Cavirin vs RiskRecon
Abstract shapeAbstract shape
Join 27,000+ cybersecurity newsletter subscribers

The emergence of the cyber risk assessment space marks a strategic shift in how enterprises handle digital threats, from traditional, ineffective security-centric approaches to blended frameworks that combine layered security and risk management. Let's see how Cavirin and RiskRecon stack up when it comes to measuring enterprise cyber risk.

Data breaches are continually on the rise and won't be letting up any time soon, especially with digital transformation in the works across the globe. And despite a marked rise in enterprise cybersecurity spending year-on-year, security incidents continue to increase in volume and severity.

In order to capitalize on technology's benefits, enterprises must maintain a healthy, albeit grounded appetite for technological risk—without endangering the livelihood of the business. Solutions like Cavirin ARAP and RiskRecon enable enterprises to ascertain the impact existing IT assets and/or third party vendors have on their cyber risk postures. 


Founded in 2012, Santa Clara-based Cavirin Systems offers risk analysis and assessment through its Automated Risk Assessment Platform (ARAP) and Pulsar, its elastic security platform. Its solutions provide risk assessment and policy compliance monitoring/reporting services for on-premise, cloud, and containerized infrastructures.

The Cavirin UI
The Cavirin UI. Source:

Among others, a feature worth noting is ARAP's Docker support: the platform provides an integrated, menu-driven tool for ensuring that Docker containers are in line with CIS Docker v1.11.0 benchmarks.


You may recall last year's Australian Red Cross and Michael Page/Capgemini data breaches and 2015's CVS/Costco/PNI Photo hack, all security fiascos resulting from third party security failures. RiskRecon emerged out of stealth mode last year with its solution for helping firms avoid these incidents, specifically—with its SaaS platform for assessing third party cyber risk.

The RiskRecon UI
The RiskRecon UI. Source:

The platform enables enterprises to build a portfolio of third party vendors and partners to monitor/track; assessments are based on external data like website perimeter security, DNS security, and email security, among others.

Side-by-Side Scoring: Cavirin vs. RiskRecon

1. Capability Set

Cavirin ARAP provides continuous monitoring and automated assessment and reporting for both cloud and on-premise IT infrastructures. In contrast, RiskRecon is fairly limited in scope—the solution only measures third party risk based on external data sources.

Cavirin RiskRecon
5/5 3/5

2. Usability / Learning Curve

Both platforms are trivial to get up to speed with, featuring modern web-based interfaces and sensibly laid out menus and visual controls. Cavirin in particular provides a range of features designed for simplicity, including one-button assessments and easy-to-configure/run compliance report cards.

Cavirin RiskRecon
5/5 4/5

3. Community Support

As relatively new, specialized enterprise security offerings, neither Cavirin or RiskRecon have much to offer in terms of community support. That said, Cavirin's public support resources are more plentiful than RiskRecon's—in fact, the latter does not provide any support resources via its website.

Cavirin RiskRecon
3/5 2/5

4. Release Rate

Currently on version 8.4.2, Cavirin has seen regular releases over the years since its initial release back in 2012; in contrast, RiskRecon—having debuted in 2016—has a limited release history.

Cavirin RiskRecon
5/5 4/5

5. Pricing and Support

Cavirin's pricing model varies depending on deployment architecture and infrastructure size—for example, its AWS virtual appliance costs $495/month for a subscription on top of metered pricing per instance.

RiskRecon's pricing is not publicly available; similarly, support resources are noticeably absent from its website. In contrast, Cavirin provides a decent corpus of public support materials as well as an online help desk/knowledge base and support portal (password protected). 

Cavirin RiskRecon
4/5 1/5

6. API and Extensibility

Cavirin's ARAP does not come with a REST API, though it does provide an SDK for its Scripted Policy Framework. That said, the company's forthcoming Pulsar platform does leverage a RESTful API architecture. RiskRecon does not provide any API with its solution.

Cavirin RiskRecon
3/5 1/5

7. 3rd Party Integrations

Cavirin features integrations with the leading cloud service providers such as AWS, Microsoft Azure, and Google Cloud Platform. Additionally, the platform supports VMware, KVM, and Docker, among others. In contrast, RiskRecon does not have any third party integrations to speak of.

Cavirin RiskRecon
3/5 1/5

8. Companies that Use It

RiskRecon does not provide a list of its marquee customers on its website, though it claims that the top 500 businesses in the U.S. have signed up as customers. In contrast, Cavirin's customer list includes prominent enterprises such Zephyr Health, Grainger, SCOR, Gainsight, and Jitterbit, to name a few.

Cavirin RiskRecon
4/5 2/5

9. Predict Capabilities

Cavirin's platform continuously discovers, monitors, and tracks the state of IT assets in the cloud or datacenter, but doesn't provide other critical capabilities like vulnerability testing and security analytics. Again, according Cavirin—these advanced security features will be available in its forthcoming Pulsar solution. RiskRecon's coverage is even more limited in scope, focusing only on third party vendor risk assessment.

Cavirin RiskRecon
4/5 3/5

10. Security rating

Cavirin's security rating of 513/950 reflects a number of security issues. While RiskRecon's security rating of 684/950 is better, it too has a number of security issues.

Scoreboard and Summary

  Cavirin RiskRecon
Capability set 5/5 3/5
Usability and learning curve 5/5  4/5 
Community support 3/5  2/5 
Release rate 5/5  4/5 
Pricing and support 4/5  1/5 
API and extensibility 3/5  1/5 
3rd party integration 3/5  1/5 
Companies that use it 3/5  2/5 
Predict capabilities 4/5  3/5 
Security rating 513 684
Total 3.8/5  2.5/5

Cyber risk is multifaceted and the two solutions in this comparison focus on different measures of it: RiskRecon only gauges digital risk as it pertains to the firm's digital supply chain, while Cavirin focuses on the state of internal IT assets in the cloud or on-premise. If you're looking for a solution designed solely for assessing third party risk, RiskRecon is a safe bet—otherwise, Cavirin provides more granular, comprehensive risk assessments based on the infrastructure's internal state, though it leaves out external risk factors that may impact the enterprise's security posture


UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape