Updated May 15, 2026 · 10 platforms evaluated

Top 10 Physical Security Software for Medical Devices in 2026: A QMSR, ISO 13485, and ITAR Buyer Ranking

Honest 2026 ranking of the 10 best physical security platforms for medical device makers: QMSR facility controls, ISO 13485 cleanroom access, ITAR for defense-medical.

By RiskWatch Editorial · Medical Device Physical Security and QMSR Facility Software Research

Verdict

TL;DR

If you run physical security at a medical device manufacturer, a contract manufacturer, or an in vitro diagnostic maker and you owe an auditor a defensible answer on the February 2 2026 transition from 21 CFR Part 820 to 21 CFR Part 4 Quality Management System Regulation with ISO 13485:2016 incorporated by reference, ISO 14644 cleanroom access for sterile-pack and implant production, EU MDR 2017/745 and IVDR 2017/746 manufacturer facility controls, ITAR 22 CFR Parts 120-130 and EAR 15 CFR Parts 730-774 for defense-medical, and the supplier-qualification site-visit program under § 820.50 and ISO 13485 § 7.4, RiskWatch ranks first on our weighted score because it ships pre-mapped libraries for every one of those frameworks in one tenant with site-level rollup, four crime-data feeds for supplier-route and IP-theft likelihood, and offline mobile site walks for unannounced supplier audits. AlertEnterprise Guardian is the strongest pick when PIAM convergence across Workday, SAP S/4HANA, and the Lenel S2 / Genetec / Honeywell PACS is the primary risk surface for ITAR-controlled-handler segregation and supplier-engineer access. Genetec Security Center is the unified VMS plus high-assurance access plus Restricted Security Area Surveillance pick for ISO 14644 Class 5 and Class 7 cleanrooms and ITAR-segregated production cells. Verkada is the cloud-managed cameras-plus-access pick for distributed R&D sites and contract-manufacturer satellite plants. Lenel S2 OnGuard, AMAG Symmetry, Honeywell Pro-Watch, Avigilon Alta, Milestone XProtect, and Brivo round out the list with honest weaknesses on each. Pick by where the FDA, an EU notified body, a DDTC compliance officer, and a DCMA auditor are going to look first, not by vendor demo polish: eight of the ten platforms here will not publish a price.

Pick by use case

Where each platform fits

Multi-site QMSR + ISO 13485 + ISO 14644 + MDR + IVDR + ITAR TVRA aligned across medical device plants, contract manufacturers, and supplier audits: RiskWatch: Pre-built libraries for 21 CFR Part 4 QMSR (effective Feb 2 2026), 21 CFR Part 820 QSR, ISO 13485:2016 facility controls, ISO 14971:2019 risk, ISO 14644-1 cleanroom classification, EU MDR 2017/745, EU IVDR 2017/746, ITAR 22 CFR 120-130, EAR 15 CFR 730-774, NIST 800-171 r3, CMMC 2.0 Level 2 PE, 21 CFR Part 11, Federal Select Agent Program (for biothreat IVD makers), and ASIS Facility Physical Security Control Standards in one tenant; offline mobile site walks for unannounced supplier audits under § 820.50 and § 7.4.
PIAM convergence across Workday, SAP S/4HANA, and the PACS for ITAR-controlled-handler segregation and supplier-engineer access: AlertEnterprise Guardian: G2 Spring 2026 Grid Leader for Physical Security; Personal Risk Assessment workflow for ITAR-controlled-handler eligibility tracked alongside DDTC registration status, ECCN classification, and ISO 13485 training records; deepest Lenel S2 + Genetec Synergis + Software House CCURE + Honeywell Pro-Watch + AMAG Symmetry integration for medical device holding companies with implant, IVD, surgical-instrument, and defense-medical staff segregation.
Unified VMS plus high-assurance access plus Restricted Security Area Surveillance for ISO 14644 Class 5 / 7 cleanrooms and ITAR-segregated production cells: Genetec Security Center: Independent Montreal-headquartered founder-led; unified Omnicast VMS plus Synergis high-assurance access with flexible lockdown plus AutoVu ALPR plus Restricted Security Area Surveillance plus Mission Control for ISO 14644 Class 5 / 7 cleanroom interlocked door logic and ITAR § 120.55 controlled-area segregation; per-channel and per-door SaaS pricing published.
Cloud-managed cameras, access, alarms, and intercom across R&D sites, contract-manufacturer satellite plants, and distributed component-supplier facilities: Verkada: Cloud-native unified suite with $5.8B CapitalG round December 2025 and $1B+ ARR across 30,000+ customers; 4.5/5 G2 across 1,800+ reviews; medical-device life-sciences vertical with named ISO 13485-adjacent deployments; right shape for emerging medtech that wants to retire on-prem DVRs and standalone Lenel servers at the satellite site.
Enterprise PACS at headquarters plant and implant production plant with ITAR dual-control and 21 CFR Part 11 audit-trail logging: Lenel S2: Honeywell-owned post-April 2 2024 divestiture from Carrier; OnGuard supports dual-control logging for ITAR § 120.55 controlled-area entries at scale, NetBox for mid-size contract-manufacturer deployments, and embedded reader-and-controller hardware longevity that medical device 15-year capex cycles need; deep medical-device reference base among PACS incumbents.
Defense-medical grade access control with Allied Universal field-services bench for ITAR + biothreat IVD containment: AMAG Symmetry: Allied-Universal-owned since 2022 G4S carve-out; Symmetry CONNECT identity management plus Symmetry GUEST visitor management plus Symmetry SR high-assurance access; deep critical-infrastructure pedigree that ports to defense-medical ITAR production cells and biothreat-IVD BSL-2 / BSL-3 containment for Federal Select Agent Program work.
Medical device facility running access control inside a Honeywell-Forge-unified BMS plus HVAC plus cleanroom-monitoring stack: Honeywell Pro-Watch: Honeywell Forge integration plus Pro-Watch unified building lets medical device manufacturers run access control alongside the same BMS that already monitors ISO 14644 cleanroom HVAC, differential pressure, particle counting, and 21 CFR Part 11 audit-trail evidence in one tenant; deepest fit when the BMS vendor is already Honeywell.
Cloud-native VMS plus access for distributed medical device sites preserving Avigilon camera capex: Avigilon Alta: Motorola Solutions cloud-native suite combining former Openpath access control and Ava Security video on a serverless architecture; Alta Cloud plus Unity On-Premise; Motorola APX dispatch-radio integration for off-duty officer programs; right fit for medical device networks already owning Avigilon-branded cameras at IVD plants and finished-device warehouses.
Open-platform VMS supporting heterogeneous medical-device campus camera fleets inherited through M&A: Milestone XProtect: Widest camera and sensor compatibility (8,000+ devices) for medical device networks that grew through merger and inherited Axis, Bosch, Hanwha, and Pelco fleets; XProtect 2026 R1 added long-term cloud video storage and scheduled reporting plus chain-of-custody export for FDA inspection subpoenas, EU notified-body audit requests, and DDTC compliance reviews; Canon-owned stability; free Essential+ tier for the smallest contract-manufacturer satellite sites.
Per-door published-pricing cloud access for emerging medtech, startup IVD makers, and contract-manufacturer satellite sites: Brivo: Published $13.50/door/month per Acre Security and Vendr; SOC 2 Type II + ISO/IEC 27001:2022 + GDPR; NASDAQ:BRIV post-2023 SPAC; open API + Eagle Eye Networks video pairing; the cleanest TCO anchor for emerging medtech that needs cloud access at three R&D sites without standing up a PACS server farm.

Physical security software for medical devices is a label that masks seven different buying jobs. Medical device security officers come to this category looking for one of seven things: a 21 CFR Part 820 QSR (transitioning to Part 4 QMSR with ISO 13485:2016 incorporated by reference on February 2 2026) facility-access Threat-Vulnerability-Risk-Assessment platform that survives an FDA Form 483 medical device inspection and a notified-body MDR or IVDR audit; an ISO 14644 cleanroom access program with interlocked-door logic at Class 5, Class 7, and Class 8 production zones for sterile-pack and implantable-device manufacturing; a Video Management System and high-assurance access control platform for the headquarters plant, the implant production plant, the IVD reagent plant, and the sterile-pack production cleanroom; a cloud-managed cameras-plus-access-plus-alarms console for distributed R&D sites and contract-manufacturer satellite plants; a Physical Identity and Access Management system that ties Workday, SAP S/4HANA, ISO 13485 training records, and the PACS together so ITAR-controlled-handler eligibility is enforced at the badge swipe; a supplier-qualification site-visit program aligned to § 820.50 and ISO 13485 § 7.4 that documents the on-site evaluation of every critical supplier with offline mobile evidence capture; or a defense-medical ITAR 22 CFR 120-130 and EAR 15 CFR 730-774 physical-security program for battlefield trauma kits, military prosthetics, and biothreat-agent IVD development. The ten platforms in this ranking serve at least one of those briefs well, and none of them serves all seven equally.

We considered 22 platforms across G2 Spring 2026 Grid for Physical Security, the AdvaMed Manufacturing Council vendor list, the MDIC Case for Quality vendor directory, the RAPS Regulatory Convergence sponsor list, and EnergyCentral and Medical Design Technology forum threads. We cut to ten by removing pure-play body-worn cameras and patrol-management tools, excluding cyber-only OT or fraud-detection vendors (Claroty Medigate, Cynerio, Asimily are covered separately at /top-10-risk-management-software/ and /top-10-compliance-management-software/), excluding TVRA-only platforms with no medical-device manufacturer customer base (covered at /top-10-physical-security-assessment-software/), excluding integrators without a software product (Convergint Smart Tools, Resolver in this cut), excluding real-estate-led platforms without ISO 13485 and ITAR framework depth (Kastle Systems), folding the merged Openpath product into its current Avigilon Alta home, and including the cloud-managed VMS, the cloud access platform, the open-VMS, and the PIAM platform that medical-device physical-security buyers most commonly shortlist on annual QMSR audit cycles. The result is ten platforms a real medical-device security officer might shortlist in 2026.

Pricing transparency is poor in this category. Eight of the ten platforms here gate pricing behind a demo or a deployment scope. Brivo publishes $13.50/door/month per Acre Security and Vendr. Genetec publishes Security Center SaaS pricing per channel and per door. Verkada publishes per-camera SaaS bands. The other seven, including RiskWatch at the Enterprise tier, are quote-only because deployment topology varies materially with plant count, cleanroom class, ITAR-segregated cell count, and supplier-site-visit volume. We triangulated the opaque vendors from public third-party teardowns and dated each estimate. The methodology block at the bottom of this page spells out the weights, the sources, and the disclosure.

At-a-glance

Comparison table

The 10 platforms scored on the methodology weights at the bottom of this page. Pricing-transparency pill is the buyer-honesty signal.

