RiskWatch
RiskWatch · Founded 1993 · Sarasota, Florida, USA
IT asset inventory that feeds cyber and IT risk assessment, aligned to NIST CSF 2.0 and ISO 27001, with per-asset risk and vulnerability linkage
Summary
RiskWatch runs cyber and IT risk assessment on top of the asset inventory. Each hardware endpoint, on-prem server, cloud workload, and SaaS application is registered with its criticality and owner, then carries its own risk register, control assignments, and vulnerability linkage, so the inventory is the input to a NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, and NIST 800-171 r3 risk assessment rather than a static list. Cyber maturity scoring rolls control-effectiveness up to residual risk per asset and per business unit. The same asset register also stands as control evidence under ISO 27001 A.5.9 (Inventory of information and other associated assets), NIST 800-53 Rev. 5 CM-8, NIST CSF 2.0 ID.AM-01 through ID.AM-05, CIS Controls v8.1 Controls 1 and 2, HIPAA 164.310(d)(1), and PCI DSS v4.0.1, and cross-maps across all 40+ frameworks so one asset counts once and surfaces in every framework the auditor reviews. Single-tenant deployment with customer-owned data residency. RiskWatch is honest about its profile: it is the cyber-risk-and-controls layer, not a discovery scanner. For network-wide agentless discovery, customers pair RiskWatch with Lansweeper, Axonius, or Device42 and feed the discovered inventory in as the source of truth. The platform earns first place because, for a team whose load-bearing need is an audit-defensible inventory tied to cyber risk and control evidence rather than a raw discovery output, that combination of risk depth, framework breadth, and single-tenant data residency fits the brief better than any pure-play scanner.
Strengths
- Cyber and IT risk assessment aligned to NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, and NIST 800-171 r3; the asset inventory is the input, not the output
- Each asset carries its own risk register, control assignments, and vulnerability linkage; cyber maturity scoring rolls control-effectiveness up to residual risk per asset and per business unit
- Asset register also stands as control evidence under ISO 27001 A.5.9 + A.5.10 + A.8.1, NIST 800-53 Rev. 5 CM-8 and enhancements, NIST CSF 2.0 ID.AM-01 through ID.AM-05, CIS Controls v8.1 Controls 1 and 2, HIPAA 164.310(d)(1), and PCI DSS v4.0.1
- Cross-mapping engine auto-detects shared controls so one asset counts once and surfaces in every framework the auditor reviews
- Survey-based asset attestation for distributed environments where agent rollout is impractical
- Single-tenant deployment with customer-owned data residency for asset-data confidentiality (US, EU, UK, CA, AU regions)
- Quote-only pricing across all tiers
- 33-year operating history with continuity through 5 US presidential administrations
Weaknesses
- Not a discovery scanner; no agentless network sweep, no hardware fingerprint library, no shadow-IT SaaS discovery; for those, customers pair RiskWatch with Lansweeper, Axonius, or Device42
- Not a software asset management specialist at Flexera depth; license optimisation and vendor true-up defence are thinner than Flexera One IT Visibility
- Not a CMDB at ServiceNow depth; configuration items and dependency mapping are shallower than the Now Platform CMDB
- Quote-only pricing; all tiers gated behind a sales conversation
IT and security team (250-25,000 employees) that needs the asset inventory to drive a NIST CSF 2.0, ISO 27001, CMMC, or NIST 800-171 cyber risk assessment and stand as audit-defensible control evidence in one tenant, rather than three specialist tools for the inventory, the risk register, and the controls.
IT operations team whose primary brief is 'find every device on every subnet in 24 hours' with no audit framework attached; for that brief, Lansweeper is the right answer. Also not the right answer for a software-asset-management programme defending a Microsoft, Oracle, or SAP true-up; for that brief, Flexera One fits better.
Key features
- Cyber and IT risk assessment aligned to NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, NIST 800-171 r3
- Per-asset risk register, control assignments, and vulnerability linkage
- Cyber maturity scoring: control-effectiveness rolled up to residual risk
- Asset register as control evidence under ISO 27001 A.5.9 + NIST 800-53 CM-8 + NIST CSF 2.0 ID.AM
- Cross-mapping engine for 40+ frameworks sharing one asset register
- Hardware + on-prem + cloud + SaaS asset categories supported
- Survey-based asset attestation for distributed environments
- CIS Controls v8.1 Controls 1 and 2 baseline templates
- HIPAA 164.310(d) and PCI DSS v4.0.1 9.5 and 12.5.1 inventory templates
- Single-tenant deployment with customer-owned data residency; SSO + SCIM + audit log export
Integrations
45+ native. Notable: Active Directory, Entra ID, Jira, ServiceNow, Microsoft 365, Power BI, Tableau.
Target size
250 to 50,000 employees · US · EU · UK · CA · AU