Case studyFortune 100: 80% less compliance workRead the Story
RiskWatch
Updated May 15, 2026 · 10 platforms evaluated

Top 10 Physical Security Software for Oil and Gas in 2026: A Buyer-First CFATS, TSA Pipeline, MTSA, and BSEE Ranking

Honest 2026 ranking of the 10 best physical security software platforms for oil and gas covering CFATS RBPS, TSA Pipeline SDs, MTSA offshore, BSEE SEMS, and ISA/IEC 62443.

By RiskWatch Editorial · Oil and Gas Physical Security and CFATS Software Research

Verdict

TL;DR

If you run physical security for an oil and gas operator covering upstream wellheads and compressor stations, midstream pipelines and terminals under TSA SD-Pipeline-2021-01 and 2021-02 series, downstream refineries and tank farms under DHS CFATS Risk-Based Performance Standards, MTSA marine terminals under 33 CFR Part 105 with TWIC, and offshore platforms under BSEE SEMS in 30 CFR Part 250 Subpart S, RiskWatch ranks first on our weighted score because it ships API Standard 780 + API RP 781 + DHS CFATS RBPS + TSA Pipeline Security Guidelines + MTSA 33 CFR Part 105 + BSEE SEMS + ISA/IEC 62443-2-1 + NIST 800-53 PE + ASIS Facility Physical Security Control Standards as pre-built libraries in one tenant with offline mobile site walks at remote wellheads and four crime-data feeds. AlertEnterprise Guardian is the strongest pick when TWIC + Lenel + Pro-Watch + CCURE PIAM convergence at marine terminals and refineries is the primary risk surface; Honeywell Pro-Watch is the default PACS when the refinery, LNG terminal, or offshore platform is already running Experion DCS for process control and the security stack converges with HVAC, fire and gas, and emergency shutdown; Senstar owns perimeter intrusion detection at remote wellheads, compressor stations, and tank-farm perimeters where fence-line sensing has to survive on satcom or cellular telemetry. Pick by what a CISA chemical security inspector or a USCG facility security officer is going to read at the next inspection cycle, not by vendor demo polish: eight of the ten platforms here will not publish a price.

Pick by use case

Where each platform fits

Multi-site CFATS + TSA Pipeline + MTSA + BSEE TVRA + multi-framework GRC coverage
RiskWatch: API 780 + API RP 781 + CFATS RBPS + TSA Pipeline SD-2021-01 + SD-2021-02 + MTSA 33 CFR 105 + BSEE SEMS + ISA/IEC 62443 + NIST 800-53 PE + ASIS pre-mapped in one tenant; four crime-data feeds; offline mobile site walks at remote wellheads and compressor stations; single-tenant deployment for sensitive security information handling.
TWIC + PIAM convergence across HR, AD, and PACS at MTSA marine terminals and refineries
AlertEnterprise Guardian: G2 Spring 2026 Grid Leader for Physical Security (March 22 2026); deepest Lenel S2 + Honeywell Pro-Watch + Software House CCURE + Genetec Synergis integration; TWIC 33 CFR 101.515 enrolment and revocation workflow; contractor badge expiration tied to HR termination at refinery and tank-farm scale.
PACS with Experion DCS convergence at refineries, LNG terminals, and offshore platforms
Honeywell Pro-Watch: Honeywell Building Technologies PACS with mature install base at refineries, LNG export terminals, and offshore platforms; integration with Honeywell Experion DCS used in process control rooms; convergence with HVAC, fire and gas, and emergency shutdown under one Honeywell stack.
Unified VMS + access + ALPR at refineries, tank farms, and CFATS Tier 1 sites
Genetec Security Center: Industry standard for unified video, access control, ALPR, and intrusion at refinery and tank-farm scale; per-channel and per-door SaaS pricing published; AutoVu ALPR for refinery gate truck-in/truck-out logging; federated multi-site architecture maps to upstream + midstream + downstream rollups.
Fence-line perimeter intrusion at remote wellheads, compressor stations, and tank farms
Senstar: LM100 perimeter intrusion + deterrence luminaire with built-in accelerometer for cut, climb, lift; FlexZone cable-based fence sensor; FiberPatrol FP1150 fiber-optic for long perimeters at midstream pipeline compressor stations and tank-farm berms; integrator-deployed in upstream produce-water and downstream refinery perimeters.
PACS at refineries and CFATS chemical sites with deep legacy install base
Lenel S2: Honeywell-owned (Carrier divestiture completed April 2 2024) PACS with deep refinery and chemical-plant install base; OnGuard supports CFATS RBPS 7 access control logging at scale; LenelS2 NetBox covers smaller upstream produce-water and tank-farm administrative offices.
Cloud-native unified VMS + access for distributed wellhead and pump station footprints
Avigilon Alta: Motorola Solutions cloud-native suite combining former Openpath access control and Ava Security video on a serverless architecture; AI analytics; right shape for thousands of upstream wellheads, midstream pump stations, and unmanned compressor stations without on-prem server stack per site.
Open-platform VMS for heterogeneous camera estates at upstream and midstream
Milestone XProtect: Widest camera and sensor compatibility (8,000+ devices); XProtect 2026 R1 added long-term cloud video storage and scheduled reporting; Canon-owned stability; hardware-agnostic for operators that inherited Axis, Bosch, Hanwha, and Pelco fleets across decades of upstream and midstream procurement.
Travel risk + mass notification + duty-of-care for offshore platforms and expat field crews
OnSolve / Crisis24: GardaWorld-owned (OnSolve acquired July 30 2024 and integrated into Crisis24); AI risk intelligence + mass notification + travel risk + ISO 31030 duty-of-care for offshore platform crew change, expat field-service workforces, and geopolitical risk in West Africa, Caspian, and Middle East operations.
Integrator-led CFATS + TSA Pipeline + MTSA advisory + multi-site PACS deployment
Convergint: Global service-based integrator in 30+ countries; 2024 Deloitte alliance for cyber-physical convergence; CFATS RBPS advisory + TSA Pipeline SD deployment + MTSA Facility Security Officer support services; PACS deployment expertise across Lenel S2 + Honeywell Pro-Watch + Genetec + Avigilon at oil and gas scale.