Rank	Product	Best for	Pricing transparency	G2	Verdict
1	RiskWatch RiskWatch International	US medical device manufacturers, multi-state contract manufacturers, and global IVD makers running annual 21 CFR Part 4 QMSR audits plus notified-body MDR / IVDR surveillance audits plus DDTC compliance reviews across 1-30+ plants with implant production, IVD reagent, sterile-pack production, ITAR-segregated defense-medical, supplier-qualification, and biothreat-IVD scope in one tenant.	Partial	4.5/5 60+ reviews	21 CFR Part 4 QMSR (effective Feb 2 2026) + 21 CFR Part 820 QSR + ISO 13485:2016 § 6.4...
2	AlertEnterprise Guardian AlertEnterprise, Inc.	Top-50 global medical-device and IVD holding companies with 10+ plants, mature Workday or SAP SuccessFactors HR, mature Lenel S2 or Genetec Synergis or CCURE or Pro-Watch PACS, and Personal Risk Assessment requirements across ITAR-controlled handlers, supplier-engineer escort programs, and biothreat-IVD containment-suite staff.	Opaque	4.4/5 90+ reviews	G2 Spring 2026 Grid Leader for Physical Security
3	Genetec Security Center Genetec Inc.	Top-50 global medical-device headquarters, multi-plant contract-manufacturer networks, and IVD R&D campuses running a unified Security Operations Center that needs ITAR-segregated cell access, ISO 14644 Class 5 / 7 cleanroom interlocked doors, and plant-gate ALPR in one console.	Partial	4.4/5 320+ reviews	Unified Omnicast VMS + Synergis high-assurance access + AutoVu ALPR + Mission Control...
4	Verkada Verkada Inc.	Distributed medtech R&D sites, contract-manufacturer satellite plants, emerging medical-device companies, and IVD reagent satellite labs where the buyer wants to retire DVRs and standalone PACS servers and consolidate on one cloud console.	Partial	4.5/5 1820+ reviews	Cloud-native unified suite (cameras + access + alarms + intercom + sensors + guest) on...
5	Lenel S2 Honeywell (acquired LenelS2 from Carrier April 2 2024)	Top-50 global medical-device headquarters implant production plants, IVD reagent plants, sterile-pack production plants, and combination-product warehouses with ITAR-segregated cells, 15-year capex cycles, and Honeywell Forge BMS already deployed; LenelS2 NetBox for single-site mid-size contract manufacturer.	Opaque	4.0/5 180+ reviews	OnGuard supports ITAR § 120.55 controlled-area dual-control logging and ISO 13485...
6	AMAG Symmetry AMAG Technology (Allied Universal portfolio)	Medical-device defense-medical ITAR-segregated production cells, biothreat-IVD BSL-2 / BSL-3 containment under the Federal Select Agent Program, top-50 medical-device headquarters running R&D campus perimeter at critical-infrastructure-grade, and medical-device manufacturers that already buy guard-force services from Allied Universal and want one master services agreement for the software stack and the field-services bench.	Opaque	4.0/5 70+ reviews	Symmetry SR high-assurance access supports defense-medical ITAR-segregated cell access...
7	Honeywell Pro-Watch Honeywell International (Building Technologies)	Medical-device plants already running Honeywell BMS + HVAC + cleanroom head-end where one Honeywell account team for access, BMS, and cleanroom monitoring is the procurement-simplifying win; Defense Health Agency or BARDA contract holders that need a GSA Schedule vendor for the access platform.	Opaque	4.1/5 120+ reviews	Native Honeywell Forge BMS integration for ISO 14644 cleanroom HVAC, differential...
8	Avigilon Alta Motorola Solutions (NYSE: MSI)	Distributed medical-device sites already deployed on Avigilon-branded cameras that want cloud-managed VMS plus access without retiring the camera capex; federal-contract medical-device makers under Defense Health Agency or BARDA contracts that need Motorola APX radio adjacency.	Opaque	4.4/5 250+ reviews	Cloud-native serverless suite combining cloud cameras + cloud access + AI analytics on...
9	Milestone XProtect Milestone Systems (Canon subsidiary)	Medical-device networks that grew through merger and inherited heterogeneous camera fleets across Axis, Bosch, Hanwha, Pelco, and Sony; medical-device security operations centres that want to consolidate on one VMS without retiring camera capex; contract manufacturers with the smallest satellite sites that need the free Essential+ tier.	Partial	4.4/5 380+ reviews	Widest camera and sensor compatibility (8,000+ devices) of any VMS in this ranking;...
10	Brivo Brivo, Inc.	Emerging medtech, startup IVD makers, contract-manufacturer satellite sites, and medical-device R&D campuses with 1-5 sites that need cloud access at the published per-door price without standing up a PACS server farm and without a multi-year integrator engagement.	Public	4.4/5 220+ reviews	Published $13.50/door/month per Acre Security and Vendr; the cleanest TCO anchor in...

Calculator

Estimate the licence cost

Drag the slider to your headcount. Estimates use each vendor's published or triangulated tiers. Opaque vendors show Contact sales.

Employees500

11.3k2.5k3.8k5k

RiskWatch

Professional (≤ 1,000 employees)

$36,000/yr

AlertEnterprise Guardian

Mid-market PIAM (est.) (quote-only tier)

Contact sales

Genetec Security Center

Security Center SaaS Standard (per channel) (quote-only tier)

Contact sales

Verkada

Cameras (per camera SaaS) (quote-only tier)

Contact sales

Lenel S2

NetBox mid-market (est.) (quote-only tier)

Contact sales

AMAG Symmetry

Symmetry Business mid-market (est.) (quote-only tier)

Contact sales

Honeywell Pro-Watch

Pro-Watch mid-market (est.) (quote-only tier)

Contact sales

Avigilon Alta

Alta Cloud cameras (per camera, reseller) (quote-only tier)

Contact sales

Milestone XProtect

Express+ (per channel) (quote-only tier)

Contact sales

Brivo

Brivo Access Enterprise (est.) (quote-only tier)

Contact sales

Estimates only. Opaque-pricing vendors do not publish list prices; bands are triangulated from public third-party sources dated 2026-05-15. Implementation services, module add-ons, and renewal escalators are extra.

Pick your own weights

Decision matrix

Default weights match the methodology at the bottom of this page. Drag the sliders to match your priorities and re-rank in real time.

Ease of use20%

How quickly a non-technical control owner reaches first value

Feature breadth20%

Module coverage across ERM, IT, audit, TPRM, BC

Value20%

Price to value ratio at mid-market

Customer support15%

Quality and responsiveness of vendor support

Scalability15%

Handling 5,000+ employees, multiple entities, regions

Integrations10%

Breadth of native connectors and APIs

Weights sum: 100%

1
RiskWatch
Editorial rank #1
8.72
2
Verkada
Editorial rank #4
8.66
3
Genetec Security Center
Editorial rank #3
8.55
4
Milestone XProtect
Editorial rank #9
8.45
5
Brivo
Editorial rank #10
8.41
6
Avigilon Alta
Editorial rank #8
8.31
7
AlertEnterprise Guardian
Editorial rank #2
8.29
8
Lenel S2
Editorial rank #5
8.04
9
Honeywell Pro-Watch
Editorial rank #7
8.02
10
AMAG Symmetry
Editorial rank #6
7.97

Switching cost

Migration matrix

Read row-to-column. Row = today's platform, column = tomorrow's. Colour reflects realistic switching effort, not vendor sales pitches.

From / To	RiskWatch	AlertEnterprise Guardian	Genetec Security Center	Verkada	Lenel S2	AMAG Symmetry	Honeywell Pro-Watch	Avigilon Alta	Milestone XProtect	Brivo
RiskWatch	.	M	M	E	H	M	M	E	M	E
AlertEnterprise Guardian	E	.	E	E	M	E	E	E	E	E
Genetec Security Center	E	E	.	E	M	M	M	E	E	E
Verkada	M	H	H	.	H	H	H	M	H	E
Lenel S2	E	E	E	E	.	E	E	E	E	E
AMAG Symmetry	M	E	E	E	E	.	E	E	E	E
Honeywell Pro-Watch	E	E	E	E	E	E	.	E	E	E
Avigilon Alta	M	M	M	E	H	M	M	.	M	E
Milestone XProtect	E	E	E	E	M	E	E	E	.	E
Brivo	H	M	H	E	H	H	H	M	M	.

Easy (E)Moderate (M)Hard (H)Source: per-vendor migration field with radar-profile fallback. Treat as a directional guide, not a quote.

Methodology

How we scored and why you should trust it

The methodology is the only thing keeping this page honest. Read it carefully and apply your own weights in the decision matrix above.

RiskWatch published this ranking. RiskWatch accepts no affiliate fees, sponsorship money, or paid placements on this page. RiskWatch is also in the ranking, at #1. Readers should weigh that disclosure against the published evidence on this page. We scored each of the ten platforms on six axes weighted for the medical-device physical-security buyer using the playbook default weights: Ease of Use including offline mobile site walks at unannounced supplier audits under § 820.50 (20%); Feature Breadth covering 21 CFR Part 4 QMSR (effective Feb 2 2026) + 21 CFR Part 820 QSR + ISO 13485:2016 facility controls + ISO 14971:2019 risk + ISO 14644-1 cleanroom classification + EU MDR + EU IVDR + ITAR 22 CFR 120-130 + EAR 15 CFR 730-774 + NIST 800-171 r3 + CMMC 2.0 PE plus cleanroom interlocked-door logic, ITAR-segregated cell access, and supplier-route coverage (20%); Value including pricing transparency and renewal-escalator behaviour (20%); Customer Support (15%); Scalability across multi-site rollups from 1 R&D campus to 30+ global medical-device plants (15%); and Integrations with VMS, PACS, BMS, HVAC, cleanroom particle-counter alarming, ISO 13485 training records, Workday, SAP S/4HANA, and DDTC reporting feeds (10%). Scores are 0-10 and calibrated within this category. Ratings reference G2 and Capterra figures pulled 2026-05-15. Pricing reflects the most-recent published or triangulated figures, also pulled 2026-05-15; where pricing is opaque we report a range based on two or more public third-party sources. We re-verify this page quarterly.

Weights used in the editorial ranking

Ease of use: 20%
Feature breadth: 20%
Value: 20%
Customer support: 15%
Scalability: 15%
Integrations: 10%

RiskWatch

RiskWatch International · Founded 1993 · Annapolis, MD, USA

QMSR + ISO 13485 + ISO 14644 + MDR + IVDR + ITAR physical security assessment software with site-level rollup.

