Object First, founded by the creators of Veeam, provides immutable backup storage designed exclusively for Veeam environments. With the promise of “absolute immutability” and an out-of-the-box installation that takes just 15 minutes, the appliance aims to be the answer to the growing risks of ransomware and insider threats. We spoke with Stéphane Berthaud, Director of EMEA Sales Engineering, about this.
Object First was founded in 2022 by Ratmir Timashev and Andrei Baranov. After selling Veeam to investment fund Insight Partners in 2020, the two identified a significant market gap. As backup software, Veeam has traditionally been deliberately flexible and agnostic regarding the underlying storage. That freedom offers advantages, but it also means the end user is entirely responsible for the configuration and the security of the chosen storage solution.
In practice, the two gentlemen found no storage solution designed exclusively for Veeam that also met strict modern security requirements by default. To bridge that gap, Object First developed the Ootbi appliance: Out-of-the-Box Immutability.
Ransomware and data theft as a turning point
According to Berthaud, the threat landscape changed fundamentally with the arrival of the first large-scale ransomware attacks. Before that, slow recovery speeds with backup storage were hardly a pain point. Deduplication appliances were highly popular because they could efficiently and compactly store data. It was accepted that these systems performed poorly during recovery due to the need to reconstruct compressed blocks. Full restores simply occurred rarely.
With the professionalization of cybercrime, that reality changed drastically. “Attackers quietly encrypted the backups before attacking the production data,” explains Berthaud. After all, an encrypted production environment is immediately noticeable, but compromised backups can go unnoticed for a long time. The moment production data becomes locked, the organization is hopelessly lost if the backups are also unusable.
In addition, Berthaud points to the rise of insider threats and data theft. He illustrates this with a general incident at a bank, not a specific Object First client. What initially appeared to be a standard ransomware attack turned out, after investigation by the CERT team, to be the work of a disgruntled employee who had deliberately caused damage and masked his tracks to make it look like an external hack.
Data theft followed by extortion also requires a new approach, in which encrypting backup data at the source is becoming increasingly crucial. Here, traditional deduplication appliances hit a technical limit. Encrypted data breaks the deduplication algorithm because similar data blocks are no longer recognized as such. Because Object First’s Ootbi appliances are based on object storage, they can receive and store encrypted data without sacrificing performance or efficiency.
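The deduplication limit described above, as an added example (not code from Object First or Veeam): a fixed-block, hash-indexed store is fed five constructed daily full backups, first in plaintext and then encrypted at the source with a fresh nonce per backup. The block size, the sample data and the SHA-256 counter-mode keystream standing in for a real cipher are assumptions of the example.

```python
import hashlib
import os

BLOCK = 4096  # assumed fixed dedup block size; real appliances often chunk variably


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), stdlib only.
    It models what a real cipher such as AES-CTR does to data; not for production."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def dedup_stats(backups):
    """Return (logical_blocks, unique_blocks) for a hash-indexed block store."""
    seen, total = set(), 0
    for blob in backups:
        for off in range(0, len(blob), BLOCK):
            seen.add(hashlib.sha256(blob[off:off + BLOCK]).digest())
            total += 1
    return total, len(seen)


def build_backups(days=5, blocks=64, changed_per_day=2):
    """Constructed sample: daily full backups of an image where few blocks change."""
    image = [hashlib.sha256(b"base%d" % i).digest() * (BLOCK // 32) for i in range(blocks)]
    backups = []
    for day in range(days):
        for j in range(changed_per_day):
            idx = (day * changed_per_day + j) % blocks
            image[idx] = hashlib.sha256(b"day%d-%d" % (day, j)).digest() * (BLOCK // 32)
        backups.append(b"".join(image))
    return backups


def compare(key=b"\x01" * 32):
    """Dedup stats for the same backups in plaintext and encrypted at the source."""
    plain = build_backups()
    # Fresh random nonce per backup, as a correctly used cipher requires.
    encrypted = [keystream_encrypt(key, os.urandom(16), b) for b in plain]
    return dedup_stats(plain), dedup_stats(encrypted)


if __name__ == "__main__":
    for label, (total, unique) in zip(("plaintext", "encrypted"), compare()):
        print(f"{label}: {total} logical blocks, {unique} stored ({total / unique:.1f}:1)")
```

In this constructed data set the plaintext backups collapse to the blocks that actually changed, while the encrypted copies of the same data share no blocks at all, so the store keeps every one.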
Absolute immutability truly proven
Object First consistently refers to “absolute immutability.” The company aims to guarantee that data cannot be modified, deleted, or encrypted under any circumstances. No one, not even an administrator, can modify the firmware, operating system, storage layer, or backup data. Berthaud is adamant on this point: “Regardless of the breach of your IT system and regardless of the level of compromise, we ensure that the data remains intact.” Even if all login credentials for the backup software and the Ootbi appliance fall into the hands of malicious actors, the data remains secure.
To ensure this isn’t just an empty marketing claim, Object First employs a transparent validation method. Every six months, the British cybersecurity firm NCC Group conducts an extensive penetration test on the appliances. For this, the testers are granted full access to the systems, including the source code. The findings are published by the NCC Group, regardless of the outcome, and without Object First being able to influence them.
Technically, this absolute immutability is built on multiple layers of security. A crucial measure is the exclusion of root users from network access. Anyone wishing to log in as root must be physically present at the device with a keyboard and monitor. In addition, the company adheres to a strict “eight eyes” principle for data deletion. Before data can be permanently deleted, approval is required from two authorized contacts on the customer side and two Object First employees, combined with physical presence. This strict procedure also makes social engineering—where attackers impersonate the customer to force actions—virtually impossible.
Deployed in fifteen minutes
The decision to design Ootbi exclusively for Veeam is a deliberate trade-off between security and performance. Other object storage appliances on the market are broad platforms that support multiple protocols and use cases. While this offers flexibility, Berthaud notes that it inevitably increases the attack surface. By focusing solely on Veeam, Object First maintains a minimal attack surface and can achieve much deeper integration.
This integration relies heavily on the Veeam SOSAPI (Smart Object Storage API). Through this API, features such as immutability, load balancing, and performance optimization are automatically enabled. The result is a remarkably short time to deployment. It typically takes only 15 minutes from unpacking the hardware to the first Veeam backup running.
The process is designed for simplicity. After connecting power and network, the administrator configures the IP addresses and cluster name via a text interface. An intuitive web UI then takes over to generate S3 access keys and create S3 buckets. In the Veeam Backup Server, a task simply needs to be pointed to this bucket. Immutability is enabled by default from the very first second. According to Object First, this means that no extensive Linux or storage knowledge is required to manually set up and maintain hardened repositories.
Performance and scalability for instant recovery
In addition to security, recovery speed is the most important pillar of the Ootbi architecture. The appliances offer linear performance scalability. Each node in a cluster delivers a throughput of two gigabytes per second. As soon as nodes are added, this capacity scales immediately. Through a scale-out backup repository, clusters can be expanded to a capacity of seven petabytes. In Veeam, this simply appears as a single, easy-to-manage repository.
With this high throughput, Object First aims to enable powerful recovery scenarios. Object First guarantees that at least 25 virtual machines (VMs) can be booted simultaneously and directly from the backup storage using Veeam’s Instant VM Recovery feature. Such performance is not achievable with traditional deduplication appliances due to their time-consuming reconstruction processes.
Additional capabilities at the edge
To address the needs of distributed environments, Object First introduced the Ootbi Mini in October 2025. This is a compact version of the appliance, specifically designed for small offices, remote offices, and edge locations. The Mini is available in capacities of 8, 16, and 24 terabytes, but offers exactly the same security and immutability guarantees as the large enterprise models. In addition to SMBs, Berthaud sees significant potential for these units at remote or mobile locations, such as ships and oil platforms.
For organizations dealing with a large number of locations and devices, Object First offers the Fleet Manager. This cloud-based management tool, which became available this week, enables administrators to monitor and manage a mixed environment of Minis and standard Ootbi appliances from a single centralized dashboard.
Explosive growth in EMEA
Object First launched operations in the EMEA region in the second half of 2024, and market adoption is progressing rapidly. Berthaud reports that revenue in 2025 grew 515 percent year over year in the EMEA region. This is in line with the company’s global trend: it reported booking growth of 183 percent for all of 2025, with EMEA proving to be the strongest-performing region.
The Ootbi appliance is particularly popular within the mid-market segment. Sectors such as healthcare (hospitals and healthcare groups) are strongly represented, as are internationally operating companies that require reliable, local backup storage across multiple locations. Customers often adopt the solution when the support contracts for their existing storage infrastructure expire.
Although Veeam recently launched its own software appliance (delivered as an OVA file), Berthaud views the solutions as highly complementary. Whereas with a software appliance, the customer remains responsible for the physical security of hardware management interfaces, Object First’s Ootbi completely eliminates that concern. It delivers a ready-to-use, hardened system, allowing the IT department to shift its focus back to data security rather than storage management.