Acronis Cyber Protect Cloud

Acronis Cyber Protect Cloud is Acronis' flagship MSP and enterprise SaaS platform. It collapses what used to be five or six separate tools — backup, anti-malware, EDR, email security, DLP, patch management and remote support — into a single cloud-managed agent and a single multi-tenant console. The platform is sold pay-as-you-go on a per-workload basis, which makes it operationally and financially flexible: you only pay for what you actually protect, and you can scale up or down month over month without locked annual commitments.

Multi-tenant by design. Each customer lives in an isolated tenant with its own administrators, policies, branding, billing meter and data residency. MSPs running dozens or hundreds of customers on Cyber Protect Cloud rely on this isolation model — every tenant has its own audit trail, its own GDPR data-processor boundary and its own ISO 27001 evidence trail. The platform also supports tenant hierarchies (partner > sub-partner > customer), which mirrors how distribution channels actually operate in the EU, UK and US markets.

A single agent, all workloads. The Acronis agent runs on Windows (10/11/Server 2016+), macOS 12+ (Apple silicon native), and major Linux distributions (RHEL, Ubuntu, SUSE, Debian, Oracle Linux). It backs up physical machines, VMware vSphere and Microsoft Hyper-V VMs, virtual desktops (Citrix, VMware Horizon), Microsoft 365 mailboxes/OneDrive/SharePoint/Teams, Google Workspace mailboxes/Drive/Shared Drives, databases (MS SQL, Exchange, Oracle, SAP HANA, PostgreSQL, MySQL/MariaDB) and even mobile devices. The same agent doubles as the anti-malware scanner and the EDR telemetry sensor — eliminating driver conflicts, reducing CPU footprint and shrinking the attack surface.

3-2-1 backup rule out of the box. Cyber Protect Cloud encourages the 3-2-1 backup rule by default — three copies of data, on two different media types, with at least one copy offsite. A common deployment is local NAS or appliance (copy 1 and 2 on different media) plus Acronis Cloud (copy 3, offsite, immutable). Immutable storage (object lock) prevents ransomware from encrypting or deleting cloud backups even with administrator credentials. For organizations under GDPR Article 32, HIPAA 164.308, PCI-DSS Requirement 9.5.1 or SOC 2 CC8.1, the 3-2-1 architecture with Acronis immutable cloud closes a major audit control.

Anti-ransomware: Active Protection. The Active Protection engine is behavioral, not signature-based. It watches process behavior on protected endpoints and detects ransomware encryption patterns in real time — even from previously unseen malware families. When detected, the offending process is killed, its file changes are automatically rolled back from a self-protected cache and the latest backup is verified to be ransomware-free. In SE Labs and AV-TEST evaluations Active Protection has consistently caught 100% of tested ransomware samples without false positives.

EDR built in. The Advanced Security + EDR module (sold per-workload on top of base Cyber Protect Cloud) converts the same agent into an EDR sensor. Attack chains are visualized as MITRE ATT&CK-mapped graphs; suspected lateral movement, persistence and exfiltration paths are surfaced automatically. From a single console an analyst can isolate the host, kill the process, quarantine the file and — uniquely to Acronis — instantly restore the affected files or the whole machine from a known-good backup. The post-incident recovery loop, which usually involves multiple tools and several hours, collapses to a few clicks.

Disaster Recovery (DRaaS). The integrated Disaster Recovery module replicates production VMs to Acronis Cloud as cold or hot standbys. Hot DR achieves RPO under 15 minutes and RTO in single-digit minutes; cold DR is cheaper but slower. Failover is orchestrated by runbooks that define startup order, IP remapping, DNS updates and post-failover scripts. Test failover runs the recovered workloads in an isolated test network — production stays untouched while you validate the runbook. EU (Frankfurt), UK (London) and US data center choices keep DR within the data-protection boundary required for GDPR Article 44 cross-border transfer rules.

Microsoft 365 and Google Workspace backup. The M365 module backs up Exchange Online mailboxes (including shared mailboxes and public folders), OneDrive for Business, SharePoint Online (including OneNote and site templates) and Microsoft Teams (channels, files, chats — including private 1:1 chats where licensing permits). The Google Workspace module covers Gmail, Drive, Shared Drives, Calendar and Contacts. Both are API-based — no MX changes, no domain reconfiguration, no on-prem proxy. Restore granularity goes down to a single email, a single file version or a single Teams channel message. For GDPR right-to-be-forgotten and HIPAA record-retention requests this granularity is critical.

Advanced Email Security (Perception Point). An optional module powered by Perception Point delivers BEC, phishing, malware and account-takeover detection on top of Microsoft 365 or Google Workspace. Detection uses dynamic next-gen sandbox, image-recognition for QR phishing, language-model anomaly detection and threat intelligence. The module integrates over Graph API — no MX flip — and reports into the same Cyber Protect Cloud console.

Advanced Management. Patch management (Windows + 3rd-party apps such as Chrome, Adobe, Java, Zoom), software/hardware inventory, drive-health monitoring (S.M.A.R.T. predictive alerts), remote assistance and backup-validation automation are bundled into the Advanced Management module. For MSPs this is the IT operations layer that complements the security/backup layer — one agent, one console, one billing meter.