Partial pricingG2 4.5 · Capterra 4.6 · 60+ reviews

Summary

RiskWatch ships a physical security risk assessment platform built around pre-mapped libraries for the February 2 2026 transition from 21 CFR Part 820 Quality System Regulation to 21 CFR Part 4 Quality Management System Regulation with ISO 13485:2016 incorporated by reference, ISO 13485:2016 § 6.4 work environment and contamination control, ISO 14971:2019 risk management application to medical devices, ISO 14644-1:2015 cleanroom classification at Class 5 / 6 / 7 / 8, EU MDR Regulation 2017/745 manufacturer facility controls under Annex IX / X / XI, EU IVDR Regulation 2017/746 for in vitro diagnostic medical devices, ITAR 22 CFR Parts 120-130 with § 120.55 controlled-data physical-security requirements for defense-medical, EAR 15 CFR Parts 730-774 with § 734.18(a)(5) for export-controlled hardware, NIST SP 800-171 r3 § 3.10 Physical Protection, NIST SP 800-53 r5 PE family, CMMC 2.0 Level 2 PE domain, 21 CFR Part 11 electronic records and signatures, the Federal Select Agent Program rules at 42 CFR Part 73 + 7 CFR Part 331 + 9 CFR Part 121 for IVD makers handling biothreat agents, and ASIS Facility Physical Security Control Standards. The platform models the headquarters plant, the implant production plant, the IVD reagent plant, the sterile-pack production cleanroom, the ISO 14644 Class 5 critical zone, the ISO 14644 Class 7 and Class 8 background zones, the ITAR-segregated production cell, the supplier site, and the loading-dock cargo cage as discrete assessable assets with their own control sets. Likelihood pulls from four crime-data feeds anchored to plant addresses for supplier-route diversion risk and IP-theft risk. Customers include US medical device manufacturers, multi-state contract manufacturers, and global IVD makers running annual QMSR audits plus notified-body MDR / IVDR surveillance audits. The product has been in the field since 1993 and is the only platform in this ranking that pre-maps every requirement an FDA Form 483 inspector, a notified-body MDR auditor, a DDTC compliance officer, and a DCMA Industrial Security Specialist will ask for in one tenant.

Strengths

21 CFR Part 4 QMSR (effective Feb 2 2026) + 21 CFR Part 820 QSR + ISO 13485:2016 § 6.4 work environment + ISO 14971:2019 risk + ISO 14644-1 cleanroom classification + EU MDR 2017/745 + EU IVDR 2017/746 + ITAR 22 CFR 120-130 + EAR 15 CFR 730-774 + NIST 800-171 r3 + NIST 800-53 PE + CMMC 2.0 Level 2 PE + 42 CFR 73 + 7 CFR 331 + 9 CFR 121 Select Agent Regulations + ASIS Facility Physical Security Control Standards pre-mapped on day one in one tenant
Site-level, region-level, and enterprise-level rollup dashboards with year-over-year trends covering the annual QMSR audit pack, the notified-body MDR / IVDR surveillance audit, the DDTC compliance review, and the DCMA Industrial Security Specialist site visit
Discrete asset models for headquarters plant, implant production plant, IVD reagent plant, sterile-pack production cleanroom, ISO 14644 Class 5 critical zone, ISO 14644 Class 7 / 8 background zones, ITAR-segregated production cell, supplier site, and loading-dock cargo cage with their own control sets
Supplier-qualification site-visit workflow under 21 CFR § 820.50 and ISO 13485 § 7.4 with offline mobile evidence capture for unannounced supplier audits at sterilisation contractors, electronic component vendors, and raw material suppliers
Crime-data overlay from four independent feeds (Cap Index CRIMECAST, Security Gauge, GlobalIncidentMap, World Aware) anchored to plant street addresses so IP-theft likelihood and supplier-route diversion likelihood trace back to source and last-updated date for the DDTC compliance officer and the DCMA Industrial Security Specialist
Browser-based mobile TVRA that works offline at remote supplier sites and contract-manufacturer satellite plants with no cellular signal and syncs when connectivity returns; no findings lost on the annual supplier audit
Site Risk Cycle with ISO 31000 and NIST 800-30 semi-quantitative scoring; findings convert to tracked remediation tasks with owners and proof-of-close defensible to FDA, notified-body, DDTC, DCMA, or state department-of-health inspectors
Single-tenant deployment with US-only or EU-only data residency for medical-device customers under 21 CFR Part 11 electronic-records integrity, ITAR § 120.55 controlled-data residency, EAR § 734.18(a)(5) export-controlled hardware handling, and CMMC 2.0 Level 2 CUI handling
30-day free trial with no credit card and full platform access; the only TVRA-first vendor on this list offering it

Weaknesses

Not a VMS, access control system, alarm panel, BMS, cleanroom particle-counter head-end, or DDTC reporting platform; integrates with Genetec, Verkada, Brivo, Avigilon Alta, Milestone, Lenel S2, AMAG, Honeywell Pro-Watch, AlertEnterprise, Workday, and SAP S/4HANA via APIs and bulk imports rather than deep native connectors
Brand awareness on G2 and Capterra in medical-device physical security specifically is lower than Genetec or Verkada; total third-party review volume in this niche sits below 100
Public pricing is opaque at the Enterprise tier and scaled by framework count, plant count, cleanroom class, ITAR-segregated cell count, and supplier-site-visit volume; marked partial because the Standard and Professional contract bands are published in the pricing calculator on this page
No native DDTC Form DSP-5 or DSP-83 license workflow; ITAR licence evidence ingests from third-party DDTC reporting platforms rather than first-party integration
No native ISO 14644 particle-counter telemetry; cleanroom-event evidence ingests from third-party BMS and particle-counter head-ends (Honeywell Forge, Siemens Desigo, Schneider EcoStruxure, Particle Measuring Systems) rather than first-party hardware integration
UI shows operational heritage in some assessment-builder screens; newer cloud-first entrants like Verkada and Avigilon Alta have a more polished first-run experience for non-specialist plant managers

Best for

US medical device manufacturers, multi-state contract manufacturers, and global IVD makers running annual 21 CFR Part 4 QMSR audits plus notified-body MDR / IVDR surveillance audits plus DDTC compliance reviews across 1-30+ plants with implant production, IVD reagent, sterile-pack production, ITAR-segregated defense-medical, supplier-qualification, and biothreat-IVD scope in one tenant.

Worst for

Single-suite virtual medtech startups with no ITAR exposure, no cleanroom manufacturing footprint, and no critical-supplier audit obligation that only need a cloud access bundle for a leased R&D lab; Brivo or Verkada is the better fit there.

Key features

Pre-built libraries for 21 CFR Part 4 QMSR, 21 CFR Part 820 QSR, ISO 13485:2016, ISO 14971:2019, ISO 14644-1, EU MDR 2017/745, EU IVDR 2017/746, ITAR 22 CFR 120-130, EAR 15 CFR 730-774, NIST 800-171 r3, CMMC 2.0 Level 2 PE, 21 CFR Part 11, Federal Select Agent Program 42 CFR 73 + 7 CFR 331 + 9 CFR 121, ASIS Facility Physical Security Control Standards
Supplier-qualification site-visit workflow under § 820.50 and ISO 13485 § 7.4 with offline mobile evidence capture for unannounced audits
Discrete asset models for HQ plant, implant production, IVD reagent, sterile-pack cleanroom, ISO 14644 Class 5 critical zone, Class 7 / 8 background, ITAR-segregated cell, supplier site, and loading-dock cargo cage
Site-level, region-level, and enterprise-level rollup for the annual QMSR audit pack and the notified-body MDR / IVDR surveillance audit
Four crime-data feeds anchored to plant addresses for IP-theft likelihood and supplier-route diversion likelihood scoring
Findings-to-remediation workflow with owners and proof-of-close for FDA, notified-body, DDTC, DCMA, and state-inspector evidence
Single-tenant deployment with US-only or EU-only data residency under 21 CFR Part 11, ITAR § 120.55, EAR § 734.18(a)(5), and CMMC 2.0 Level 2
30-day free trial with no credit card

Integrations

25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.

Target size

100 to 50,000 employees · US · Canada · EU · UK · AU · Switzerland · Ireland · Israel

Radar score

Pricing

Standard$99/month
Up to 250 employees
- · Up to 3 standards libraries (e.g. 21 CFR Part 4 QMSR + ISO 13485:2016 + ISO 14644-1)
- · Up to 10 plants or sites
- · Mobile offline site-walk app for supplier audits
- · Crime data overlay (one feed)
- · Email + named CSM support
Professional$36,000/year
Up to 1,000 employees
- · All 40+ libraries incl 21 CFR Part 4 QMSR + 21 CFR Part 820 + ISO 13485 + ISO 14971 + ISO 14644 + EU MDR + EU IVDR + ITAR + EAR + NIST 800-171 + CMMC 2.0 + 21 CFR Part 11 + Federal Select Agent Program + ASIS
- · Unlimited plants, sites, and supplier audits
- · All four crime data feeds
- · SSO + SAML
- · API access + custom reports
- · Phone + dedicated CSM
EnterpriseContact sales
- · All 40+ frameworks
- · Single-tenant deployment with US-only or EU-only data residency
- · Customer-owned data residency for 21 CFR Part 11, ITAR § 120.55, EAR § 734.18(a)(5), and CMMC 2.0 Level 2
- · 24/7 support
- · Solutions architect on retainer for QMSR, MDR, IVDR, and ITAR site renewals

Watch for

· Implementation services billed separately (typical 1-time fee 15-25% of first-year licence)
· Custom framework additions outside the 40+ library are scoped per request
· CMMC 2.0 Level 2 assessment-readiness package quoted per deployment

Public list-price pages are coming. For now we publish typical contract bands above; the Enterprise tier is quote-only because deployment topology, plant count, cleanroom class, ITAR-segregated cell count, and supplier-site-visit volume vary materially.

AlertEnterprise Guardian

AlertEnterprise, Inc. · Founded 2007 · Fremont, CA, USA

PIAM platform converging HR, training, and PACS for ITAR-controlled-handler and supplier-engineer access across medical device sites.

Opaque pricingG2 4.4 · Capterra 4.3 · 90+ reviews

Summary

AlertEnterprise ships Guardian, a Physical Identity and Access Management platform that bridges HR systems (Workday, SAP SuccessFactors, Oracle HCM, ISO 13485 training records), the Active Directory or Microsoft Entra ID identity store, and the Physical Access Control System (Lenel S2 OnGuard, Genetec Synergis, Software House CCURE, Honeywell Pro-Watch, AMAG Symmetry). The product was named a G2 Spring 2026 Grid Leader for Physical Security. The medical-device fit is the Personal Risk Assessment workflow that tracks ITAR-controlled-handler eligibility alongside DDTC registration status, ECCN classification, ISO 13485 cleanroom-gowning training, and 21 CFR Part 11 e-signature audit-trail evidence; when a handler's ITAR clearance lapses, the badge swipe to the ITAR-segregated production cell is denied at the reader. The strength is convergence; the weakness is that Guardian assumes you already have a mature PACS and identity stack to converge.