Physical security software for oil and gas is a label that masks six different buying jobs and one geographic reality. Oil and gas security directors come to this category looking for one of six things: a DHS CFATS Risk-Based Performance Standards assessment platform that survives a CISA chemical security inspector at a Tier 1 or Tier 2 chemical facility; a TSA Pipeline Security Guidelines and SD-Pipeline-2021-01 + SD-Pipeline-2021-02 series compliance platform for designated hazardous liquid and natural gas pipelines; a Maritime Transportation Security Act Facility Security Officer platform for marine terminals under 33 CFR Part 105 with TWIC under 33 CFR 101.515; a BSEE Safety and Environmental Management Systems platform for offshore platforms under 30 CFR Part 250 Subpart S; a Physical Identity and Access Management system that ties HR, Active Directory, and the Physical Access Control System together across refinery, tank farm, marine terminal, and offshore badges; or an integrator-led advisory and deployment partner for the multi-year CFATS, TSA, and MTSA compliance cycle. The geographic reality is that upstream wellheads, midstream compressor stations, and offshore platforms operate on satcom, cellular, or no connectivity at all, which forces an offline-first workflow that most general-purpose physical security platforms do not handle. The ten platforms in this ranking serve at least one of those briefs well, and none of them serves all six equally.

We considered 26 platforms across the G2 Spring 2026 Grid for Physical Security, the ASIS Foundation vendor directory, Gartner Peer Insights for video surveillance and PIAM, the American Petroleum Institute Security Subcommittee vendor list, and CFATS practitioner threads. We cut to ten by removing pure-play body-worn cameras and patrol-management tools, excluding TVRA-only platforms with no oil and gas customer base (covered separately at /top-10-physical-security-assessment-software/), excluding OT/ICS cyber detection vendors like Dragos, Nozomi, Claroty, and Industrial Defender (covered at /top-10-risk-management-software-for-utilities/ and adjacent OT-cyber comparisons), and including the perimeter intrusion vendor, the travel risk and mass notification vendor, and the integrator that buyers most commonly shortlist on CFATS, TSA Pipeline, and MTSA cycles. The result is ten platforms a real oil and gas physical security director might shortlist in 2026.

Pricing transparency is poor in this category. Eight of the ten platforms here gate pricing behind a demo or a deployment scope. Genetec publishes Security Center SaaS pricing per channel and per door. RiskWatch publishes Standard and Professional tier prices and gates Enterprise behind a quote because deployment topology and sensitive security information handling vary by site mix. The other eight are quote-only at the enterprise tier. We triangulated the opaque vendors from public third-party teardowns and dated each estimate. Read each card for honest weaknesses on every vendor, RiskWatch included.

At-a-glance

Comparison table

The 10 platforms scored on the methodology weights at the bottom of this page. Pricing-transparency pill is the buyer-honesty signal.

RankProductBest forPricing transparencyG2Verdict
1RiskWatch
RiskWatch International
Integrated oil and gas operators, midstream pipeline companies, refining and marketing companies, and offshore operators running CFATS RBPS + TSA Pipeline SDs + MTSA 33 CFR 105 + BSEE SEMS across 10+ sites in one tenant.Partial4.5/5
60+ reviews
DHS CFATS RBPS 1-18 + TSA Pipeline Security Guidelines + SD-Pipeline-2021-01 series +...
2AlertEnterprise Guardian
AlertEnterprise, Inc.
Major integrated oil and gas operators, midstream pipeline companies, and refining companies where TWIC + CFATS RBPS 7 + MTSA personnel access governance is the primary risk surface and PACS integration matters more than TVRA library breadth.Opaque4.5/5
40+ reviews
G2 Spring 2026 Grid Leader for Physical Security category (announced March 22 2026)
3Honeywell Pro-Watch
Honeywell Building Technologies (NYSE: HON)
Downstream refining and marketing operators, LNG export and import terminals, and offshore platform operators standardizing on a single Honeywell stack across Pro-Watch PACS, Experion DCS, HVAC, and fire and gas.Opaque4.1/5
70+ reviews
Mature install base at downstream refineries, LNG export terminals, offshore...
4Genetec Security Center
Genetec Inc.
Downstream refining operators, large tank-farm operators, and midstream pipeline companies that need a single pane for VMS, ACS, ALPR, and analytics with periodic CFATS or TSA Pipeline assessments layered on via a separate tool.Partial4.4/5
320+ reviews
Industry standard for unified VMS + access control + ALPR + intrusion in one console...
5Senstar
Senstar Corporation
Oil and gas operators running CFATS RBPS 1 or TSA Pipeline SD perimeter intrusion detection at 5+ remote wellheads, compressor stations, tank farms, or CFATS Tier 1 chemical sites who need a fence-line sensor partner under one integrator-led deployment.Opaquen/a
0+ reviews
Purpose-built perimeter intrusion detection and fence-line sensing for industrial...
6Lenel S2
Honeywell International (NYSE: HON)
Downstream refining operators, LNG terminal operators, and CFATS Tier 1 + Tier 2 chemical sites standardizing PACS across high-impact perimeter, control room, and process unit access points.Opaque4.2/5
90+ reviews
Deep refining and chemical-plant install base for OnGuard at CFATS Tier 1 + Tier 2...
7Avigilon Alta
Motorola Solutions
Upstream wellhead fleets, midstream pump station and compressor station fleets, and unmanned-site portfolios where cloud-native serverless architecture lowers per-site IT cost.Opaque4.3/5
150+ reviews
Cloud-native serverless architecture across any number of sites; no on-prem server...
8Milestone XProtect
Milestone Systems
Oil and gas operators with heterogeneous upstream and midstream camera estates assembled over many procurement cycles who want maximum hardware freedom and long-term retention for incident investigations.Opaque4.3/5
220+ reviews
Widest camera and sensor compatibility in the category, hardware-agnostic by design;...
9OnSolve / Crisis24
Crisis24, a GardaWorld company
Integrated oil and gas operators with offshore platforms, expat field-service workforces in Caspian, West Africa, or the Middle East, and a Gulf-Coast refining footprint exposed to hurricane season.Opaque4.4/5
280+ reviews
AI-powered risk intelligence and global Security Operations Centre delivering...
10Convergint
Convergint Technologies LLC
Integrated oil and gas operators and midstream pipeline companies running CFATS RBPS + TSA Pipeline SD cycles who want a single integrator-and-advisory contract covering assessment, design, and PACS deployment.Opaquen/a
0+ reviews
Global service-based integrator with offices in 30+ countries; able to staff...
Calculator

