CyberGRX vs UpGuard Comparison

CyberGRX relies on point-in-time risk assessments to determine enterprise risk and primarily focuses on internal security controls and policies. While UpGuard focuses on both internal and external security postures through the use of security questionnaires and instantaneous security ratings.

• CyberGRX: Relies on a shared library of point-in-time risk assessments.
• UpGuard: Provides an always up-to-date score between 0 and 950 along with the following letter grades, A: 801-950, B: 601-800, C: 401-600, D: 201-400, F: 0-200. You can request your free security rating by clicking here.

According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.

Risk assessment methodology

CyberGRX provides a risk exchanged based on a storehouse of validated third-party risk assessments. It's designed to remove inefficiencies in third-party risk management programs for vendors who are responding to the same risk assessments again and again. Rather than doing the same risk assessment over and over, CyberGRX aims to let vendors do one assessment and share it with any company that wants it.

Standardizing security assessment practices against recognized security frameworks, and making attestations easily shareable can help all businesses save time, resources, and increase trust in their supply chain. This is why UpGuard has also introduced a Security Assessment exchange to market. UpGuard adds critical risk monitoring capabilities, integrated vendor processes, and accessibility to provide businesses with a complete solution for risk and compliance needs.

• CyberGRX: Relies on point-in-time risk assessments which can become out of date until the next assessment process.
• UpGuard: Uses point-in-time risk assessments along with security ratings. Our security ratings algorithm runs hundreds of individual checks including email security and email spoofing risks (SPF, DKIM, and DMARC), website security (SSL, HSTS, header exposure), phishing and malware risk, explicit checks for 200 services across thousands of ports (mail, app, user auth, file sharing, voice, administration, database, unidentified, and open ports), domain hijacking risk (DNSSEC and domain registry issues), reputational risks (CEO rating and employee rating), credential management (exposure to known data breaches and data leaks detected by our data leak detection engine).

Scope

Not every solution is able to provide the same level of coverage. If your organization employs small specialist vendors, they may not be covered by a solution. As you know, even cyber attacks on small vendors can lead to large data breaches, e.g. the HVAC vendor that eventually led to Target's exposure of credit card and personal data on more than 110 million consumers.

• CyberGRX: 63,883 companies on the exchange.
• UpGuard: 2,000,000 organizations scanned daily and new vendors can be automatically added by customers.

The usability, design, and learning curve of a product can play a large role in deciding which solution is right for you. The faster you and your team can get up to speed, the faster you can get your money's worth. CyberGRX and UpGuard offer their services via SaaS with minimal installation or configuration needed and are easily accessible from a web-based platform that can help you find, assess, and remediate risk.

• CyberGRX: Risks detailed on each point-in-time vendor assessment, which means new risks are only detected during the next assessment process. Remediation requests are not available. Their risk assessments are aligned to NIST and ISO 27001.
• UpGuard: High-level summation of risk with the ability to drill down into precise technical details. Each risk is prioritized based on extensive research conducted by our in-house security team, and where possible remediation and protection suggestions are provided. Additionally, we have a library of pre-built questionnaires that can be sent and managed with the UpGuard platform including a pandemic (e.g. coronavirus), ISO 27001, PCI DSS, NIST Cybersecurity Framework, CCPA, and Modern Slavery questionnaires. Read our full guide on the top security questionnaires here.

CyberGRX and UpGuard both invest in their community, making it easier for customers and prospects to get up to speed, reduce operational overhead, and decide on the right product for them. Each company has their own blogs that are useful sources of information for cybersecurity awareness training.

• CyberGRX: Company and product blog.
• UpGuard: The UpGuard cybersecurity and risk management blog is updated four times a week and our breach research blog has uncovered and secured some of the largest data breaches.

New vulnerabilities are uncovered, exploited, and shared on CVE on a daily basis. The faster a provider can incorporate changes and determine how to respond to threats should be a large factor in choosing a solution. Additionally, they should be comfortable with updating, adjusting, and improving their service based on customer requests.  

UpGuard has always adopted DevOps principles internally to develop, test, and release software, ensuring fast and consistent releases that have been tested for quality, and as we use both security ratings and risk assessments, we can incorporate new threats quickly.

Third-party risk management solutions can be expensive, with opaque pricing policies designed to put the power in the hands of the provider. They are typically priced on a per vendor, per year basis.

• CyberGRX: There is no public pricing available for CyberGRX, making it hard to know how much you would pay without talking to them.
• UpGuard: UpGuard has a transparent pricing model which you can view here. UpGuard pricing starts at $5k/year and scales with your company. If you have any questions, please let us know via sales@upguard.com and we will follow up.

While both services have their own platforms, some customers also want to access the resources they provide outside of their platform to consolidate them into another product or service. Both solutions offer standard APIs to pull data into other enterprise applications.

APIs are useful for technical staff, but not all vendor risk management teams have access to developers. This is why standard third-party integrations are an important part of decision-making.  

• CyberGRX: Integrates with BitSight, Optiv, and other platforms.
• UpGuard: Integrates with GRC platforms, ticketing systems like ServiceNow, and more.

The best proof comes from each solution's customers. CyberGRX and UpGuard both have impressive customer lists, none more distinguished than the other.

• CyberGRX: Customers include ADP, Blackstone, aetna, GV, and ClearSky.
• UpGuard: Customers include NASA, the New York Stock Exchange (ICE), Morningstar, Akamai, Bill.com, IAG, and ADP. Read our customer case studies here and our Gartner reviews here.

At the end of the day, the entire point of using a third-party risk management solution is to stop security incidents from happening in the first place. This makes the ability of a solution to prevent data breaches and other cyber attacks the main consideration. What differentiates CyberGRX and UpGuard are how well their methodology determines actual attack vectors, as well as their ability to detect data breaches and data leaks before they end up for sale on the dark web.

• CyberGRX: Relies on risk assessments which can quickly become out of date as new zero-day exploits are discovered and new IT infrastructure is used. The truth is that questionnaires, much like penetration testing, can be subjective and become inaccurate over time as new security issues emerge. Additionally, CyberGRX provides no controls for capturing data loss incidents.
• UpGuard: As UpGuard checks for misconfigurations across your Internet footprint, many important breach vectors are covered, including phishing, ransomware susceptibility (like WannaCry), man-in-the-middle attacks, DNSSEC, vulnerabilities, email spoofing, domain hijacking, and DNS issues. For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day. This repo contained personal identity documents and system credentials including passwords, AWS key pairs, and private keys. We're able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public Github repos, and unsecured RSync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research. The UpGuard methodology is continuously refined based on the actual data breaches we have discovered and reported to the world in the New York Times, Bloomberg, Washington Post, Forbes, and TechCrunch.

Finally, let's take a look at how CyberGRX and UpGuard compare when assessed by UpGuard's platform on July 28, 2020.