Critical Capabilities for Backup and Data Protection Platforms
ARCHIVED
9 July 2025 - ID G00826616 - 35 min read
By Jason Donham, Rizvan Hussain, and 3 more
Hybrid multicloud environments, SaaS workloads and evolving ransomware threats require new capabilities from backup and data protection platforms. I&O leaders can use this research to compare 12 vendors’ backup and recovery products based on 12 critical capabilities in six use cases.
Overview
Key Findings
Multiple backup vendors are focusing on security and recovery from cyberattacks by including AI-based threat detection capabilities, in-line and backup data anomaly and malware detection, and virtual machine (VM) encryption detection.
Most backup vendors continue to add generative AI (GenAI) features to their offerings to provide AI-guided troubleshooting and administrative support. These GenAI implementations help customers simplify and automate repetitive administrative tasks to varying degrees.
Leading backup vendors are pairing customer-managed hybrid solutions with backup as a service (BaaS) to provide the optimal mix of data protection technology while keeping customer experience intact.
Vendors continue to organically develop support for more SaaS applications. Several vendors offer stand-alone products that support multiple SaaS applications, but many of these are not integrated with their vendor’s primary backup platform.
Backup vendors are enhancing recovery orchestration capabilities for cloud and on-premises to cloud to support application-level and operational recovery.
Recommendations
Infrastructure and operations (I&O) leaders responsible for backup and data protection should:
Improve RFP and proof of concept (POC) outcomes by prioritizing features that minimize the time to detect cyberattacks and offer rapid clean room recovery.
Implement solutions that use AI features to simplify the day-to-day operations of developing and maintaining backup policies, troubleshooting, testing recoveries and securing the entire solution.
Combine hybrid cloud and BaaS data protection delivery models to best protect the growing amount of data spread across data centers, public clouds, edge platforms, SaaS offerings and containerized applications.
Choose hybrid multicloud backup solutions that best integrate and administer SaaS application protection.
Be prepared to deploy point solutions for SaaS or other emerging applications if your primary backup solution does not meet all of your protection requirements.
Strategic Planning Assumptions
By 2029, 75% of enterprises will use a common solution for backup and recovery of data residing on-premises and in cloud infrastructure, compared with 25% in 2025.
By 2029, 80% of enterprises will prioritize backup of SaaS applications as a critical requirement, compared with 20% in 2025.
By 2029, 95% of backup and data protection platform products will include embedded technology to detect and identify cyberthreats, compared with 55% in 2025.
By 2029, 85% of large enterprises will adopt BaaS, alongside on-premises tools, to back up cloud and on-premises workloads, compared with 25% in 2025.
By 2029, 90% of backup and data protection platform products will integrate generative AI to improve management and support operations, compared with fewer than 25% in 2025.
By 2029, 35% of enterprises will implement agentic AI capabilities to perform autonomous backup operations, up from less than 2% in 2025.
By 2029, 30% of enterprises will integrate backup copies as a data source for analytics and inference, up from less than 5% in 2025.
What You Need to Know
Protecting and recovering application data, regardless of the underlying infrastructure type and location, such as on-premises or hybrid/multicloud, is critical for I&O leaders. This requirement continues to evolve as new application types, new locations and new threats emerge.
Since last year’s publication of this research, updates have been made to several existing critical capabilities, while two new capabilities have been added: SaaS integration and BaaS. To help clients understand the suitability of different backup platforms, this Critical Capabilities research evaluates vendors based on six use cases:
Hybrid
Multicloud
SaaS
Data services
Disaster recovery
Ransomware protection, detection and recovery
We assess the ability of 12 vendor products to address these use cases by evaluating each one against 12 critical capabilities:
AI and ML
Data center integration
AWS integration
Azure integration
GCP integration
Other public cloud integration
SaaS integration
Recovery and orchestration
Ransomware detection
BaaS
Platform data services
Platform architecture and security
Several vendors covered by this research feature multiple backup and recovery products. This research only evaluates a single product from each vendor.
Analysis
Critical Capabilities Use-Case Graphics
Vendors’ Product Scores for Hybrid Use Case
Vendors’ Product Scores for Multicloud Use Case
Vendors’ Product Scores for SaaS Use Case
Vendors’ Product Scores for Data Services Use Case
Vendors’ Product Scores for Disaster Recovery Use Case
Vendors’ Product Scores for Ransomware Protection, Detection and Recovery Use Case
Vendors
Arcserve UDP
Arcserve Unified Data Protection (UDP) is a scale-up backup and recovery platform available as software or as an integrated appliance from Arcserve. It is complemented by Arcserve Cyber Resilient Storage, a new software-defined storage offering, which provides integrated immutable backup storage. Arcserve UDP provides coverage of on-premises and data center environments, as well as limited support for public cloud infrastructure as a service (IaaS) and platform as a service (PaaS) applications. Arcserve SaaS Backup is available for multiple SaaS applications.
