BreachBack

The stopwatch is the product.

Anyone can tell you their backups are fine. A drill is the only way to know. Every quarter, we restore your critical systems from immutable backup into an isolated environment, time it to the second, and document everything.

What a drill looks like

  1. 06:00

    Drill opens. Backup integrity verified, isolated restore environment provisioned. Your production systems are never touched.

  2. 06:15

    Tier 1 restore begins: databases, business applications, file shares, in your priority order.

  3. ~10:30

    Functional verification: can you log in, run a transaction, pull a patient record, process a payment? “Restored” means working, not just copied.

  4. 11:42

    Clock stops. Measured RTO recorded against target.

  5. +48h

    Evidence Package delivered and walked through with you: what passed, what was slow, what we're fixing before next quarter.

What’s in the Evidence Package

  • Measured RTO per system tier vs. your stated targets, pass/fail
  • Restore logs, screenshots, and configuration verification
  • Signed attestation from your fractional CSO
  • Plain-English executive summary (one page — written for your insurance broker, not your IT guy)
  • Gap list with remediation owners and dates

What the Evidence Package looks like

Page one of an actual quarterly package, client details redacted. Nine pages of restore logs, screenshots, and verification follow it.

SAMPLE — REDACTED CLIENT

BREACHBACK · QUARTERLY EVIDENCE PACKAGE

BB-EV-2026-014 · CONFIDENTIAL · PREPARED FOR [REDACTED] MEDICAL

Q1 2026 RESTORE DRILL · GRAND RAPIDS, MI · DRILL DATE 2026-03-14

1 · EXECUTIVE SUMMARY

On March 14, 2026 we restored this practice’s five critical systems from immutable backup into an isolated environment and timed each one to the second. Every system came back working within its target window. The electronic health record system was usable in just over two hours. If this practice were hit by ransomware tomorrow, it could see patients again the same morning. One documentation gap was found and is assigned below.

2 · MEASURED RESTORE TIMES VS. TARGET

SYSTEM            MEASURED    TARGET    RESULT
EHR DATABASE      2h 14m      ≤ 6h      ✓ PASSED
BILLING           3h 05m      ≤ 6h      ✓ PASSED
FILE SHARES       4h 51m      ≤ 12h     ✓ PASSED
PHONES / VOIP     5h 42m      ≤ 12h     ✓ PASSED
LEGACY ARCHIVE    14h 02m     ≤ 72h     ✓ PASSED
GAP — restore order documentation outdated · owner: BreachBack · due: next drill

3 · ATTESTATION

I witnessed this drill live, end to end. The times recorded above were measured by stopwatch against running, verified systems.

J. ████, vCISO · witnessed live · 2026-03-14

✓ PASSED

EVIDENCE PKG BB-EV-2026-014.pdf · page 1 of 9

SAMPLE FOR ILLUSTRATION · CLIENT DETAILS REDACTED

Why quarterly

Because your systems change constantly — new software, new vendors, staff turnover — and because the proposed HIPAA Security Rule update calls for documented, recurring backup testing. An annual drill proves what was true a year ago. A quarterly cadence proves a capability.

Questions we get

Will this disrupt my business?
No. Restores run into an isolated environment. Production is never touched. Most clients' staff don't know a drill happened.

What if we fail the drill?
Then we found out in a drill instead of a breach — which is the entire point. Failed drills come with a fix plan, and the re-test is included.

Do you drill cloud/SaaS systems too?
Yes — Microsoft 365/Google Workspace data, line-of-business SaaS exports, and on-prem servers are all in scope. We drill whatever your Critical Systems Map says matters.

Book your baseline drill

The baseline drill is $2,500 standalone and credits toward onboarding. One scheduled morning, one stopwatch, and you'll know your real restore time — with the paperwork to show for it.