Strengths

G2 Spring 2026 Grid Leader for Physical Security
Personal Risk Assessment workflow for ITAR-controlled-handler eligibility tracked alongside DDTC registration, ECCN classification, and ISO 13485 cleanroom-gowning training records
Deepest Lenel S2 OnGuard + Genetec Synergis + Software House CCURE + Honeywell Pro-Watch + AMAG Symmetry integration in this ranking; medical-device holding companies with implant, IVD, surgical-instrument, and defense-medical staff segregation are the named reference base
Honeywell strategic investor since 2021 plus deep SAP S/4HANA and Oracle HCM bidirectional integration
GenAI-powered identity reconciliation and SOC intelligence; 2026 Vibrant identity intelligence release
21 CFR Part 11 audit-trail e-signature evidence on every identity-lifecycle event and every badge-swipe-denied event

Weaknesses

Assumes you already own a mature PACS (Lenel S2, Genetec Synergis, CCURE, Pro-Watch, AMAG) and a mature identity store (Workday or SAP SuccessFactors plus AD/Entra); Guardian is overlay software, not a standalone access platform
Pricing is opaque; deployments at medical-device scale routinely exceed $150K/yr for the converged-identity platform alone before PACS, VMS, and BMS spend
Implementation is consultant-heavy; expect 4-8 month deployment with named SI partner support and dedicated medical-device identity-stewardship resource on the customer side
Not a TVRA platform; QMSR, ISO 13485, MDR, IVDR, and ITAR framework controls have to come from RiskWatch, a GRC platform, or a manual control library
Smaller G2 + Capterra review volume than Verkada or Genetec in medical-device physical security specifically

Best for

Top-50 global medical-device and IVD holding companies with 10+ plants, mature Workday or SAP SuccessFactors HR, mature Lenel S2 or Genetec Synergis or CCURE or Pro-Watch PACS, and Personal Risk Assessment requirements across ITAR-controlled handlers, supplier-engineer escort programs, and biothreat-IVD containment-suite staff.

Worst for

Single-site emerging medtech with no mature PACS and no SAP / Workday / Oracle HCM footprint; Guardian assumes upstream maturity that this buyer does not yet have.

Key features

Personal Risk Assessment workflow with ITAR-handler eligibility, DDTC registration status, and ISO 13485 cleanroom-gowning training tracked together
Bidirectional Workday + SAP SuccessFactors + Oracle HCM integration
Lenel S2 OnGuard + Genetec Synergis + Software House CCURE + Honeywell Pro-Watch + AMAG Symmetry native integration
GenAI-powered identity reconciliation and SOC intelligence
21 CFR Part 11 audit-trail e-signature on every identity-lifecycle and badge-swipe-denied event
Visitor management with medical-device-specific escort and supplier-engineer certification workflow
Automated badge expiration and revocation tied to HR off-boarding
Compliance reporting for FDA, notified-body, DDTC, and DCMA inspections

Integrations

80+ native. Notable: Workday, SAP SuccessFactors, Oracle HCM, Microsoft Entra ID, Lenel S2 OnGuard, Genetec Synergis, Software House CCURE, Honeywell Pro-Watch, AMAG Symmetry.

Target size

2,000 to 2,50,000 employees · Global

Genetec Security Center

Genetec Inc. · Founded 1997 · Montreal, Quebec, Canada

Unified VMS + Synergis high-assurance access + Restricted Security Area Surveillance for ISO 14644 Class 5 / 7 cleanrooms and ITAR-segregated production cells.

Partial pricingG2 4.4 · Capterra 4.5 · 320+ reviews

Summary

Genetec ships Security Center, a unified platform combining Omnicast VMS, Synergis high-assurance access control with flexible lockdown, AutoVu ALPR for plant-perimeter and supplier-gate, Restricted Security Area Surveillance for ISO 14644 cleanroom interlocked-door logic and ITAR § 120.55 controlled-area segregation, and Mission Control event management. The company has been founder-led since 1997 and remains privately held, which differentiates it from PE-owned alternatives like Verkada or Honeywell-owned Lenel S2 or Allied-Universal-owned AMAG. Medical-device customers include top-50 global medical-device headquarters, contract-manufacturer multi-site networks, and IVD R&D campuses. Security Center SaaS pricing is published per channel and per door, which is rare in this category. The unified-platform approach is the right shape for a medical-device headquarters Security Operations Center that needs to correlate VMS, access, ALPR, and intrusion in one console; it is over-built for a 3-site emerging medtech that only needs cloud cameras and badge readers.

Strengths

Unified Omnicast VMS + Synergis high-assurance access + AutoVu ALPR + Mission Control + Restricted Security Area Surveillance for ISO 14644 cleanroom interlocked-door logic and ITAR § 120.55 controlled-area segregation in one console
Synergis high-assurance access supports dual-control entries to ITAR-segregated production cells and ISO 13485 cleanroom-gowned-area access at the controller, not just at the head-end
Restricted Security Area Surveillance natively models the ISO 14644 Class 5 critical zone, Class 7 background, and Class 8 background hierarchy with interlocked-door logic
Published Security Center SaaS pricing per channel and per door; the only enterprise-tier VMS plus access control in this ranking with public pricing at that granularity
Independent founder-led ownership since 1997; no PE renewal-pressure dynamic and no Carrier-style divestiture churn that affected LenelS2
Deep medical-device customer base including top-50 global medical-device headquarters and contract-manufacturer multi-site networks; reference calls available for ITAR-segregated cell and ISO 14644 cleanroom deployments
200+ hardware integrations across cameras, controllers, intercom, and intrusion; preserves medical-device capex on existing camera fleets

Weaknesses

Over-built for emerging medtech with 1-3 R&D sites and no ITAR exposure; the unified-platform pricing model only pays back at headquarters or multi-plant scale
Implementation is integrator-heavy; expect 4-6 month deployment with a named Genetec Channel Partner and a medical-device-experienced field engineer
Not a TVRA platform; QMSR, ISO 13485, MDR, IVDR, and ITAR framework controls have to come from RiskWatch, a GRC platform, or a manual control library
On-prem-leaning architecture historically; Security Center SaaS closed the gap but still trails Verkada and Avigilon Alta on cloud-native maturity at distributed-site scale
Limited cleanroom particle-counter and BMS integration; cleanroom-event evidence comes from Honeywell Forge or Siemens Desigo or Particle Measuring Systems, not from Security Center

Best for

Top-50 global medical-device headquarters, multi-plant contract-manufacturer networks, and IVD R&D campuses running a unified Security Operations Center that needs ITAR-segregated cell access, ISO 14644 Class 5 / 7 cleanroom interlocked doors, and plant-gate ALPR in one console.

Worst for

Emerging medtech with 1-3 R&D sites and no ITAR exposure; Verkada or Brivo is the better fit there.

Key features

Omnicast VMS for plant-perimeter, dock, ITAR-cell, cleanroom, and cargo-cage video
Synergis high-assurance access with flexible lockdown for ITAR-segregated production cells
Restricted Security Area Surveillance for ISO 14644 Class 5 / 7 / 8 cleanroom interlocked-door logic
AutoVu ALPR for plant-gate and supplier-gate
Mission Control event management with QMSR and ITAR audit-trail export
Per-channel and per-door published SaaS pricing
200+ hardware integrations across cameras, controllers, intercom, and intrusion
On-prem and cloud deployment options

Integrations

200+ native. Notable: Axis Communications, Bosch Security Systems, Hanwha Vision, Microsoft Entra ID, Okta, Honeywell Forge (BMS bridge), AlertEnterprise Guardian.

Target size

1,000 to 2,50,000 employees · Global

Radar score

Pricing

Security Center SaaS Standard (per channel)Contact sales
- · Per-channel Omnicast VMS pricing published on the Genetec pricing page
- · Per-door Synergis access control pricing published on the Genetec pricing page
- · Standard support
Enterprise full-suite (est.)Contact sales
- · Full Security Center (Omnicast + Synergis + AutoVu + Mission Control + RSA Surveillance)
- · Per-channel and per-door scaling
- · Premium support
- · Channel Partner integrator

Watch for

· Per-channel and per-door SaaS pricing scales with plant count, cleanroom class, and ITAR-segregated cell count
· Implementation services 20-30% of first-year licence (integrator-heavy)
· On-prem perpetual licence option available but locks customer to maintenance fees

Genetec publishes Security Center SaaS pricing per channel and per door; the only enterprise-tier VMS plus access control in this ranking with public pricing at that granularity.

Verkada

Verkada Inc. · Founded 2016 · San Mateo, CA, USA

Cloud-native cameras + access + alarms + intercom + sensors for distributed medtech R&D sites and contract-manufacturer satellite plants.

Partial pricingG2 4.5 · Capterra 4.5 · 1820+ reviews

Summary

Verkada ships a cloud-native unified suite covering cameras, access control, alarms, intercom, environmental sensors, and guest management. The company raised a $5.8B CapitalG-led round on December 3 2025 (post-money) following the $4.5B Series E in December 2024 and reports $1B+ ARR across 30,000+ customers. G2 carries 1,800+ reviews at 4.5/5. The medical-device fit is distributed R&D sites and contract-manufacturer satellite plants where the buyer wants to retire on-prem DVRs and standalone Lenel servers at the satellite site and consolidate on one cloud console; the weakness is that Verkada is not an ITAR-grade high-assurance access platform and does not natively model the ISO 14644 cleanroom hierarchy or the ITAR § 120.55 controlled-area segregation the way Genetec Restricted Security Area Surveillance does.

Strengths

Cloud-native unified suite (cameras + access + alarms + intercom + sensors + guest) on one console
$5.8B CapitalG-led round Dec 3 2025 and $1B+ ARR across 30,000+ customers; the most-funded cloud-native pure-play in this ranking
4.5/5 G2 across 1,800+ reviews; the highest review volume in this ranking after AlertEnterprise's PIAM peers
Right shape for distributed medtech R&D sites and contract-manufacturer satellite plants that need to retire DVRs and standalone PACS servers
Environmental sensors (temperature, humidity, particle count, air quality, vape detection) are native to the platform and pair with cleanroom and IVD-reagent cold-chain monitoring
Published per-camera SaaS bands and per-door pricing; one of the few public-pricing vendors in this category
Medical-device life-sciences vertical with named ISO 13485-adjacent deployments and HIPAA-aligned data-handling for combination-product clinical-trial-material warehouses

Weaknesses

Not a high-assurance access platform; ITAR § 120.55 controlled-area dual-control logging at the controller-level is not the design point and is better served by Genetec Synergis or Lenel S2 OnGuard
Does not natively model the ISO 14644 Class 5 / 7 / 8 cleanroom hierarchy with interlocked-door logic; pair with Genetec Restricted Security Area Surveillance or Honeywell Pro-Watch for sterile-pack production
Cloud-first architecture is a buyer-trap when ITAR § 120.55 controlled-data residency or CMMC 2.0 Level 2 CUI handling requires on-prem or single-tenant deployment for the access-control system itself
Customer-data incident March 2021 (third-party Bedrock Security breach) and December 2023 (insider-access incident) are still in medical-device security-officer memory; medical-device board diligence still asks about them
Smaller medical-device reference base than Lenel S2 or Genetec; biotech and R&D-leaning, not headquarters-implant-plant-leaning

Best for

Distributed medtech R&D sites, contract-manufacturer satellite plants, emerging medical-device companies, and IVD reagent satellite labs where the buyer wants to retire DVRs and standalone PACS servers and consolidate on one cloud console.