Arcserve UDP’s key strengths are broad on-premises workload support. This includes agentless backup of multiple hypervisor platforms such as VMware, Microsoft Hyper-V and Nutanix AHV, as well as broad operating system integrations, including bare-metal recovery for Windows Server, Red Hat Enterprise Linux, SUSE Linux and Ubuntu Linux. Additional on-premises integrations include network-attached storage (NAS) platforms from vendors such as NetApp, Nutanix, Dell Technologies and Hewlett Packard Enterprise. Arcserve UDP integrates with Microsoft Defender to provide malware detection. Arcserve SaaS Backup provides comprehensive SaaS application coverage through its partnership with Keepit. It protects Microsoft Entra ID, Microsoft 365, Microsoft Power Platform, Microsoft Azure DevOps, Zendesk, Salesforce, and Google Workspace.
Customers evaluating Arcserve UDP should be aware of its limited deployments in large enterprise organizations and those operating in a hybrid cloud model. Its agent-based requirement provides limited support for IaaS and PaaS workloads in AWS, GCP and Microsoft Azure public clouds. Arcserve UDP also lacks anomaly detection to warn of potential cyberattacks, and support for modern databases — such as MySQL, MongoDB and NoSQL — and workloads built on container platforms.
Arcserve UDP has good performance in the SaaS integration use case and fair performance in all other use cases.
Cohesity DataProtect
Cohesity DataProtect is an integrated offering consisting of backup and recovery software built on an immutable file system. DataProtect is available as a customer-managed physical appliance, a virtual appliance for both on-premises and cloud deployments, and can also be delivered as a vendor-managed BaaS. As a customer-managed cloud solution, DataProtect can be deployed in public cloud environments such as AWS, Microsoft Azure and GCP. Cohesity’s control plane, Helios, can be consumed as a SaaS-based service or as an on-premises deployment, allowing for management of all instances of Cohesity DataProtect and data protection operations.
Cohesity DataProtect’s key differentiators include a scale-out architecture to provide high-performance backup ingests, instant recovery of many workloads, and broad protection of on-premises workloads. Cohesity Data Cloud mitigates risks posed by ransomware and other threats by providing an air-gapped secured vault. DataProtect provides improved sensitive data analysis and malware detection capabilities that are integrated with Cohesity’s DataHawk and FortKnox managed data vault solution. This is augmented with Cohesity’s cyber event response team (CERT), which provides incident response services partnered with third-party incident response (IR) providers to assist with recovery coordination and remediation.
Customers evaluating Cohesity DataProtect should be aware of its limitations, including its lack of support for Microsoft Azure DevOps and Power Platform, and limited full stack cloud discovery and recovery capabilities for infrastructure-as-code (IaC) deployments.
Cohesity DataProtect has excellent performance in all use cases except the SaaS integration use case, where performance is good.
Commvault Cloud
Commvault Cloud is a backup and data protection solution based on a three-tier backup architecture of backup agents, media servers and a management server. The product can be purchased as a BaaS offering hosted in Microsoft Azure or AWS, as an appliance from Commvault’s HyperScale X family, and as stand-alone software for installation on the customer’s own infrastructure.Recent additions include forest-level recovery for Microsoft Active Directory, and Cloud Rewind.
Commvault’s key differentiators include support for a broad range of workloads hosted on-premises and on public cloud, including Azure, AWS, GCP and Oracle Cloud Infrastructure (OCI), plus extensive support for major SaaS applications. Commvault Cloud features SaaS-delivered cyber incident response capabilities, such as Threatwise, an early-warning ransomware detection service. Cleanroom Recovery, with recovery orchestration, is a SaaS-delivered, on-demand, isolated recovery environment that allows for sandbox restoration and data validation.
Customers evaluating Commvault Cloud should be aware of the product complexity and difficulty with initial product implementations. Care should be taken in the design of software-onlydeployments to ensure the selected data protection system is properly secured with least privileged access, immutability, and performance sized to meet RPO and RTO requirements. Customers should also be aware that administration of the product is not available from a single user interface, and that multiple consoles are required for complete management.
Commvault Cloud has excellent performance in all use cases.
Dell PowerProtect Data Manager
Dell PowerProtect Data Manager is an enterprise data center backup and recovery product that protects a broad range of workloads, including physical servers, VMs, databases and NAS backup. Dell PowerProtect Data Manager is available as a stand-alone version packaged as a VM paired with PowerProtect Data Domain physical and virtual storage appliances, or as a fully integrated backup appliance. Snapshot-based backup of public cloud instances in AWS, GCP and Microsoft Azure is supported by Dell’s PowerProtect Cloud Snapshot Manager. Backup for SaaS applications (Microsoft 365, Google Workspace and Salesforce) is supported through Dell PowerProtect Backup Services.Dell Technologies has also introduced Managed Detection and Response, a service that includes CrowdStrike Falcon licensing and integration with PowerProtect Data Manager and PowerProtect Data Domain. Dell’s service analyzes and alerts customers to indicators of compromise based on detected activity.
Dell PowerProtect Data Manager’s key differentiators include its DD Boost-enabled optimized backup for Dell’s storage products, which help protect latency-sensitive, large application data. Other strengths include Microsoft AD granular recovery, enhanced SAP HANA support and VMware transparent snapshots. In addition, Dell PowerProtect Cyber Recovery with CyberSense now features AI-based ransomware analytics for PostgreSQL databases, along with corruption and encryption detection capabilities across other VMs and databases.
