often oversee backups across multiple customers and environments. That model increases the need for consistent reporting on configuration changes, especially when several administrators have access and changes can occur outside scheduled maintenance windows. Event-based notifications create a record of what changed and when, supporting review and remediation.

Security Layer

N-able says the expanded anomaly detection gives IT teams immediate visibility into potential indicators of compromise and misconfiguration in Cove Data Protection. It also says the tool can help catch internal mistakes, not just malicious activity. Misconfiguration remains a common cause of security incidents and resilience failures, particularly in complex environments where policies evolve over time.

The update builds on an earlier Cove Data Protection anomaly detection feature called Honeypots, which N-able describes as an always-on mechanism for detecting brute-force attacks on backup infrastructure. The latest addition shifts the focus to policy integrity and administrative actions, which can be difficult to distinguish from normal operational work without dedicated monitoring.

Neil Douglas, CIO at UK-based managed IT services provider Network ROI, said backups have become a direct target rather than a secondary victim of ransomware.

Douglas said, "It's no longer just active systems under attack - backups are firmly in the crosshairs. If attackers gain access to the backup platform, they don't always strike immediately. They can quietly manipulate backups, alter retention policies, or delete servers, then sit undetected for weeks (or even months). When they finally launch their attack, recovery can be impossible. In the past, we had no visibility into those subtle changes happening behind the scenes.

"Now, with real-time, event-based alerts for even the smallest alteration, we know the moment something suspicious occurs. That not only protects us from malicious actors but also guards against accidental misconfigurations. It's a powerful step forward in strengthening our overall data resilience."

Customer Impact

Cove Data Protection is part of N-able's product set for IT teams and service providers managing backup and recovery operations. Providers in this market face increasing customer scrutiny around recovery objectives and proof of recoverability after high-profile ransomware incidents. Tools that highlight policy drift and unauthorised administrative behaviour are increasingly used to demonstrate operational control.

Chris Groot, General Manager of Cove Data Protection at N-able, said the real-time alerts are intended to reduce the risk that backup changes undermine recovery.

Groot said, "A new wave of threats is targeting businesses through stolen identities. Real-time alerts to backup policy changes give customers peace of mind by protecting them from risky changes that could affect recovery, whether that change was caused by attackers or employees. By catching these changes as they happen, organizations can stop identity-driven attacks and misconfigurations before recovery is compromised."

The move reflects a wider shift in cyber defence in which identity is treated as a primary control point. As organisations harden endpoints and networks, attackers increasingly seek valid logins and administrative privileges. Backup systems sit within that same identity plane, and changes to their policies can have outsized consequences when an incident occurs.

N-able says the expanded anomaly detection focuses on policy-level events and immediate notifications, aiming to give teams earlier warning when backup settings change in unexpected ways.