Cavirin vs RiskRecon

Last updated by UpGuard on June 29, 2020


The emergence of the cyber risk assessment space marks a strategic shift in how enterprises handle digital threats, from traditional, ineffective security-centric approaches to blended frameworks that combine layered security and risk management. Let's see how Cavirin and RiskRecon stack up when it comes to measuring enterprise cyber risk.

Data breaches are continually on the rise and won't be letting up any time soon, especially with digital transformation in the works across the globe. And despite a marked rise in enterprise cybersecurity spending year-on-year, security incidents continue to increase in volume and severity.


In order to capitalize on technology's benefits, enterprises must maintain a healthy, albeit grounded appetite for technological risk—without endangering the livelihood of the business. Solutions like Cavirin ARAP and RiskRecon enable enterprises to ascertain the impact existing IT assets and/or third party vendors have on their cyber risk postures. 


Founded in 2012, Santa Clara-based Cavirin Systems offers risk analysis and assessment through its Automated Risk Assessment Platform (ARAP) and Pulsar, its elastic security platform. Its solutions provide risk assessment and policy compliance monitoring/reporting services for on-premise, cloud, and containerized infrastructures.

The Cavirin UI. Source:

Among others, a feature worth noting is ARAP's Docker support: the platform provides an integrated, menu-driven tool for ensuring that Docker containers are in line with CIS Docker v1.11.0 benchmarks.


You may recall last year's Australian Red Cross and Michael Page/Capgemini data breaches and 2015's CVS/Costco/PNI Photo hack, all security fiascos resulting from third party security failures. RiskRecon emerged out of stealth mode last year with a solution for helping firms avoid exactly these incidents: a SaaS platform for assessing third party cyber risk.

The RiskRecon UI. Source:

The platform enables enterprises to build a portfolio of third party vendors and partners to monitor/track; assessments are based on external data like website perimeter security, DNS security, and email security, among others.

Side-by-Side Scoring: Cavirin vs. RiskRecon

1. Capability Set

Cavirin ARAP provides continuous monitoring and automated assessment and reporting for both cloud and on-premise IT infrastructures. In contrast, RiskRecon is fairly limited in scope—the solution only measures third party risk based on external data sources.



2. Usability / Learning Curve

Both platforms are trivial to get up to speed with, featuring modern web-based interfaces and sensibly laid out menus and visual controls. Cavirin in particular provides a range of features designed for simplicity, including one-button assessments and easy-to-configure/run compliance report cards.



3. Community Support

As relatively new, specialized enterprise security offerings, neither Cavirin nor RiskRecon has much to offer in terms of community support. That said, Cavirin's public support resources are more plentiful than RiskRecon's—in fact, the latter does not provide any support resources via its website.

Cavirin score_3.png
RiskRecon score_2.png


4. Release Rate

Currently on version 8.4.2, Cavirin has seen regular releases over the years since its initial release back in 2012; in contrast, RiskRecon—having debuted in 2016—has a limited release history.



5. Pricing and Support

Cavirin's pricing model varies depending on deployment architecture and infrastructure size—for example, its AWS virtual appliance costs $495/month for a subscription on top of metered pricing per instance.

RiskRecon's pricing is not publicly available; similarly, support resources are noticeably absent from its website. In contrast, Cavirin provides a decent corpus of public support materials as well as an online help desk/knowledge base and support portal (password protected). 

Cavirin score_4.png



6. API and Extensibility

Cavirin's ARAP does not come with a REST API, though it does provide an SDK for its Scripted Policy Framework. That said, the company's forthcoming Pulsar platform does leverage a RESTful API architecture. RiskRecon does not provide any API with its solution.



7. 3rd Party Integrations

Cavirin features integrations with the leading cloud service providers such as AWS, Microsoft Azure, and Google Cloud Platform. Additionally, the platform supports VMware, KVM, and Docker, among others. In contrast, RiskRecon does not have any third party integrations to speak of.

RiskRecon score_5.png


8. Companies that Use It

RiskRecon does not provide a list of its marquee customers on its website, though it claims that the top 500 businesses in the U.S. have signed up as customers. In contrast, Cavirin's customer list includes prominent enterprises such as Zephyr Health, Grainger, SCOR, Gainsight, and Jitterbit, to name a few.



9. Predict Capabilities

Cavirin's platform continuously discovers, monitors, and tracks the state of IT assets in the cloud or datacenter, but doesn't provide other critical capabilities like vulnerability testing and security analytics. Again, according to Cavirin, these advanced security features will be available in its forthcoming Pulsar solution. RiskRecon's coverage is even more limited in scope, focusing only on third party vendor risk assessment.

Cavirin score_4.png
RiskRecon score_3.png


10. CSR

Cavirin's 532 CSR score is a reflection of numerous website perimeter security flaws: server information leakage, lack of HTTP strict transport security, missing secure cookies, lack of DMARC/DNSSEC, and database ports open to the public. RiskRecon's 561 CSR score is better, but still suffers due to numerous security flaws like lack of sitewide SSL, missing HTTP strict transport security, and disabled DMARC/DNSSEC.



Scoreboard and Summary

  Cavirin RiskRecon
Total  3.6 out of 5  2.3 out of 5

Cyber risk is multifaceted and the two solutions in this comparison focus on different measures of it: RiskRecon only gauges digital risk as it pertains to the firm's digital supply chain, while Cavirin focuses on the state of internal IT assets in the cloud or on-premise. If you're looking for a solution designed solely for assessing third party risk, RiskRecon is a safe bet—otherwise, Cavirin provides more granular, comprehensive risk assessments based on the infrastructure's internal state, though it leaves out external risk factors that may impact the enterprise's security posture.