Customers evaluating Dell PowerProtect Data Manager should be aware of its lack of native vendor-developed GenAI for backup administration. The product also has limited support for protecting non-Dell storage systems and its backup target storage support is limited to PowerProtect Data Domain.
Dell PowerProtect Data Manager has good performance in all use cases.
Druva Data Security Cloud
Druva Data Security Cloud is a managed BaaS offering delivered on AWS, providing backup storage in AWS or Microsoft Azure. It protects data across on-premises, public clouds, edge devices and SaaS applications. Core services include backup and recovery, disaster recovery, and features for cyber resilience, data security, data governance, anomaly detection, threat hunting, curated recovery, e-discovery, and legal hold. The product leverages AI and ML to simplify common management tasks. These capabilities are offered through Dru Assist, an AI copilot for enhancing user experience with interactive reporting, guided workflows and intelligent troubleshooting, and Dru Investigate, a security-focused AI tool for detecting insider threats, investigating anomalies, analyzing potential indicators of compromise (IOCs), and accelerating incident response.
Druva’s strength lies in its fully managed SaaS model, which eliminates the need for traditional backup components and automatically scales infrastructure based on customer needs. Its Managed Data Detection and Response (MDDR) service provides 24/7 monitoring, detection and response using predefined playbooks. It includes support for Microsoft Entra ID, Microsoft Dynamics 365, Azure SQL and Nutanix AHV.
Customers evaluating Druva should be aware of certain limitations, such as no support for customer-managed storage, no native integration with MongoDB and Cassandra, and limited support for non-x86 workloads. The product also requires an agent installed for Google Cloud Engine (GCE) VMs and Hyper-V image-based backups.
Druva Data Security Cloud has good performance in all use cases.
Huawei OceanProtect
Huawei OceanProtect DataBackup is a software and integrated appliance solution for backup and data protection of on-premises, IaaS and PaaS environments. It can also be combined with its target-based OceanProtect Backup Storage for additional storage options. OceanProtect DataBackup integrates well with on-premises environments supporting multiple hypervisors, physical servers and enterprise databases. As a customer-managed deployment, its SaaS protection includes Microsoft Entra ID and Microsoft 365. Huawei Cloud Backup and Recovery provides a BaaS solution for protection of workloads in Huawei Cloud. Management of Huawei’s backup and data protection portfolio is coordinated through its Data Management Engine console, which includes GenAI-enhanced capabilities to simplify administrative tasks.
OceanProtect DataBackup’s key differentiators include its portfolio of flash-based appliances, offering multiple storage capacity options, optimized deduplication rates, and high-performance backup and recovery operations. It offers broad coverage of multiple big data sources, including HDFS, HBase, Hive, Elasticsearch and Huawei Cloud MRS and FusionInsight. The product also provides agentless protection of Huawei Cloud and Alibaba Cloud workloads. OceanProtect DataBackup provides clients with highly effective multilayer ransomware detection capability through integration with Huawei network, storage and the OceanCyber Data Security appliance. This appliance provides unified security policy configuration and management, as well as ransomware detection and analysis across multiple Huawei storage systems.
Customers evaluating Huawei OceanProtect DataBackup should be aware it lacks integrated malware scanning and threat hunting across backup data and offers limited agentless support for AWS, Azure and GCP IaaS and PaaS workloads. It also does not support Red Hat OpenShift Virtualization, Solaris, VMware Tanzu or software cluster offerings, such as VMware vSphere High Availability clusters and Veritas Cluster.
Huawei OceanProtect DataBackup has good performance in the hybrid, multicloud, SaaS integration and data services use cases and fair performance in all other use cases.
HYCU R-Cloud
HYCU R-Cloud is a hybrid, multicloud BaaS platform that supports on-premises, IaaS, SaaS and PaaS workloads hosted on VMware, Nutanix AHV, AWS, Microsoft Azure and GCP. It can store backup data on-premises or in AWS, Azure, GCP or other S3-compatible targets, where storage is billed directly by the cloud provider, storage costs are not part of the BaaS offering, and backup data remains under customer control.
HYCU R-Cloud’s key differentiators are its ease of use for multicloud distributed data and its control plane BaaS delivery model, which supports backup and disaster recovery between clouds for all three public cloud providers. Its architecture allows customers to choose their own backup storage, including on-premises or cloud targets. Database as a service (DBaaS) and PaaS support is improved with additions such as Amazon DynamoDB and Google Cloud’s AlloyDB. HYCU offers capabilities to support multiple SaaS applications through its R-Cloud initiative. This includes added support for Jira, Atlassian Jira Service Management, Atlassian Confluence, Atlassian Bitbucket, Okta, Docusignand monday.com. HYCU also introduced R-Shield for ransomware detection and secure recovery across environments, and expanded coverage to include Azure Stack HCI and integration with DD Boost from Dell.