Estimate the licence cost

Drag the slider to your headcount. Estimates use each vendor's published or triangulated tiers. Opaque vendors show Contact sales.

500
11.3k2.5k3.8k5k
RiskWatch
Professional (≤ 1,000 employees)
$36,000/yr
AlertEnterprise Guardian
Guardian Express (est.) (quote-only tier)
Contact sales
Honeywell Pro-Watch
Pro-Watch refinery deployment (est.) (quote-only tier)
Contact sales
Genetec Security Center
Enterprise on-prem (est.) (quote-only tier)
Contact sales
Senstar
Multi-site programme (est.) (quote-only tier)
Contact sales
Lenel S2
NetBox mid-market (est.) (quote-only tier)
Contact sales
Avigilon Alta
Enterprise multi-site (est.) (quote-only tier)
Contact sales
Milestone XProtect
XProtect Corporate (est.) (quote-only tier)
Contact sales
OnSolve / Crisis24
OnSolve Risk Intelligence (est.) (quote-only tier)
Contact sales
Convergint
CFATS / TSA Pipeline assessment engagement (est.) (quote-only tier)
Contact sales

Estimates only. Opaque-pricing vendors do not publish list prices; bands are triangulated from public third-party sources dated 2026-05-15. Implementation services, module add-ons, and renewal escalators are extra.

Pick your own weights

Decision matrix

Default weights match the methodology at the bottom of this page. Drag the sliders to match your priorities and re-rank in real time.

20%

How quickly a non-technical control owner reaches first value

20%

Module coverage across ERM, IT, audit, TPRM, BC

20%

Price to value ratio at mid-market

15%

Quality and responsiveness of vendor support

15%

Handling 5,000+ employees, multiple entities, regions

10%

Breadth of native connectors and APIs

Weights sum: 100%
  1. 1
    RiskWatch
    Editorial rank #1
    8.82
  2. 2
    AlertEnterprise Guardian
    Editorial rank #2
    8.20
  3. 3
    Genetec Security Center
    Editorial rank #4
    8.17
  4. 4
    OnSolve / Crisis24
    Editorial rank #9
    7.97
  5. 5
    Avigilon Alta
    Editorial rank #7
    7.96
  6. 6
    Milestone XProtect
    Editorial rank #8
    7.88
  7. 7
    Lenel S2
    Editorial rank #6
    7.80
  8. 8
    Honeywell Pro-Watch
    Editorial rank #3
    7.79
  9. 9
    Senstar
    Editorial rank #5
    7.70
  10. 10
    Convergint
    Editorial rank #10
    7.61
Switching cost

Migration matrix

Read row-to-column. Row = today's platform, column = tomorrow's. Colour reflects realistic switching effort, not vendor sales pitches.

From / To
RiskWatch
AlertEnterprise Guardian
Honeywell Pro-Watch
Genetec Security Center
Senstar
Lenel S2
Avigilon Alta
Milestone XProtect
OnSolve / Crisis24
Convergint
RiskWatch.MHMHHEMEM
AlertEnterprise GuardianE.MEMMEEEE
Honeywell Pro-WatchME.EEEEEEE
Genetec Security CenterMEM.EMEEEE
SenstarMMEE.EEEEE
Lenel S2MEEEE.EEEE
Avigilon AltaHMHMHH.MEM
Milestone XProtectHMMMEME.EE
OnSolve / Crisis24MMMMMMEM.M
ConvergintHHMMMMMEM.
Easy (E)Moderate (M)Hard (H)Source: per-vendor migration field with radar-profile fallback. Treat as a directional guide, not a quote.
Methodology

How we scored and why you should trust it

The methodology is the only thing keeping this page honest. Read it carefully and apply your own weights in the decision matrix above.

We scored each of the ten platforms on six axes weighted for the oil and gas physical security buyer using the default playbook weights: Ease of Use including offline mobile site walks at remote wellheads and offshore platforms (20%), Feature Breadth covering CFATS RBPS + TSA Pipeline SD + MTSA 33 CFR Part 105 + BSEE SEMS + API Standard 780 + ISA/IEC 62443 alignment (20%), Value including pricing transparency and renewal-escalator behaviour (20%), Customer Support (15%), Scalability across multi-site rollups spanning upstream wellheads + midstream compressor stations + downstream refineries + MTSA marine terminals + offshore platforms (15%), and Integrations with VMS, PACS, GIS, SCADA, OT historians, and crime data feeds (10%). Scores are 0-10 and calibrated within this category. Ratings reference G2 and Capterra figures pulled 2026-05-15. Pricing reflects the most-recent published or triangulated figures, also pulled 2026-05-15; where pricing is opaque we report a range based on two or more public third-party sources. We re-verify this page quarterly.

