Case studyFortune 100: 80% less compliance workRead the Story
RiskWatch
Updated May 14, 2026 · 10 platforms evaluated

Top 10 Physical Security Assessment Software in 2026: A Buyer-First TVRA Ranking

Honest 2026 ranking of the 10 best physical security assessment software platforms, scored on TVRA workflow, ASIS alignment, crime data overlay, multi-site rollup, and pricing.

By RiskWatch Editorial · Physical Security and Compliance Software Research

Verdict

TL;DR

If you run a multi-site corporate security program and need ASIS-aligned TVRAs with crime data overlay and enterprise rollup, RiskWatch ranks first on our weighted score. Resolver is the strongest pick when investigations and incident management sit in the same tenant as assessment; Circadian Risk fits mid-market teams who want a clean vulnerability-to-remediation workflow without a heavy GRC platform tax; AlertEnterprise Guardian is the right call when physical identity and access governance is the primary risk surface. Genetec, Milestone, and Verkada belong on this list because buyers shortlist them, but they are video and access platforms with assessment as a side workflow, not TVRA-first tools.

Pick by use case

Where each platform fits

ASIS-aligned multi-site TVRA at enterprise scale
RiskWatch: 35+ pre-built libraries including ASIS Facility Physical Security Control Standards, NERC CIP-014, FEMA 426/452, NIST 800-53 PE, plus crime data overlay from four feeds and offline mobile site walks.
Corporate security with investigations and incidents in one tenant
Resolver: Kroll-owned since March 2022; G2 Best Software Awards 2025 honoree; deepest investigations workflow in the category.
Mid-market pure-play TVRA with strong remediation tracking
Circadian Risk: Series A $11.3M raised; vulnerability assessment and corrective action plan workflow purpose-built for physical security.
Physical identity governance plus risk assessment
AlertEnterprise Guardian: G2 Spring 2026 Grid Leader for Physical Security; PIAM-led with policy enforcement, personal risk assessment, and PACS integration.
Enterprise multi-discipline risk including physical
Riskonnect: Salesforce-native ERM with 2,700+ enterprise customers and mature multi-site rollup; physical security one module of many.
Unified VMS plus access control with assessment as a side workflow
Genetec Security Center: Industry standard for unified video, access, ALPR, and intrusion; SaaS pricing now published per channel and per door.
Cloud-native multi-site surveillance with lightweight assessment
Verkada: Cloud VMS, access, alarms, and guest in one console; AI analytics; weakest pre-built TVRA library of any platform here.
Travel risk and critical event management linked to physical risk
OnSolve (Crisis24): Acquired by GardaWorld July 30 2024; risk intelligence, mass notification, incident management, travel risk in one Crisis24 platform.
Open VMS platform with strong reporting and 8,000+ device support
Milestone XProtect: Widest camera and sensor compatibility; XProtect 2026 R1 added scheduled reporting and long-term cloud storage; assessment workflow is third-party.
Integrator-led security advisory plus deployment
Convergint: Global service-based integrator with Deloitte alliance for cyber-physical convergence; assessments delivered as professional services, not self-serve software.

Physical security assessment software is a contested label. Buyers searching for it want one of three different things: a Threat-Vulnerability-Risk-Assessment platform that survives an ASIS, NERC CIP-014, or FEMA review; a Video Management System with access control and analytics; or an integrated risk platform where physical security is one module among many. The ten platforms in this ranking serve at least one of those briefs well, and none of them serves all three equally. We ranked them on a single weighted score so a Director of Corporate Security who knows their primary use case can find the right pick in under two minutes.

We considered 22 platforms across G2 Spring 2026 Grid for Physical Security, Capterra for security risk management, the ASIS Foundation vendor directory, and Gartner Peer Insights for video surveillance and PIAM. We cut to ten by removing pure-play body-worn cameras and patrol-management tools, excluding VMS-only platforms that ship no assessment workflow whatsoever, and including the two protective intelligence platforms that buyers most commonly shortlist alongside TVRA tools. The result is ten platforms a real multi-site corporate security buyer might shortlist in 2026.

Pricing transparency is poor in this category. Eight of the ten platforms here gate pricing behind a demo. Genetec publishes Security Center SaaS pricing per channel and per door, and SafetyCulture (excluded from this top 10 but covered on the companion comparison page) publishes tiered pricing. The other eight, including RiskWatch, are quote-only. We triangulated the opaque vendors from public third-party teardowns and dated each estimate. The methodology block at the bottom of this page spells out the weights, the sources, and the conflict disclosure.

At-a-glance

Comparison table

The 10 platforms scored on the methodology weights at the bottom of this page. Pricing-transparency pill is the buyer-honesty signal.