Customers considering HYCU R-Cloud should be aware of its limited support for on-premises enterprise capabilities.HYCU R-Cloud lacks image-based backup capabilities for Microsoft Hyper-V, Red Hat OpenShift Virtualization, and Proxmox hypervisors. Support for containerized applications is also lacking for on-premises, Azure and AWS cloud environments.
HYCU R-Cloud has good performance in all use cases.
IBM Storage Defender
IBM Storage Defender is a hybrid multicloud software platform that supports on-premises and cloud workloads with other IBM software components. IBM Storage Defender Data Protect provides immutable data protection for workloads running on VMs and containers, along with relational and NoSQL databases. The Storage Defender offering is complemented by IBM’s Storage Protect, Storage Protect Plus and Storage Protect for Cloud, which includes support for Amazon EC2 and VMware Cloud on AWS, Salesforce, Microsoft 365, Microsoft Entra ID, and Microsoft Azure VMs, Files, and Blob Storage, along with GCP and OCI virtual machines. IBM Storage Protect focuses on traditional data center infrastructure, offering agent-based protection of physical and non-x86 systems, file systems, applications and VMs. IBM Storage Protect for Containers focuses on Red Hat OpenShift container protection.
IBM Storage Defender’s key differentiators include its integration of AI, automatic recovery group generation, application-aware threat scanning for applications such as SAP HANA, VMware, Oracle, and Epic, improved integration with third-party platforms, and Red Hat OpenShift container and virtualization support. IBM Storage Defender also supports modern databases such as MongoDB.
Customers evaluating IBM Storage Defender should be aware that it does not support solutions such as DynamoDB, Amazon Redshift, Amazon S3 objects, Amazon EFS, Amazon FSx, Azure Cosmos DB, Redis, and Azure Database for MariaDB. Customers will find that identifying which subcomponents support specific cloud platforms or solutions is confusing, given the support sets of each component of the Defender product family.
IBM Storage Defender has excellent performance in the ransomware protection, detection and recovery use case and good performance in all other use cases.
OpenText Data Protector
OpenText Data Protector is a software-based solution that protects various traditional data center workloads. It is part of the OpenText portfolio of products that offer a range of security and data protection offerings.
The main strength of OpenText Data Protector, in both its Express and Premium Editions, is its overall coverage of traditional data center environments. This includes the ability to protect metadata and content in OpenText Documentum, and the ability to integrate with the snapshot capabilities of major storage arrays. The product also offers broad support for a variety of hypervisors and backup targets, including purpose-built deduplication appliances, tape and object storage systems. OpenText Data Protector for Cloud Workloads provides IaaS and SaaS protection.
Customers evaluating OpenText Data Protector should be aware of limitations such as a lack of support for disaster recovery (DR) features, including continuous data protection (CDP) replication and restore-to-cloud capabilities. Additionally, OpenText Data Protector for Cloud does not support public cloud file services, such as Azure Files or Amazon EFS. It also lacks support for Oracle OCI, while SaaS application support is limited to Microsoft 365.
OpenText Data Protector has fair performance in all use cases.
OpenText did not respond to requests for supplemental information. Gartner’s analysis is therefore based on other credible sources.
Rubrik Security Cloud
Rubrik Security Cloud is a scale-out backup and recovery platform available as software deployed on qualified hardware from Rubrik’s partners or as a vendor-suppliedappliance. Rubrik Security Cloud can be self-managed in AWS, Microsoft Azure and GCP cloud environments. It also offers a BaaS solution for Microsoft 365, Entra ID and Dynamics 365, as well as Salesforce and GitHub.
Rubrik Security Cloud’s key differentiator is its unified platform on a centralized control plane, providing protection of data across on-premises, cloud and SaaS. It offers protection of backup data against ransomware and malware, isolated recovery testing and quarantine of malware to prevent reinfection. Rubrik Security Cloud offers several additional components that provide anti-ransomware capabilities, such as VM-level encryption detection and recovery, anomaly detection for Azure VMs, and advanced threat hunting. Rubrik has identity-focused features that include Microsoft AD forest recovery and protection of Entra ID. Rubrik also offers a GenAI chatbot using data on the Rubrik Security Cloud through its Annapurna RAG solution.
Customers evaluating Rubrik Security Cloud should be aware that it consists of integrated backup and storage software that cannot be deployed as a software-only offering, limiting the use of bring-your-own-storage (BYOS) options. It also has limited support for Google Anthos, Google Cloud SQL, Google Kubernetes Engine (GKE) and Amazon Elastic Container Service (Amazon ECS). Also, Rubrik’s Live Mount feature is not supported for database snapshots backed up from databases with high file count.
Rubrik Security Cloud has excellent performance in all use cases except the multicloud and disaster recovery use cases, where performance is good.
Unitrends Backup Software
Unitrends Backup Software is a scale-up backup platform that can be deployed as software on customer-provided hardware or as a vendor-supplied appliance to protect on-premises and data center environments. It is complemented by Unitrends Backup for AWS and Unitrends Backup for Azure for VM protection in Azure and AWS. Unitrends Backup Software includes Unitrends UniView for centralized management of multiple appliances and is further complemented by add-ons such as Unitrends Forever Cloud for long-term retention, and Spanning for SaaS backup and recovery.
