Loading

Join the Cohesity Community

Connect with peers, share expertise, build skills, and enhance your product knowledge in the new Cohesity Community.

Learn more
Free Trial

Minimum Viable Company

Define, secure, and protect the essential elements of your business. Recover faster by focusing on core systems and processes. 

Read the blog
Work with our cyber experts
MVC hero ISO
Overview

Strengthen your cyber resilience by recovering what matters most quickly, safely, and with intent.

The Minimum Viable Company (MVC) is the smallest combination of business services, people, technology, data, facilities, suppliers, and decision-making capabilities required to maintain critical operations after a major disruption, including a destructive cyberattack.

It is your organization’s safe operating core: enough to serve customers, protect people, meet legal obligations, preserve cash flow, maintain trusted communications, remediate threats, and guide a return to full operations. 

The 5 concepts required to define your MVC

These concepts turn Minimum Viable Company into an actionable, testable capability. 

Clarity on critical services

Map every system back to the business value it creates. Define what must function in the first 24 hours, 72 hours, and first week, including serving customers, handling payments, complying with regulations, and preserving records. Identify dependencies for each component. 

A trusted foundation
(Tier 0) 

Establish your most critical foundation first: identity systems, networking, security tooling, privileged access, and secure out-of-band communications. These are Tier 0 capabilities. Without them, nothing else can be trusted. 

Isolation of recovery assets

Pre-position immutable backups, a hardened Digital Jump Bag™, known-good configurations, playbooks, and contact lists in an air-gapped environment. Assume primary systems are compromised. Your recovery assets must remain pristine and isolated.

Clean room recovery capability 

In a destructive cyberattack, you cannot safely recover directly into production – you need an isolated environment to rebuild systems without reintroducing compromise. A clean room enables investigation, validation, and verification first, ensuring your MVC operates in a trusted state from day one: critical services run safely, decisions are reliable, and you confidently scale back to full operations. 

Validated ability to operate

Recovery without proof is just hope. Regular testing and simulations confirm that your critical services, dependencies, and processes actually work when primary systems are compromised or offline. This validation builds confidence that your MVC can deliver trusted operations under real stress. 

Why organizations adopt the MVC approach

Organizations adopt the Minimum Viable Company approach to maintain operations during disruption, not pause until recovery is complete. You keep critical services running, serve customers, process payments, and meet obligations even when large parts of your environment are unavailable or untrusted. By rebuilding from known-good, isolated assets and verifying before production, you remove attacker persistence and restore operations in a trusted state.

This approach also reduces decision latency during high-pressure events. With predefined governance, out-of-band communications, and a hardened Digital Jump Bag™, your team acts with clarity and control. At the same time, alignment with frameworks such as DORA and NIS2 helps demonstrate resilience and compliance. Built-in metrics and lessons learned support continuous improvement, strengthening your architecture, policies, and partner ecosystem over time.

Cohesity turns your MVC from concept into capability 

Work with Cohesity to define, validate, and operationalize your MVC strategy. 

Backup and recovery

Protect all Tier 0 data sources for your Minimum Viable Company with unified backup and recovery. 

Cyber recovery orchestration

Automate response and recovery workflows to accelerate recovery time objectives (RTOs). 

Cyber vault

Ensure MVC components, your most critical assets, remain recoverable, even in a worst-case scenario. 

Clean room

Use this isolated environment to rebuild systems without reintroducing risk. 

Threat protection

Detect and investigate threats to reduce the risk of reinfection during MVC recovery.

FAQs for Minimum Viable Company 

A Minimum Viable Company (MVC) is a cyber resilience strategy that identifies the smallest dataset and critical systems an organization needs to restart operations after a ransomware attack, cyberattack, or disaster. The MVC concept includes the minimal dataset needed to restart operations post-disruption, including core applications like CRM and ERP, essential employee data, supply chain information, and basic infrastructure configurations.

By defining the MVC, enterprises can reduce downtime, accelerate ransomware recovery, ensure business continuity, and safeguard mission-critical workloads — turning cyber recovery planning into a rapid, policy-driven restoration workflow.

The Cohesity Data Cloud platform underpins a Minimum Viable Company (MVC) strategy by mapping directly to Cohesity's Five-Step Cyber Resilience Framework©: protect all data, ensure data is always recoverable, detect and investigate threats, practice application resilience, and optimize data risk posture. 

  • Protect all data: Cohesity Data Cloud safeguards 1,000+ mission-critical workloads — CRM, ERP, databases, VMs, cloud, SaaS — all with immutable backups stored in a modern data platform. 
  • Ensure recoverability: FortKnox cyber vaulting isolates MVC data in an air-gapped, immutable vault for clean recovery in a worst-case scenario. 
  • Detect and investigate threats: AI-powered anomaly detection, threat intelligence, YARA rules, and threat hunting identify malware before restoring your MVC. 
  • Practice application resilience: Cohesity’s cyber recovery orchestration helps automate clean room drills and cyber recovery runbooks. 
  • Optimize risk posture: Cohesity DSPM classifies sensitive data, ensuring compliance and continuous risk reduction. 

Combined with Cohesity CERT incident response, MVC data stays recoverable, compliant, and resilient — accelerating business continuity, disaster recovery, and cyber resilience outcomes. 

A traditional disaster recovery (DR) plan restores full IT environments from the most recent backup after natural disasters, hardware failures, or human error. A Minimum Viable Company (MVC) plan is built for ransomware and destructive cyberattacks, where recovering the latest configurations and data can re-introduce vulnerabilities, cause reinfection, and prolong downtime. Instead, an MVC prioritizes the minimal dataset — core applications, credentials, and configs — needed to "reboot the company" from a clean, immutable copy. Unlike DR's IT-only failover, MVC requires active collaboration between IT, Security, and business leaders. Additional capabilities such as - cyber vaulting, forensics, clean-room validation, and orchestrated cyber recovery – are required for MVC, but not DR. 

Defining a Minimum Viable Business (MVB) or Minimum Viable Company (MVC) state is critical to cyber resilience because it forces organizations to prioritize the systems, applications, and data that must come back online first after a ransomware attack or destructive cyber incident. Rather than attempting to recover everything at once, the goal is to restore only what is most critical to maintain core operations  -  protecting revenue, customer trust, and regulatory compliance with frameworks like NIST CSF, DORA, and ISO 22301. An MVB/MVC state enables faster recovery time objectives (RTOs), reduces downtime costs, and transforms business continuity planning into a proactive, resilience-first strategy. 

image

Ready to get started?

Start your 30-day free trial or view one of our demos.

Start your trial
Browse demos
daashboard
Loading