Ransomware attackers have a clear playbook -- destroy the backup, then demand the ransom. At RSAC Conference 2026, Anthony Cusimano of Object First explains why absolute immutability is more than a marketing term and what it actually takes to make backup storage the layer that holds when everything else fails.
At RSAC Conference 2026, Anthony Cusimano, Chief Evangelist and Director of Solutions Marketing at Object First, joins Sean Martin on the show floor to break down what separates truly immutable storage from the checkbox version. The answer comes down to zero access: no command line interface, no root access, no administrative back doors at any layer -- for customers or for Object First itself.
Object First appliances are purpose-built for Veeam and ship with S3 protocol storage in automatic compliance mode, versioning, and object lock. Once data is written and a retention period is set, nothing -- no admin, no attacker, not even the vendor -- can touch it. Cusimano describes the architecture as a storage utility, not an administration platform: Veeam handles all backup policy and configuration; Object First handles one thing only, ensuring the data cannot be erased.
The statistics behind the design are sobering. According to Cusimano, 96 percent of ransomware attacks specifically target backup data -- a figure validated across four independent industry surveys. Organizations that rely on encryption alone, without immutable storage, are leaving a critical gap that attackers have learned to exploit. Many do not discover that gap until recovery is already underway.
Cusimano also makes the case for recovery testing as a security priority in its own right. He recommends full tabletop exercises that assume worst-case conditions: every admin credential compromised, active directory gone. Teams that run through this process discover gaps in their architecture that no amount of vendor documentation will surface. His practical tip -- collect coworkers' cell phone numbers before an incident -- reflects just how complete the communications blackout can be when directory services fail.
Two capabilities from Object First round out the conversation. Fleet Manager, launching May 6th, gives managed service providers and large enterprises a single SaaS dashboard to manage all Object First instances with unified telemetry and honeypot visibility -- with no backup data leaving the appliance. And the honeypot feature, included on every device at no cost, simulates a Veeam backup and replication server as a decoy. When agentic AI-driven attacks probe the environment, they interact with the honeypot exactly as they would a real target, triggering alerts that can surface threats days or weeks before a full attack develops.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Anthony Cusimano, Chief Evangelist & Director of Solutions Marketing, Object First
LinkedIn: https://www.linkedin.com/in/anthonycusimano89/
RESOURCES
Object First website: https://objectfirst.com
ITSPmagazine RSAC Conference 2026 coverage: https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Anthony Cusimano, Object First, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, ransomware, immutable storage, backup security, Veeam, data protection, RSAC Conference 2026, cyber resilience, absolute immutability, ransomware recovery, Fleet Manager, honeypot detection, managed service providers, zero trust storage
The Backup Layer Is a Security Layer | A Brand Spotlight at RSAC Conference 2026 with Anthony Cusimano, Chief Evangelist & Director of Solutions Marketing at Object First
[00:00:10] Sean Martin: Here we are.
[00:00:11] Anthony Cusimano: Here we are,
[00:00:12] Sean Martin: Anthony.
[00:00:12] Anthony Cusimano: It's exciting,
[00:00:13] Sean Martin: right?
[00:00:13] Anthony Cusimano: Yeah.
[00:00:14] Sean Martin: And I, I, I got a new hat.
[00:00:16] Anthony Cusimano: You did?
[00:00:16] Sean Martin: I got a hat.
[00:00:17] Anthony Cusimano: Hey, it looks good on you.
[00:00:18] Sean Martin: I like the hat. I like the white hat. I like the purple. I, I'm a fan of purple. It's a good
[00:00:22] Anthony Cusimano: combo.
[00:00:23] Sean Martin: It's, I like the pen. I like the purple and the orange, uh, the orange contrast is good too. Mm-hmm. And you guys got it going on. So here we are. We're at RSAC Conference 2026. Anthony Cusimano, how are you?
[00:00:35] Anthony Cusimano: I'm doing great, Sean. How are you?
[00:00:37] Sean Martin: Good, good to see you. And, uh, the, the, the short flow, the floor show floor. There we go. If I can spit that out, is buzzing. You might hear a little bit in the background. Uh, good conversations this week so far.