Unitrends Backup Software’s highlights are its global job monitoring and policy management via UniView, and its support for disaster recovery (DR) orchestration. DR orchestration includes support for VMware, Microsoft Hyper-V and Microsoft Azure recovery operations to Unitrends Forever Cloud or Azure environments. It also offers access to its “white-glove” DRaaS-managed service for failover and recovery, as well as testing. Unitrends Backup for Microsoft Azure includes egress charges and failover to Unitrends Cloud as part of its subscription fee.
Customers evaluating Unitrends Backup Software should be aware of limited support for multicloud workloads. Its SaaS application protection is limited to Microsoft 365, Salesforce and Google workspace. Unitrends Backup Software does not support the protection of containerized applications, while its support for MySQL, Progress, Paradox, Postgres and SAP is limited to file system backup.
Unitrends Backup Software has fair performance in all use cases.
Unitrends did not respond to requests for supplemental information. Gartner’s analysis is therefore based on other credible sources.
Veeam Data Platform
Veeam Data Platform (VDP) is a solution designed for backup and data protection across hybrid and multicloud environments, offering capabilities such as data backup, recovery, data portability, data security and data intelligence. It integrates various Veeam products — including Veeam Backup & Replication — for a wide range of workloads, Veeam Kasten for Kubernetes for containerized applications, Veeam ONE for monitoring, analytics and alerting, and Veeam Recovery Orchestrator (VRO) for disaster recovery and cyber recovery orchestration. VDP also offers separate solutions for Microsoft 365 and Salesforce, which can be deployed in the customer’s infrastructure or consumed as a service through Veeam’s network of service provider partners. VDP provides a vendor-managed BaaS offering for Microsoft 365, Azure, Entra ID and Salesforce.
Key differentiators of VDP include broad workload coverage across virtual, physical, cloud and containerized environments, and integration for optimized backups with multiple storage products and cloud providers. It offers fast and flexible recovery options, with instant recovery and granular restore capabilities. It also provides comprehensive ransomware and cyber resilience capabilities. Veeam offers advanced threat detection, including AI-powered inline scanning, signature-based malware detection through Veeam Threat Hunter, YARA rule-based scanning, and IoC detection. Veeam provides data portability with a self-describing backup format and the ability to restore across different platforms, including cross-hypervisor and cross-cloud environments. The platform leverages AI and ML through Veeam Intelligence for proactive issue resolution, reporting and analytics.
Customers evaluating VDP should be aware of dependence on Microsoft Windows Server infrastructure, and that self-managed deployment requires the customer to select and configure underlying infrastructure components, including compute, storage and security hardening. VDP also lacks packaged orchestration for Microsoft AD forest-level recovery and a web-based control plane. Additionally, Veeam’s SaaS backup support for Microsoft is limited, lacking integration with Microsoft Power Apps, Azure DevOps and Dynamics 365.
VDP has excellent performance in all use cases except the SaaS integration and data services use cases, where performance is good.
Context
Backup and data protection are business-critical processes that present multiple challenges. Data volumes continue to grow and move toward the edge, applications are becoming more dynamic and new types of cyberattacks are on the rise. As a result, restoration performance, data source coverage and recovery orchestration are top concerns for many organizations.
Backup architectures are focused on hybrid solutions that blend on-premises, BaaS, cloud and multicloud elements. In addition to the on-premises challenges, multicloud and hybrid environments — including PaaS, IaaS and those outsourced to SaaS — demand equal levels of protection. These diverse requirements are prompting organizations to evaluate comprehensive backup solutions that can protect a wider range of applications and data, rather than relying on multiple point solutions. Selecting a backup product that can meet the needs of the business during the next three to five years is now an important strategic exercise.
Market Definition
Gartner defines enterprise backup and recovery software solutions as technology that captures a point-in-time copy (backup) of enterprise data in on-premises, hybrid, multicloud and software as a service (SaaS) environments. These solutions write this data to one or more secondary storage targets for the primary purpose of recovering it in case of loss.
Protecting and recovering business application data, irrespective of the underlying infrastructure type and its location, is more important than ever. As enterprises move toward more complex environments that include large and expansive amounts of business-critical data, enterprise backup and recovery software solutions protect these workloads, whether they reside in on-premises, hybrid, multicloud or software as a service (SaaS) environments.
These solutions are vital to organizations’ ability to recover data following events that cause it to become inaccessible. Whether such an event is accidental, malicious or environmental, organizations use these solutions to recover and restore access to the affected data accurately and efficiently.
Solutions must offer effective capabilities to simplify the management of data protection across complex enterprise environments. They must also ensure reliable recovery not just from accidental or operational errors but also from data loss arising from constantly changing threats, and expedite and orchestrate data recovery responses to traditional disaster and ransomware events.
Must-Have Capabilities
Must-have capabilities of enterprise backup and recovery software solutions include:
Backup of data and systems across on-premises and hybrid multicloud environments. On-premises requirements include protection of operating systems, files, databases, virtual machines and applications. Cloud requirements include protection of infrastructure as a service (IaaS), platform as a service (PaaS), database as a service (DBaaS) and SaaS.