Weights used in the editorial ranking

Ease of use
20%
Feature breadth
20%
Value
20%
Customer support
15%
Scalability
15%
Integrations
10%
#1

RiskWatch

RiskWatch International · Founded 1993 · Annapolis, MD, USA

CFATS + TSA Pipeline + MTSA + BSEE + API 780 physical security assessment software with offline mobile site walks.

Partial pricingG2 4.5 · Capterra 4.6 · 60+ reviews

Summary

RiskWatch ships a physical security risk assessment platform built around pre-mapped libraries for DHS CFATS Risk-Based Performance Standards, TSA Pipeline Security Guidelines + SD-Pipeline-2021-01 series + SD-Pipeline-2021-02 series for designated pipelines, USCG Maritime Transportation Security Act 33 CFR Part 105 facility security plans + 33 CFR Part 106 OCS facility security, BSEE Safety and Environmental Management Systems under 30 CFR Part 250 Subpart S, API Standard 780 Security Risk Assessment for petroleum and petrochemical industries, API RP 781 Facility Security Plan methodology, API RP 1164 Pipeline SCADA Security, ISA/IEC 62443-2-1 cybersecurity management for OT environments, NIST 800-53 PE control family, FEMA 426 and 452, and ASIS Facility Physical Security Control Standards. Likelihood pulls from four crime-data feeds. The product has been in the field since 1993 with US federal customers (Department of Defense, VA, DOJ per public press) and is the only platform in this ranking that pre-maps every requirement an oil and gas operator owes a CISA chemical security inspector, a TSA pipeline security inspector, a USCG facility security officer, and a BSEE inspector in one tenant.

Strengths
  • DHS CFATS RBPS 1-18 + TSA Pipeline Security Guidelines + SD-Pipeline-2021-01 series + SD-Pipeline-2021-02 series + USCG MTSA 33 CFR Part 105 + 33 CFR Part 106 + BSEE SEMS under 30 CFR Part 250 Subpart S + API Standard 780 + API RP 781 + API RP 1164 + API RP 1173 + ISA/IEC 62443-2-1 + NIST 800-53 PE + ASIS Facility Physical Security Control Standards pre-mapped on day one in one tenant
  • Crime-data overlay from four independent feeds (Cap Index CRIMECAST, Security Gauge, GlobalIncidentMap, World Aware) so likelihood traces back to source and last-updated date for the CFATS inspector or the API Standard 780 reviewer
  • Browser-based mobile site walk that works offline at remote upstream wellheads, midstream compressor stations, tank farms, and offshore platforms with no cellular signal and syncs when connectivity returns; no findings lost between satcom passes
  • Site Risk Cycle with ISO 31000 and NIST 800-30 semi-quantitative scoring; findings convert to tracked remediation tasks with owners and proof-of-close defensible to CISA chemical security inspectors, TSA pipeline security inspectors, USCG Captain of the Port reviewers, and BSEE inspectors
  • Single-tenant deployment with US-only data residency for upstream + midstream + downstream operators handling sensitive security information including facility diagrams, pipeline maps, and SVA findings
  • 30-day free trial with no credit card and full platform access; the only TVRA-first vendor on this list offering it
  • Multi-site rollup dashboards at site, region, and enterprise level with year-over-year trends across upstream wellhead fleets, midstream pipeline segments, downstream refineries and tank farms, marine terminals, and offshore platforms
Weaknesses
  • Not a VMS, access control system, perimeter intrusion sensor, or mass notification platform; integrates with Genetec, Lenel S2, Honeywell Pro-Watch, Avigilon, Milestone, Senstar, AlertEnterprise Guardian, and OnSolve / Crisis24 via APIs and bulk imports rather than deep native connectors
  • Brand awareness on G2 and Capterra in oil and gas physical security specifically is lower than Honeywell or Genetec; total review volume sits below 100
  • Public pricing is partial; Standard $99 per month and Professional $36K per year are published, Enterprise is quote-based and scaled by framework count and site count
  • No native OT/ICS cyber detection at Dragos, Nozomi, or Claroty depth; ISA/IEC 62443-3-3 system security and 62443-4-2 component security evidence ingests from third-party OT-detection rather than first-party detection
  • UI shows operational heritage in some assessment-builder screens; newer cloud-first entrants like Avigilon Alta have a more polished first-run experience for non-specialist users
Best for

Integrated oil and gas operators, midstream pipeline companies, refining and marketing companies, and offshore operators running CFATS RBPS + TSA Pipeline SDs + MTSA 33 CFR 105 + BSEE SEMS across 10+ sites in one tenant.

Worst for

Single-site upstream operators running a handful of unmanned wellheads with no CFATS, TSA, MTSA, or BSEE scope and no plan to add framework coverage; Avigilon Alta or a Verkada-equivalent cloud-only suite fits that brief better.

