Free backup risk assessment

Backup that attackers can't find
HBS × Airgap+

Ransomware can't encrypt what it can't reach. HBS Airgap+ physically disconnects your backup NAS from the network—every single backup cycle. Pair it with QuTS hero's ZFS WORM and your data is locked on write: untouchable, unalterable, and always recoverable.

Just three components: a QNAP NAS, a QHora router or QSW switch, and HBS Airgap+ enabled. View recommended configuration →

Assess your backup risk for free See how Full Isolation Backup works

Threat Landscape

Your backup is the #1 target of ransomware

Modern ransomware doesn't just encrypt files. It lurks for weeks, silently compromising your backup system before it strikes.
By the time you notice, your last line of defense may already be gone.

96% ^[1]

of ransomware attacks
target backup systems

US $4.40M ^[2]

Average cost
of a single data breach

Only 10% ^[3]

of organizations
recover more than 90% of data

[1] Veeam, 2024 Ransomware Trends Report, 2024
[2] IBM / Ponemon Institute, Cost of a Data Breach Report 2025, Aug 2025
[3] Veeam, Veeam Report Finds Close to 70% of Organizations Still Under Cyber Attack, 2025

When your backup sits on the same network as production, one breach is all it takes to wipe out both.
HBS Airgap+ physically removes the backup from the network. If attackers can't see it, they can't touch it.

With vs. Without HBS Airgap+

What changes when you enable HBS Airgap+?

Without HBS Airgap+, your source and backup NAS share a live connection during transfer. Ransomware can follow that path straight to your backup.
With HBS Airgap+, a Bridge NAS sits in between, and the two gates never open at the same time. Your backup NAS stays invisible.

During backup

Standard backup (no HBS Airgap+)

Direct connection during transfer

Source
NAS

Normal operation

Direct connection

Backup
NAS

Exposed to source-side threats

Risk: A live network path connects source to backup. Malware hiding on the source NAS can reach the backup directly, encrypting or destroying your data.

During backup

Backup with HBS Airgap+

Airlock isolation during transfer

Source
NAS

Normal operation

▶ Open

Bridge
NAS

Temporary relay

✕ Closed

Backup
NAS

Fully isolated

Protection: Gate A and Gate B never open simultaneously. The source NAS has no path to the backup NAS—ever. Even a fully compromised source cannot reach the backup.

Bridge NAS security: The Bridge NAS only runs HBS sync and backup tasks, exposes no services, and accepts no inbound connections. Gate control is managed via mTLS mutual authentication between HBS and QuRouter.

How HBS Airgap+ Works

The airlock principle: 5-stage isolation

Borrowed from semiconductor cleanroom design, HBS Airgap+ uses a Bridge NAS and a router or switch to create a physical airlock. Data passes through, but a direct connection never exists.

① Standby: everything disconnected

No active backup task. The Bridge NAS is offline, no connection exists between source and backup, and the backup NAS is completely invisible on the network.

See HBS Airgap+ in action (2 min)

QNAP HBS Airgap+ isolated backup walkthrough

Ready to enable HBS Airgap+?

Follow the step-by-step guide and get HBS Airgap+ running in about 10 minutes.

View setup tutorial

Immutable Backup

HBS + ZFS WORM: write once, tamper never

Isolation keeps attackers out. WORM keeps your data untouched.
QuTS hero locks backup data at the ZFS level the moment it's written. No one can modify or delete it during the retention period. Not administrators. Not attackers with root access. HBS triggers the lock automatically after every backup.

QNAP NAS with HBS backup to QuTS hero NAS with WORM folder

Mode	File-level protection	Folder deletion policy
Enterprise Mode	Files cannot be modified or deleted during the retention period.	Administrators can delete the entire WORM shared folder (management flexibility).
Compliance Mode	Files cannot be modified or deleted during the retention period.	No one, including administrators, can delete the folder (maximum protection).

Set up immutable backup in 6 steps

Create a shared folder

In QuTS hero Storage Manager

Enable WORM

Choose manual lock mode

Set retention period

Enter the lock period (days, months, or years)

Create backup job in HBS

Start a new backup job in HBS

Select WORM folder as destination

Choose the WORM-enabled shared folder as the backup target

Set up version management

Enable version management and set retention days

Start setting up immutable backup

Follow the step-by-step tutorial to configure WORM + HBS on your backup NAS.