Recovery of data and systems from any failure or data loss scenario, such as operational, system or application failure, accidental error, natural disaster and cyberattack. This demands capabilities to implement backup and data management policies to support an enterprise’s business requirements for recovery point objectives (RPOs), recovery time objectives (RTOs), resilience, data life cycle and compliance.
Integration with immutable backup storage target(s) or delivery of vendor-provided immutable storage.
Standard Capabilities
Standard capabilities of enterprise backup and recovery software solutions include:
Protection of critical data in SaaS or PaaS applications, such as Google Workspace, Microsoft 365, Microsoft Entra ID, Salesforce applications, and other sources including object storage and containers.
A centralized console for management of distributed backup solution infrastructure across hybrid and multicloud environments.
Enhanced security capabilities, such as integration with privileged access management solutions, multifactor authentication, role-based access controls and multiperson change validation; security information and event management (SIEM) and security orchestration, automation and response (SOAR) integration; and advanced security reporting and logging.
Enhanced cyber recovery readiness capabilities, such as vendor-developed or third-party integrated anomaly and entropy detection; malware and signature-based detection; and immutable data vault and isolated recovery environment offerings.
Orchestration of disaster and cyber recovery testing and processes.
Optional Capabilities
Optional capabilities of enterprise backup and recovery software solutions include:
Protection of additional workloads and support for use cases such as edge/remote branch office sites, endpoints and large language model (LLM) infrastructure and data.
A vendor-hosted, SaaS-based control plane to manage and orchestrate complex and distributed environments.
A vendor-hosted backup as a service (BaaS) offering to deliver backup and recovery services for hybrid and multicloud environments.
Generative AI features to simplify administration, improvesupport services, and accelerate backup and recovery procedures.
Support for expanded data backup use cases to assist data discovery, security, compliance, copy data management, testing and development, and e-discovery processes.
Product/Service Trends
Backup and data protection platforms deliver point-in-time copy (backup) of data in on-premises, hybrid, multicloud and SaaS environments. These solutions write this data to one or more secondary storage targets for the primary purpose of recovering it in case of loss. They are vital to an organization’s ability to recover data following events that cause it to become inaccessible.
Critical Capabilities Definition
Vendor products will be evaluated against the following critical capabilities for each of the use cases listed in the use-case definition.
AI and ML
Evaluates the capabilities related to the use of artificial intelligence and machine learning within the backup platform.
Data Center Integration
Evaluates the integration with, and support of, such things as deployment, scalability, storage arrays, hypervisors, operating systems and enterprise applications commonly found in enterprise datacenters, co-location and edge.
AWS Integration
Evaluates the integration with, and support of, such things as deployment, scalability, cloud-native technologies, storage offerings, hypervisors, operating systems and enterprise applications commonly found in Amazon Web Services (AWS).
Azure Integration
Evaluates the integration with, and support of, such things as deployment, scalability, cloud-native technologies, storage offerings, hypervisors, operating systems and enterprise applications commonly found in Microsoft Azure.
GCP Integration
Evaluates the integration with, and support of, such things as deployment, scalability, cloud-native technologies, storage offerings, hypervisors, operating systems and enterprise applications commonly found in Google Cloud Platform (GCP).
Other Public Cloud Integration
Evaluates the integration with, and support of, such things as deployment, scalability, cloud-native technologies, storage offerings, hypervisors, operating systems and enterprise applications found in other public cloud providers such as Oracle, IBM, Alibaba Cloud, Tencent and Huawei Cloud.
SaaS Integration
Evaluates the support for backup and recovery of customer data stored in Google Workspace, Microsoft 365, Salesforce and other SaaS applications such as, but not limited to, GitHub, ServiceNow, Okta, Workday, Atlassian, and Microsoft Azure DevOps, Dynamics 365 and Entra ID.
Recovery and Orchestration
Evaluates the capabilities designed to support and orchestrate disaster recovery from multiple scenarios.
Ransomware Detection
Evaluates the features designed to offer insights and remediation steps to anomaly and malware activity within a customer environment.
BaaS
Evaluates the availability and scope of backup and data protection platform capabilities in a backup-as-a-service (BaaS) delivery model.
Platform Data Services
Evaluates the scope of data management, insights and access capabilities within the backup and data protection platform.
Platform Architecture and Security
Evaluates the scope of features related to the backup and data protection platform architecture, scale, management, security and other characteristics in hybrid and multicloud environments.
Use Cases
Gartner has evaluated the products for six typical backup and data protection platform use cases. In most enterprise environments, the products will likely be used for multiple use cases at the same time, so organizations should not view them in isolation.
As organizations continue to move toward hybrid and multicloud infrastructure, it is crucial that they protect and recover business applications, irrespective of the underlying infrastructure type and location. Furthermore, with enterprise digital business transformation programs leading to the creation of new application and data types, protecting new workload types is important. The use cases presented here are selected with this rapidly changing application and infrastructure landscape in mind.
