Dynamic adaptation of backup policy schemes based on threat confidence

US12554591B2 · US · B2

Patent metadata
Publication number: US-12554591-B2
Application number: US-202318471833-A
Country: US
Kind code: B2
Filing date: Sep 21, 2023
Priority date: Sep 21, 2023
Publication date: Feb 17, 2026
Grant date: Feb 17, 2026

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Method and apparatus for data backup. A first backup of a computing system is generated at a first time. A first confidence of compromise level of the computing system for the first time is generated. The first backup is stored along with metadata, where the metadata comprises the first confidence of compromise level of the computing system at the first time. In response to evaluating the first confidence of compromise level based on one or more backup criteria, a backup policy of the computing system is modified.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising:
    generating a first backup of a computing system at a first time;
    generating a first confidence score of a compromise level for the first backup, comprising: identifying at least one of system anomalies, intrusion detection data, or indicators of compromise as input metrics, assigning a weight to each of the input metrics based on an infrastructure of the computing system, and calculating the first confidence score using a scoring algorithm that combines the weighted metrics;
    storing the first backup along with metadata comprising the first confidence score of the compromise level;
    in response to a determination that the first confidence score of the compromise level exceeds a risk allowable threshold, modifying a backup policy of the computing system to retain the first backup and a second backup, wherein the second backup corresponds to an immediately preceding backup relative to the first backup;
    training a machine learning (ML) model for forensic analysis using historical system data and a selected training algorithm;
    determining a likelihood of a breach by analyzing the first and second backups using the ML model, comprising: extracting a feature set from the first and second backups, the feature set comprising the first confidence score associated with the first backup, a second confidence score associated with the second backup, and one or more security incident metrics, providing the feature set as input to the trained ML model, and determining the likelihood of a breach based on inference from the trained ML model; and
    in response to a determination that the likelihood exceeds a defined threshold, sending a notification of the detected breach and the modified backup policy to one or more other computing systems.

2. The method of claim 1, wherein the first confidence score of the compromise level is determined based at least in part on at least one of (i) system anomalies; (ii) intrusion detections; or (iii) indicators of compromise.

3. The method of claim 1, wherein the backup policy, before modification, specifies to delete the second backup upon generation of the first backup and expiration of a defined time interval.

4. The method of claim 1, further comprising: in response to a determination that the first confidence score of the compromise level is a minimum across existing backups of the computing system, retaining the first backup of data.

5. The method of claim 1, further comprising: generating a second backup of the computing system at a second time, wherein the second backup is an immediately preceding backup relative to the first backup; storing the second backup with metadata comprising a second confidence score of the compromise level of the computing system at the second time; and comparing an increase from the second confidence score to the first confidence score with one or more significance criteria.

6. The method of claim 5, further comprising: in response to determining that the increase satisfies the one or more significance criteria, retaining the first backup and the second backup for forensic analysis.

7. The method of claim 1, further comprising: in response to a determination that the likelihood exceeds the defined threshold, initiating a third backup of the computing system, comprising at least one of capturing current states of the computing system, generating a new backup of the computing system, or recording relevant metadata.

8. The method of claim 1, wherein the one or more other computing systems are in a clustered system with the computing system.

9. The method of claim 1, wherein the one or more other computing systems share access to data stored in one or more backup sets with the computing system.

10. A system, comprising: one or more computer processors; and one or more memories collectively containing one or more programs which when executed by the one or more computer processors performs an operation, the operation comprising:
    generating a first backup of a computing system at a first time;
    generating a first confidence score of a compromise level for the first backup, comprising: identifying at least one of system anomalies, intrusion detection data, or indicators of compromise as input metrics, assigning a weight to each of the input metrics based on an infrastructure of the computing system, and calculating the first confidence score using a scoring algorithm that combines the weighted metrics;
    storing the first backup along with metadata comprising the first confidence score of the compromise level;
    in response to a determination that the first confidence score of the compromise level exceeds a risk allowable threshold, modifying a backup policy of the computing system to retain the first backup and a second backup, wherein the second backup corresponds to an immediately preceding backup relative to the first backup;
    training a machine learning (ML) model for forensic analysis using historical system data and a selected training algorithm;
    determining a likelihood of a breach by analyzing the first and second backups using the ML model, comprising: extracting a feature set from the first and second backups, the feature set comprising the first confidence score associated with the first backup, a second confidence score associated with the second backup, and one or more security incident metrics, providing the feature set as input to the trained ML model, and determining the likelihood of a breach based on inference from the trained ML model; and
    in response to a determination that the likelihood exceeds a defined threshold, sending a notification of the detected breach and the modified backup policy to one or more other computing systems.

11. The system of claim 10, wherein the first confidence score of the compromise level is determined based at least in part on at least one of (i) system anomalies; (ii) intrusion detections; or (iii) indicators of compromise.

12. The system of claim 10, wherein the backup policy, before modification, specifies to delete the second backup upon generation of the first backup and expiration of a defined time interval.

13. The system of claim 10, wherein the operation further comprising: generating a second backup of the computing system at a second time, wherein the second backup is an immediately preceding backup relative to the first backup; storing the second backup with metadata comprising a second confidence score of the compromise level of the computing system at the second time; and comparing an increase from the second confidence score to the first confidence score with one or more significance criteria.

14. The system of claim 13, wherein the operation further comprises: in response to determining that the increase satisfies the one or more significance criteria, retaining the first backup and the second backup for forensic analysis.

15. The system of claim 10, wherein the one or more other computing systems are in a clustered system with the computing system.

16. A computer program product comprising one or more computer-readable storage media collectively containing computer-readable program code that, when executed by operation of one or more computer processors, performs an operation comprising:
    generating a first backup of a computing system at a first time;
    generating a first confidence score of a compromise level for the first backup, comprising: identifying at least one of system anomalies, intrusion detection data, or indicators o
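
The retention logic in claims 1 and 3 to 6, sketched as an added example; it is not code from the patent or its assignee, and it leaves out the ML forensic step and the notification. The weights, thresholds, class names and the keep-newest-N stand-in for the rotation policy of claim 3 are assumptions, since the claims give no values.

```python
from dataclasses import dataclass

# Assumed values: the claims name the metric types, a "risk allowable threshold"
# and "significance criteria" but give no numbers.
WEIGHTS = {"anomalies": 0.3, "intrusion": 0.3, "ioc": 0.4}
RISK_THRESHOLD = 0.6     # claim 1: retain when the score exceeds this
SIGNIFICANT_JUMP = 0.3   # claims 5-6: score increase that triggers retention

@dataclass
class Backup:
    backup_id: str
    score: float            # confidence-of-compromise score, stored as metadata
    retained: bool = False  # True = exempt from normal rotation

def confidence_score(metrics):
    """Weighted sum of metrics, each clamped to [0, 1] (assumed scoring algorithm)."""
    return round(sum(w * min(max(metrics.get(k, 0.0), 0.0), 1.0)
                     for k, w in WEIGHTS.items()), 4)

class BackupCatalog:
    def __init__(self, keep_last=1):
        self.keep_last = keep_last  # unmodified policy: keep only the newest N
        self.backups = []

    def add(self, backup_id, metrics):
        new = Backup(backup_id, confidence_score(metrics))
        prev = self.backups[-1] if self.backups else None
        self.backups.append(new)
        jump = prev is not None and new.score - prev.score >= SIGNIFICANT_JUMP
        if new.score > RISK_THRESHOLD or jump:
            # Policy change: pin this backup and the immediately preceding one.
            new.retained = True
            if prev is not None:
                prev.retained = True
        self._rotate()
        return new

    def _rotate(self):
        # Always keep the lowest-scoring backup as the best restore candidate.
        cleanest = min(self.backups, key=lambda b: b.score)
        cutoff = len(self.backups) - self.keep_last
        self.backups = [b for i, b in enumerate(self.backups)
                        if b.retained or b is cleanest or i >= cutoff]

def demo():
    """Constructed sequence: three quiet backups, one suspicious, one quiet."""
    cat = BackupCatalog()
    for bid, m in [("b1", {"anomalies": 0.1}), ("b2", {"anomalies": 0.2, "intrusion": 0.1}),
                   ("b3", {"anomalies": 0.2, "intrusion": 0.2, "ioc": 0.1}),
                   ("b4", {"anomalies": 0.9, "intrusion": 0.8, "ioc": 0.7}), ("b5", {"anomalies": 0.1})]:
        cat.add(bid, m)
    return [(b.backup_id, b.score, b.retained) for b in cat.backups]
```

In the constructed run, `b2` is rotated out normally, while `b3` survives only because the suspicious `b4` pinned its predecessor, which preserves the before-and-after pair for forensic comparison.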

Classifications

  • by selection of backup contents · CPC title

  • involving event detection and direct action · CPC title

  • Management of the backup or restore process · CPC title

  • Backup scheduling policy · CPC title

  • G06F21/577 · Primary

    Assessing vulnerabilities and evaluating computer system security · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06F11/1461. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 17, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).