RankProductBest forPricing transparencyG2Verdict
1RiskWatch
RiskWatch International
Multi-site enterprises running ASIS-aligned TVRAs across 5+ facilities, especially in energy and utilities, manufacturing, logistics, healthcare, and government.Partial4.5/5
60+ reviews
35+ pre-built physical-security standards libraries on day one, ASIS plus NERC CIP-014...
2Resolver
Resolver, a Kroll Business
Corporate security, physical security, and operational-risk teams at mid-large enterprise; retail, manufacturing, and energy customers tying incidents to risk register.Opaque4.3/5
200+ reviews
Strongest investigations and case-management workflow in the category, heritage from...
3Circadian Risk
Circadian Risk, Inc.
Mid-market security teams (10-50 sites) who want a focused TVRA platform with strong remediation tracking and are willing to build their own standards templates.Opaque4.4/5
30+ reviews
Pure-play focus on physical security risk analysis, not a GRC bolt-on
4AlertEnterprise Guardian
AlertEnterprise, Inc.
Utilities, hospitals, airports, and Fortune 500 facilities where physical-cyber identity convergence is the primary risk surface and PACS integration matters more than TVRA library breadth.Opaque4.5/5
40+ reviews
G2 Spring 2026 Grid Leader for Physical Security category
5Riskonnect
Riskonnect, Inc.
Enterprise insurance, claims, manufacturing, and retail customers running ERM at scale where physical security is one of several risk disciplines.Opaque4.2/5
180+ reviews
2,700+ enterprise customers across six continents, the largest active install base...
6Genetec Security Center
Genetec Inc.
Large enterprise and campus deployments that need a single pane for VMS, ACS, and analytics, with periodic assessments layered on via a separate tool.Partial4.4/5
320+ reviews
Industry standard for unified VMS plus access control plus ALPR in one console
7Verkada
Verkada Inc.
Cloud-first multi-site retail, education, and mid-market enterprise that wants unified cameras, access, and alarms with minimal IT lift, and that runs assessments via a separate tool.Opaque4.5/5
1800+ reviews
Cloud-native multi-site deployment with no on-prem server stack required
8OnSolve (Crisis24)
Crisis24, a GardaWorld company
Enterprises with dispersed workforces, executive travel programs, and duty-of-care obligations under ISO 31030 or similar; security teams whose primary risk is threat-to-people not facility risk.Opaque4.4/5
150+ reviews
Largest AI-powered risk intelligence feed in this ranking, combining GardaWorld field...
9Milestone XProtect
Milestone Systems
Buyers who want maximum camera-hardware freedom and an open-platform VMS, with assessment delivered via a separate tool like RiskWatch.Opaque4.3/5
220+ reviews
Widest camera and sensor compatibility in the category, hardware-agnostic by design
10Convergint
Convergint Technologies LLC
Buyers who want a one-off enterprise security roadmap, a large multi-site PACS deployment, or an advisory-led cyber-physical convergence project rather than recurring assessment software.Opaquen/a
0+ reviews
Global service-based integrator with offices in 30+ countries
Calculator

Estimate the licence cost

Drag the slider to your headcount. Estimates use each vendor's published or triangulated tiers. Opaque vendors show Contact sales.

500
11.3k2.5k3.8k5k
RiskWatch
Professional (≤ 1,000 employees)
$36,000/yr
Resolver
Mid-market (est.) (quote-only tier)
Contact sales
Circadian Risk
Mid-market (est.) (quote-only tier)
Contact sales
AlertEnterprise Guardian
Guardian Express (est.) (quote-only tier)
Contact sales
Riskonnect
Enterprise entry (est.) (quote-only tier)
Contact sales
Genetec Security Center
Enterprise on-prem (est.) (quote-only tier)
Contact sales
Verkada
Enterprise (est.) (quote-only tier)
Contact sales
OnSolve (Crisis24)
Critical Event Management (est.) (quote-only tier)
Contact sales
Milestone XProtect
XProtect Corporate (est.) (quote-only tier)
Contact sales
Convergint
Risk assessment engagement (est.) (quote-only tier)
Contact sales

Estimates only. Opaque-pricing vendors do not publish list prices; bands are triangulated from public third-party sources dated 2026-05-14. Implementation services, module add-ons, and renewal escalators are extra.

Pick your own weights

Decision matrix

Default weights match the methodology at the bottom of this page. Drag the sliders to match your priorities and re-rank in real time.

15%

How quickly a non-technical control owner reaches first value

25%

Module coverage across ERM, IT, audit, TPRM, BC

20%

Price to value ratio at mid-market

15%

Quality and responsiveness of vendor support

15%

Handling 5,000+ employees, multiple entities, regions

10%

Breadth of native connectors and APIs

Weights sum: 100%
  1. 1
    RiskWatch
    Editorial rank #1
    8.87
  2. 2
    Resolver
    Editorial rank #2
    8.34
  3. 3
    AlertEnterprise Guardian
    Editorial rank #4
    8.22
  4. 4
    Circadian Risk
    Editorial rank #3
    8.04
  5. 5
    Riskonnect
    Editorial rank #5
    8.00
  6. 6
    OnSolve (Crisis24)
    Editorial rank #8
    7.99
  7. 7
    Genetec Security Center
    Editorial rank #6
    7.88
  8. 8
    Verkada
    Editorial rank #7
    7.85
  9. 9
    Milestone XProtect
    Editorial rank #9
    7.79
  10. 10
    Convergint
    Editorial rank #10
    7.55
Switching cost

Migration matrix

Read row-to-column. Row = today's platform, column = tomorrow's. Colour reflects realistic switching effort, not vendor sales pitches.

From / To
RiskWatch
Resolver
Circadian Risk
AlertEnterprise Guardian
Riskonnect
Genetec Security Center
Verkada
OnSolve
Milestone XProtect
Convergint
RiskWatch.MEMHMEEMM
ResolverE.EEHEEEMM
Circadian RiskMM.MHHEMHH
AlertEnterprise GuardianEEE.HEEEEE
RiskonnectHHHH.HHHHH
Genetec Security CenterHMEMH.EEEE
VerkadaHHMHHH.MHH
OnSolveHMEMHME.MM
Milestone XProtectHHMHHEEM.E
ConvergintHHMHHMEME.
Easy (E)Moderate (M)Hard (H)Source: per-vendor migration field with radar-profile fallback. Treat as a directional guide, not a quote.
Methodology

How we scored and why you should trust it

The methodology is the only thing keeping this page honest. Read it carefully and apply your own weights in the decision matrix above.

RiskWatch published this ranking. RiskWatch accepts no affiliate fees, sponsorship money, or paid placements on this page. RiskWatch is also in the ranking, at #1. Readers should weigh that disclosure against the published evidence on this page. We scored each of the ten platforms on six axes weighted for the physical-security buyer: Feature Breadth covering TVRA workflow and ASIS alignment (25%), Value including pricing transparency (20%), Ease of Use including mobile and offline site walks (15%), Customer Support (15%), Scalability across multi-site rollups (15%), and Integrations with VMS, PACS, GIS, and crime data feeds (10%). Scores are 0-10 and calibrated within this category. Ratings reference G2 and Capterra figures pulled 2026-05-14. Pricing reflects the most-recent published or triangulated figures, also pulled 2026-05-14; where pricing is opaque we report a range based on two or more public third-party sources. We re-verify this page quarterly.

Weights used in the editorial ranking

Ease of use
15%
Feature breadth
25%
Value
20%
Customer support
15%
Scalability
15%
Integrations
10%
#1

RiskWatch

RiskWatch International · Founded 1993 · Annapolis, MD, USA

TVRA-first physical security assessment software with 35+ standards libraries and crime-data overlay.