Key features

  • Pre-built libraries for DHS CFATS RBPS 1-18, TSA Pipeline Security Guidelines + SD-Pipeline-2021-01 + SD-Pipeline-2021-02 series, USCG MTSA 33 CFR Part 105 + 33 CFR Part 106, BSEE SEMS 30 CFR Part 250 Subpart S, API Standard 780, API RP 781, API RP 1164, API RP 1173, ISA/IEC 62443-2-1, NIST 800-53 PE, ASIS Facility Physical Security Control Standards, FEMA 426 + 452, NFPA 1600
  • Crime-data overlay from Cap Index CRIMECAST, Security Gauge, GlobalIncidentMap, World Aware for API 780 likelihood scoring and CFATS RBPS 1 (restrict access) threat-and-vulnerability evaluation
  • Browser-based mobile site walks that work offline at remote upstream wellheads, midstream compressor stations, and offshore platforms; sync on reconnect
  • Site Risk Cycle with per-site cadence, recommendation register, and proof-of-close defensible to CISA, TSA, USCG, and BSEE inspectors
  • Multi-site rollup dashboards across upstream + midstream + downstream + marine terminal + offshore platform asset classes
  • Board-ready and regulator-ready report templates aligned to CFATS SVA + SSP and MTSA Facility Security Assessment + Plan formats
  • Single-tenant deployment with sensitive security information handling for facility diagrams, pipeline maps, and SVA findings
  • 30-day free trial, no credit card, full platform access

Integrations

25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Cap Index CRIMECAST, Genetec, Lenel S2, Honeywell Pro-Watch, Avigilon, Milestone, Senstar (API + bulk import), AlertEnterprise Guardian, Jira.

Target size

200 to 1,00,000 employees · US · Canada · EU · UK · ME · LATAM

#2

AlertEnterprise Guardian

AlertEnterprise, Inc. · Founded 2007 · Fremont, CA, USA

Physical Identity and Access Management platform with TWIC + CFATS + MTSA workflow built in.

Opaque pricingG2 4.5 · Capterra 4.4 · 40+ reviews

Summary

AlertEnterprise Guardian is the category leader in Physical Identity and Access Management (PIAM) for oil and gas. The platform was named a Leader in the G2 Spring 2026 Grid Report for Physical Security (March 22 2026 announcement). Guardian sits between HR systems, Active Directory, and Physical Access Control Systems (Lenel S2 OnGuard, Honeywell Pro-Watch, Software House CCURE, Genetec Synergis) enforcing access policies and running TWIC enrolment, revocation, and unescorted-access workflows under 33 CFR 101.515 at MTSA-regulated marine terminals. Guardian also supports CFATS RBPS 7 personnel surety background-check workflows and contractor badge expiration tied to HR termination at refinery, tank-farm, and chemical-plant scale. Strength is identity-driven physical access governance for major oil companies, midstream operators, and downstream refineries; weakness is that the centre of gravity is access governance and not facility-level CFATS SVA or TSA Pipeline TVRA workflow.

Strengths
  • G2 Spring 2026 Grid Leader for Physical Security category (announced March 22 2026)
  • Deepest PIAM integration with oil and gas PACS estates (Lenel S2 OnGuard, Honeywell Pro-Watch, Software House CCURE, Genetec Synergis) of any platform in this ranking
  • TWIC enrolment and unescorted-access workflow under 33 CFR 101.515 + automated card-revocation tied to Coast Guard TWIC cancellation, Hotlist publication, and HR termination
  • CFATS RBPS 7 personnel surety background-check workflow with audit-ready evidence pack for the CISA chemical security inspector
  • Fortune 500 oil and gas customer base across major integrated, midstream, and downstream operators
  • GenAI-powered identity reconciliation across IT, OT, and PACS directories for operators where contractor identity sprawl at refinery turnarounds is an audit risk
  • Visitor logbook automation with mandatory expected check-out time and escort verification fields aligned to CFATS RBPS 6 limit access + RBPS 12 personnel surety
Weaknesses
  • Centre of gravity is identity and access governance, not facility-level CFATS SVA or TSA Pipeline TVRA; site-by-site assessment libraries require integration with RiskWatch or Resolver
  • Pricing is enterprise-tier and opaque; no published list, typical deals are six-figure annual contracts
  • Implementation is consultant-heavy; expect 90-180 day deployment with PACS integration scope across refineries, terminals, and offshore admin stacks
  • Less crime-data-overlay capability than RiskWatch for API Standard 780 likelihood scoring at remote upstream wellheads and midstream compressor stations
  • Smaller G2 review volume than the larger PACS platforms; reference-customer pool in oil and gas is narrower at upstream and offshore than at downstream refining
Best for

Major integrated oil and gas operators, midstream pipeline companies, and refining companies where TWIC + CFATS RBPS 7 + MTSA personnel access governance is the primary risk surface and PACS integration matters more than TVRA library breadth.

Worst for

Single-site upstream operators with no MTSA scope and no Lenel, Pro-Watch, CCURE, or Genetec PACS estate to govern.

Key features

  • Physical Identity and Access Management (PIAM) with deep oil and gas PACS integration
  • TWIC enrolment + revocation + unescorted-access workflow under 33 CFR 101.515 for MTSA terminals
  • CFATS RBPS 7 personnel surety background-check workflow
  • Visitor logbook automation aligned to CFATS RBPS 6 + MTSA
  • Blended threat detection across IT, PACS, and Industrial Control Systems
  • Contractor management with automated badge deactivation on termination, contract expiry, or inactivity
  • GenAI identity reconciliation across HR, AD, and OT directories
  • Compliance reporting for CFATS RBPS + MTSA 33 CFR Part 105 + TSA Pipeline access controls

Integrations

35+ native. Notable: Lenel S2 / OnGuard, Honeywell Pro-Watch, Software House CCURE, Genetec Security Center / Synergis, Microsoft Active Directory, Workday, SAP SuccessFactors.

Target size

2,000 to 1,00,000 employees · US · Canada · UK · EU · ME · APAC

#3

Honeywell Pro-Watch

Honeywell Building Technologies (NYSE: HON) · Founded 1985 · Atlanta, GA, USA

PACS at refineries, LNG terminals, and offshore platforms with Experion DCS convergence.

