Does Kymaros impact production workloads?

No. Every test runs in an ephemeral sandbox namespace with NetworkPolicy deny-all. Zero traffic to production. The namespace is automatically deleted after each test.

What backup tools does Kymaros support?

Kymaros supports Velero natively in the Community (free) tier. Kasten K10 and TrilioVault are available in the Team tier. The adapter interface is pluggable.

How is the confidence score calculated?

The score (0-100) is calculated across 6 validation levels: Restore Integrity (25 pts), Completeness (20 pts), Pod Startup (20 pts), Health Checks (20 pts), Cross-Namespace Dependencies (10 pts), and RTO Compliance (5 pts).

The Community tier is completely free and open source (Apache 2.0). It includes full Velero support, all 5 health check types, 6-level scoring, sandbox isolation, and a dashboard with 7-day history. The Team tier adds compliance reports, 90-day history, and multi-backup support.

Does Kymaros work with SOC 2 and DORA compliance?

Yes. Kymaros generates audit-ready evidence for SOC 2 (CC7.5), ISO 27001 (Control 8.13), DORA (Article 11-12), HIPAA, and PCI-DSS. It produces 365 documented DR tests per year automatically.

Open Source Kubernetes Operator

Know your backups actually work before disaster strikes

Name: Kymaros
Author: Kymaros

You back up everything. But have you ever tested a restore?
Kymaros continuously validates your Kubernetes backups so you never have to wonder.

Get Started Live Demo View on GitHub

restore-report.yaml

# RestoreReport output
apiVersion: kymaros.io/v1alpha1
kind: RestoreReport
status:
  phase: Completed
  confidenceScore: 94
  healthChecks:
    passed: 12
    failed: 0
    total: 12
  validationLevels:
    - restore, resources, pods, network, exec, data

The $800M blind spot in Kubernetes backup

The Kubernetes backup market will reach $2.1 billion by 2029. Companies invest heavily in Velero, Kasten, and TrilioVault to protect their clusters.

But there's a fundamental gap: every backup tool tells you the backup succeeded. None of them tell you the restore will work.

Backups degrade silently. Secrets get rotated. APIs get deprecated. PVC snapshots corrupt during writes. Schema migrations drift. When disaster strikes and the restore fails, teams discover these problems at the worst possible time.

Kymaros closes this gap. It's the validation layer that sits between your backup tool and your SLA guarantee.

$800M → $2.1B

K8s backup market (2025-2029)

Market data: Kubernetes data protection market analyses, 2024-2025

27.5% CAGR

Annual market growth

Market data: Kubernetes data protection market analyses, 2024-2025

0 tools

that validate restores automatically

Verified across all major K8s backup tools as of 2026

Your backups show ‘Completed’. But do they actually restore?

Every major K8s backup tool has a blind spot: none of them test whether a restore actually produces a working application. Here's what the industry data tells us.

38%

of K8s teams face high-impact outages weekly

Kubernetes environments experience frequent disruptions. Most teams lack automated validation to catch restore issues before they become incidents.

Source: Kubernetes reliability surveys, 2024-2025

177h

average annual downtime per organization

With an average of 5 engineers per incident and an estimated cost of $1M+/hour for critical outages, untested restores are a financial time bomb.

Source: Industry downtime benchmarks

backup tools validate restores automatically

Velero, Kasten, TrilioVault, Portworx — they all back up your data. None of them verify the restore actually works. That's the gap Kymaros fills.

Verified across all major K8s backup tools as of 2026

Everything you need to trust your backups

A complete validation framework built into your Kubernetes cluster as a native operator.

Free

Automated nightly validation

Schedule cron-based restore tests that run unattended. Every backup is restored into a sandbox and validated — every night, not once a year.

Free

Zero-impact sandbox isolation

Every test runs in an ephemeral namespace with NetworkPolicy deny-all and ResourceQuota. Fully isolated from production. Automatically cleaned up after every test.

Free

6-level confidence scoring

Not just 'did it restore?' — Kymaros validates restore integrity, resource completeness, pod startup, health checks, cross-namespace dependencies, and RTO compliance. Score: 0-100.

Free

Real RTO measurement

Measures actual time from restore trigger to application healthy. Compare against your SLA target. Know your real RTO — not your hoped-for RTO.

Team

Works with your backup tool

Native Velero support today. Kasten K10 and TrilioVault coming soon. Pluggable adapter interface — adding a new backup tool is implementing one Go interface.

Team

Audit-ready compliance reports

Generate PDF reports mapped to SOC 2 (CC7.5), ISO 27001 (8.13), DORA (Art. 11-12), HIPAA, and PCI-DSS. 365 documented DR tests per year — automatically.

How it works

From YAML to confidence score in four simple steps.

Define a RestoreTest CRD

Declare what to test: which backup, which namespaces, what health checks, what schedule. Commit to Git. Deploy with ArgoCD or Flux. Pure GitOps.

Kymaros creates an isolated sandbox

An ephemeral namespace with NetworkPolicy deny-all, ResourceQuota limits, and LimitRange defaults. Zero impact on production — guaranteed by Kubernetes network isolation.

Restores your backup and runs health checks

Triggers a Velero restore into the sandbox. Waits for pods to reach Ready. Runs your health checks: pod status, HTTP probes, exec commands, TCP connections, resource existence. Measures real RTO.

Generates a scored RestoreReport

Creates a Kubernetes CRD with a 0-100 confidence score, per-check results, resource completeness breakdown, RTO measurement, and 6-level validation detail. Alerts via Slack, PagerDuty, or webhook if score drops.

Define once, validate forever

A single RestoreTest CRD is all it takes. Define your backup source, health checks, and schedule. Kymaros handles the rest.