Partial pricingG2 4.5 · Capterra 4.6 · 60+ reviews

Summary

RiskWatch ships a physical security risk assessment platform built around pre-mapped libraries for 35+ standards including ASIS Facility Physical Security Control Standards, NERC CIP-014 R4 and R5, NIST 800-53 PE, NIST 800-30, FEMA 426 and 452, ISC RMP, OSHA, Joint Commission, C-TPAT, NFPA 1600, and ISO 28000. Likelihood pulls from four crime-data feeds (Cap Index CRIMECAST, Security Gauge, GlobalIncidentMap, World Aware). Customers include Aon, Bose, Coca-Cola, Johnson and Johnson, Tennessee Valley Authority, and multiple US electric utilities running the NERC CIP-014 30-month cycle. The product has been in the field since 1993.

Strengths
  • 35+ pre-built physical-security standards libraries on day one, ASIS plus NERC CIP-014 plus FEMA 426/452 plus NIST 800-53 PE plus ISC RMP plus C-TPAT plus OSHA plus Joint Commission
  • Crime-data overlay from four independent feeds, every likelihood score traces back to its source and last-updated date
  • Browser-based mobile TVRA that works offline at substations and remote perimeter areas, syncs when cellular returns, no findings lost
  • Site Risk Cycle with ISO 31000 and NIST 800-30 semi-quantitative scoring, findings convert to tracked tasks with owners and proof-of-close
  • Average assessment drops from 31 hours to 8 hours per facility, internal RiskWatch benchmark across 200+ customers
  • 30-day free trial with no credit card and full platform access, the only TVRA-first vendor on this list offering it
  • Single-tenant deployment option with US-only data residency for federal and utility customers under NERC CIP physical-perimeter rules
Weaknesses
  • Public pricing is opaque, quote-based and scaled by framework count and site count, marked partial because typical contract bands are published in the pricing calculator on this page
  • Brand awareness on G2 and Capterra in physical security specifically is lower than Genetec or Verkada, total review volume sits below 100
  • Not a VMS or access control system, integrates with Genetec, Lenel, Avigilon, Milestone and similar via APIs and bulk imports rather than deep native connectors
  • Less protective intelligence (threat-to-person) depth than Ontic or Crisis24, the platform's centre of gravity is facility risk not executive protection
  • UI shows its operational heritage in some assessment-builder screens, competing newer entrants like Verkada have a more polished first-run experience for non-specialist users
Best for

Multi-site enterprises running ASIS-aligned TVRAs across 5+ facilities, especially in energy and utilities, manufacturing, logistics, healthcare, and government.

Worst for

Single-site buyers who only need cameras and badge readers, no separate TVRA program; Verkada or Genetec is the better fit there.

Key features

  • Pre-built libraries for ASIS Facility Physical Security Control Standards, NERC CIP-014 R4/R5, NIST 800-53 PE, NIST 800-30, FEMA 426 and 452, ISC RMP, OSHA, Joint Commission, C-TPAT, NFPA 1600, ISO 28000
  • Crime-data overlay from Cap Index CRIMECAST, Security Gauge, GlobalIncidentMap, World Aware
  • Browser-based mobile site walks that work offline and sync on reconnect
  • Site Risk Cycle with per-site cadence, recommendation register, and proof-of-close
  • Multi-site rollup dashboards at site, region, and enterprise level with year-over-year trends
  • Board-ready report templates that pass an insurer or regulator review
  • Single-tenant deployment with customer-owned data residency option
  • 30-day free trial, no credit card, full platform access

Integrations

25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Cap Index CRIMECAST, Genetec, Lenel, Avigilon (API + bulk import), Jira, Custom REST API.

Target size

100 to 25,000 employees · US · Canada · EU · UK · AU

#2

Resolver

Resolver, a Kroll Business · Founded 2000 · Toronto, Ontario, Canada

Corporate security suite with mature investigations, incidents, and security risk modules.

Opaque pricingG2 4.3 · Capterra 4.3 · 200+ reviews

Summary

Resolver was founded in 2000 in Toronto and acquired by Kroll in March 2022. The platform sits at the intersection of corporate security, physical security, incident management, and investigations, which makes it the natural pick when your risk program is owned by security operations rather than IT or internal audit. Resolver was named to G2's 2025 Best Software Awards in the GRC category and carries a 4.3/5 rating across 180+ reviews. The platform safeguards over $6.5 trillion in market cap for more than 1,000 global companies according to Resolver's own metrics.

Strengths
  • Strongest investigations and case-management workflow in the category, heritage from physical security and corporate security customers
  • Kroll ownership unlocks intelligence-led risk feeds and global investigations support that standalone vendors cannot match
  • G2 Best Software Awards 2025 honoree in GRC; 4.3/5 across 180+ reviews
  • Mature multi-site security risk module aligned to ISO 31000 and ASIS ESRM
  • Strong threat-assessment and brand-protection use cases for retail and consumer-brand customers
Weaknesses
  • Pricing is opaque, no public tier and no self-serve trial; SelectHub and SmartSuite teardowns place mid-market deals in the $45-90K range
  • Setup and configuration is heavy; G2 reviewers consistently flag implementation effort as the most-cited downside
  • UX has not had a generational rewrite; competitors with newer cloud interfaces feel more modern on first run
  • Pulled toward security-operations use cases; less natural fit for facilities-led TVRA programs that want pre-built ASIS libraries out of the box
  • Smaller pre-built physical-security standards library than RiskWatch, NERC CIP-014 and FEMA 426/452 require custom configuration rather than ship pre-mapped
Best for

Corporate security, physical security, and operational-risk teams at mid-large enterprise; retail, manufacturing, and energy customers tying incidents to risk register.

Worst for

Smaller facility-led security teams that want a pre-built ASIS library and a 30-day trial; Resolver is overkill and the price reflects it.