Opaque pricingG2 4.1 · Capterra 4.2 · 70+ reviews

Summary

Honeywell Pro-Watch is the Honeywell Building Technologies PACS platform with a mature install base at downstream refineries, midstream gas processing plants, LNG export terminals, and offshore platforms. The product is the right pick when the operator is running an all-Honeywell stack covering Pro-Watch PACS, Experion DCS for process control, ControlEdge PLC and RTU for upstream wellhead and compressor station control, HVAC and fire and gas under Honeywell Building Technologies, and (since Carrier divested Global Access Solutions in April 2024) Lenel S2 under the same parent. Pro-Watch Intelligent Command operator workflow ties access events, video, intrusion, and fire and gas into one security operations centre console for refinery and LNG-terminal control rooms.

Strengths
  • Mature install base at downstream refineries, LNG export terminals, offshore platforms, and gas processing plants worldwide
  • Convergence with Honeywell Experion DCS used in refinery and LNG-terminal process control rooms reduces vendor-management overhead at single-stack operators
  • Single-parent procurement covering Pro-Watch + Lenel S2 (post-April 2 2024 acquisition) + HVAC + fire and gas + emergency shutdown under Honeywell Building Technologies
  • Pro-Watch Intelligent Command operator workflow for security operations centre efficiency at refineries running a converged physical-and-OT SOC
  • Established Honeywell global service network covering Gulf Coast refining, North Sea offshore, Caspian, West Africa, and Middle East operations
  • On-prem deployment supports sensitive security information handling at high-impact downstream and offshore sites
Weaknesses
  • Not a TVRA platform; CFATS SVA + SSP + TSA Pipeline TVRA workflows require RiskWatch, Resolver, or Circadian Risk for the library and the inspector-export
  • Implementation is integrator-led and consultant-heavy; expect 90-180 day deployment per refinery, LNG terminal, or offshore-platform-class site
  • Pricing is quote-only and Honeywell dealer-led; no public list price
  • Heavy lift to standardize on Pro-Watch if the operator does not already run Honeywell Experion DCS or Honeywell HVAC; platform tax for non-Honeywell shops
  • Pro-Watch UI carries operational heritage; cloud-native PACS (Openpath, Brivo) feel more modern on first run
  • Lenel S2 acquisition in 2024 created internal Honeywell portfolio overlap that buyers still report on Pro-Watch versus OnGuard procurement choices for upstream and midstream sites
Best for

Downstream refining and marketing operators, LNG export and import terminals, and offshore platform operators standardizing on a single Honeywell stack across Pro-Watch PACS, Experion DCS, HVAC, and fire and gas.

Worst for

Independent upstream operators with no Honeywell process control footprint where the all-Honeywell convergence story does not apply.

Key features

  • Pro-Watch enterprise PACS
  • Pro-Watch Intelligent Command operator workflow for converged physical + OT SOC
  • Convergence with Honeywell Experion DCS
  • Convergence with Honeywell HVAC, fire and gas, emergency shutdown
  • Visitor management module
  • Mobile credential support
  • Integration with Genetec, Milestone, Avigilon for VMS pairing
  • On-prem deployment for sensitive security information handling

Integrations

80+ native. Notable: Honeywell Experion DCS, Honeywell HVAC and fire and gas, Genetec Security Center, Milestone XProtect, AlertEnterprise Guardian, Senstar.

Target size

1,000 to 2,50,000 employees · Global

#4

Genetec Security Center

Genetec Inc. · Founded 1997 · Montreal, Quebec, Canada

Unified VMS, access control, ALPR, and intrusion at refinery scale; published per-channel SaaS pricing.

Partial pricingG2 4.4 · Capterra 4.6 · 320+ reviews

Summary

Genetec Security Center is the industry standard for unified physical security platforms at downstream refining and tank-farm scale, tying video surveillance, access control (Synergis), automatic licence plate recognition (AutoVu) for truck-in / truck-out logging at refinery gates, and intrusion into one console. AutoVu is the differentiator for refinery and tank-farm operators that need a tamper-evident record of every truck entering and leaving a hazardous facility. Genetec publishes Security Center SaaS pricing per channel and per door, making it one of only two platforms in this ranking with published pricing. The product is the right pick when the primary brief is real-time operations across cameras, doors, gates, and truck ALPR at refineries, tank farms, and CFATS Tier 1 chemical sites.

Strengths
  • Industry standard for unified VMS + access control + ALPR + intrusion in one console at refining, tank-farm, and CFATS Tier 1 scale
  • AutoVu ALPR differentiator for refinery and terminal truck-in / truck-out logging; CFATS RBPS 5 (shipping, receipt, storage) and TSA Pipeline RP-2021 truck-access logging fit
  • Mature integration ecosystem with hundreds of camera and access control hardware manufacturers used at refineries, midstream sites, and LNG terminals
  • Security Center SaaS publishes per-channel and per-door pricing, partial transparency advantage in a category of quote-only vendors
  • Large active oil and gas customer base across downstream refining and midstream pipeline operators
  • Federated multi-site architecture maps cleanly to multi-refinery + multi-terminal + multi-compressor-station deployments
Weaknesses
  • Not a TVRA or assessment platform; CFATS SVA + SSP + TSA Pipeline TVRA + API Standard 780 workflows are auxiliary and require third-party tools (RiskWatch, Resolver, Circadian Risk) for the library and the inspector export
  • No pre-built CFATS RBPS, TSA Pipeline SD, MTSA 33 CFR Part 105, BSEE SEMS, or API Standard 780 question libraries
  • Hardware and licensing complexity; costs scale with channel and door counts per G2 and Capterra reviewers at refinery scale
  • Learning curve for new operators; multi-refinery administration becomes complex as the estate grows past 20 sites
  • Plug-in interfacing reliability is flagged by G2 reviewers as a weakness, particularly for legacy upstream camera hardware on satcom
Best for

Downstream refining operators, large tank-farm operators, and midstream pipeline companies that need a single pane for VMS, ACS, ALPR, and analytics with periodic CFATS or TSA Pipeline assessments layered on via a separate tool.

