NetBackup Flex Appliance 7.0: Control your backup infrastructure before attackers get there first

NetBackup Flex Appliance is a turnkey cyber-hardened appliance platform that offers scalable, and cyber-resilient backup storage. Now generally available, Flex 7.0 builds on that foundation with stronger security controls, enhanced governance and even more consistent protection across core data center, departmental, and edge environments.

According to the recent Cohesity Cyber Resilience survey report, only 54% of organizations apply their backup policies and controls the same way everywhere. This inconsistency can create gaps that attackers are quick to exploit. Flex 7.0 helps close those gaps by embedding zero-trust principles directly into the appliance. It delivers built-in protection you can rely on, and greater confidence when recovery matters most.

Cyber resilience: Zero trust controls are built-in, not bolted on

Flex 7.0 enforces secure-by-default behaviors that must be intentionally overridden, helping to close the gaps most commonly exploited by social engineering, credential theft, and insider threats.

• Multi-person authorization (MPA): No single compromised admin account can delete, rotate encryption keys, or modify access policies. Sensitive operations require quorum-based approval, and every request, approval, and denial is immutably logged. When threat actors gain admin credentials (the top attack vector), MPA ensures they still can't destroy your recovery capability, even from the inside.
• Custom, granular RBAC: With overprivileged accounts, a single compromise can turn into a breach. Flex 7.0 separates network operations, upgrade management, and backup administration into scoped roles, making least privilege enforceable. This minimizes the risk of accidental or malicious compromise and helps ensure that compromising one account doesn't grant access to destroy backups.
• Instance-level Network Access Control (NAC): Attackers gain footholds in your enterprise, move laterally from breached systems, and pivot through any open path to reach your backup systems. That’s why every containerized NetBackup service now has its own allow-list of permitted IPs, ports, and traffic, creating hard isolation boundaries that prevent compromised clients from reaching backup systems.
• Integrated malware scanning: Restoring infected backups reintroduces threats, and external scanning infrastructure adds fragility during incidents when time is critical. Flex 7.0 now runs NetBackup’s built-in malware scanners in isolated containers directly on the appliance, supporting your efforts to detect threats before restoring without external dependencies that can fail or be targeted by attackers.
• Self-encrypting drives (SED): Unencrypted backups at rest create breach risk if drives are stolen, improperly decommissioned, or misconfigurations go undetected. SEDs are now standard across 5372 Flex platforms, with API-level telemetry that proactively detects key drift or misconfigurations before they become incidents.
• Explicit WORM mode governance: Both Enterprise mode and Compliance mode are now surfaced per instance in the UI and APIs, letting you align each backup domain to the right immutability policy for its workload and easily prove it to auditors.
• Platform hardening defaults: Opt-in security configurations rarely get enabled consistently, leaving exploitable gaps during upgrades or maintenance:
  • MFA opt-out now requires a recorded justification.
  • Enterprise lockdown is active from the first boot container.
  • MAC addresses stay stable to prevent firewall breaks.
  • Parallel upgrades cut maintenance windows by ~1 hour, keeping security active unless deliberately disabled with an audit trail.

Hardware refresh: Flex 5270 and 5372 (Next-gen platforms)

Flex 7.0 arrives alongside two new appliance platforms, the Flex 5270 and Flex 5372, both powered by Intel's latest Emerald Rapids processor generation. Faster backup completion and accelerated recovery times help strengthen your resilience posture, protecting critical data quickly and getting it back in production when you need it most.

• The Flex 5372 is the core enterprise platform, replacing the 5360, 5362, and Access 3360 with a single consolidated system. It's a meaningful step up in raw capability, delivering more throughput than its predecessor. Critically, every drive ships SED-ready as standard hardware. Organizations moving off the 5340 generation can achieve TCO reductions and a smaller physical footprint.
• The Flex 5270 replaces the 5260 for department and enterprise workloads on the same Gen5 platform, with faster performance than the previous generation, and expandable storage up to approximately 1 PB with additional high-density 20 TB drives across six expansion shelves. It delivers greater capacity in less rack space with the same hardened Flex platform underneath.
• Streamlined Flex software bundles: With this release, Flex now aligns updated software bundles with the new 5270 and 5372 platforms, packaging long-term retention with cyber resilient features and capacity into preset options so users can pick a bundle that aligns with their needs instead of stitching together individual licenses.

Simplified operations: Less manual work, faster recovery, lower risk

Security and operational resilience are not separate concerns. Every hour your team spends manually patching, configuring firewalls, or managing scanner infrastructure is an hour they aren't spending on threat response. Flex 7.0 deliberately reduces that overhead.

• Application QoS lets you allocate guaranteed CPU and memory to each  NetBackup or Malware Scanner instance, resolving the noisy neighbor problem where a high-volume job monopolizes I/O, other jobs stall, and backup windows slip without a clear cause.
• Long-Term Retention is now available directly on Flex appliances, eliminating the architectural complexity of maintaining separate infrastructure to meet compliance retention requirements for data like financial records, healthcare data, and legal archives. With this release, Flex Appliances are the next generation of Access 3360 appliances.
• Dynamic FC Rescans allow new Fibre Channel (FC) devices to be discovered without restarting application instances. This eliminates the maintenance windows that FC topology changes previously required, while parallel upgrade execution cuts roughly an hour from cluster update windows with zero-day NetBackup release support.

Running NetBackup on your own infrastructure

If you're running NetBackup on your own infrastructure with separate primary servers, media servers, and third-party storage—you already know the operational cost. Sometimes referred to as BYO (Bring Your Own) infrastructure, every component requires its own hardening, patching, monitoring, and skills. 

The security controls in Flex 7.0 including multi-person authorization, Network Access Control, integrated malware scanning, and SED enterprise lockdown by default—are all platform behaviors, not software features you can retrofit onto a fragmented stack. They work because the hardware, OS, networking, and NetBackup software are integrated and governed together.

The question isn't whether BYO can be made secure and continuously maintained. It can, but at a significant ongoing cost and complexity.

Many organizations are now exploring ways to simplify operations and reduce the effort required to manage multiple layers of infrastructure. Flex 7.0 brings these capabilities together in a converged, hardened system where many security and operational controls are already built in. With the latest 5270 and 5372 generation, the TCO equation has evolved, making it worth revisiting how Flex can streamline operations while maintaining the control teams expect. 

The bottom line

Flex 7.0 is the answer to a specific question security teams are increasingly being asked: Can you prove that a compromised backup admin account cannot destroy your recovery capability?

The answer with Flex 7.0 is yes. It builds the auditable governance layer that makes the foundation laid by previous generations defensible. If your backup infrastructure isn't there yet, now is the time to consider Flex-based appliances to close the gap.