Key features

  • Security risk register aligned to ISO 31000 and ASIS ESRM
  • Incident reporting and case management
  • Investigations workflow with chain-of-custody
  • Brand-protection and threat-assessment feeds (Kroll-powered)
  • Business continuity and operational resilience module
  • Configurable dashboards and multi-site rollup reports
  • Mobile incident reporting for guard force and frontline staff
  • Vendor and contractor risk module

Integrations

40+ native. Notable: Microsoft Entra ID, Okta, ServiceNow, Splunk, Genetec, Lenel, Kroll intelligence feeds.

Target size

1,000 to 1,00,000 employees · US · Canada · UK · EU · AU

#3

Circadian Risk

Circadian Risk, Inc. · Founded 2016 · Ann Arbor, MI, USA

Pure-play physical security risk software with vulnerability-to-remediation workflow.

Opaque pricingG2 4.4 · Capterra 4.5 · 30+ reviews

Summary

Circadian Risk was founded in 2016 by Paul Mestemaker and Daniel R Young in Ann Arbor and built a SaaS platform purpose-built for physical security risk analysis. The product runs a proprietary score-based method comparing risks across sectors and locations, with strong vulnerability assessment and corrective action plan modules. Series A funding totals $11.3M and PitchBook places valuation at $22M as of September 2025. The platform is the right pick when a mid-market security team wants a clean TVRA workflow without the heavier GRC platform tax of Resolver or Riskonnect.

Strengths
  • Pure-play focus on physical security risk analysis, not a GRC bolt-on
  • Strong vulnerability assessment to corrective action plan workflow with remediation tracking
  • Multi-location dashboard for risk and compliance status across sites
  • Works with arbitrary standards templates, not locked to a built-in library set
  • Cleaner first-run experience than the larger GRC platforms
Weaknesses
  • Smaller pre-built standards library than RiskWatch; teams bringing ASIS, NERC CIP-014, or FEMA 426/452 must build the templates themselves
  • No built-in crime-data feeds; likelihood is operator-scored rather than overlaid from third-party data
  • Pricing on request only, no public trial, no self-serve sign-up
  • Series A company at $22M valuation; some enterprise procurement teams want a vendor with 10+ years of operating history before signing 3-year deals
  • Smaller install base and review volume than the established GRC players, harder to find enterprise reference customers
Best for

Mid-market security teams (10-50 sites) who want a focused TVRA platform with strong remediation tracking and are willing to build their own standards templates.

Worst for

Enterprises that need pre-built NERC CIP-014, FEMA 426/452, or ASIS libraries on day one, or that require crime-data overlay rather than operator-scored likelihood.

Key features

  • Vulnerability assessment workflow with proprietary score-based method
  • Corrective action plan module with remediation tracking
  • Multi-location risk dashboard
  • Arbitrary-standards template engine
  • Site-by-site risk comparison and benchmarking
  • Findings register with owner and due-date tracking
  • Configurable reporting for board and executive readers
  • Web and mobile assessment capture

Integrations

15+ native. Notable: Microsoft Entra ID, Okta, Microsoft Excel / CSV import, Custom REST API.

Target size

100 to 5,000 employees · US · Canada · UK

#4

AlertEnterprise Guardian

AlertEnterprise, Inc. · Founded 2007 · Fremont, CA, USA

Physical Identity and Access Management platform with policy-driven risk assessment.

Opaque pricingG2 4.5 · Capterra 4.4 · 40+ reviews

Summary

AlertEnterprise Guardian is the category leader in Physical Identity and Access Management (PIAM), and was named a Leader in the G2 Spring 2026 Grid Report for Physical Security. The platform sits between HR systems, Active Directory, and Physical Access Control Systems (PACS) like Lenel, Genetec, and CCURE, enforcing access policies and running Personal Risk Assessment (PRA) checks. Strength is identity-driven risk for utilities, healthcare, and Fortune 500 buyers; weakness is that the centre of gravity is access governance, not facility-level TVRA.

Strengths
  • G2 Spring 2026 Grid Leader for Physical Security category
  • Deepest PIAM integration with PACS (Lenel, Genetec, CCURE, Honeywell, Software House) of any platform on this list
  • Personal Risk Assessment (PRA) workflow with automated policy enforcement and expiration alerts
  • Fortune 500 customer base across utilities (NERC CIP physical-cyber convergence), healthcare, and aerospace
  • GenAI-powered identity reconciliation across IT and OT environments
Weaknesses
  • Centre of gravity is identity and access governance, not facility-level TVRA; ASIS site assessments are not the primary workflow
  • Pricing is enterprise-tier and opaque; no published list, typical deals are six-figure annual contracts
  • Implementation is consultant-heavy; expect 90-180 day deployment with PACS integration scope
  • Less crime-data-overlay capability than RiskWatch or Crisis24 for likelihood scoring
  • Smaller G2 review volume than the larger GRC platforms; reference-customer pool is narrower
Best for

Utilities, hospitals, airports, and Fortune 500 facilities where physical-cyber identity convergence is the primary risk surface and PACS integration matters more than TVRA library breadth.

Worst for

Mid-market security teams running facility TVRAs against ASIS, NERC CIP-014, or FEMA 426/452 who do not have an existing PACS estate to govern.

Key features

  • Physical Identity and Access Management (PIAM) with PACS integration
  • Personal Risk Assessment (PRA) workflow with policy enforcement
  • Blended threat detection across IT, PACS, and Industrial Control Systems
  • Visitor and contractor management
  • GenAI identity reconciliation across HR, AD, and OT directories
  • Compliance reporting for NERC CIP, HIPAA, SOX physical-access controls
  • Real-time policy enforcement with automated provisioning and de-provisioning
  • Audit-ready access certification workflow

Integrations

35+ native. Notable: Lenel S2 / OnGuard, Genetec Security Center, Software House CCURE, Honeywell ProWatch, Microsoft Active Directory, Workday, SAP SuccessFactors.

Target size

2,000 to 1,00,000 employees · US · Canada · UK · EU · APAC

#5

Riskonnect

Riskonnect, Inc. · Founded 2007 · Atlanta, GA, USA

Salesforce-native integrated risk platform with physical security as one module of many.

Opaque pricingG2 4.2 · Capterra 4.4 · 180+ reviews

Summary

Riskonnect runs on Salesforce and is built around an integrated-risk data model covering ten GRC disciplines from one tenant. Physical security risk lives alongside enterprise risk, insurance, claims, and business continuity. The company serves 2,700+ enterprise customers across six continents and is owned by TA Associates with Thoma Bravo and Arrowroot Capital. The platform is the right pick when physical security is part of a broader ERM story rather than the singular focus; it is the wrong pick when you want a TVRA-first product with pre-built ASIS libraries on day one.

Strengths
  • 2,700+ enterprise customers across six continents, the largest active install base among the integrated platforms on this list
  • Salesforce-native architecture means inherited Salesforce SSO, mobile, and reporting capabilities
  • Strong business continuity and operational resilience modules sit alongside physical security
  • Mature claims-management and insurance integration (Ventiv Technology acquisition)
  • Unified board-level risk story across cyber, physical, and operational risk
Weaknesses
  • Generalist platform; less depth on facility-level TVRA workflow than RiskWatch, Resolver, or Circadian Risk
  • G2 reviewers consistently flag initial complexity and overwhelming UI before familiarity sets in
  • Pricing reported by SmartSuite starting at $283K annually, the highest entry point in this ranking
  • Salesforce dependency cuts both ways, non-Salesforce shops absorb a platform tax they did not budget for
  • Pre-built physical-security standards libraries are weaker than RiskWatch; ASIS and NERC CIP-014 require custom configuration
Best for

Enterprise insurance, claims, manufacturing, and retail customers running ERM at scale where physical security is one of several risk disciplines.

Worst for

Sub-1000-employee security-led teams running pure-play TVRAs; cost-prohibitive and over-built for that brief.

Key features

  • Salesforce-native data model
  • Security risk register with multi-site rollup
  • Business continuity and operational resilience
  • Insurance and claims management
  • Third-party / vendor risk management
  • Compliance and policy management
  • Internal audit workflow
  • Connected risk dashboards for board reporting

Integrations

200+ native. Notable: Salesforce AppExchange ecosystem, Microsoft Entra ID, ServiceNow, SAP, Workday, Tableau.

Target size

1,000 to 1,00,000 employees · US · Canada · UK · EU · AU · APAC · LATAM

#6

Genetec Security Center

Genetec Inc. · Founded 1997 · Montreal, Quebec, Canada

Unified VMS, access control, ALPR, and intrusion in one console; assessment is a side workflow.

Partial pricingG2 4.4 · Capterra 4.6 · 320+ reviews

Summary

Genetec Security Center is the industry standard for unified physical security platforms, tying video surveillance, access control, automatic licence plate recognition, and intrusion into one console. The product is the right pick when the buyer's primary brief is real-time operations across cameras and doors. It is the wrong pick when the brief is a periodic TVRA program against ASIS or NERC CIP-014. Genetec now publishes Security Center SaaS pricing per channel and per door, making it one of only two platforms in this ranking with public pricing.

Strengths
  • Industry standard for unified VMS plus access control plus ALPR in one console
  • Strong analytics across video, badge, and licence-plate data
  • Mature integration ecosystem with hundreds of camera and access control hardware manufacturers
  • Security Center SaaS now publishes per-channel and per-door pricing, partial transparency advantage
  • Large active customer base in airports, large retail, transit, and city-wide surveillance programs
Weaknesses
  • Not a TVRA or assessment platform, assessment workflows are auxiliary and require third-party tools
  • No pre-built ASIS, NIST 800-30, FEMA 426/452, or NERC CIP-014 question libraries
  • Hardware and licensing complexity, costs scale significantly with channel and door counts per G2 and Capterra reviewers
  • Learning curve for new operators, multi-site administration becomes complex as estate grows
  • Plug-in interfacing could be more robust per G2 reviewer commentary
Best for

Large enterprise and campus deployments that need a single pane for VMS, ACS, and analytics, with periodic assessments layered on via a separate tool.

Worst for

TVRA-first programs that need an ASIS or NERC CIP-014 assessment platform; Genetec does not ship the libraries or the workflow.

Key features

  • Unified video management (Omnicast)
  • Access control (Synergis)
  • Automatic Licence Plate Recognition (AutoVu)
  • Intrusion detection
  • Analytics across video, badge, and LPR data
  • Mobile operator app for guard force and supervisors
  • Federated multi-site architecture
  • Hardware-agnostic integration framework

Integrations

200+ native. Notable: Axis Communications, Bosch, HID Global, Mercury Security, AlertEnterprise Guardian, Microsoft Entra ID, ServiceNow.

Target size

500 to 2,50,000 employees · Global

#7

Verkada

Verkada Inc. · Founded 2016 · San Mateo, CA, USA

Cloud-native unified physical security suite with light assessment templates.

Opaque pricingG2 4.5 · Capterra 4.5 · 1800+ reviews

Summary

Verkada was founded in 2016 in San Mateo by former Cisco Meraki engineers and built a cloud-native platform spanning cameras, access control, alarms, environmental sensors, intercom, and guest management. The product carries a 4.5/5 G2 rating across 1,800+ reviews and is the cloud-native challenger to Genetec at mid-market and multi-site retail. Strengths are ease of deployment and AI-powered video analytics; weaknesses are licence cost, software-update access issues per G2 reviewers, and the near-absence of a TVRA-style assessment workflow.

Strengths
  • Cloud-native multi-site deployment with no on-prem server stack required
  • 4.5/5 G2 rating across 1,800+ reviews, one of the largest review volumes in this category
  • Strong AI-powered video analytics, tailgating detection, and people-counting features
  • Unified suite across cameras, access, alarms, intercom, sensors, and guest in one console
  • 24/7 customer support praised in reviews
Weaknesses
  • Licence costs and ongoing subscription fees flagged as expensive by multiple G2 reviewers
  • Software-update access issues and lack of IP filtering for mobile access cited in 2026 reviews
  • Connectivity issues including bandwidth strain and camera downtime reported by reviewers
  • Inaccurate detection particularly tailgating and unknown-user errors despite badging per recent reviews
  • Weakest TVRA workflow on this list; no pre-built ASIS or NIST 800-30 question libraries
Best for

Cloud-first multi-site retail, education, and mid-market enterprise that wants unified cameras, access, and alarms with minimal IT lift, and that runs assessments via a separate tool.

Worst for

TVRA-led security programs against ASIS, NERC CIP-014, or FEMA 426/452; Verkada does not ship the assessment workflow or the libraries.

Key features

  • Cloud-native unified VMS
  • Access control with badge, mobile, and Bluetooth credentials
  • Alarms and environmental sensors
  • Intercom and guest management
  • AI-powered video analytics including tailgating and people-counting
  • Multi-site federated dashboards
  • Mobile operator app
  • Open API for SIEM and ITSM integration

Integrations

30+ native. Notable: Microsoft Entra ID, Okta, Google Workspace, Splunk, ServiceNow, Slack.

Target size

100 to 50,000 employees · US · Canada · UK · EU · AU

#8

OnSolve (Crisis24)

Crisis24, a GardaWorld company · Founded 2017 · Alpharetta, GA, USA

Critical event management, mass notification, and travel risk under the Crisis24 umbrella.

Opaque pricingG2 4.4 · Capterra 4.5 · 150+ reviews

Summary

OnSolve was acquired by GardaWorld on July 30 2024 and integrated into the Crisis24 business, combining critical event management, mass notification, incident management, travel risk, and AI-driven risk intelligence in one platform. The product is the right pick when physical risk is dominated by threat-to-people events, dispersed workforces, travel-risk obligations, or duty-of-care programs. It is the wrong pick when the brief is periodic facility TVRAs, OnSolve does not ship an ASIS assessment library and was never designed for that workflow.

Strengths
  • Largest AI-powered risk intelligence feed in this ranking, combining GardaWorld field operations with Crisis24 OSINT
  • Mass notification at scale (multi-channel: SMS, voice, email, mobile app, desktop)
  • Travel risk and duty-of-care workflow for mobile workforces
  • Strong integration with the broader GardaWorld global security operations footprint
  • Continuous threat-feed updates rather than periodic assessment cadence
Weaknesses
  • Not a TVRA platform; no pre-built ASIS, NIST 800-30, FEMA 426/452, or NERC CIP-014 libraries
  • Acquisition integration ongoing post-July 2024; product roadmap and brand alignment between OnSolve and Crisis24 still in flux
  • Opaque pricing; enterprise-tier deals typical, no self-serve trial
  • Less facility-level multi-site assessment rollup than RiskWatch or Resolver
  • Centre of gravity is threat-to-people and critical events, not physical infrastructure risk scoring
Best for

Enterprises with dispersed workforces, executive travel programs, and duty-of-care obligations under ISO 31030 or similar; security teams whose primary risk is threat-to-people not facility risk.

Worst for

Facility-led TVRA programs against ASIS or NERC CIP-014; the platform is not built for that workflow.

Key features

  • AI-powered risk intelligence feed
  • Mass notification across multiple channels
  • Incident management with playbooks
  • Travel risk and duty-of-care workflow
  • Global Security Operations Centre access (Crisis24 SOC)
  • Geospatial threat-to-asset mapping
  • Mobile app for traveller check-in and SOS
  • Integration with HR and travel-booking systems

Integrations

40+ native. Notable: Workday, SAP SuccessFactors, Concur, Microsoft Entra ID, Slack, Microsoft Teams, ServiceNow.

Target size

1,000 to 2,50,000 employees · Global

#9

Milestone XProtect

Milestone Systems · Founded 1998 · Brondby, Denmark

Open-platform VMS with the widest camera compatibility and scheduled system reporting.

Opaque pricingG2 4.3 · Capterra 4.4 · 220+ reviews

Summary

Milestone Systems was founded in 1998 in Denmark and acquired by Canon in 2014. XProtect is the open-platform VMS standard, supporting the widest range of cameras and sensors in the industry. The 2026 R1 release added long-term cloud video storage, customizable scheduled reporting, a WebSocket-based PTZ API, and a redesigned LogServer interface. The product is the right pick when camera-hardware freedom and reporting matter more than a tightly coupled access-control suite. It does not ship a TVRA workflow, assessment is delivered via third-party plugins or separate platforms.

Strengths
  • Widest camera and sensor compatibility in the category, hardware-agnostic by design
  • XProtect 2026 R1 added long-term cloud video storage and customizable scheduled system reporting
  • Open developer ecosystem with hundreds of third-party plug-ins
  • Canon ownership provides stability; no PE renewal-pressure dynamic
  • Strong multi-site federated architecture with central log visibility
Weaknesses
  • Not a TVRA platform; no pre-built ASIS, NIST 800-30, FEMA 426/452, or NERC CIP-014 assessment libraries
  • Assessment workflows require third-party plugins or external platforms
  • Hardware-agnostic design means complexity scales with sensor mix; not turnkey like Verkada
  • Quote-only pricing for enterprise tiers; no public list price
  • Access control is integration-led, not native, unlike Genetec Synergis or Verkada Access
Best for

Buyers who want maximum camera-hardware freedom and an open-platform VMS, with assessment delivered via a separate tool like RiskWatch.

Worst for

TVRA-first programs needing pre-built ASIS or NERC CIP-014 libraries; Milestone is a VMS, not an assessment platform.

Key features

  • Open-platform VMS supporting 8,000+ cameras and devices
  • Long-term cloud video storage (XProtect 2026 R1)
  • Customizable scheduled system reporting
  • WebSocket-based PTZ API
  • Multi-site federated architecture
  • Mobile alert thumbnails for iOS
  • Centralized log visibility (new LogServer)
  • Open developer ecosystem and plug-in marketplace

Integrations

500+ native. Notable: Axis Communications, Bosch, Hanwha Vision, Sony, Canon, Lenel S2, Genetec (via plug-in).

Target size

50 to 2,50,000 employees · Global

#10

Convergint

Convergint Technologies LLC · Founded 2001 · Schaumburg, IL, USA

Global integrator delivering physical security risk assessments as professional services.