Worst for

CFATS-first or TSA-Pipeline-first programs that need an inspector-defensible export with pre-built libraries; Genetec does not ship the workflow or the libraries.

Key features

  • Unified video management (Omnicast)
  • Access control (Synergis) with deep refining and tank-farm install base
  • Automatic Licence Plate Recognition (AutoVu) for refinery gate truck-in / truck-out
  • Intrusion detection
  • Analytics across video, badge, and LPR data
  • Mobile operator app for guard force and supervisors
  • Federated multi-site architecture for multi-refinery and multi-terminal rollouts
  • Hardware-agnostic integration framework with hundreds of camera manufacturers

Integrations

200+ native. Notable: Axis Communications, Bosch, HID Global, Mercury Security, AlertEnterprise Guardian, Senstar, Microsoft Entra ID.

Target size

500 to 2,50,000 employees · Global

#5

Senstar

Senstar Corporation · Founded 1981 · Ottawa, Ontario, Canada

Fence-line perimeter intrusion detection for remote wellheads, compressor stations, and tank farms.

Opaque pricing

Summary

Senstar has built perimeter intrusion detection and fence-line sensing for industrial sites since 1981. The product line covers the Senstar LM100 perimeter intrusion detection and deterrence luminaire (with built-in accelerometer to detect cut, climb, or lift attempts on fence fabric), the FlexZone cable-based fence-mounted sensor, and the FiberPatrol FP1150 fiber-optic perimeter detection system that can be fence-mounted, buried, or wall-top deployed at long midstream pipeline compressor station and tank-farm perimeters. Senstar publishes case studies across critical infrastructure including utility and industrial sites. Senstar is the right pick when the primary brief is the perimeter intrusion detection requirement under CFATS RBPS 1 (restrict area perimeter) or TSA Pipeline SD-Pipeline-2021-01 perimeter controls; it is the wrong pick when the brief is the CFATS SVA or TSA Pipeline TVRA workflow itself.

Strengths
  • Purpose-built perimeter intrusion detection and fence-line sensing for industrial sites; mature install base at chemical plants and critical infrastructure perimeters
  • LM100 luminaire combines lighting and intrusion detection in one fixture, reducing pole count at remote wellhead and compressor station perimeters and lowering total cost of perimeter ownership
  • FlexZone cable-based and FiberPatrol fiber-optic options cover fence-mounted, buried, and wall-top deployment for tank-farm berms, compressor station perimeters, and refinery fence lines
  • Fit for CFATS RBPS 1 (restrict area perimeter) + RBPS 2 (secure site assets) detection layer alongside RiskWatch + AlertEnterprise + Genetec for the rest of the stack
  • Sensor outputs integrate with Genetec Security Center, Milestone XProtect, and Avigilon for VMS-led operations
  • Hardened weatherproofing and EMI tolerance survive remote upstream and midstream environments on satcom or cellular telemetry
Weaknesses
  • Hardware-led product line; not a TVRA platform, PIAM platform, or VMS in its own right; assessment workflows live in RiskWatch or Resolver and identity workflows live in AlertEnterprise Guardian
  • Pricing is integrator-quoted only; per-foot fence-line economics vary widely with perimeter length and terrain (refinery fence vs offshore platform railing vs midstream compressor station gravel pad)
  • Installation requires fence-line trenching or fence-fabric mounting; total deployment cost scales with perimeter footprint, not just sensor count
  • Smaller corporate platform footprint than Genetec or Milestone; integrators carry most of the customer relationship
  • Public review volume on G2 and Capterra is minimal compared with VMS platforms; reference checking happens via the API Security Subcommittee and integrator references rather than public review sites
Best for

Oil and gas operators running CFATS RBPS 1 or TSA Pipeline SD perimeter intrusion detection at 5+ remote wellheads, compressor stations, tank farms, or CFATS Tier 1 chemical sites who need a fence-line sensor partner under one integrator-led deployment.

Worst for

Operators that already have a perimeter intrusion vendor and need a TVRA assessment platform, a PIAM platform, or a VMS console; Senstar does not ship those workflows.

Key features

  • Senstar LM100 perimeter intrusion detection and deterrence luminaire with built-in accelerometer
  • FlexZone cable-based fence-mounted sensor for cut, climb, lift detection
  • FiberPatrol FP1150 fiber-optic sensor (fence-mount, buried, wall-top)
  • Sensor outputs into Genetec, Milestone, Avigilon, AlertEnterprise
  • Video analytics for perimeter alarm verification
  • Industrial-grade weatherproofing and EMI hardening
  • Detection-zone reporting aligned to CFATS RBPS 1 + TSA Pipeline perimeter controls
  • Multi-site sensor network management

Integrations

30+ native. Notable: Genetec Security Center, Milestone XProtect, Avigilon Alta, AlertEnterprise Guardian, Honeywell Pro-Watch, Software House CCURE.

Target size

500 to 1,00,000 employees · Global

#6

Lenel S2

Honeywell International (NYSE: HON) · Founded 1991 · Pittsford, NY, USA

PACS platform with deep refining and chemical-plant install base; OnGuard at CFATS RBPS 7 scale.

Opaque pricingG2 4.2 · Capterra 4.3 · 90+ reviews

Summary

Lenel S2 ships the OnGuard and NetBox Physical Access Control Systems used at refineries, chemical plants, LNG terminals, and midstream control centers. OnGuard is the enterprise-tier PACS used at downstream refining and CFATS Tier 1 + Tier 2 chemical-plant scale with deep integration into HR, AD, and identity governance platforms including AlertEnterprise Guardian. NetBox is the mid-market option used at smaller administrative offices and tank-farm offices. The platform was divested by Carrier and consolidated under Honeywell on April 2 2024, putting Lenel S2 inside the same parent as Honeywell Pro-Watch and the Honeywell Experion DCS used in process control rooms.