[00:00:49] Anthony Cusimano: Oh my gosh, yeah, it's nonstop. Uh, you know, last night they did the big opening, the floodgates opened. I've never seen so many people in a little corner of a show floor in my life, but, uh, it was just. I'm surprised I have a voice.
[00:01:03] Sean Martin: There you go. That's a good sign. Yeah. You get, you get to have some good conversations. Uh. Elevator pitch for Object First, just so we kinda level set folks what they're gonna hear about today as we, as we chat.
[00:01:14] Anthony Cusimano: Right? So if you haven't heard of Object First before, uh, you might have heard of Veeam Data Protection. Uh, the largest data protection vendor on the planet. So Veeam is excellent at what they do, but when it came to, uh, Veeam customers and the storage they were using, they needed a little bit more. And that's exactly where we come in. Object First is simply resilient storage for Veeam. Uh, I would even go so far as say, the best storage for Veeam and what we deliver is absolute immutability.
[00:01:44] Sean Martin: Absolute immutability.
[00:01:45] Anthony Cusimano: Yes.
[00:01:45] Sean Martin: And uh. We had a nice chat about this before the show
[00:01:49] Anthony Cusimano: we did,
[00:01:49] Sean Martin: so I'm gonna encourage everybody to listen to that conversation, but brief word, what that actually means.
[00:01:54] Anthony Cusimano: Right. Well, unfortunately, immutable immutability and just immutable storage in general has become a little bit of a buzzword marketing term. Uh, you can go look on a website and control f immutability, you'll find it there, but oftentimes it's not actually immutable. If an admin can come in and disable it, that's not immutability, that's just a checkbox, right? Uh, if you can come in at a different layer and say the operating system, the ESX host, the VMware layer, you can delete that machine. It's not really immutable. So we had to create a new term to describe something that is absolutely immutable, meaning once the data is written, nobody, no matter, uh, the amount of privilege admin, hacker. Uh, AI powered ransomware or even the vendor themselves can delete, destroy, or update that data once it is written.
[00:02:47] Sean Martin: So in the world of security, when, when we start to make bold claims.
[00:02:54] Anthony Cusimano: Right,
[00:02:54] Sean Martin: right,
[00:02:55] Anthony Cusimano: right.
[00:02:56] Sean Martin: You have to be able to back it up.
[00:02:58] Anthony Cusimano: You absolutely. So
[00:02:58] Sean Martin: how do, how do you do that?
[00:02:59] Anthony Cusimano: So, for us, it's twofold, right? You know, Object First are physical appliance. We only do physical appliances by the way. Um, it is a purpose-built solution. We only support Veeam. In fact, Veeam did acquire us earlier this year. Um, so that makes it really easy. We're consuming one ingestion engine from Veeam. We know exactly how they're gonna send us the data over their smart object storage API, we receive that data. We put it in our immutable object storage. And that's that, but that's not enough, right? Like we have to consider all of the layers, like I mentioned before, right? So we do what's called a zero access approach. Zero access for any destructive actions to be taken against the storage layer, the operating system, the firmware, the bios, or uh, any, any typical way that someone could get into, uh. A platform, command line interface, root access. Yep. We offer none of that.
[00:03:54] Sean Martin: Okay.
[00:03:54] Anthony Cusimano: Both for our customers.
[00:03:55] Sean Martin: Those are all hardened off
[00:03:56] Anthony Cusimano: also for ourselves.
[00:03:57] Sean Martin: Straight out the gate.
[00:03:58] Anthony Cusimano: Exactly. Okay. And that wasn't enough. We do run on a hardened Linux operating system that we've customized. Our storage layer is object storage. We're using S3, uh, communications protocol, but in addition, it's automatically in compliance mode. We use versioning and object lock. So once that data is written, it truly cannot be unwritten. Yeah, for whatever the time period you set it to be.
[00:04:20] Sean Martin: Very cool. Very cool. So there is the proof.
[00:04:22] Anthony Cusimano: There is the proof.
[00:04:23] Sean Martin: And then, and then the other side of the proof is, or where we often would talk about security is like, well, it's so locked down,
[00:04:32] Anthony Cusimano: right?