Opaque pricing

Summary

Convergint was founded in 2001 and is one of the largest service-based security integrators globally, with offices in 30+ countries. The company offers physical security risk assessments and enterprise security roadmap creation as professional services rather than self-serve software. A 2024 alliance with Deloitte expanded the cyber-physical security convergence offering, and the company integrates Software House, Lenel S2, Genetec, and other PACS platforms. Convergint is the right pick when the buyer wants advisory-led assessment plus deployment in one contract; it is the wrong pick when the brief is recurring TVRA software ownership.

Strengths
  • Global service-based integrator with offices in 30+ countries
  • Physical security risk assessments delivered as advisory professional services
  • 2024 Deloitte alliance for cyber-physical security convergence and GSOC modernization
  • Strong PACS deployment expertise: Software House, Lenel S2, Genetec, Avigilon, Honeywell
  • Single-contract scope for assessment, design, deployment, and managed services
Weaknesses
  • Not a software product; assessment is a service engagement, not a recurring SaaS deliverable
  • No platform to log in to between assessments; findings live in PDFs and spreadsheets
  • Service-engagement pricing model means no per-site recurring TVRA workflow
  • Less suitable for multi-site programs that want quarterly or annual self-service reassessment
  • Cyber-physical convergence depth comes from Deloitte alliance, not first-party software
Best for

Buyers who want a one-off enterprise security roadmap, a large multi-site PACS deployment, or an advisory-led cyber-physical convergence project rather than recurring assessment software.

Worst for

Security teams that need quarterly or annual self-service TVRAs across 10+ facilities with year-over-year trend reporting; Convergint is service-shaped, not software-shaped for that workflow.

Key features

  • Physical security risk assessment as professional service
  • Enterprise security roadmap creation
  • PACS design and deployment (Software House, Lenel S2, Genetec, Avigilon)
  • Global Security Operations Centre modernization
  • Cyber-physical convergence (Deloitte alliance)
  • Touchless access control deployment
  • Service-led managed security operations
  • Multi-country deployment coordination

Integrations

100+ native. Notable: Software House CCURE, Lenel S2 OnGuard, Genetec Security Center, Avigilon, Honeywell ProWatch, AlertEnterprise Guardian.

Target size

1,000 to 5,00,000 employees · Global

Step by step

Buying guide

Walk these steps in order. The shortlist falls out of step 1, the negotiation moves come together in step 6, and step 8 closes the deal.

  1. 1

    Name your primary use case in one sentence

    Before you shortlist, write down the one job you must solve. Examples: pass an ASIS-aligned TVRA at 12 manufacturing plants by year-end; run NERC CIP-014 R4 across 28 critical substations on the 30-month cycle; consolidate guard-tour reports and incident data into a single security risk register; modernize PIAM across HR, AD, and PACS. The shortlist falls out of the answer.

  2. 2

    Match shortlist to facility count and budget band

    Filter the ten platforms here by site count and budget. Under 5 sites with a $20K budget rules out everything except Circadian Risk and RiskWatch Starter. Over 50 sites with a $100K+ budget filters back in Resolver, Riskonnect, AlertEnterprise Guardian, and RiskWatch Enterprise. Genetec, Milestone, and Verkada belong on a parallel VMS/PACS shortlist, not the TVRA shortlist.

  3. 3

    Verify pre-built libraries before the demo

    If your program runs against ASIS Facility Physical Security Control Standards, NERC CIP-014 R4/R5, NIST 800-53 PE, FEMA 426/452, or ISC RMP, ask each vendor to show you the library on screen during the demo. Pre-built means pre-mapped controls and pre-scored question banks. Vendors who promise to build it for you after signing are charging you for a configuration project that should already be done.

  4. 4

    Pressure-test the crime-data and likelihood story

    Defensible TVRA likelihood scores trace back to a sourced, dated data point. RiskWatch overlays four crime-data feeds (Cap Index CRIMECAST, Security Gauge, GlobalIncidentMap, World Aware). Other platforms either rely on operator-scored likelihood (Circadian Risk) or pull threat-feed data shaped for protective intelligence (Crisis24, Ontic) rather than facility risk. Pick the one that matches what your insurer and board will accept.

  5. 5

    Insist on a working pilot, not a demo

    Demos are choreographed. Working pilots are not. Ask each finalist for a 30-day pilot with your real data: three sites, one framework, one mobile site walk, one auditor-export. The platform that handles your data without three weeks of professional services is the one that will scale post-deal. RiskWatch publishes a 30-day no-card trial; other vendors require a structured POC.

  6. 6

    Ask for the renewal-escalator cap in writing

    Renewal-pricing pressure is the silent budget killer. PE-owned vendors (Riskonnect, Convergint, Verkada) historically signal 8-15% annual uplift pressure. Verkada's hardware-bundle model creates a 10-year camera-refresh dependency that compounds the same way. Ask for the renewal-escalator cap in the master subscription agreement and walk if the vendor refuses.

  7. 7

    Pressure-test the data residency and exit clause

    Physical security data includes site diagrams, access logs, and findings registers that are sensitive in their own right. Ask each vendor: where does my data live, who can access it, what happens to it if I leave? RiskWatch supports single-tenant deployment with US-only data residency for federal and NERC CIP customers. Most SaaS-first vendors are multi-tenant; that is fine if the SOC 2 report holds up. Get the exit clause in writing.

  8. 8

    Run the decision matrix with your own weights

    The methodology weights on this page (25% Features, 20% Value, 15% Ease, 15% Support, 15% Scalability, 10% Integrations) reflect a multi-site corporate security buyer. Your weights may differ. Use the decision-matrix slider on this page to re-rank with your weights before you book the demos. If a different platform wins your weighting honestly, that is the right pick for your program.

Frequently asked

Buyer questions, answered

The eight questions our pre-sales team hears the most often when buyers compare this category.

