Detection attackers can’t avoid — decoys that expose reconnaissance and scans that certify recovery points clean before anything restores.
How it’s rated
Full scoreboard ↓Quick answer
Commvault's threat-defense pair attacks the two blind spots of every ransomware plan. Threatwise (from the TrapX acquisition) plants realistic decoys — fake servers, shares, credentials — across the estate; attackers doing reconnaissance touch one and expose themselves in minutes, in a phase where every legitimate user has no reason to be. Threat Scan hunts inside backups: malware signatures and indicators found in recovery points before you restore them, so the recovery never re-imports the infection. Detection where attackers can't avoid it; hygiene where recovery can't skip it — both riding the platform you already run.
This page covers Threatwise + Threat Scan. The rest of the eight-product portfolio:
Most product pages skip this. We start here — so you buy a capability, not a buzzword.
Cyber deception plants realistic fake assets — servers, shares, credentials — that only an attacker would touch: reconnaissance becomes self-exposure, with near-zero false positives.
Backup threat scanning hunts malware inside recovery points, so the restore that follows an incident never re-imports the infection it’s escaping.
What consolidation actually replaces, dimension by dimension.
| Dimension | EDR alone + assumed-clean backups | Deception + scanning (Commvault) |
|---|---|---|
| Recon phase | The attacker's quiet advantage | A minefield of decoys — exposure in minutes |
| Alert quality | SOC drowning in maybes | Decoy touches are always real |
| Stolen credentials | Indistinguishable from users | Lure credentials finger their user instantly |
| Which point is clean? | Forensics weeks or a guess | Scan + anomaly data, answered in minutes |
| The restore | Re-imports the implant with the data | Infected points flagged, quarantined |
| Deployment | Another standalone security stack | Rides the platform you already run |
| Lateral movement | Reconstructed after the fact | Narrated live by decoy touches |
| Detection + recovery | Two teams, two truths | One platform, one motion |
Adoption is hours of seeding plus scan policies — and the first red-team exercise proves the tripwires sing.
Vendors love diagrams; buyers need to know what they’re actually operating. Here’s the whole platform, demystified.
Realistic fake servers, shares, databases and credentials seeded across the estate — indistinguishable from real assets to a scanning attacker.
A decoy touch is a near-certain intrusion — alerts route to SOC/SIEM with the context of what was probed, from where, how.
Recovery points examined for malware signatures and IoCs — infected points flagged before anyone restores them.
Scan results plus anomaly telemetry identify which recovery points predate compromise — the question every incident asks, answered with data.
Deception alerts inform recovery decisions; scan verdicts gate Cleanroom entry — detection and recovery on one platform, one motion.
One agent on every machine, one console over all of them — modules attach without a second operational world.
The pair converts the attacker’s quiet phase into exposure — and the recovery’s blind spot into a scanned gate.
Fake servers, file shares, databases and IoT that look real to reconnaissance — the attacker's map gets salted with landmines.
Fake credentials and connection breadcrumbs planted where attackers harvest — using them fingers the intruder instantly.
Attackers must scan to move; decoys make scanning fatal — detection days before encryption, in the window that matters most.
No legitimate user has any reason to touch a decoy — every alert is real, and SOC fatigue finally gets a category that doesn't cry wolf.
What was probed, from which host, in what sequence — the lateral-movement narrative your IR team usually reconstructs after the fact, live.
Threat Scan examines recovery points for signatures and IoCs — the implant hiding in Tuesday's backup gets found before Friday's restore.
Scan verdicts gate what enters Cleanroom Recovery — the isolated rebuild stays clean because the inspector stands at the door.
Scan and anomaly data pinpoint the recovery point that predates compromise — 'when were we last clean?' answered in minutes, not forensics weeks.
The classic failure — restoring the malware with the data — dies here: infected points are flagged, quarantined from recovery flows.
Deception alerts and scan verdicts flow to Splunk/Sentinel/your SOAR — the backup platform becomes a sensor grid the SOC actually trusts.
Decoys are infrastructure, not endpoint agents — deployment is hours of seeding, and no user machine grows another agent.
Detection that lives where recovery lives — alerts inform point selection, scans gate rebuilds, and the whole loop is one vendor's one motion.
Official walkthroughs — the scanning motion, the full cyber-recovery loop and a customer’s telling.
Threat Scan and clean-recovery selection — the hygiene half of the pair.
The full attack-to-recovery loop the pair feeds.
The threat-defense stack in a real estate's words.
Want a live, India-context walkthrough on your own fleet?
Book a guided demo →Here’s what genuinely sets the Commvault pair apart from the alternatives.
EDR watches known-bad behaviour; attackers rehearse against EDR. Nobody rehearses against a fake file share they don't know exists — deception detects the reconnaissance every intrusion requires.
Decoys have no legitimate traffic, so a touch is an intrusion — near-zero false positives in a SOC world drowning in them. Small teams get enterprise-grade detection they can actually staff.
Encryption is the finale; reconnaissance and lateral movement run for days first. Decoys convert that quiet phase from the attacker's advantage into their exposure.
Threat Scan answers the incident's hardest question — which recovery point is actually safe? — with scan data instead of guesswork, and blocks the re-import failure entirely.