[00:04:33] Sean Martin: You can actually use it. Yes. So how, how does that scenario play out on the other side of the program?
[00:04:37] Anthony Cusimano: Probably the most common conversation I have here with security minded folks, because I'm telling them, Hey. You can't do anything with our product. And they're like, I don't like that. And the conversation is twofold. One, it lends to incredible simplicity. Our box can be rack, stacked and set up in less than 15 minutes because we really only let you do a couple of things. You can turn on MFA, you can create an S3 key. You can create an S3 bucket. You can turn on our honeypot feature, which is a nice little detection trap, right? But it's just turning things on. There's no turning things off. There's no deletion. And that does rub some people the wrong way. Yeah, it's incredibly easy. But what I tell them is this, we are the storage utility, right? You're sending your data to our box and we're gonna keep it immutable. We're not limiting your control from the Veeam side of things. A Veeam admin still has the ability to turn on encryption, set up their scale out backup repositories the way they want to, uh, all of those settings that can be tweaked, optimized, managed from Veeam. We let Veeam handle all of that. Our job is just to make sure once the data lands on us, it cannot be deleted in any circumstance. So yes, you are sacrificing a little bit on the storage end, but it's storage.
[00:05:50] Sean Martin: Right?
[00:05:50] Anthony Cusimano: Right. How much do you need to administrate your storage anyway? You need to be focused on your backup,
[00:05:54] Sean Martin: focused on other things anyway.
[00:05:55] Anthony Cusimano: Right. Exactly.
[00:05:56] Sean Martin: If you're running a business. So let's talk about the business. Yeah. Um, what are some of the sectors you work in? Um, well, let's start that. Obviously regulated organizations probably have requirements to do some of the things you offer, so let's talk about that space first.
[00:06:12] Anthony Cusimano: Veeam has such a large footprint when it comes to, you know, they're the largest data protection vendor on the planet, and when I started at Object First four years ago, we only had a 64 terabyte box and 128 terabyte box. So kind of limited, you know, you could build a four node cluster of 128 and get just about a petabyte of data. We have since expanded in both directions. So we've got the Mini, which is a small tower form factor. We've also got our 432, which is a two U, that has 432 terabytes of data. And with Veeam Scale Out Backup Repository, you can get beyond seven petabytes of storage using us. So that means we fit in a lot of spaces.
[00:06:51] Anthony Cusimano: Now I talk to a lot of folks in the education space. Because educators, they're limited IT budget, they're limited IT staff, they see us and like, oh, it's easy and it's secure.
[00:07:02] Sean Martin: Simplicity. Yeah.
[00:07:03] Anthony Cusimano: Yeah. And you can prove it. And we've actually seen this with some of our customers. They've been hit by ransomware and like a school district was taken out, they Sunday night show up. They're like, what's going on? We have no access to our network. We have no access to our virtual machines. Everything's down. FBI shows up and they're like, Hey, what's that thing with the orange bezel over there? Like that's our Object First device. That's the only thing standing. And they had to recover everything from our box 'cause that was all that was left. So I, I would say really we fit wherever ransomware dwells. Which is pretty much everywhere.
[00:07:35] Sean Martin: Yeah. You know, I know it's hard to hide from that.
[00:07:37] Anthony Cusimano: It really
[00:07:38] Sean Martin: is hard to hide from ransomware. So the different types of organizations, some that are mature, take security seriously. Some who have good risk management program in place that actually do back up. What, what's the range of organization that you find and they, and they either come to realize they need secure backup in storage and recovery, or they already have something but they need something better and why do they need something better? So maybe talk through some of those scenarios.
[00:08:10] Anthony Cusimano: It's funny 'cause it's either a conversation about education. I'm usually telling them, Hey, we've got a lot of data that says, you know, 64% don't have immutable storage today. Like, well, I don't need it. I click the secure encryption. I got encryption. I'm good. It's like, that is not right. Encryption is not enough. Right. So on the, on the, let's just say the sort of less informed side, it's usually a conversation about education. Okay. Listen, uh, 96% of attacks, and this is actually a statistic that has been validated by, I think, four different surveys now, not just from us, but from a lot of vendors. 96% of ransomware attacks go after the backup data. Yeah. Because they know if I can take out that backup data, I've got you, you're gonna pay the ransom. You cannot recover. Right? So when they're trying to figure things out, I usually try to say, Hey, listen, think about your storage. What would happen if you lost it? What's your recovery plan? Have you even tested a recovery plan? And generally the conversation's known. So then it's, okay, how do we get you in there? How do we fit in what you're doing? And that's a pretty easy conversation to have. We're pretty good at sizing, scaling and figuring out how much immutable storage a prospect needs.