View setup tutorial

Recommended Configuration

HBS Airgap+ Full Isolation Backup

Compatible router and switch models

HBS Airgap+ requires one of the following QNAP routers or switches. Third-party devices and other QNAP series are not supported.

Device type	Product series	Max speed	Recommended model
Managed Switch	QSW 7000 Series	100GbE	QSW-M7308R-4X
Managed Switch	QSW 3000 Series	10GbE	QSW-M3224-24T / QSW-M3212R-8S4T / QSW-M3216R-8S8T / QSW-IM3216-8S8T
QHora Router	QHora Series	10GbE	QHora-322
QHora Router	QHora Series	2.5GbE	QHora-321

●Switch Firmware: QSS Pro v4.3.0+ ●Router Firmware: QuRouter v2.4.2+ ●NAS OS: QuTS hero ●Backup Software: HBS v26.3.0121+

Deployment Recommendations

Pick the hardware that fits your team size. Enable HBS Airgap+, add ZFS WORM on the backup NAS, and you have a fully isolated, immutable backup: the strongest defense against ransomware.

Solution A

Small Office / Entry-Level

For teams under 10: fast to deploy, budget-friendly

Source NAS	Existing QNAP NAS
Bridge NAS	TS-264
Backup NAS	TS-855X QuTS hero
Router	QHora-321

The Bridge NAS is just a relay, so entry-level hardware is fine. The TS-855X runs QuTS hero with ZFS WORM and 8 bays of backup storage.

Recommended

Solution B

Mid-Sized Enterprise / Standard

For teams of 10–50: balances speed, capacity, and growth

Source NAS	Existing QNAP NAS
Bridge NAS	TS-264
Backup NAS	TS-1655 QuTS hero
Switch / Router (Choose one)	QSW-M3216R-8S8T or QHora-322

TS-264 handles relay duties. TS-1655 with a 10GbE switch or QHora-322 router delivers the speed and capacity mid-sized teams need.

Tip: The backup NAS must run QuTS hero for WORM support. The Bridge NAS is just a relay, so an entry-level model keeps costs down. Need a larger or rackmount deployment? Talk to our sales team.

Why HBS Airgap+ for enterprise backup?

High-speed transfer

Pair with a QSW switch (10/25/100GbE) to slash backup windows and minimize downtime during restores.

Faster recovery

Backups live on local NAS with high-speed networking. Restore in minutes, not hours, compared to cloud-based recovery.

Immutable backup

ZFS WORM on QuTS hero locks data the moment HBS writes it. No one can modify or delete it. Period.

Learn more ›

Scales with you

Hot-swap larger drives, add expansion units, or migrate to a bigger NAS. Your backup capacity grows as your business does.

Set it and forget it

Schedule once in HBS. HBS Airgap+ handles gate control, backup execution, and disconnection. Fully automated, zero manual steps.

Remote power control

Power NAS devices on and off remotely. No physical access needed.

FAQ

How do I set up HBS Airgap+ Full Isolation Backup?

Configure a QHora router or QSW switch in HBS, set up the HBS Airgap+ schedule and gate configuration. The whole process takes about 10 minutes. View HBS Airgap+ setup guide →

How do I use a WORM folder as my backup destination?

Create a WORM shared folder on your backup NAS (QuTS hero), set the lock mode and retention period, then select it as the destination in your HBS backup job. Note: WORM must be enabled at folder creation; it cannot be added later. View WORM setup guide →

What is mTLS and why does HBS Airgap+ use it?

mTLS (Mutual TLS) requires both sides of a connection to verify each other's identity with certificates. In the HBS Airgap+ architecture, HBS uses mTLS to securely communicate with QuRouter for gate control, ensuring only authenticated systems can open or close the airlock. Learn about mTLS in QuRouter →

Why can't I delete WORM-protected files to the Recycle Bin?

That's WORM doing its job. During the retention period, files are locked at the ZFS layer. All delete and modify operations, including moving to the Recycle Bin, are blocked by the system. Learn about WORM file protection →

How is the WORM retention period calculated?

The retention clock starts when a file is committed (locked), not when it's created. You can set retention in days, months, or years. Files become modifiable only after the period expires. Learn about retention periods →

Ready to go air-gapped?

Talk to a QNAP solution expert and get a tailored HBS Airgap+ deployment plan, from hardware to activation.

Book a free 30-min consultation

Backup that attackers can't findHBS × Airgap+