What is physical security assessment software?
Physical security assessment software is a category of platforms that help corporate security teams identify, score, and treat physical risk across facilities. The category overlaps with TVRA (Threat, Vulnerability, Risk Assessment) tooling, integrated risk management, and physical identity governance. The ten platforms in this ranking serve at least one of those needs well; VMS-only platforms without an assessment workflow are excluded.
What is the difference between TVRA software and a VMS?
A Video Management System (VMS), like Genetec, Milestone, or Verkada, captures and analyses video and access events in real time. TVRA software, like RiskWatch, Resolver, or Circadian Risk, runs the periodic Threat, Vulnerability, and Risk Assessment program: surveyors walk each site against a standards library (ASIS, NERC CIP-014, NIST 800-30), score findings, attach evidence, and produce board-ready reports. The two are complementary. The VMS tells you what is happening right now; the TVRA platform tells you whether your facility-level program is defensible the next time the regulator, the insurer, or the board asks.
Which platforms cover NERC CIP-014 for electric utilities?
RiskWatch ships NERC CIP-014 R4 (vulnerability assessment) and R5 (security plan) as pre-built libraries and is used by multiple electric utilities to run the every-30-month cycle, including the unaffiliated third-party review option. Resolver and Riskonnect can support CIP-014 with custom configuration. Circadian Risk supports it through arbitrary-standard templates. AlertEnterprise Guardian covers the physical-access side under CIP-006 and CIP-014 R5. Genetec, Verkada, OnSolve, Milestone, and Convergint are not aimed at this workflow as software products.
Which platform is best for ASIS-aligned multi-site TVRA?
RiskWatch ranks first on our weighted score because it ships ASIS Facility Physical Security Control Standards as a pre-built library, pulls likelihood from four crime-data feeds, works offline on mobile, runs multi-site rollups, and offers a 30-day no-card trial. Resolver and Circadian Risk are credible alternatives. Resolver fits when investigations and incidents must live in the same tenant as assessment; Circadian Risk fits mid-market teams who are willing to author their own templates and do not need crime-data overlay.
How much should I budget for physical security assessment software in 2026?
Entry pricing ranges from $0/yr (Milestone XProtect Essential+ free tier, 8-camera cap) and ~$480/channel/yr (Genetec Security Center SaaS) to $283K+/yr (Riskonnect enterprise entry). For a mid-market multi-site TVRA program (5-25 sites, 2-4 frameworks) expect $25K-$60K/yr on licence plus 15-25% implementation costs. For enterprise programs (50+ sites, multi-framework, with crime-data overlay and PIAM convergence) expect $100K-$300K/yr. Always model 3-year TCO and ask for the renewal-escalator cap in writing.
Does RiskWatch replace my Genetec or Lenel system?
No. RiskWatch is the assessment, scoring, reporting, and audit-trail layer that sits above your physical security operation. Genetec, Lenel S2, Avigilon, Milestone, and Verkada handle real-time video and access control; RiskWatch tells you which controls are present, which are weak, which have been remediated, and how the portfolio rolls up to the board year over year. RiskWatch integrates with VMS and PACS systems via API and bulk import for evidence ingestion.
How often is this ranking re-verified?
We re-verify the ratings, pricing triangulations, and material vendor news on this page every quarter. The current pull is dated 2026-05-14. Pricing for opaque vendors is triangulated from two or more public third-party sources (SmartSuite, SelectHub, Vendr, vendor public marketing pages, G2 + Capterra). If a number on this page is stale when you read it, please file the correction at sales@riskwatch.com.
Does RiskWatch accept any money from the other vendors on this page?
No. RiskWatch accepts no affiliate fees, sponsorship money, or paid placements on this page. RiskWatch is also on the page, at #1. That conflict is disclosed inline on the RiskWatch product card and in the methodology block. Readers should weigh that disclosure against the published evidence on this page.
Definitions

Glossary

Definitions for the acronyms and jargon used on this page. Useful for sharing with non-specialist stakeholders on the buying committee.

TVRA
Threat, Vulnerability, and Risk Assessment. The periodic facility-level program that scores threats against vulnerabilities and produces a treatment plan. RiskWatch, Resolver, and Circadian Risk are TVRA-first platforms in this ranking.
ASIS
ASIS International is the largest professional society for security management. ASIS Facility Physical Security Control Standards and the ASIS Enterprise Security Risk Management (ESRM) framework are the most-cited standards in corporate security assessments.
NERC CIP-014
North American Electric Reliability Corporation Critical Infrastructure Protection Standard 014. Requires electric utilities to assess physical-security risk to critical substations every 30 months with an unaffiliated third-party review.
FEMA 426 and 452
FEMA Reference Manual 426 (Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings) and 452 (Risk Assessment Methodology). The federal physical-security risk assessment standards used across DHS, GSA, and DoD facilities.
PIAM
Physical Identity and Access Management. The category that governs who can badge into which facility, integrating HR, Active Directory, and PACS. AlertEnterprise Guardian is the category leader in this ranking.
Crime data overlay
A likelihood-scoring layer that pulls third-party crime data (Cap Index CRIMECAST, Security Gauge, GlobalIncidentMap, World Aware) into the assessment so likelihood scores are defensible to insurers and boards. RiskWatch is the only platform in this ranking that ships four feeds.
Multi-site rollup
The capability to aggregate findings from many facility assessments into one regional or enterprise dashboard with year-over-year trends. Essential for any program with more than five facilities; thin or absent in VMS-only platforms.
Final word

So which one should you pick?

If you read this page top to bottom and one platform stood out, that is your answer. The methodology is on this page so you can disagree with the rank and arrive at a different first pick honestly. We did not move our own product down the page to look unbiased; we did not move it up the page to sell the brief. The position reflects our weights and the public evidence on facility-level TVRA workflow, ASIS alignment, crime-data overlay, multi-site rollup, and pricing transparency.

The one thing every multi-site security buyer should do, regardless of which vendor wins your bake-off, is to insist on a 30-day working pilot with real data at two or three sites, a renewal-escalator cap in writing, and a documented exit clause that covers site diagrams and findings registers. The corporate-security buyers we see lose three-year deals always lose them on those three terms, not on feature coverage.

If you would like the RiskWatch demo or a 30-day no-card trial, sign up at riskwatch.com/start-free-trial. If you would like a no-strings second opinion on one of the other nine, email sales@riskwatch.com with the vendor name in the subject line and we will share what we know. If you prefer the criteria-driven comparison view rather than the ranked list, see /compare/best-physical-security-assessment-software/.

Request a Demo