[00:09:09] Anthony Cusimano: It's not something that's very easy to figure out on your own, sadly, because you gotta think about how long do I want to keep it? If it's a full, incremental, incremental and another full, like all that math has to be done, we do have a system that helps people figure out what's the right size for you. Now, on the other side,
[00:09:33] Marco Ciappelli: yeah,
[00:09:33] Anthony Cusimano: I know everything about cybersecurity. Then it becomes a conversation really about, lemme tell you what we're doing to ensure this isn't just secure today. This is secure for the future. And a big thing we focus on is third party penetration testing. Okay? So once a year we take both our hardware as well as our source code, and we give it to a really reputable third party penetration tester and say, go nuts. They get a month with our box, they get a month with our source code, they give us a report back of any flow vulnerabilities. We will then go fix it, give them back everything, say all right, try again. And they give us a clean bill of health. We actually take all of that information and post it publicly.
[00:10:12] Sean Martin: Okay.
[00:10:12] Anthony Cusimano: Because it's not just to trust us, it's trust them. Right? Yeah. Like we are very much a zero trust organization and you should be questioning
[00:10:19] Sean Martin: trust but verify. Yeah.
[00:10:20] Anthony Cusimano: All the claims of your vendor and we, we make all of that public.
[00:10:23] Sean Martin: Okay.
[00:10:24] Anthony Cusimano: No secrets here.
[00:10:25] Sean Martin: Yeah. And in terms of, uh, recover, 'cause you said,
[00:10:31] Anthony Cusimano: right?
[00:10:31] Sean Martin: Have you tested that?
[00:10:32] Anthony Cusimano: Yeah.
[00:10:33] Sean Martin: Um, the recovery process doesn't always work
[00:10:37] Anthony Cusimano: right?
[00:10:38] Sean Martin: And, and whether or not you tested properly is another thing. So talk to me about some of that. And you, you mentioned the school. Are there other uses or use cases like that you can touch on?
[00:10:49] Anthony Cusimano: Sadly, I think this is an area where there's just not enough attention. Mm-hmm. And it's likely due to the fact that a lot of IT staff are completely overworked and there's just not enough time. You know, I come from the world of data protection. I've been in it for over 15 years now, and it doesn't matter where I am. Yeah, testing recovery is never the priority and really it should be because going through those operations, making sure one, you actually have backed up everything you need, going through a tabletop exercise saying, Hey, if we lost everything, active directory, right? Our complete vSphere environment, uh, our source code repository, how long does it take us to get back online? Because you could have the backup, but if you hadn't run through the operations. It's almost like where's Waldo? And that's not a fun game to play when you are under the gun.
[00:11:33] Sean Martin: Yeah. Trying to recover. What are some scenario or pieces that organizations often miss?
[00:11:39] Anthony Cusimano: Yeah, so this is where I start giving advice, basically saying, if you can carve out the time and you should carve out the time, run through a full tabletop exercise, and assume the worst breach imaginable. Assume you yourself, if you're the IT admin, all your credentials are leaked to everything. What does that mean for you? Like write everything down, disable your access to all of that, and run through a full recovery in a safe environment. Like if you can create a test environment, run through that. Does it power on, uh, does it connect? Like how does your DNS look like afterwards? And it's such an illuminating process. Because they're gonna find every single gap. Right. Which will actually help them then go back into their architecture and say, Hey, we need a lot more zero trust in here. We need a lot more segmentation. Mm-hmm. Uh, another tip I offer everybody is make sure you have added all of your coworkers on LinkedIn and have their cell phone numbers because you are losing active directory every single time. Yeah. Or Entra ID or whatever it is. You have that communications protocol, it's going to be gone. So. Thinking about all of those steps ahead of time, assuming the absolute worst, that will get you to a better state of recovery. The problem really comes down to, can I find the time to do this right? And that's really a conversation I recommend everyone have with their directors, their managers push that upwards and say, Hey, if we're down, we're expecting two weeks of recovery time. Yeah, we could get it down to three days, but we gotta carve out the time to prioritize getting there.
