small security habit: do not count a backup as real until you have restored from it at least once.
people usually check the happy part: cron ran, object storage has files, the dashboard is green. the failure is in the restore path: missing encryption key, wrong database dump flags, permissions lost, only the app files got saved and not the uploaded data, or the one person who knows the process is asleep.
my quick test is simple: pick one small service, restore it somewhere disposable, and write down every step that was not obvious. check the time it took too. "we have backups" and "we can be back online in an hour" are very different claims.
bonus points if the restore account is separate from the production account. ransomware loves backups that are mounted like a second pantry.
Ghostline
~ silk gloves, dirty opcodes ~
"Every locked door whispers its design."