DeviceLock DLP. The Advanced DLP (DeviceLock) module enforces data loss prevention on endpoints — controlling USB, Bluetooth, clipboard, printers, screen capture and uploads to cloud services. It includes pre-built classifiers for GDPR personal data (national IDs, IBANs, passport numbers), HIPAA PHI (medical record numbers, ICD codes) and PCI-DSS card data. Auditors looking for endpoint DLP coverage as part of ISO 27001 A.8.3 or SOC 2 CC6.7 can document the control with DeviceLock policies and logs.

Pay-as-you-go licensing. No annual SKU lock-in — the platform meters workloads and consumption (GB stored, GB transferred, M365 seats, EDR workloads, DR resources). Monthly invoices follow consumption; sub-tenant billing makes it trivial for MSPs to pass cost through to customers with margin. For seasonal businesses (retail, hospitality, accounting practices) the elasticity matters — backup count for a 3-month tax season can ramp up and back down without renegotiation.

Compliance posture. Acronis Cloud holds SOC 1, SOC 2 Type II, ISO 27001, ISO 27018, HIPAA, GDPR and PCI-DSS attestations. The platform itself helps customers meet GDPR (data residency, encryption at rest and in transit, right to be forgotten, breach notification), HIPAA (BAA available, PHI encryption, audit logs), PCI-DSS (encryption, key management, immutable storage, role-based access), SOC 2 (audit trail, change management, incident response) and ISO 27001 (Annex A controls coverage). Sora Yazilim provides the compliance mapping and audit-evidence packs as part of the deployment.

Anti-malware: more than just signatures. The Acronis anti-malware engine combines signature-based detection (refreshed multiple times per hour), behavioral analysis, machine-learning classification and cloud-based reputation lookup. The same engine has consistently passed AV-TEST and SE Labs evaluations with 99.5%+ detection rates and near-zero false positives. Because the engine shares the agent with backup, it benefits from a feature unique to the platform: backup scanning. Mounted backup archives are scanned for malware in the background — so a restore from a backup taken before the malware infiltrated is verified to be clean before being brought online. The platform refuses to restore a backup that contains the known compromise — closing a long-standing blind spot in legacy backup tools.

Vulnerability assessment and patch management. Beyond backup and security, Cyber Protect Cloud runs a continuous vulnerability assessment against every protected workload. Missing OS patches, outdated third-party software (Chrome, Adobe, Java, Zoom and 300+ more), known CVEs and end-of-support OS detection are surfaced in a single dashboard. The Advanced Management module then deploys patches with failsafe rollback — a pre-patch snapshot is taken automatically so a broken patch can be reverted with one click. For organizations under PCI-DSS 6.2 (patch within one month of release) or HIPAA 164.308(a)(5)(ii)(B) (protection from malicious software) requirements, this provides documented patch evidence.

Backup encryption and key management. All backups are encrypted with AES-256 at rest and TLS 1.2+ in transit. Two encryption modes exist: password-based (the customer supplies a password, derives the key, Acronis never has the key) and certificate-based (X.509 certificate-managed). For PCI-DSS Requirement 3.5 (key management) and HIPAA 164.312(a)(2)(iv) (encryption) the customer can opt for full self-managed keys — Acronis Cloud stores ciphertext only, with no ability to decrypt. The trade-off is that lost passwords mean lost backups; Sora Yazilim manages key escrow with separation-of-duties controls so this risk is mitigated without giving up the security property.

Notarization (blockchain-based backup integrity). A differentiating capability: backup files can be cryptographically notarized — the hash of every backup is anchored into a public blockchain (Ethereum). This produces tamper-evident proof that a backup existed in its current state at a specific point in time. For legal hold (eDiscovery), financial-records retention (SEC 17a-4, FINRA, Sarbanes-Oxley) and dispute-resolution scenarios, this notarization is admissible evidence that data has not been altered. Auditors evaluating data-integrity controls under ISO 27001 A.8.3 or SOC 2 CC8.1 can document the control with notarized backup evidence.

Integrations with the broader IT and security stack. Cyber Protect Cloud ships native integrations for PSA/RMM platforms commonly used across EU/UK/US MSP markets — ConnectWise PSA/Manage and Automate, Datto Autotask, Kaseya VSA, NinjaOne and SyncroMSP — so alerting, ticketing, billing reconciliation and customer onboarding flow into the MSP's existing tools without double bookkeeping. For SOC integration, the platform exports event and alert data via syslog (CEF, LEEF), REST API and webhook into Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM, LogRhythm and Arcsight. Identity integrations cover Microsoft Entra ID (Azure AD), Active Directory Federation Services, Okta and Google Workspace SSO; conditional access policies travel with the federated identity. Cloud-storage integrations include AWS S3 (with object-lock for immutability), Azure Blob (with immutability policies), Google Cloud Storage and Wasabi — letting customers keep ownership of cloud-side storage when contractual or cost reasons warrant.

Sora Yazilim managed service. For customers who prefer not to build internal backup/recovery operations, Sora Yazilim offers a fully managed Cyber Protect Cloud service. Our certified engineers operate the platform on the customer's behalf — including 24/7 monitoring, backup-failure triage, restore drills, DR test runs, monthly compliance reports and incident response. The 15-minute first-response SLA, monthly health reports, quarterly DR runbook tests, annual full-restore exercises and on-call incident-response engineering are part of the standard package. The same team handles licensing, renewal, growth sizing, M&A onboarding (new acquired entities added to the protection scope) and divestiture (tenant cleanly extracted and handed over).