Hybrid
This use case involves protecting applications and data in data centers, co-location sites or edge, on physical or virtual platforms and strategic cloud platform services.
This includes protection of on-premises hardware platforms, operating systems, virtualization platforms, enterprise applications and public cloud-based IaaS and PaaS offerings.
Multicloud
The multicloud use case involves the ability to protect applications and data hosted in multiple strategic cloud platform services.
This includes protection of public cloud-based IaaS and PaaS offerings.
SaaS
The SaaS use case involves the ability to protect SaaS application data.
This includes protection of major SaaS applications such as Google Workspace, Microsoft 365 and Salesforce, as well as an expanding list of other SaaS applications, such as Microsoft Entra ID, ServiceNow, Slack, Microsoft Dynamics 365 and Okta.
Data Services
The data services use case involves the ability to handle selected aspects of data management within the backup and data protection platform.
This includes backup data tiering, migration, search and indexing, life cycle management, data insights and access.
Disaster Recovery
This use case involves the ability to support disaster recovery processes and automation in response to traditional on-premises, hybrid and multicloud disaster scenarios.
Ransomware Protection, Detection and Recovery
This use case involves the ability to support ransomware recovery processes and automation in response to ransomware scenarios.
This includes incidents such as cyberattacks or ransomware encryption.
Vendors Added and Dropped
Added
Huawei (OceanProtect) was added to this year’s Critical Capabilities report.
Dropped
Microsoft (Azure Backup) was dropped from this year’s research, as it didn’t meet all mandatory feature requirements.
Veritas (NetBackup) was dropped from this year’s research as a result of the completed transaction to merge Veritas’ enterprise data protection business with Cohesity in December 2024.
Inclusion Criteria
The following criteria represent the specific attributes that analysts believe are necessary for inclusion in this research:
The vendor’s qualifying backup and data protection platform must meet all “Mandatory” features as defined in the Market Definition.
The vendor’s qualifying backup and data platform multicloud requirement must support protection of infrastructure as a service (IaaS) on TWO public cloud environments that had qualified for inclusion in the 2024 Magic Quadrant for Strategic Cloud Platform Services. Those vendors are Alibaba Cloud, Amazon Web Services, Google, Huawei Cloud, IBM, Microsoft, Oracle, and Tencent Cloud.
The vendor must have at least one qualifying backup and recovery solution commercially available for use by enterprises for three calendar years prior to 1 April 2025, i.e. it must have been commercially available at least as early as 1 April 2022.
The vendor must meet at least one of the following revenue criteria. Revenue must be derived solely from its backup and recovery product portfolio. This revenue should not include revenue generated from implementation services or through managed services provider (MSP) sales.
The vendor must have generated over $75 million in reported Annual Recurring Revenue (ARR) on February 28, 2025, OR
The vendor must have generated over $30 million in reported ARR on February 28, 2025, combined with a year-on-year (28 February 2024 vs. 28 February 2025) ARR growth rate of 20%.
The vendor must serve an installed base of at least 1,000 customers within the market. In addition, at least 250 of the 1,000 customers must have deployed the backup solution for a minimum of 100 physical servers or 300 virtual servers in a single deployment site or cloud region. This excludes endpoint backups.
The vendor must actively sell and support its backup and data protection platform products under its own brand name in at least three of the following major geographies: North America, EMEA, Asia/Pacific and Central/South America. At least 25% of total ARR must originate from outside of its major geography.
The vendor must have a minimum of 50 brought to revenue customers, installed and in production use of its qualifying backup and data protection platform product or solution, in each of at least three of the following major geographies (North America, EMEA, Asia/Pacific and Central/South America). Twenty of the 50 customers, per geography, must have deployed the backup solution for a minimum of 100 physical servers or 300 virtual servers. This excludes endpoint backups.
The vendor’s qualifying backup and recovery solution(s) must be sold and marketed primarily to upper-end midmarket and large enterprise organizations. Gartner defines the upper-end midmarket as being 500 to 999 employees, and the large enterprise as being 1,000 employees or greater.
New products or updates to existing products that were released in the last 12 months must be generally available before 01 April 2025 to be considered for evaluation. All components must be publicly available, shipping and included on the vendor’s published price list as of this date. Products shipping after this date will only have an influence on the Completeness of Vision axis.
The vendor must employ at least 100 full-time employees, dedicated to backup and data protection platforms, in engineering, sales and marketing functions combined as of 28 February 2025.
The following exclusion criteria apply:
Vendors offering products or solutions whose software is sourced primarily from a third-party ISV.
Products that serve only as a target or destination for backup but do not actually perform the backup and restore management function. Examples include purpose-built deduplication appliances, SAN, NAS or object storage.
Vendors whose main source of product revenue (more than 75% of total revenue) is from hosting data centers and managed service providers.
Products or solutions designed and positioned mainly as solutions for homogeneous environments — such as tools designed to back up only Amazon S3, Amazon EC2, Azure Blob, Azure Virtual Machines, Microsoft Hyper-V, VMware, Red Hat or containers.
Products or solutions that are designed and positioned mainly as solutions to back up only SaaS applications.