Worst for

Top-50 global medical-device headquarters with ITAR-segregated defense-medical production cells, ISO 14644 Class 5 sterile-pack lines, and CMMC 2.0 Level 2 CUI handling that requires controller-level high-assurance access and on-prem residency; Genetec, Lenel S2, or AMAG Symmetry is the better fit there.

Key features

Cloud-native cameras with on-camera AI analytics
Cloud-managed access control with mobile credentials
Cloud-managed alarms with monitoring tier
Cloud-managed intercom and visitor management
Environmental sensors (temperature, humidity, particle count, air quality)
Guest management with supplier-engineer escort and certification workflow
Per-camera and per-door published SaaS pricing
Site-rollup management across distributed medtech R&D sites and contract-manufacturer satellite plants

Integrations

60+ native. Notable: Microsoft Entra ID, Okta, Google Workspace, Slack, AlertEnterprise Guardian, ServiceNow.

Target size

50 to 25,000 employees · US · Canada · UK · EU · AU · APAC

Radar score

Pricing

Cameras (per camera SaaS)Contact sales
- · Per-camera SaaS bands published on the Verkada pricing page
- · Cloud storage 30 / 60 / 90 / 365 days options
- · Standard support
Access Control (per door)Contact sales
- · Per-door SaaS pricing published on the Verkada pricing page
- · Cloud-managed access on Verkada controllers
- · Standard support
Enterprise unified suite (est.)Contact sales
- · Cameras + Access + Alarms + Intercom + Sensors + Guest
- · Site-rollup management
- · Premium support

Watch for

· Per-camera and per-door SaaS scales fast across multi-site rollups
· Cloud storage tier upcharges for 365-day retention required at ITAR-registered sites
· Implementation services typically 15-20% of first-year licence

Verkada publishes per-camera and per-door SaaS bands; total deployment cost scales with site count and storage retention requirement.

Lenel S2

Honeywell (acquired LenelS2 from Carrier April 2 2024) · Founded 1991 · Pittsford, NY, USA

Enterprise PACS with deep ITAR-segregated production cell logging and 15-year medical-device capex longevity.

Opaque pricingG2 4.0 · Capterra 4.2 · 180+ reviews

Summary

Lenel S2 ships OnGuard, the enterprise PACS that medical-device headquarters implant production plants and IVD reagent plants have run on for two decades, plus the LenelS2 NetBox mid-size deployment line. Carrier carved LenelS2 out of UTC in 2019; Honeywell acquired LenelS2 from Carrier on April 2 2024. The medical-device fit is ITAR § 120.55 controlled-area dual-control logging at the controller (not just at the head-end), ISO 13485 cleanroom-gowned-area open-and-close logging, and 15-year embedded reader-and-controller hardware longevity that medical-device capex cycles need. The weakness is that the Honeywell carve-out triggered a year of customer-comms work that distracted from product velocity, and the OnGuard UI shows its operational heritage.

Strengths

OnGuard supports ITAR § 120.55 controlled-area dual-control logging and ISO 13485 cleanroom-gowned-area open-and-close logging at the controller, not just at the head-end
Deep medical-device reference base among PACS incumbents; top-50 global medical-device headquarters implant production plants and IVD reagent plants run on OnGuard
15-year embedded reader-and-controller hardware longevity that medical-device 15-year capex cycles need
LenelS2 NetBox for mid-size contract-manufacturer deployments (single-site, R&D campus) without the OnGuard enterprise overhead
Honeywell acquisition (April 2 2024) opens deeper Honeywell Forge BMS bridging for cleanroom HVAC and particle-count alarming in the same tenant
AlertEnterprise Guardian, Genetec Federation, and Milestone XProtect native integration

Weaknesses

Honeywell acquisition (April 2 2024) triggered a year of customer-comms work and roadmap reshuffles; the second carve-out in 5 years after the 2019 Carrier carve-out from UTC
OnGuard UI shows its operational heritage; G2 and Capterra reviewers consistently flag the legacy Windows-client look-and-feel and the steep learning curve
Pricing is opaque; deployments at top-50 medical-device scale routinely exceed $250K/yr for OnGuard licence alone before VMS, BMS, and PIAM spend
Implementation is integrator-heavy; expect 6-9 month deployment with a named Lenel S2 Value-Added Reseller and a medical-device-experienced field engineer
Cloud-managed option (LenelS2 NetBox + OnGuard Cloud) trails Verkada and Avigilon Alta on cloud-native maturity; cloud customers report performance gaps
Smaller G2 + Capterra review volume than Verkada; PACS-incumbent reference calls happen through the Value-Added Reseller, not through public G2

Best for

Top-50 global medical-device headquarters implant production plants, IVD reagent plants, sterile-pack production plants, and combination-product warehouses with ITAR-segregated cells, 15-year capex cycles, and Honeywell Forge BMS already deployed; LenelS2 NetBox for single-site mid-size contract manufacturer.

Worst for

Distributed R&D sites and contract-manufacturer satellite plants that want cloud-managed access and to retire on-prem PACS servers; Verkada, Avigilon Alta, or Brivo is the better fit there.

Key features

OnGuard enterprise PACS with ITAR § 120.55 controlled-area dual-control logging at the controller
LenelS2 NetBox for single-site mid-size deployment
Honeywell Forge BMS bridging for cleanroom HVAC and particle-count alarming
AlertEnterprise Guardian PIAM native integration
Genetec Federation and Milestone XProtect VMS integration
21 CFR Part 11 audit-trail e-signature on every badge swipe and every ITAR-cell open-and-close
15-year embedded reader-and-controller hardware longevity
On-prem and OnGuard Cloud deployment options

Integrations

100+ native. Notable: Honeywell Forge, Microsoft Entra ID, AlertEnterprise Guardian, Genetec Federation, Milestone XProtect, Software House CCURE (cross-vendor federation).

Target size

500 to 2,50,000 employees · Global

AMAG Symmetry

AMAG Technology (Allied Universal portfolio) · Founded 1971 · Torrance, CA, USA

Defense-medical grade access control with Allied Universal field-services bench for ITAR cells and biothreat-IVD BSL-2 / BSL-3 containment.

Opaque pricingG2 4.0 · Capterra 4.1 · 70+ reviews

Summary

AMAG ships the Symmetry suite covering Symmetry CONNECT identity management, Symmetry GUEST visitor management, Symmetry SR high-assurance access, and the Symmetry video management line. Allied Universal acquired AMAG in 2022 as part of the G4S carve-out, which means medical-device customers get the Symmetry software stack plus Allied Universal's field-services bench (guard force, investigations, executive protection) under one master services agreement. The medical-device fit is defense-medical ITAR-segregated cells and biothreat-IVD BSL-2 / BSL-3 containment under the Federal Select Agent Program where critical-infrastructure-grade access control with deep dual-authentication and biometric-at-the-door is the design point; the weakness is that AMAG's G2 + Capterra review volume in medical device specifically is thinner than Lenel S2 or Genetec, and the Symmetry UI trails Verkada and Avigilon Alta on cloud-native polish.

Strengths

Symmetry SR high-assurance access supports defense-medical ITAR-segregated cell access and biothreat-IVD BSL-2 / BSL-3 containment with deep dual-authentication and biometric-at-the-door
Deep critical-infrastructure pedigree (CIP-style perimeter logging at scale) that ports cleanly to medical-device defense-medical production cells and IVD biothreat containment
Allied Universal field-services bench (guard force, investigations, executive protection) bundled under one master services agreement
Symmetry CONNECT identity management with HR-system bidirectional integration for ITAR-handler eligibility tracking
Symmetry GUEST visitor management with supplier-engineer escort and certification workflow
On-prem and Symmetry Business deployment options; ITAR § 120.55 and CMMC 2.0 Level 2 residency supported on-prem
Acquired from G4S 2022; ownership has stabilised under Allied Universal after the carve-out

Weaknesses

G2 + Capterra review volume in medical-device physical security specifically is thinner than Lenel S2 or Genetec; reference calls happen through the Allied Universal account team, not through public G2
Symmetry UI trails Verkada and Avigilon Alta on cloud-native polish; G2 reviewers describe the on-prem client as functional but dated
Pricing is opaque; deployments at top-50 medical-device scale typically land in the $100-300K/yr band for the Symmetry software stack alone before guard-force services bundling
Implementation is integrator-heavy; expect 4-6 month deployment with a named AMAG Value-Added Reseller or the Allied Universal field-services team
Symmetry video management line trails Genetec Omnicast and Milestone XProtect on camera + sensor compatibility breadth

Best for

Medical-device defense-medical ITAR-segregated production cells, biothreat-IVD BSL-2 / BSL-3 containment under the Federal Select Agent Program, top-50 medical-device headquarters running R&D campus perimeter at critical-infrastructure-grade, and medical-device manufacturers that already buy guard-force services from Allied Universal and want one master services agreement for the software stack and the field-services bench.

Worst for

Distributed R&D sites and contract-manufacturer satellite plants that want cloud-managed access on one console without an Allied Universal field-services overlay; Verkada, Avigilon Alta, or Brivo is the better fit there.

Key features

Symmetry SR high-assurance access with dual-authentication and biometric-at-the-door for ITAR cells and BSL-2 / BSL-3 containment
Symmetry CONNECT identity management with HR bidirectional integration
Symmetry GUEST visitor management with supplier-engineer escort and certification workflow
Symmetry Business mid-market access control for single-site contract manufacturer
Symmetry video management line
On-prem and Symmetry Business deployment options for ITAR § 120.55 residency
Allied Universal field-services bench bundled under master services agreement
CIP-style critical-infrastructure perimeter logging at scale

Integrations

70+ native. Notable: Microsoft Entra ID, Workday, SAP SuccessFactors, AlertEnterprise Guardian, Genetec Federation, Milestone XProtect.

Target size

500 to 1,00,000 employees · US · Canada · UK · EU · AU

Honeywell Pro-Watch

Honeywell International (Building Technologies) · Founded 1885 · Charlotte, NC, USA

Access control inside a Honeywell-Forge-unified BMS + HVAC + cleanroom-monitoring stack for medical-device plants already on Honeywell.

Opaque pricingG2 4.1 · Capterra 4.2 · 120+ reviews

Summary

Honeywell Pro-Watch is the enterprise access control system inside the broader Honeywell Building Technologies stack, which includes Honeywell Forge (the BMS plus enterprise performance management layer), Honeywell Forge Cybersecurity, and the cleanroom HVAC and particle-counter head-ends that medical-device plants already buy from Honeywell. The medical-device fit is the plant that already runs Honeywell Forge for ISO 14644 cleanroom HVAC, differential pressure, particle counting, and 21 CFR Part 11 audit-trail evidence: Pro-Watch lets the access control system live in the same tenant. Honeywell also acquired LenelS2 from Carrier on April 2 2024, which means the Honeywell portfolio now spans Pro-Watch (mid-market enterprise) plus LenelS2 OnGuard (top-tier enterprise) plus LenelS2 NetBox (mid-market). The weakness is that the dual-product reality (Pro-Watch and OnGuard) inside one parent creates a roadmap-ambiguity dynamic for medical-device customers picking between them.

