Analytics & Cookies

We use self-hosted Matomo analytics. By default we measure anonymously with no cookies. Enable cookies to give us a clearer picture and help us improve your experience. You can change this anytime.

Backup Agent

Backup Agent — Streaming & Chained Modes

The ShadowCradle backup agent runs on Windows and Linux (macOS coming soon). Pair it with a ShadowCradle appliance and every recovery point becomes completely independent - no chains, no dependencies, maximum reliability. The appliance manages all snapshots, deduplication, and recovery operations to ensure maximum uptime and instant recovery from any point in your backup history.

Windows · Linux
Cross-platform (macOS soon)
AES-256-GCM
Per-block encryption
64 KB
Block granularity (configurable)
Unlimited
Local recovery cache

Snapshot Streaming Architecture

The agent streams blocks directly to the ShadowCradle appliance, where every recovery point is completely independent and fully restorable without any dependencies on prior snapshots.

With ShadowCradle Appliance

Snapshot Streaming

The agent streams blocks directly to the ShadowCradle appliance over HTTPS. The appliance manages all snapshots, deduplication, and metadata - so each recovery point is stored as a fully self-contained unit with no dependency on any other snapshot. Restore from any moment in history without first restoring an earlier point.

Agent
Appliance
HTTPS streaming · API key auth
  • Every snapshot is fully independent - no chains ever
  • Restore any point in time without traversing earlier snapshots
  • One corrupt snapshot never affects any other
  • Appliance manages deduplication, versioning & indexing
  • Live Migration - near-zero downtime recovery (brief reboot required)
  • Automatic monthly recovery testing built in
  • Multi-site replication of fully chain free based backup snapshots included
Best for
HQ & data centre environments · Compliance-heavy industries · VMware & KVM workloads · Mission-critical systems where every recovery point must be independently restorable
Backup Strategy

Three Backup Types. All Built In.

The agent automatically chooses the most efficient type based on what has changed since the last backup.

FullFirst backup
Every block on the drive is read and stored. Always the starting point - subsequent backups build from here.
DifferentialDefault
Reads all blocks changed since the last Full. No driver required. Fast restores: you only need the Full + one Differential.
IncrementalCBT driver required
Reads only blocks changed since the previous backup of any type. Smallest backup windows, lowest storage footprint. Requires the optional CBT driver (one reboot after install).
Optional CBT Driver - One Reboot Required
The Changed Block Tracker driver intercepts writes at the kernel level for true incremental tracking. Installation is optional and requires a single system reboot. Without it, differential backups are used automatically.
How It Works

Inside Every Backup Run

Six deterministic steps run in sequence each time the agent triggers a backup job.

Step 1 - Initiation
Scheduled trigger fires. Agent checks for any in-progress jobs on the appliance (concurrent limit respected per model).
Step 2 - VSS Snapshot
Windows Volume Shadow Copy creates an application-consistent point-in-time snapshot. SQL Server and Exchange VSS writers are notified to flush and quiesce.
Step 3 - Changed Block Scan
USN Journal (or CBT driver if installed) identifies which 64 KB blocks changed since the last backup. Only those blocks are read - typically 1–5% of the drive.
Step 4 - Encrypt & Transfer
Each block is individually AES-256-GCM encrypted with a unique nonce. Compressed blocks stream directly to the ShadowCradle appliance over HTTPS with full integrity verification.
Step 5 - Snapshot Created
The appliance atomically commits the snapshot. In fully chain free based backup mode, we independently store each section of each snapshot and map it to deliver minimum space usage, maximum performance, and optimal reliability - creating a fully independent recovery point with no prior snapshot required to restore.
Step 6 - Verify & Replicate
Post-write verification re-reads sampled blocks. If cloud replication is configured, the snapshot is queued for asynchronous upload to the cloud archive.

Enterprise Capabilities in Both Modes

Switching modes changes where data lands - not what the agent can do.

Block-Level Change Tracking
Block size is configurable (default 64 KB). On Windows the agent uses the NTFS USN Journal; on Linux, EXT4 journal + inotify. Alternative fast scan mechanisms (bitmap scan, full-surface scan) are also supported for filesystems or edge cases where journal-based tracking is unavailable. Only changed blocks are read and uploaded - 20–40x faster than re-reading the full drive.
AES-256-GCM Per-Block Encryption
Every 64 KB block is individually encrypted with a unique 12-byte nonce and a 16-byte authentication tag. Block offset is used as Additional Authenticated Data to prevent block-swapping attacks. Under 0.04% overhead.
Pre-Backup Ransomware Detection
Entropy analysis, sentinel file integrity checks (15 monitored files), and rapid modification detection. If ransomware behavior is detected, the backup halts immediately and an alert is raised - protecting your recovery points from corruption.
Flexible Backup Scope
Whole-drive imaging, system-partition-only (excluding user data), or a specific volume by drive letter or mount point. Each scope can have its own independent schedule.
Crash Recovery & Checkpointing
Progress checkpoints written every 1,000 blocks via atomic temp-file swap. If the agent crashes mid-backup it resumes from the last checkpoint - no partial blocks, no corrupt output.
Post-Write Verification
Configurable sampling verification (0–100%) re-reads written blocks and revalidates their content hashes. Catches storage-layer errors before they would silently corrupt a future restore.
Independent Full & Incremental Schedules
Cron-based scheduling lets you run a full backup weekly and incrementals every 6 hours independently. Retention policies automatically clean up old snapshots and release storage.
Prometheus Metrics Export
Per-backup counters for blocks written, throughput (MB/s), compression ratio, deduplication savings (bytes), and duration - ready for Grafana dashboards and PagerDuty alerting.

Cross-Platform Support

Windows
Server 2012 – 2025 · Windows 8, 10, 11
  • NTFS USN Journal - block-level tracking, configurable block size (default 64 KB)
  • Optional CBT driver for true incremental backups (requires one reboot)
  • VSS integration for application-consistent snapshots
  • SQL Server & Exchange VSS writer support
  • Physical drive & partition backup
Fully Supported
Server 2025Server 2022Server 2019Server 2016Windows 11Windows 10
Partially Supported
Server 2012 R2Server 2012Windows 8
Command-line pairing only. CBT driver and VSS not available on these versions.
Linux
Ubuntu 20.04+ · CentOS 8+ · Debian 11+
  • EXT4 journal + inotify for mounted filesystems
  • btrfs filesystem support
  • iSCSI volume backup with direct-to-cloud caching
  • Mount-point partition targeting
macOSComing Soon
macOS 10.15 Catalina and later
  • APFS filesystem with FSEvents change monitoring
  • Whole-drive and individual partition backup
  • Time-Machine-agnostic - runs independently
  • Configurable compression (lz4 / zstd)

Mode Comparison at a Glance

CapabilitySnapshot Streaming (Appliance)
Independent recovery points
Appliance hardware required✅ Yes
Storage destinationShadowCradle Appliance
Recent restore speed✅ Local appliance
Older snapshot restore✅ Appliance storage
Deduplication managed byAppliance
Multi-site replication✅ Built in
Ransomware detection
AES-256-GCM encryption
Crash recovery & checkpointing
Prometheus metrics

One Agent. Every Machine. Maximum Recoverability.

Pair the backup agent with a ShadowCradle appliance for truly independent recovery points - no chains, no dependencies, maximum reliability. Deploy in minutes on Windows or Linux.

No credit card required · Cancel anytime · 60-day free trial