Products or solutions that are designed and positioned mainly as solutions for backing up endpoints such as laptops, desktops and mobile devices.
Products or solutions that are designed and positioned mainly as solutions to back up remote offices, edge locations and lower midmarket/SMB environments.
Products or solutions designed and positioned mainly to back up specific storage or hyperconverged systems vendors.
Products that serve only as replication and disaster recovery tools.
Products that serve primarily for managing snapshot and replication capabilities of storage arrays.
Products that are positioned mainly for copy data management or DevOps testing.
Products that are positioned mainly for continuous data protection.
Weighting for Critical Capabilities in Use Cases
Critical Capabilities
Hybrid
Multicloud
SaaS
Data Services
Disaster Recovery
Ransomware Protection, Detection and Recovery
AI and ML
5%
5%
5%
10%
10%
10%
Data Center Integration
26%
0%
0%
5%
6%
0%
AWS Integration
4%
13%
0%
5%
6%
0%
Azure Integration
4%
13%
0%
5%
6%
0%
GCP Integration
4%
13%
0%
5%
6%
0%
Other Public Cloud Integration
2%
6%
0%
5%
6%
0%
SaaS Integration
0%
0%
45%
5%
0%
0%
Recovery and Orchestration
15%
15%
0%
0%
40%
25%
Ransomware Detection
15%
15%
15%
0%
0%
40%
BaaS
5%
10%
35%
0%
0%
0%
Platform Data Services
0%
0%
0%
40%
0%
10%
Platform Architecture and Security
20%
10%
0%
20%
20%
15%
As of 23May 2025
Source: Gartner (July 2025)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.
Critical Capabilities Rating
Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.
Product/Service Rating on Critical Capabilities
Critical Capabilities
Arcserve UDP
Cohesity DataProtect
Commvault Cloud
Dell PowerProtect Data Manager
Druva Data Security Cloud
Huawei OceanProtect
HYCU R-Cloud
IBM Storage Defender
OpenText Data Protector
Rubrik Security Cloud
Unitrends Backup Software
Veeam Data Platform
AI and ML
1.3
3.9
4.0
3.5
3.7
2.9
2.8
3.7
2.1
3.8
2.0
3.8
Data Center Integration
2.8
4.3
4.4
3.8
3.0
3.7
3.2
4.1
3.3
4.2
3.2
4.3
AWS Integration
2.6
4.3
4.4
4.0
4.2
3.3
3.7
3.2
1.8
4.3
2.0
4.3
Azure Integration
1.7
4.1
4.1
3.3
3.3
3.0
3.3
3.7
1.6
4.2
2.0
4.5
GCP Integration
1.7
3.8
4.5
4.1
2.5
3.3
4.4
2.9
1.8
3.7
1.0
4.5
Other Public Cloud Integration
1.0
3.0
4.3
2.4
1.0
3.2
1.5
2.5
1.0
1.3
1.0
2.8
SaaS Integration
4.2
4.0
4.2
3.7
3.8
3.7
4.1
4.3
3.6
4.1
3.3
3.8
Recovery and Orchestration
2.5
4.0
4.1
3.2
3.0
2.3
3.0
4.0
2.9
4.0
3.1
4.3
Ransomware Detection
2.4
4.4
4.1
3.8
3.9
2.7
2.6
4.4
1.9
4.5
2.3
4.4
BaaS
3.1
3.5
4.1
4.0
4.3
3.5
3.7
3.5
2.9
3.8
2.6
3.7
Platform Data Services
1.7
4.1
4.3
3.5
4.1
3.1
3.4
3.8
1.4
4.3
1.5
3.3
Platform Architecture and Security
2.9
4.1
4.4
3.8
3.7
3.3
3.9
4.1
3.3
4.2
3.5
4.1
As of 23 May 2025
Source: Gartner (July 2025)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.
Product Score in Use Cases
Use Cases
Arcserve UDP
Cohesity DataProtect
Commvault Cloud
Dell PowerProtect Data Manager
Druva Data Security Cloud
Huawei OceanProtect
HYCU R-Cloud
IBM Storage Defender
OpenText Data Protector
Rubrik Security Cloud
Unitrends Backup Software
Veeam Data Platform
Hybrid
2.50
4.11
4.26
3.66
3.37
3.15
3.27
3.94
2.71
4.08
2.79
4.19
Multicloud
2.22
4.00
4.23
3.63
3.37
3.02
3.32
3.61
2.18
3.91
2.23
4.16
SaaS
3.40
3.91
4.14
3.82
3.99
3.43
3.68
3.97
2.99
4.03
2.84
3.83
Data Services
2.07
4.03
4.28
3.57
3.62
3.19
3.43
3.75
2.07
4.04
2.13
3.72
Disaster Recovery
2.28
4.00
4.22
3.45
3.15
2.87
3.23
3.78
2.61
3.87
2.68
4.15
Ransomware Protection, Detection and Recovery
2.29
4.18
4.17
3.59
3.64
2.76
3.01
4.12
2.34
4.22
2.58
4.15
As of 23 May 2025
Source: Gartner (July 2025)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.
Critical Capabilities Methodology
This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.