Strengths

Native Honeywell Forge BMS integration for ISO 14644 cleanroom HVAC, differential pressure, particle counting, and 21 CFR Part 11 audit-trail evidence in one tenant
Medical-device plant already on Honeywell BMS + HVAC + cleanroom head-end gets access control in the same vendor tenant; one Honeywell account team
NASDAQ:HON public-company stability (~$135B market cap May 2026); no PE renewal-pressure dynamic
Mature integration with Honeywell Experion DCS for combination-product process-control plants
Mercury-board open hardware compatibility preserves medical-device capex across HID, Allegion, Idemia, and Suprema reader fleets
GSA Schedule-listed; right shape for medical-device makers under Defense Health Agency or BARDA contracts

Weaknesses

Dual-product reality inside Honeywell (Pro-Watch mid-market plus LenelS2 OnGuard top-tier plus LenelS2 NetBox mid-market) creates a roadmap-ambiguity dynamic for medical-device customers picking between them post-April 2 2024
Pricing is opaque; mid-market medical-device deployments typically land in the $75-150K/yr band before BMS and HVAC head-end spend
Implementation is integrator-heavy; expect 4-6 month deployment with a named Honeywell Channel Partner
On-prem-leaning architecture; the Forge-unified cloud option is newer than Verkada or Avigilon Alta and trails on cloud-native polish
Smaller G2 + Capterra review volume than Lenel S2 or Genetec; medical-device reference calls happen through the Honeywell account team
Pro-Watch reporting customisation is time-consuming per G2 reviewers; less out-of-the-box than Verkada Command

Best for

Medical-device plants already running Honeywell BMS + HVAC + cleanroom head-end where one Honeywell account team for access, BMS, and cleanroom monitoring is the procurement-simplifying win; Defense Health Agency or BARDA contract holders that need a GSA Schedule vendor for the access platform.

Worst for

Medical-device sites not on Honeywell BMS; the Forge convergence story does not apply and Pro-Watch competes head-to-head with Lenel S2 OnGuard without the BMS-overlap advantage.

Key features

Native Honeywell Forge BMS integration for ISO 14644 cleanroom HVAC, differential pressure, and particle counting
21 CFR Part 11 audit-trail evidence on every badge swipe in the same tenant as the BMS
Honeywell Experion DCS integration for combination-product process-control plants
Mercury-board open hardware compatibility (HID, Allegion, Idemia, Suprema)
GSA Schedule-listed for Defense Health Agency and BARDA contract holders
On-prem and Forge-unified cloud deployment options
Pro-Watch Intelligent Command operator workflow
Cross-vendor federation with Lenel S2 OnGuard and AMAG Symmetry under the Honeywell portfolio

Integrations

90+ native. Notable: Honeywell Forge, Honeywell Experion DCS, Microsoft Entra ID, AlertEnterprise Guardian, Lenel S2 OnGuard (cross-vendor federation), Milestone XProtect.

Target size

500 to 2,50,000 employees · Global

Avigilon Alta

Motorola Solutions (NYSE: MSI) · Founded 2004 · Chicago, IL, USA (Motorola Solutions HQ)

Cloud-native VMS + access for distributed medical-device sites preserving Avigilon camera capex.

Opaque pricingG2 4.4 · Capterra 4.4 · 250+ reviews

Summary

Avigilon Alta is the cloud-native suite launched in 2023 that combined the former Openpath cloud access acquired July 2021 and the former Ava Security cloud video acquired August 2021 with the Avigilon AI analytics heritage from the 2018 Motorola Solutions acquisition. The medical-device fit is distributed medical-device sites that already own Avigilon-branded cameras and want a cloud-managed VMS plus access on a serverless architecture without retiring the camera capex. Motorola APX dispatch-radio integration plus CommandCentral CAD integration extend to public-safety adjacency at federal-contract medical sites. The weakness is that the cloud-native architecture is a buyer-trap for ITAR § 120.55 controlled-data residency and CMMC 2.0 Level 2 CUI handling that requires on-prem; Avigilon Unity On-Premise is the hybrid pair but trails Lenel S2 OnGuard and Genetec Security Center on on-prem maturity.

Strengths

Cloud-native serverless suite combining cloud cameras + cloud access + AI analytics on one console
Preserves Avigilon camera capex for medical-device networks already deployed on Avigilon-branded hardware
Motorola APX dispatch-radio integration plus CommandCentral CAD for public-safety adjacency at federal-contract medical sites
AI Search and Appearance Search analytics for incident investigation across distributed medical-device sites
Alta Cloud plus Unity On-Premise hybrid for sites that need on-prem residency at the headquarters plant
NYSE:MSI Motorola Solutions parent stability; GSA Schedule-listed for federal medical-device contract holders
ISC West 2026 GenAI roadmap including Avigilon Intercom Touch and expanded AI analytics

Weaknesses

Cloud-native architecture is a buyer-trap when ITAR § 120.55 controlled-data residency or CMMC 2.0 Level 2 CUI handling requires on-prem; Avigilon Unity On-Premise pair trails Lenel S2 OnGuard and Genetec on on-prem maturity
Two-product reality (Alta cloud plus Unity on-prem) creates a roadmap-ambiguity dynamic for medical-device customers picking between them
Smaller medical-device reference base than Lenel S2 or Genetec; distributed-site-leaning, not headquarters-implant-plant-leaning
Openpath + Ava unification under Alta is still consolidating; some 2023-2024 customers report feature-parity gaps versus the standalone Openpath product
Per-camera and per-door pricing is published through Motorola resellers, not on a public pricing page; less transparent than Verkada or Brivo
AI analytics depth trails Verkada on-camera analytics for some use cases per G2 reviewers

Best for

Distributed medical-device sites already deployed on Avigilon-branded cameras that want cloud-managed VMS plus access without retiring the camera capex; federal-contract medical-device makers under Defense Health Agency or BARDA contracts that need Motorola APX radio adjacency.

Worst for

Top-50 medical-device headquarters with ITAR-segregated cells, ISO 14644 Class 5 sterile-pack lines, and CMMC 2.0 Level 2 CUI handling that requires controller-level on-prem high-assurance access; Genetec Security Center, Lenel S2 OnGuard, or AMAG Symmetry SR is the better fit there.

Key features

Cloud-native serverless VMS + access on one console
Avigilon AI Search and Appearance Search analytics
Alta Cloud plus Unity On-Premise hybrid for on-prem residency
Motorola APX dispatch-radio integration
Motorola CommandCentral CAD integration for public-safety adjacency
Mobile credentials and cloud-managed access
ISC West 2026 GenAI roadmap and Avigilon Intercom Touch
GSA Schedule-listed for federal-contract medical-device makers

Integrations

60+ native. Notable: Microsoft Entra ID, Okta, AlertEnterprise Guardian, Motorola APX P25 radio, Motorola CommandCentral CAD, ServiceNow.

Target size

100 to 1,00,000 employees · US · Canada · UK · EU · AU · APAC

Milestone XProtect

Milestone Systems (Canon subsidiary) · Founded 1998 · Brondby, Denmark

Open-platform VMS supporting heterogeneous medical-device campus camera fleets inherited through M&A.

Partial pricingG2 4.4 · Capterra 4.5 · 380+ reviews

Summary

Milestone Systems ships XProtect, the open-platform Video Management System that supports 8,000+ devices across Axis, Bosch, Hanwha, Pelco, Sony, and other manufacturers. Canon has owned Milestone since 2014. The medical-device fit is the network that grew through merger and inherited Axis, Bosch, Hanwha, and Pelco camera fleets at the headquarters plant, the IVD reagent plant, the implant production plant, and the supplier sites; XProtect lets the security operations centre consolidate on one VMS without retiring the camera capex. XProtect 2026 R1 added long-term cloud video storage, scheduled reporting, and a WebSocket PTZ API plus chain-of-custody export for FDA inspection subpoenas, EU notified-body audit requests, and DDTC compliance reviews. The weakness is that XProtect is a VMS only; pair with an access control system from Lenel S2, Genetec, AMAG, or Brivo.

Strengths

Widest camera and sensor compatibility (8,000+ devices) of any VMS in this ranking; preserves medical-device camera capex across Axis, Bosch, Hanwha, Pelco, Sony
XProtect 2026 R1 added long-term cloud video storage, scheduled reporting, WebSocket PTZ API, and chain-of-custody export for FDA inspection subpoenas, EU notified-body audit requests, and DDTC compliance reviews
Canon-owned stability since 2014; no PE renewal-pressure dynamic
Free XProtect Essential+ tier for the smallest contract-manufacturer satellite sites (up to 8 cameras)
600+ third-party integration marketplace covering analytics, intercom, intrusion, and access control
On-prem and cloud deployment options; on-prem residency for ITAR § 120.55 and CMMC 2.0 Level 2 compliance at the headquarters plant
Strong reference base in mixed-vendor medical-device networks where Avigilon-only or Verkada-only deployment is not an option

Weaknesses

VMS only; pair with an access control system from Lenel S2, Genetec, AMAG, Honeywell Pro-Watch, Avigilon Alta, Verkada, or Brivo
Implementation is integrator-heavy at scale; expect 4-6 month deployment with a named Milestone Solution Partner
Cloud-native maturity trails Verkada and Avigilon Alta despite XProtect 2026 R1 cloud-storage additions
Reporting customisation is time-consuming per G2 reviewers; less out-of-the-box than Verkada Command
Smaller G2 + Capterra review volume than Verkada despite the wider camera compatibility
Per-channel licensing scales with camera count; consolidation across 30+ medical-device sites with mixed camera fleets needs careful licence modeling

Best for

Medical-device networks that grew through merger and inherited heterogeneous camera fleets across Axis, Bosch, Hanwha, Pelco, and Sony; medical-device security operations centres that want to consolidate on one VMS without retiring camera capex; contract manufacturers with the smallest satellite sites that need the free Essential+ tier.

Worst for

Single-vendor camera networks already standardised on Avigilon (Avigilon Alta is the integrated VMS plus access pair) or Verkada (Verkada cameras only run on Verkada Command); over-built for an emerging medtech with 1-3 R&D sites.

Key features

Open-platform VMS with 8,000+ supported devices
XProtect 2026 R1 long-term cloud video storage
Scheduled reporting and chain-of-custody export for FDA, notified-body, and DDTC review
WebSocket PTZ API for custom integrations
Free Essential+ tier for the smallest contract-manufacturer satellite sites
600+ third-party integration marketplace
On-prem and cloud deployment options for ITAR + CMMC residency
Cross-vendor federation with Lenel S2, Genetec, AMAG, Honeywell Pro-Watch, and AlertEnterprise Guardian

Integrations

600+ native. Notable: Axis Communications, Bosch Security Systems, Hanwha Vision, Microsoft Entra ID, AlertEnterprise Guardian, Lenel S2 OnGuard, Genetec Federation, AMAG Symmetry.