[00:13:07] Sean Martin: What are some of the most mature organizations look like, because I know we talk about best practices and networking. You segment the network and you control access. Yeah. And you have MFA and all that. Are there best practices like that that you recommend? And are there like really mature organizations that say, we're gonna run our core infrastructure in one environment, and that's one backup. And then our, our front office is in a different place. And what are some things you see there,
[00:13:33] Anthony Cusimano: you know, who has this the hardest is managed service providers and service providers, just in general. Because
[00:13:38] Sean Martin: so many instances of
[00:13:40] Anthony Cusimano: right, they have their own cooking they're working on, and then every single one of their clients. And I'll give you a little bit of a sneak preview on May 6th, we're actually launching a new utility called Fleet Manager. Okay? And what that does is it allows you to hook up all of your Object First instances, both onsite, offsite, to a SaaS cloud application that we've created, uses Entra ID. So you simply log in as long as telemetry is enabled on your device, it will create a visibility report for every single device you have.
[00:14:10] Anthony Cusimano: So if you are a service provider, managed service provider, and you've got hundreds of clients. It's probably a nightmare, right? Already just to manage everything you've got in there. We're trying to make that a little bit easier. Okay. On the backup storage side, so you get a complete holistic view. All of your data, all of your health, but none of the backup data goes there. We understand like some things need to stay secret, so we're only sending up our telemetry health data. You get that full report, you get that full understanding if your customers have honeypot enabled.
[00:14:38] Sean Martin: I want to talk about
[00:14:39] Anthony Cusimano: that. Yeah. And they're getting that trap data. Someone's trying to do a brute force entry that's gonna show up.
[00:14:44] Sean Martin: Yeah.
[00:14:44] Anthony Cusimano: So you get that single pane of glass view for everything in your environment and that is truly the hardest thing. Yeah. The bigger you are, the more you scale. Even if you're not a service provider, you're still a large enterprise. You've got multiple sites, you've probably got multiple IT teams. That unification, especially when you've got all kinds of different vendors everywhere, just becomes a management nightmare.
[00:15:05] Sean Martin: And when I wanna talk, we briefly touched on it in the last chat. Yeah. The honeypot. And I love that technology and it's so powerful. Um, you don't wanna wait for
[00:15:16] Anthony Cusimano: No.
[00:15:16] Sean Martin: The need to recover.
[00:15:18] Anthony Cusimano: Right.
[00:15:18] Sean Martin: If you can alert, and this is where it kind of, the security folks should love this capability.
[00:15:23] Anthony Cusimano: Absolutely.
[00:15:24] Sean Martin: If I can get an alert where maybe the endpoint detection and protection piece didn't pick it up, and it's clearly something going after my data. Mm-hmm. That's, that's a powerful thing. So describe how the honeypot,
[00:15:37] Anthony Cusimano: so we just like everything else, we made it really easy. Uh, you go into our settings, you click enable Honeypot, and if you wanna give it a custom IP address, you can, and it's on. And what it does is it actually simulates a Veeam backup and replication server in a segmented portion of our appliance. So there's no risk of it leading into any of your backup data. Not that there was any risk of that anyway, but we always try to make that clear. This is completely segmented, right? When it's on, it looks. It smells, it acts like a VBR server. So if a bad actor is probing the environment, hey, that looks like the first thing I wanna take out. And we know ransomware likes to dwell, it likes to hang out and take its time. But it is probing, it is trying to see what it can get into. This is a great way to detect something days, if not even weeks early.
[00:16:26] Sean Martin: Yep.
