Cohesity has integrated ‘next-generation’ malware scanning powered by Sophos directly into Cohesity Data Cloud. The feature detects zero-day, polymorphic, and fileless threats hidden in backup data, and runs pre-restore inspections to prevent reinfection after cyberattacks. It is included in Cohesity Data Cloud Enterprise Edition at no additional cost.
Backup data has long been considered a safe haven. That assumption is increasingly outdated. As ransomware and supply-chain attacks grow more sophisticated, malware can lurk inside backup data undetected, creating reinfection risks during recovery. Global ransomware attacks rose 32 percent in 2025, and according to Sophos State of Ransomware data, the 54 percent of victims who restored from backups represented the lowest backup recovery rate in six years. Cohesity is now addressing the threat directly at the backup layer.
Today, Cohesity announced the general availability of Sophos-powered malware scanning, embedded natively into Cohesity Data Cloud. The Sophos X-Ops threat intelligence engine, spanning tens of millions of endpoints and hundreds of thousands of firewalls worldwide, backs the detection. It uses signature-based detection, heuristic analysis, and file emulation to catch threats that bypass conventional tools. Zero-day, polymorphic, and fileless malware are all in scope.
Vasu Murthy, chief product officer at Cohesity, described the approach: “By deeply integrating market-leading Sophos next-generation malware detection into Cohesity Data Cloud, we’re giving customers a single, seamless experience that helps them uncover hidden threats in backup data and recover with confidence.” The result is snapshot-level inspection that goes beyond approaches that examine only metadata. Earlier this year, Cohesity also expanded its security collaboration with Google Cloud, adding threat intelligence from Google Mandiant to Data Cloud.
Three scanning scenarios
The Sophos engine scans backups at three distinct points: during routine backups, before restoration, and when indicators of compromise (IOCs) or YARA-based matches are detected. Incremental scanning keeps operational overhead low while maintaining continuous visibility into backup integrity. Pre-restore scans validate recovery points before they are used, specifically to prevent reinfection.
The feature ships with Cohesity Data Cloud Enterprise Edition and requires no separate Sophos license. Simon Reed, chief security officer at Sophos, pointed to the scale of the risk: “Attackers are sophisticated. They have proven time and again that no environment is off limits, including what was once considered the safe haven of backup and recovery systems.” Cohesity plans to demonstrate the capability at RSAC 2026, running from March 23 to 26.