Target size

50 to 2,50,000 employees · Global

Radar score

Pricing

Essential+ (free up to 8 cameras)Contact sales
Up to 100 employees
- · Free XProtect Essential+ tier
- · Up to 8 cameras
- · Community support
Express+ (per channel)Contact sales
- · Per-channel licensing through Milestone Solution Partners
- · Standard support
- · On-prem deployment
Corporate enterprise (est.)Contact sales
- · XProtect Corporate multi-site enterprise
- · Long-term cloud video storage
- · Scheduled reporting and chain-of-custody export
- · Premium support
- · Solution Partner integrator

Watch for

· Per-channel licensing scales with camera count across multi-site rollups
· Long-term cloud video storage tier upcharges
· Implementation services 20-30% of first-year licence (integrator-heavy)

Milestone publishes XProtect tier feature comparisons publicly; pricing varies through Solution Partners. Free Essential+ tier for the smallest sites is a category outlier.

#10

Brivo

Brivo, Inc. · Founded 1999 · Bethesda, MD, USA

Per-door published-pricing cloud access for emerging medtech, startup IVD makers, and contract-manufacturer satellite sites.

Public pricingG2 4.4 · Capterra 4.3 · 220+ reviews

Summary

Brivo ships a cloud-native access control platform with published $13.50/door/month pricing (per Acre Security and Vendr triangulations as of May 2026), SOC 2 Type II + ISO/IEC 27001:2022 + GDPR certifications, and an open API plus Eagle Eye Networks video pairing. The company went public via SPAC in 2023 (NASDAQ: BRIV). The medical-device fit is emerging medtech, startup IVD makers, and contract-manufacturer satellite sites that need cloud access at three R&D sites without standing up a PACS server farm and without a multi-year integrator engagement. The weakness is that Brivo is not a high-assurance access platform; ITAR § 120.55 controlled-area dual-control logging is not the design point, and on-prem residency for CMMC 2.0 Level 2 CUI handling is not supported on the cloud-only architecture.

Strengths

Published $13.50/door/month per Acre Security and Vendr; the cleanest TCO anchor in this ranking
SOC 2 Type II + ISO/IEC 27001:2022 + GDPR certifications; HIPAA-aligned deployment for combination-product clinical-trial-material warehouses
Cloud-native architecture with no on-prem PACS servers at the satellite site
Open API plus Eagle Eye Networks video pairing for cameras-plus-access on one console at distributed sites
NASDAQ:BRIV public-company stability post-2023 SPAC; no PE renewal-pressure dynamic
Mobile credentials included at the published per-door price; no add-on fee
Right shape for emerging medtech with 1-5 R&D sites that needs cloud access without a multi-year integrator engagement

Weaknesses

Not a high-assurance access platform; ITAR § 120.55 controlled-area dual-control logging at the controller-level is not the design point
Cloud-only architecture is a buyer-trap when ITAR § 120.55 controlled-data residency or CMMC 2.0 Level 2 CUI handling requires on-prem or single-tenant deployment for the access-control system itself
Smaller medical-device reference base than Lenel S2 or Genetec; SMB-medtech leaning, not headquarters-implant-plant-leaning
Limited cleanroom particle-counter and BMS integration; cleanroom-event evidence comes from Honeywell Forge or Siemens Desigo, not from Brivo
Not a VMS; pair with Eagle Eye Networks, Verkada, or Milestone XProtect for cameras
Smaller G2 + Capterra review volume in medical-device physical security specifically than Verkada

Best for

Emerging medtech, startup IVD makers, contract-manufacturer satellite sites, and medical-device R&D campuses with 1-5 sites that need cloud access at the published per-door price without standing up a PACS server farm and without a multi-year integrator engagement.

Worst for

Top-50 medical-device headquarters with ITAR-segregated cells, ISO 14644 Class 5 sterile-pack lines, and CMMC 2.0 Level 2 on-prem residency requirements; Lenel S2 OnGuard, Genetec Synergis, or AMAG Symmetry SR is the better fit there.

Key features

Cloud-native access control with published $13.50/door/month pricing
SOC 2 Type II + ISO/IEC 27001:2022 + GDPR certifications
Mobile credentials included at the published per-door price
Open API plus Eagle Eye Networks video pairing
Cloud-managed access without on-prem PACS servers
HIPAA-aligned deployment for combination-product clinical-trial-material warehouses
NASDAQ:BRIV public-company stability post-2023 SPAC
Site-rollup management across emerging medtech R&D sites and contract-manufacturer satellite plants

Integrations

50+ native. Notable: Eagle Eye Networks, Microsoft Entra ID, Okta, Google Workspace, Slack.

Target size

20 to 5,000 employees · US · Canada · UK · EU

Step by step

Buying guide

Walk these steps in order. The shortlist falls out of step 1, the negotiation moves come together in step 6, and step 8 closes the deal.

Name the primary regulatory surface in one sentence

Before you shortlist, write down the one regulatory surface you absolutely must defend. Examples: pass an FDA Form 483 medical-device facility-access inspection across 12 plants under the new February 2 2026 QMSR; survive a notified-body MDR or IVDR surveillance audit at the sterile-pack production cleanroom; close a DDTC compliance review at the ITAR-segregated defense-medical production cell; pass a DCMA Industrial Security Specialist site visit under CMMC 2.0 Level 2; close a quarterly supplier-qualification site-visit cycle under § 820.50 and ISO 13485 § 7.4. The shortlist falls out of the one-sentence answer.

Match the shortlist to your plant count and budget band

Filter the ten platforms here by plant count and budget. Emerging medtech with 1-5 R&D sites and a $25-60K budget rules out everything except Brivo cloud access, Verkada cameras, and a RiskWatch Standard tier. Mid-market contract manufacturer with 5-15 plants and a $150-400K budget filters in Verkada plus Avigilon Alta plus Lenel S2 NetBox plus a RiskWatch Professional tier. Top-50 global medical-device with 15-30+ plants and a $1-3M budget filters in Lenel S2 OnGuard or Genetec Security Center plus AMAG Symmetry SR or Honeywell Pro-Watch plus AlertEnterprise Guardian PIAM plus Milestone XProtect plus a RiskWatch Enterprise tier.

Walk the cleanroom and the ITAR-segregated cell

If your facility manufactures sterile or implantable devices, walk the cleanroom with the quality-engineering lead and confirm the ISO 14644 classification (Class 5 critical zone, Class 7 / 8 background), the interlocked-door logic between zones, and the differential-pressure plus particle-counter alarming. If your facility holds ITAR-controlled defense-medical articles, walk the segregated production cell with the empowered DDTC official and confirm the dual-control opening procedure, the handler-eligibility roster under DDTC registration, and the controlled-data residency under § 120.55. The access control platform choice falls out of the walk: Genetec Synergis, Lenel S2 OnGuard, AMAG Symmetry SR, or Honeywell Pro-Watch are the four high-assurance fits.

Pressure-test on-prem residency for ITAR and CMMC 2.0

If any medical-device site holds ITAR-controlled defense-medical articles or CMMC 2.0 Level 2 CUI under a Defense Health Agency contract, the access control system needs on-prem or single-tenant deployment for the controlled-data residency requirement. Cloud-only platforms (Verkada cloud, Brivo, Avigilon Alta Cloud) are a buyer-trap at sites that require on-prem. The on-prem fits are Lenel S2 OnGuard, Genetec Security Center on-prem, AMAG Symmetry on-prem, Honeywell Pro-Watch on-prem, Milestone XProtect on-prem, and Avigilon Unity. Ask each vendor for the CMMC 2.0 Level 2 assessment-readiness package and the on-prem deployment topology.

Build the supplier-audit workflow before signing

21 CFR § 820.50 and ISO 13485 § 7.4 require on-site evaluation of every critical supplier. The medical-device manufacturer typically runs 20-100 supplier audits per year across sterilisation contractors, electronic component vendors, raw material suppliers, and contract test labs. The platform requirement is offline mobile site-walk capability (because supplier sites often have no cellular signal), structured evidence capture against the ISO 13485 § 7.4 supplier-qualification checklist, sync-on-reconnect, and a findings-to-remediation workflow. Ask each finalist for a working pilot at one supplier site before signing. RiskWatch is the only platform in this ranking with offline mobile supplier-audit capability pre-mapped to § 820.50 and § 7.4.

Ask each vendor for the renewal-escalator cap in writing

Renewal-pricing pressure is the silent budget killer in this category. PE-owned vendors (AMAG under Allied Universal, Lenel S2 under Honeywell after the Carrier carve-out) historically signal 8-12% annual uplift pressure. Public-company vendors (Verkada, Avigilon under Motorola Solutions NYSE: MSI, Brivo NASDAQ:BRIV, Honeywell NYSE: HON, Canon-owned Milestone) are more stable but still price-uplift. Independent founder-led Genetec is the rare exception. Ask for the renewal-escalator cap in the master subscription agreement and walk if the vendor refuses.

Insist on a 30-day working pilot at one plant

Demos are choreographed. Working pilots are not. Ask each finalist for a 30-day pilot with one plant and real data: one ITAR-segregated cell, one ISO 14644 Class 5 implant line, one ISO 14644 Class 7 sterile-pack background, one loading-dock cargo cage, and one supplier-audit site walk. The platform that handles your data without three weeks of professional services is the one that will scale post-deal. RiskWatch offers a 30-day no-card free trial; insist on the equivalent from each access control and VMS finalist.

Pressure-test the data residency and exit clause

Medical-device physical-security data is sensitive: badge swipes into an ITAR-segregated production cell, video footage of an ISO 14644 Class 5 implant line, supplier-audit findings under § 820.50, and notified-body audit-trail evidence are inputs to an FDA Form 483 response, a notified-body MDR / IVDR surveillance action, or a DDTC compliance review. Ask each vendor: where does my data live, who can access it, and what happens to it if I leave? RiskWatch supports single-tenant deployment with US-only or EU-only data residency. Cloud-first vendors (Verkada, Brivo, Avigilon Alta) are multi-tenant; that is fine if the SOC 2 + ISO 27001 reports hold up to your TPRM team's review and if no ITAR or CMMC 2.0 controlled data flows through the platform. Get the exit clause in writing: data export format, retention period after termination, and price.

Frequently asked

Buyer questions, answered

The eight questions our pre-sales team hears the most often when buyers compare this category.

What physical security frameworks does a medical device manufacturer need to cover in 2026?

A medical device manufacturer in 2026 needs to cover the February 2 2026 transition from 21 CFR Part 820 Quality System Regulation to 21 CFR Part 4 Quality Management System Regulation with ISO 13485:2016 incorporated by reference, ISO 13485:2016 § 6.4 work environment and contamination control, ISO 14971:2019 risk management application to medical devices, ISO 14644-1:2015 cleanroom classification at Class 5 / 6 / 7 / 8 for sterile-pack and implant production, EU MDR Regulation 2017/745 manufacturer facility controls, EU IVDR Regulation 2017/746 for in vitro diagnostics, ITAR 22 CFR Parts 120-130 with § 120.55 controlled-data physical-security requirements for defense-medical, EAR 15 CFR Parts 730-774 with § 734.18(a)(5) for export-controlled hardware, NIST SP 800-171 r3 § 3.10 plus CMMC 2.0 Level 2 PE for medical-device makers under Defense Health Agency contracts, and the supplier-qualification site-visit program under 21 CFR § 820.50 and ISO 13485 § 7.4. RiskWatch ships pre-built libraries for every one of those in one tenant; AlertEnterprise Guardian, Genetec, Lenel S2, AMAG, Honeywell Pro-Watch, Verkada, Avigilon Alta, Milestone, and Brivo cover the access control and video sides of the program but do not ship the framework controls themselves.

