The Last Known-Good State Is a Decision

The last backup is not necessarily the last trustworthy state. Selecting a recovery point requires evidence, authority and consequence analysis.

The answer

Teams speak of the last known-good state as if it were a timestamp waiting to be discovered. Good for what? The data may be complete while an administrator was already compromised.

Teams speak of the last known-good state as if it were a timestamp waiting to be discovered.

Good for what? The data may be complete while an administrator was already compromised. The system may be clean while missing essential transactions. A backup date is evidence, not a decision.

Balance three losses

- Security loss from restoring hostile persistence.

- Business loss from discarding valid activity.

- Evidential loss from overwriting the period that explains the incident.

Value object — The Recovery-Point Decision Record

- Candidate state and evidence.

- Known compromise window.

- Business transactions lost.

- Reconciliation plan.

- Decision authority.

- Monitoring and rollback.

Restore in controlled rings

Bring back identity, observation and essential records before broad connectivity. Reconcile lost activity from independent sources.

The last known-good state is the state the institution can defend as trustworthy enough for the next controlled action.

Where this breaks

The phrase known-good often reflects confidence rather than evidence. Choosing the newest backup protects productivity; choosing the oldest protects against persistence; neither automatically protects the institution.

The operating move

Make the trade-off explicit. Use forensic evidence, business records and recovery tests to select a state, then plan reconciliation for what is intentionally discarded.

Document the compromise window.

Quantify valid activity lost.

Reissue privileged credentials.

Monitor the restored ring.

The test

Present two plausible recovery points to the incident authority. If the team cannot explain the consequence of each, the choice is still technical guesswork.

Sources

  1. NIST Digital Identity GuidelinesNIST Digital Identity Guidelines

    Primary authority

  2. NIST SP 800-34 Rev. 1: Contingency Planning GuideNIST SP 800-34 Rev. 1: Contingency Planning Guide

    Primary authority

  3. FINMA: Revised circular on operational risks and resilienceFINMA: Revised circular on operational risks and resilience

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
The Last Known-Good State Is a Decision \