[00:16:27] Anthony Cusimano: So not only do you get that detection. We're telling our customers like, look, this is gonna help you bridge the conversation between your backup admin and your security team. Yeah. Like, we're gonna help you guys out. Yeah. And I think that's a good thing. We want to see backup and storage become more ingrained with security. That's why we're at RSAC Conference. Yeah. We see it as a very key part of your security strategy, and honeypot is a great way to start that conversation, but also say we're helping out here.
[00:16:54] Sean Martin: So the bad actors are smart,
[00:16:56] Anthony Cusimano: right?
[00:16:57] Sean Martin: Right. And they have tools.
[00:16:58] Anthony Cusimano: Yes.
[00:16:58] Sean Martin: And technology.
[00:16:59] Anthony Cusimano: Yes, they do.
[00:17:00] Sean Martin: I'll say the two letters we have, I won't say 'em, but the two letters we
[00:17:03] Anthony Cusimano: know,
[00:17:03] Sean Martin: I knew you were going there that feed everything. But I guess the point is they can detect some of these things, but because you know that environment so well, you can present it in a way that it can be hard to detect that it's
[00:17:17] Anthony Cusimano: not a
[00:17:17] Sean Martin: real one.
[00:17:17] Anthony Cusimano: You know, that's the goal. Right. And I think the advantage here with the two letter word, we're not gonna say, that's becoming so aggressive.
[00:17:26] Sean Martin: Right?
[00:17:26] Anthony Cusimano: Right. These agentic attacks where it is little servers talking to other little servers and they're all multi-prong approach, just reaching their tentacles into everything. They're not smart enough to know that a honeypot's not real.
[00:17:39] Sean Martin: Right.
[00:17:39] Anthony Cusimano: Right. So you're gonna be able to detect things even earlier than even when, say a human was doing it. Right. 'cause it's not programmed to think that way.
[00:17:46] Sean Martin: Yeah.
[00:17:46] Anthony Cusimano: It just sees, oh, this is a VBR server.
[00:17:48] Sean Martin: Yep.
[00:17:48] Anthony Cusimano: I don't know any different.
[00:17:49] Sean Martin: Yep.
[00:17:50] Anthony Cusimano: And the second that happens, we're sending up alerts. We're sending out emails. Hey, you're getting probing activity here. There's like brute force logins happening here. We should probably look at this service inside your infrastructure and just make sure it's okay. Everything's behaving the way you want it to be. But I think it is a great addition, and again, it takes seconds to turn on. It costs nothing to do it, and we've included it with all of our Object First devices. So every single one of our customers just gets it at no cost.
[00:18:17] Sean Martin: Even the little tower,
[00:18:19] Anthony Cusimano: even the little guy. Yes. Yes. The little guy does it too.
[00:18:22] Sean Martin: I love it.
[00:18:23] Anthony Cusimano: Our Object First Mini.
[00:18:25] Sean Martin: Mini, ah. Well, Anthony, it's always great chatting with you. I'm gonna give you the, the final word. What, what's the common thing customers say after they either take on your new technology or have to use it for recovery. So is there a common theme there?
[00:18:46] Anthony Cusimano: There, there, actually, it's kind of funny because the conversation getting to the sale is always about, we are secure. We're gonna give you something that is absolutely immutable. There's no way that a bad actor or even you can get in there and destroy your data. So they, you know, they believe us on that, and they should, they should trust us. Although zero trust. But every single time I talk to a customer that's set up one of our boxes, they're like, holy cow, I, that took five minutes. Like I did not, could not believe how easy it was. To configure this thing and get it hooked into Veeam. I was writing my backup data in 10 minutes time and it just simplifies my operations and I don't have to worry about it.
[00:19:26] Sean Martin: It's powerful.
[00:19:26] Anthony Cusimano: Yeah,
[00:19:26] Sean Martin: it's powerful. Well, it's great chatting with you.
[00:19:29] Anthony Cusimano: Always great chatting, Sean.
[00:19:29] Sean Martin: Good luck at the show.
[00:19:30] Anthony Cusimano: Thank you.
[00:19:31] Sean Martin: Thanks everybody for watching. Stay tuned for more. Please connect with Anthony and the Object First team. If you're here at the show,
[00:19:38] Anthony Cusimano: come get a hat.
[00:19:39] Sean Martin: You can get an authentic Object First hat. Alright, thanks everybody.