How does the February 2 2026 QMSR transition change the physical security software brief?

The FDA Quality Management System Regulation Final Rule (89 FR 7496 published February 2 2024) consolidated 21 CFR Part 820 into 21 CFR Part 4 with ISO 13485:2016 incorporated by reference and a 2-year compliance window ending February 2 2026. The practical impact on physical security software is that the medical-device manufacturer evidence pack now reads against ISO 13485 § 6.4 work environment and contamination control, § 7.4 purchasing controls with on-site supplier evaluation, and § 7.5.5 particular requirements for sterile medical devices rather than the former Part 820 § 820.70 environmental control language. The control intent is materially unchanged but the audit map is different. RiskWatch ships pre-built libraries for both the legacy 21 CFR Part 820 QSR and the new 21 CFR Part 4 QMSR with ISO 13485:2016 mapped side-by-side so customers in transition have both audit paths covered.

How does ISO 14644 cleanroom classification affect access control platform choice for sterile-pack and implant production?

ISO 14644-1:2015 classifies cleanrooms Class 1 through Class 9 by particle count per cubic metre. Medical-device sterile-pack production typically runs ISO Class 7 background (formerly Class 10,000) or Class 8 background (formerly Class 100,000); implantable device production typically runs ISO Class 5 (formerly Class 100) in the critical zone with ISO Class 7 background. The platforms that natively model the Class 5 / Class 7 / Class 8 hierarchy and the interlocked-door logic between zones are Genetec Restricted Security Area Surveillance, Lenel S2 OnGuard, AMAG Symmetry SR, and Honeywell Pro-Watch (the last especially when paired with Honeywell Forge for particle-counter telemetry). Cloud-only platforms like Verkada, Brivo, and Avigilon Alta Cloud are weaker fits for ISO 14644 critical-zone access because the validated-environment requirement under 21 CFR Part 11 plus the notified-body MDR / IVDR audit often requires on-prem or single-tenant deployment.

How much should a medical device manufacturer budget for physical security software in 2026?

Budget bands for medical device physical security software in 2026: emerging medtech with 1-5 R&D sites runs $25-60K per year on Brivo cloud access plus Verkada cameras plus a RiskWatch Standard tier on top. Mid-market contract manufacturer with 5-15 plants and ISO 14644 Class 7 / 8 sterile-pack lines runs $150-400K per year across cloud access, on-prem PACS at the headquarters plant, VMS, and a RiskWatch Professional tier. Top-50 global medical-device makers with 15-30+ plants, ISO 14644 Class 5 implant lines, ITAR-segregated defense-medical cells, and biothreat-IVD BSL-3 containment runs $1-3M per year across Lenel S2 OnGuard or Genetec Security Center, AMAG Symmetry SR or Honeywell Pro-Watch, AlertEnterprise Guardian PIAM, Milestone XProtect VMS, and a RiskWatch Enterprise tier. Always model 3-year TCO and ask for the renewal-escalator cap in writing.

How does ITAR 22 CFR 120-130 affect physical security for defense-medical manufacturers (battlefield trauma kits, military prosthetics, biothreat IVDs)?

ITAR 22 CFR Parts 120-130 applies to defense articles and defense services on the US Munitions List. Defense-medical products that fall under ITAR include battlefield trauma surgical kits, military prosthetics, IVD kits for biothreat detection, FDA-cleared field transfusion kits, and military-spec autoinjectors. The physical-security requirements at ITAR § 120.55 (controlled-data definition, replacing the former § 120.10 technical data definition) require controlled-area access with documented handler eligibility under DDTC registration, dual-control opening procedures at the controlled-area boundary, badge-swipe audit-trail evidence for handler entries and exits, and on-prem or single-tenant deployment for the access-control system itself (cloud-only platforms are a buyer-trap). The platforms that fit are Lenel S2 OnGuard, Genetec Synergis on-prem, AMAG Symmetry SR, and Honeywell Pro-Watch on-prem. Pair with AlertEnterprise Guardian for handler-eligibility tracking and RiskWatch for the ITAR § 120.55 control library.

How does the supplier-qualification site-visit program under § 820.50 and ISO 13485 § 7.4 affect physical security software choice?

21 CFR § 820.50 and ISO 13485 § 7.4 require the medical device manufacturer to conduct on-site evaluations of critical suppliers (sterilisation contractors, electronic component vendors, raw material suppliers, contract sterilisers, contract test labs). Each site visit is documented physical-security evidence the FDA inspector and the notified-body auditor will ask for at the surveillance audit. The platform requirement is offline mobile site-walk capability (because supplier sites often have no cellular signal or visitor Wi-Fi), structured evidence capture against the ISO 13485 § 7.4 supplier-qualification checklist, sync-on-reconnect, and a findings-to-remediation workflow that ties the supplier-audit finding to the supplier-corrective-action and the proof-of-close evidence. RiskWatch is the only platform in this ranking that ships offline mobile supplier-audit capability with the § 820.50 + § 7.4 control library pre-mapped.

How often is this ranking re-verified?

We re-verify the ratings, pricing triangulations, and material vendor news on this page every quarter. The current pull is dated 2026-05-15. Pricing for opaque vendors is triangulated from two or more public third-party sources (Acre Security, Vendr, SmartSuite, SoftwareAdvice, SelectHub, GetApp). If a number on this page is stale when you read it, please file the correction at sales@riskwatch.com.

Does RiskWatch accept any money from the other vendors on this page?

No. RiskWatch accepts no affiliate fees, sponsorship money, or paid placements on this page. RiskWatch is also on the page, at #1. Readers should weigh that disclosure against the published evidence on this page.

Definitions

Glossary

Definitions for the acronyms and jargon used on this page. Useful for sharing with non-specialist stakeholders on the buying committee.

QMSR: Quality Management System Regulation at 21 CFR Part 4. The FDA Final Rule (89 FR 7496 February 2 2024) that replaces 21 CFR Part 820 Quality System Regulation effective February 2 2026 and incorporates ISO 13485:2016 by reference. Harmonises US medical-device quality requirements with the international standard.
ISO 13485:2016: The international standard Medical devices Quality management systems Requirements for regulatory purposes. § 6.4 covers work environment and contamination control, § 6.4.2 contamination control for sterile devices, § 7.4 purchasing controls and supplier qualification, § 7.5.5 particular requirements for sterile medical devices, § 7.5.7 validation of processes for sterilisation. Incorporated by reference into the new QMSR at 21 CFR Part 4.
ISO 14644 cleanroom classification: ISO 14644-1:2015 classifies cleanrooms Class 1 through Class 9 by particle count per cubic metre. Class 5 (formerly Class 100) is the critical zone for implant production. Class 7 (formerly Class 10,000) is typical sterile-pack background. Class 8 (formerly Class 100,000) is typical aseptic-fill background. ISO 14644-2 covers monitoring frequency and ISO 14644-3 covers test methods.
EU MDR + IVDR: EU Medical Device Regulation 2017/745 and EU In Vitro Diagnostic Regulation 2017/746. Manufacturer facility controls fall under Annex IX Conformity Assessment Based on a Quality Management System, Annex X Type-Examination, and Annex XI. Notified-body unannounced audits under MDR Article 52 include on-site verification of facility controls.
ITAR § 120.55: International Traffic in Arms Regulations 22 CFR § 120.55 controlled-data definition (replacing the former § 120.10 technical data definition). Requires controlled-area physical security at the medical-device manufacturer when defense articles or defense services are on the premises, including battlefield trauma kits, military prosthetics, biothreat-detection IVDs, and military-spec autoinjectors.
CMMC 2.0 Level 2 PE: Cybersecurity Maturity Model Certification 2.0 Level 2 Physical Protection domain, mapped to NIST SP 800-171 r3 § 3.10 Physical Protection. Required for medical-device manufacturers in the Defence Industrial Base under DFARS 252.204-7012 holding controlled unclassified information (CUI) from Defense Health Agency or DoD contracts.
PIAM: Physical Identity and Access Management. The category of platform that bridges HR systems (Workday, SAP SuccessFactors, Oracle HCM, ISO 13485 training records), the identity store (Active Directory, Microsoft Entra ID), and the Physical Access Control System (Lenel S2, Genetec, CCURE, Pro-Watch, AMAG). AlertEnterprise Guardian is the named G2 Spring 2026 Grid Leader.

Final word

So which one should you pick?

If you read this page top to bottom and one platform stood out, that is your answer. The methodology is on this page so you can disagree with the rank and arrive at a different first pick honestly. We did not move our own product down the page to look unbiased; we did not move it up the page to sell the brief. The position reflects our weights and the public evidence on the February 2 2026 transition from 21 CFR Part 820 QSR to 21 CFR Part 4 QMSR with ISO 13485:2016 incorporated by reference, ISO 14644 cleanroom classification at Class 5 / 7 / 8 for sterile-pack and implant production, EU MDR 2017/745 and IVDR 2017/746 manufacturer facility controls, ITAR 22 CFR 120-130 controlled-data physical security for defense-medical, CMMC 2.0 Level 2 PE for Defense Health Agency contract holders, and the supplier- qualification site-visit program under § 820.50 and ISO 13485 § 7.4.

The one thing every medical-device physical security officer should do, regardless of which vendor wins your bake-off, is to insist on a 30-day working pilot at one plant with real data (one ITAR-segregated production cell, one ISO 14644 Class 5 implant line, one ISO 14644 Class 7 sterile-pack background, one loading-dock cargo cage, and one offline supplier-audit site walk under § 820.50), a renewal-escalator cap in writing, and a documented exit clause that covers video clip export format, badge-swipe audit-trail export under 21 CFR Part 11, supplier-audit finding export, and retention period. The medical-device security officers we see lose three-year deals always lose them on those three terms, not on feature coverage. If you run a top-50 global medical-device maker with implant and IVD reagent and defense-medical scope, decide between AlertEnterprise Guardian and a custom Lenel S2 OnGuard plus Genetec Synergis Federation deployment before you select the VMS vendor.

If you would like the RiskWatch demo or a 30-day no-card trial, sign up at riskwatch.com/start-free-trial. If you would like a no-strings second opinion on one of the other nine, email sales@riskwatch.com with the vendor name in the subject line and we will share what we know. If you want the pharma-physical-security sibling ranking, see /top-10-physical-security-software-for-pharmaceuticals/; for the TVRA-first cut across all industries, see /top-10-physical-security-assessment-software/.