Deception technology from the category pioneer, delivered without another standalone stack — riding the backup platform and console the estate already runs.
The pair feeds Cleanroom's gate and the clean-point picker — detection that lives where recovery lives means the incident response and the rebuild share one source of truth.
Where would reconnaissance look? Decoy placement is designed against your real topology — TechBag runs the workshop free.
Threatwise decoys and lures live in hours; Threat Scan policies attach to the crown-jewel backup sets.
A controlled recon exercise validates placement — the pentester's report doubles as tuning input. SIEM routing confirmed.
Decoys wait (they're cheap at it), scans certify recovery points continuously, and every alert that fires is real. TechBag manages renewals.
Trusted across regulated industries in 100+ countries
Modelled on Gartner Peer Insights structure. *Counts and breakdowns are illustrative pending verified review collection.
“The decoy share got touched at 02:14 on a Sunday. By 02:40 we'd isolated the foothold. The encryption stage never arrived — that's the whole pitch, lived.”
“In eight months, every single Threatwise alert has been real. Our EDR cries wolf hourly; this thing has never once lied to us.”
“Post-incident, Threat Scan found the implant in eleven days of backups we'd assumed clean. We restored from day twelve. No reinfection.”
“Deception used to mean a TrapX-style standalone deployment. Getting it as a platform feature — same console as backup — made the business case trivial.”
“Fake credentials in the password vault fingered a compromised contractor account the day it went active. Uncomfortable meeting; short incident.”
“It's deception + backup scanning, not an EDR — we run it beside SentinelOne, and the layers complement rather than compete.”
“Scan verdicts gating the cleanroom is the quiet genius — the rebuild environment stays clean without anyone remembering to check.”
“Seeding decoys well takes thought — put them where attackers actually look. TechBag's placement workshop was worth the day.”
Analyst firms bury this view behind paywalls, and G2 retired its Grid. So here’s TechBag’s synthesis of the threat defense market — tap any vendor to see why it sits where it does.
Execution strength vs product vision — the classic market map, minus the paywall.
Deception + recovery hygiene on the platform — this page's subject.
The grid nobody publishes — signal quality vs whether detection actually informs the rebuild.
Unique recovery integration at platform-attach lightness.
Positions are TechBag’s illustrative synthesis of public review-platform data and vendor documentation — not a reproduction of any analyst graphic. Verify before relying on it.
Suite modules, the identity-deception benchmark and the DIY mirage — honest lanes for each.
| Dimension | Commvault pair | SentinelOne (Attivo) | Zscaler Deception | Rapid7 (InsightIDR) | DIY honeypots |
|---|---|---|---|---|---|
| What it is | Deception + backup scanning | Identity-deception suite | Deception in SSE | Deception features | A weekend project |
| Backup/recovery integration | The whole point | None | None | None | None |
| Identity-deception depth | Credential lures | The benchmark | Good | Basic honeyusers | Manual |
| Deployment weight | Rides the platform | Within S1 estate | Within Zscaler | Within InsightIDR | All yours |
| Signal fidelity | Near-zero FP | Near-zero FP | Near-zero FP | High | High if maintained |
| Economics | Platform attach | Suite module | Suite module | Bundled | Free + your weekends |
| Best fit | Commvault estates & lean SOCs | S1 estates, identity-first | Zscaler-fabric shops | InsightIDR SIEM users | Security hobbyists |
Honest fit signals — because the fastest way to lose your trust is to pretend one product wins every scenario.
Drag the sliders (count monitored systems; IT-hour cost as loaded SOC rate). Estimates assume ~3 hours per system per year across false-positive triage, clean-point forensics and manual threat hunts, with ~65% absorbed by zero-FP signals and scan data — the dwell-time reduction is the real prize. Illustrative.
Loaded cost = salary + overheads per productive hour. Illustrative only — your TechBag quote models actual device counts and modules.
The pair prices as platform attaches (and ships in the Cyber Recovery package). TechBag maps the fit in one GST quote.
Best for the detection gap
Best for recovery hygiene
Best as the full motion
Whatever the list prices above, TechBag negotiates a significantly better deal — with GST-compliant INR invoicing and local support. Ask us for your discounted quote.
Tell us your device counts and current tools — we’ll model it against what you spend today.
Take this into your next vendor call — including ours.
Decoys work where recon looks — design placement against your actual topology, not a template.
Have a pentester (or an internal exercise) run discovery — every decoy they DON'T touch teaches you something.
Decoy alerts must reach a human fast — wire and drill the SIEM/on-call path in the PoC.
Run Threat Scan across recovery points you believe are clean. The results calibrate your confidence honestly.
Verify scan verdicts actually gate Cleanroom entry — the integration is the differentiator; test it.
This complements EDR, never replaces it — map which layer owns which detection before the SOC asks.
Fake credentials must look real and stay unused — review lure freshness quarterly.
A decoy touch means live intrusion — pre-write the isolation playbook that alert triggers.
Scope a placement workshop and red-team-validated PoC, or bring last quarter’s alert counts and let a TechBag advisor show the zero-FP math.
Stats, ratings, review counts and pricing are illustrative and sourced from public materials; verify before purchase.