Declarative - Define your restore tests as Kubernetes resources
GitOps native - Store in your repo, deploy with ArgoCD or Flux
Flexible checks - Mix and match health check types per test

restore-test.yaml

apiVersion: kymaros.io/v1alpha1
kind: RestoreTest
metadata:
  name: production-daily
spec:
  schedule: "0 3 * * *" # Every day at 3 AM
  backupSource:
    provider: velero
    scheduleName: prod-backup
  namespaces:
    - api
    - database
  healthChecks:
    - type: httpGet
      path: /healthz
      port: 8080
    - type: exec
      command: ["pg_isready", "-U", "app"]
  notifications:
    slack:
      channel: "#platform-alerts"

Your auditor asks for DR test evidence. Kymaros generates it every night.

SOC 2, ISO 27001, DORA, HIPAA, PCI-DSS — they all require documented disaster recovery testing. Today you scramble to produce evidence once a year. With Kymaros, every night is a documented DR test.

SOC 2

Availability TSC — CC7.5

ISO 27001

Control 8.13 — Backup & recovery

DORA

Art. 11-12 — ICT resilience testing

HIPAA

§164.308 — Contingency plan testing

PCI-DSS

Req. 12.10 — Recovery procedure testing

365

DR test evidence per year

Generated automatically. No manual effort. No consultants.

20h

saved per audit cycle

No more reconstructing DR evidence from memory and Confluence pages.

100%

namespace coverage

Every namespace with a RestoreTest is validated continuously — no gaps.

Your backup tool doesn't do this

Velero, Kasten, TrilioVault, and Portworx are great at backing up your data. None of them validate that a restore produces a working application.

Capability	Velero	Kasten K10	TrilioVault	Kymaros
Backup K8s resources
Backup persistent volumes
Scheduled backups
Automated restore testing
Sandbox isolation
Health check validation
Real RTO measurement
Confidence scoring
Compliance reports

Kymaros is not a backup tool. It's the validation layer that sits on top of your existing backup tool. Install alongside Velero (or Kasten, or Trilio) — not instead of.

Simple, honest pricing

Start free with full functionality. Upgrade when you need compliance reports and enterprise features.

Community

Free

Open source — Apache 2.0

Full backup restore validation for individual SREs and small teams.

OPERATOR
Full Velero support
Unlimited RestoreTests
All 5 health check types
6-level validation scoring (0-100)
Sandbox isolation (NetworkPolicy deny-all)
Prometheus metrics
Slack & webhook notifications
Multi-namespace restore
DASHBOARD
Overview dashboard
Report detail
Score trend — 7 days
SUPPORT
GitHub issues
Community Slack

Get Started

Team

€299

/mo per cluster · billed annually €3,588/yr

For platform teams who need to prove resilience to management and auditors.

Everything in Community, plus:
OPERATOR
Kasten K10 support
TrilioVault support
Regression detection & smart alerts
PagerDuty integration
DASHBOARD
Score trend — 90 days
Compliance page (SOC 2, ISO 27001, DORA)
Heatmap calendar
Test execution timeline
Score breakdown
RTO trend analytics
Score history export (CSV)
SUPPORT
Email support (48h SLA)
Onboarding call (30 min)
14-day free trial

Start Free Trial

Enterprise

Custom

From €15,000/year

Volume discounts for 5+ clusters

For CISOs and regulated industries who need certified compliance evidence and enterprise controls.

Everything in Team, plus:
SCALE
Multi-cluster management
SSO / OIDC authentication
RBAC multi-tenant
Air-gapped deployment support
COMPLIANCE & REPORTING
PDF compliance reports (audit-ready)
SOC 2 / ISO 27001 / DORA templates
SIEM API integration
Vanta / Drata connector
Full audit trail
Custom report branding
SUPPORT
Priority support (4h SLA)
Dedicated Slack channel
Quarterly business review
Custom onboarding & training

Contact Sales

A single failed restore costs more than 10 years of Kymaros Team. The average Kubernetes outage costs over $1M/hour.

Frequently asked questions

One Kubernetes cluster where the Kymaros Operator is installed. Development, staging, and production each count as separate clusters. We offer discounts for non-production clusters.

Yes. The Team tier comes with a 14-day free trial. Install Kymaros, enable Team features, and see compliance reports and 90-day analytics before committing. No credit card required for the trial.

Your RestoreTests and operator configuration stay unchanged. You'll lose access to the Compliance page and your score history will be limited to the last 7 days. All historical data remains in your cluster as RestoreReport CRDs — you can always query them with kubectl.

The Operator is fully open source (Apache 2.0). You get unlimited RestoreTests, all 5 health check types, full scoring, and a working dashboard. The only limits are 7-day history in the dashboard and no compliance reports. There's no telemetry, no usage tracking, no data leaving your cluster.

Yes. Contact us for startup pricing (50% off Team for the first year) and non-profit pricing.

What teams discover with Kymaros

Real patterns found by teams running automated restore validation for the first time.

“3 out of 12 production namespaces had broken restores. Missing Secrets that were rotated after the last backup.”

Common finding — Secret rotation drift

“Our declared RTO was 30 minutes. Kymaros measured 47 minutes on the first test. We never would have known without automated measurement.”

Common finding — RTO gap

“Two Deployments used deprecated Kubernetes API versions. The restore applied successfully but pods crash-looped. Velero showed 'Completed'.”

Common finding — Silent API deprecation

Start proving your backups work. Tonight.

Install Kymaros in your cluster in 2 minutes. Your first RestoreReport arrives by morning. No credit card. No signup. Just a Helm install.

$ kubectl apply -f https://raw.githubusercontent.com/kymaroshq/kymaros/main/dist/install.yaml

Read the Docs GitHub Join the Community