Commvault urges four-step resilience against AI threats

Commvault has urged organisations to adopt a four-step resilience framework in response to the rise of frontier AI, warning that faster AI-led vulnerability discovery is shrinking the time available to respond to cyber threats.

The guidance focuses on assessing recovery risks, making isolated recovery and air-gapped copies standard practice, prioritising systems essential to business operations, and automating resilience testing. The company said the approach is needed because advanced AI models are identifying more vulnerabilities and helping attackers move from disclosure to exploitation far more quickly than before.

Research cited by Commvault points to a sharp increase in the volume of software flaws uncovered by AI cyber models. It added that once a vulnerability becomes known, AI-assisted exploitation can emerge within minutes rather than weeks, leaving companies with a much narrower remediation window.

That shift means cyber recovery must be treated as a day-to-day operational issue rather than a contingency plan reserved for major incidents, Commvault said, adding that no software vendor is insulated from the change in the threat landscape.

Nick Patience, Vice President and AI Practise Lead at Futurum Group, said the economics of vulnerability discovery had changed.

"Frontier models change the economics of vulnerability discovery. AI models will reveal exploitable vulnerabilities at such a fast pace, remediation programs must evolve," said Nick Patience, Vice President and AI Practise Lead at Futurum Group.

"While a rigorous patching strategy remains critical, the key now is also making sure readiness, resilience, and clean recoveries are top priorities," Patience said.

Four steps

The first part of the framework calls on IT and security teams to assess whether their current recovery posture can withstand rapid cycles of vulnerability discovery and exploitation. This includes testing whether critical systems can be restored in a clean state, whether recovery environments are separated from compromised production systems, and whether recovery plans reflect system dependencies.

The second step is to make isolated recovery and air gapping routine. Organisations should maintain immutable, isolated copies of critical data and workloads, separated from production identity, network, and management layers, so they can fall back on clean copies when patching or remediation cannot keep pace, Commvault said.

It also called for recovery time objectives and recovery point objectives to be tested against realistic attack scenarios rather than simple system failures. Targets set before autonomous exploitation became possible may no longer reflect current conditions, according to the company.

The third step focuses on identifying the systems a business cannot operate without. Companies should establish the order in which core platforms such as identity services, billing systems, operational databases, and cloud services must be restored. Businesses should also account for newer AI-related dependencies, including data pipelines, model repositories, vector databases, and agentic workflows, Commvault said.

The fourth recommendation is to automate resilience processes and test them continuously. Recovery plans should not remain static documents, the company said. Organisations should automate threat scanning, identification of clean recovery points, dependency-aware restoration, and orchestration of recovery steps. Those plans should also be tested regularly in isolated cleanroom environments before incidents occur.

Patience said organisations that adopt the framework would be in a stronger position to use AI while limiting exposure to related risks.

"Organisations that embrace this four-step process will be better suited to take advantage of rapidly evolving AI models while also mitigating the risks," Patience said.

The issue has also become a practical concern for large users of cyber recovery systems. Commvault included comments from BOK Financial on the operational demands of restoring systems after an incident.

"Resilience continues to be a high priority for us," said Jayson Morgan, Senior Vice President of Infrastructure at BOK Financial Corporation.

"What matters isn't simply whether backups exist, but whether we can recover cleanly, validate integrity, and resume operations fast when it matters most," Morgan said.

Operating model

Alongside the four-step framework, Commvault outlined a wider operating model it calls ResOps. The model is intended to make resilience measurable and continuous through regular testing, validation of recovery readiness, checks on clean recovery, and protection for both production and recovery environments.

The approach underpins business continuity during cyber attacks, outages, and disruptions linked to AI-driven threats, according to Commvault. It positions resilience as an operational discipline spanning technology, process, and regular testing rather than as a single product or backup function.

Bill O'Connell, Chief Security Officer at Commvault, said the pace of AI development was changing what organisations need from security and recovery planning.

"AI models will continue to evolve that accelerate remediation timelines and require a new approach to readiness," said Bill O'Connell, Chief Security Officer at Commvault.

"ResOps gives organizations a way to continuously validate readiness, advance clean recoveries, restore systems with confidence, and build resilience into the way they operate," O'Connell said.