Ransomware Recovery Survivability Analyzer

01 — Identity Authority

Can recovery authenticate without production identity systems? If recovery depends on the same Entra ID or Active Directory instance ransomware just encrypted, recovery cannot begin — regardless of how strong backup or storage architecture is. The analyzer evaluates identity provider independence, offline account availability, and production dependency.

02 — Credential Authority

Can recovery retrieve the credentials it needs once the incident has started? A production-only vault that ransomware can reach is a single point of failure for every downstream recovery step. The analyzer evaluates vault isolation, break-glass account architecture, and offline retrieval capability.

03 — Control Plane Authority

Can recovery execute if the management plane itself is unavailable? vCenter, Prism Central, Cohesity, Rubrik, Veeam, Azure Portal, AWS Console — if the platform used to orchestrate recovery is encrypted or unreachable, recovery cannot initiate even when backups and identity survive intact. This is the most commonly underestimated authority domain. The analyzer evaluates platform independence and offline orchestration capability.

04 — Backup Authority

Can backups be reached and restored once ransomware has activated? Backup infrastructure reachable from the production network is in the same blast radius as the systems it exists to protect. The analyzer evaluates network segregation and immutability architecture.

05 — Governance Authority

Can recovery proceed without a live approval workflow? Organizations that require full change-management sign-off during a declared ransomware event add a structural delay into the first hours of recovery, when speed determines blast-radius containment. The analyzer evaluates pre-authorization and decoupled approval paths.

06 — Storage Authority

Is backup storage isolated from the systems ransomware compromised? Object lock, immutable repositories, and air-gapped vaults frequently become the final recoverability boundary in real incidents — not because they’re unimportant, but because they’re assumed to be safe until tested. The analyzer evaluates network isolation and access independence.

Blast-Radius Overlap

The most common authority failure: the systems that hold recovery authority — identity providers, credential vaults, management consoles — sit in the same blast radius as the ransomware event they exist to recover from. An attack that encrypts production storage also frequently reaches the backup console used to restore it.

Authority Concentration

Recovery authority concentrated in a single person creates a Bus Factor of 1. The one engineer who can execute recovery is on vacation. The one administrator with vault access is part of the incident. Concentration risk caps how resilient an organization can become, regardless of how strong its technical controls are.

Steady-State Design

Recovery runbooks written during normal operations assume normal operations. They assume the control plane is reachable. They assume the identity provider is healthy. They assume approval workflows function. None of these assumptions survive the scenario most likely to trigger recovery in the first place.

Ransomware Event

Targets backup infrastructure, credential stores, and identity systems directly. Critical domains: Identity, Credential, Backup, Storage.

Identity Provider Compromise

Removes SSO-dependent access paths across every environment that trusts the compromised IdP. Critical domains: Identity, Credential, Control Plane, Governance.

Management Plane Failure

Takes down vCenter, Prism Central, Azure Portal, or AWS Console — the orchestration layer recovery depends on. Critical domains: Control Plane, Bus Factor.

Insider Action

A malicious or negligent individual with elevated access disrupts recovery authority from inside the trust boundary. Critical domains: Identity, Credential, Governance.

Backup Repository Loss

Ransomware encrypts or destroys the backup targets directly, independent of identity or control plane state. Critical domains: Backup, Storage.

Would Recovery Start?

Binary YES/NO verdict derived from whether critical authority domains survive the selected scenario. The first output, displayed at maximum scale — because the question a board asks in the first hour of an incident is not “what is our score?” It is “can we recover?”

Authority Survivability Score (AIS)

0–100 weighted composite across six domains. Four tiers: Authority Resilient (81–100), Authority Hardened (61–80), Authority Degraded (31–60), Authority Broken (0–30). Identity and credential authority are weighted most heavily — and a simultaneous failure in both collapses AIS to zero regardless of how the remaining domains score.

Recoverability Horizon

A time estimate, not a quality score: how long can recovery authority sustain before cascading failures make recovery impossible? Calculated independently from identity, credential, backup, and storage authority plus bus factor — not derived from AIS. An organization can score well on AIS and still face a short horizon if backup and storage authority are weak. Executives understand time. They don’t naturally understand authority concentration.

Recovery Kill Switch

A single statement naming the first authority dependency that would stop recovery before it starts — not a fixed priority order, but the lowest-surviving authority layer given your specific declarations. Every architect immediately understands it. Every executive understands it. Every auditor understands it. It becomes the first thing discussed after the assessment.

Recoverability Gap Ladder

The signature visualization — six authority domains rendered as a causal chain in authority-first order (Identity → Credential → Control Plane → Backup → Governance → Storage), with the first domain that cannot survive the selected scenario marked as a structural break. The first failed stage is highlighted — not the aggregate score — because that’s the stage that actually stops recovery.