Strengths
  • Deep refining and chemical-plant install base for OnGuard at CFATS Tier 1 + Tier 2 sites, LNG terminals, and midstream control centers
  • CFATS RBPS 7 personnel surety and access-event logging at scale; mature integration with AlertEnterprise Guardian for the personnel-surety workflow
  • NetBox covers smaller administrative office and tank-farm office PACS at a lower price point than OnGuard
  • Honeywell parent ownership (post-April 2024 divestiture from Carrier) consolidates Lenel S2 + Pro-Watch + Experion DCS under one vendor for operators running an all-Honeywell stack
  • Established integration ecosystem with Genetec, Milestone, Avigilon, AlertEnterprise, and Senstar covering the rest of the oil and gas physical security stack
  • On-prem deployment supports sensitive security information handling at refineries and offshore platforms
Weaknesses
  • Not a TVRA platform; CFATS SVA + SSP + TSA Pipeline TVRA workflows require integration with RiskWatch, Resolver, or Circadian Risk
  • Implementation is integrator-led and consultant-heavy; expect 90-180 day deployment per refinery or chemical plant
  • Pricing is quote-only and integrator-led; no public list price
  • Carrier-to-Honeywell ownership transition in 2024 created procurement uncertainty during the contract-novation period; roadmap clarity continued to emerge through 2025-2026
  • OnGuard UI carries operational heritage; competing cloud-native PACS (Openpath, Brivo) feel more modern on first run for non-specialist users
Best for

Downstream refining operators, LNG terminal operators, and CFATS Tier 1 + Tier 2 chemical sites standardizing PACS across high-impact perimeter, control room, and process unit access points.

Worst for

Distributed upstream operators with many small unmanned wellheads where cloud-native architecture (Avigilon Alta) lowers per-site IT cost.

Key features

  • OnGuard enterprise PACS for refining and CFATS scale
  • NetBox mid-market PACS for admin offices and tank-farm offices
  • CFATS RBPS 7 personnel surety access-event logging
  • MTSA TWIC reader support (with AlertEnterprise Guardian)
  • Visitor management module
  • Mobile credential support
  • Integration with Genetec, Milestone, Avigilon, Senstar
  • On-prem deployment for sensitive security information handling

Integrations

100+ native. Notable: AlertEnterprise Guardian, Genetec Security Center, Milestone XProtect, Senstar, Honeywell Pro-Watch, Microsoft Entra ID.

Target size

500 to 2,50,000 employees · Global

#7

Avigilon Alta

Motorola Solutions · Founded 2004 · Chicago, IL, USA (Motorola Solutions HQ)

Cloud-native unified VMS + access for distributed wellhead and pump station footprints.

Opaque pricingG2 4.3 · Capterra 4.4 · 150+ reviews

Summary

Avigilon Alta is the Motorola Solutions cloud-native security suite that brings together the former Avigilon video portfolio, Openpath access control, and Ava Security analytics. The product is a 100% serverless architecture supporting any number of sites with end-to-end encryption, AI-powered analytics, and integration into IT stacks. The product is the right pick for oil and gas operators running distributed cloud-native deployments across thousands of upstream wellheads, midstream pump stations, and unmanned compressor stations where putting a server stack at every site is uneconomic. It is the wrong pick when the brief is on-prem sensitive security information handling at a downstream refinery, LNG terminal, or offshore platform.

Strengths
  • Cloud-native serverless architecture across any number of sites; no on-prem server stack at each wellhead or pump station
  • AI-powered analytics learn what matters and surface anomalies for distributed upstream and midstream security operations centers
  • End-to-end encryption across the suite for in-transit and at-rest video
  • Motorola Solutions distribution and dealer footprint covers public safety and critical infrastructure markets where oil and gas security buyers already procure radios and dispatch
  • Mobile credentials for Openpath access control reduce contractor badge logistics across distributed upstream and midstream sites
  • Multi-site management from one browser console for fleet-wide updates and policy enforcement
Weaknesses
  • Cloud-native serverless architecture is not the right shape for high-impact CFATS Tier 1 refineries, LNG terminals, or offshore platforms requiring on-prem sensitive security information handling and air-gapped operation
  • Pricing is quote-only and Motorola Solutions dealer-led; no public per-camera or per-door SaaS pricing comparable to Genetec
  • Not a TVRA platform; no pre-built CFATS RBPS, TSA Pipeline SD, MTSA 33 CFR Part 105, BSEE SEMS, or API Standard 780 assessment libraries
  • Camera and access control are Avigilon-only and Openpath-only hardware; less hardware-agnostic than Milestone or Genetec
  • Brand consolidation from Avigilon + Openpath + Ava into Alta over 2022-2023 created some integrator confusion that buyers still report
Best for

Upstream wellhead fleets, midstream pump station and compressor station fleets, and unmanned-site portfolios where cloud-native serverless architecture lowers per-site IT cost.

Worst for

Downstream refineries, LNG terminals, and offshore platforms with on-prem sensitive security information handling requirements that exclude cloud-hosted video.

Key features

  • Cloud-native serverless VMS
  • Openpath cloud access control with mobile credentials
  • AI-powered video analytics (Ava Security heritage)
  • End-to-end encryption
  • Multi-site management from one browser console
  • Mobile operator and supervisor apps
  • Open API for SIEM and ITSM integration
  • Motorola Solutions ecosystem integration (radios + dispatch)

Integrations

40+ native. Notable: Microsoft Entra ID, Okta, Google Workspace, Splunk, ServiceNow, Motorola Solutions APX radios, AlertEnterprise Guardian.

Target size

100 to 50,000 employees · US · Canada · UK · EU · AU

#8

Milestone XProtect

Milestone Systems · Founded 1998 · Brondby, Denmark

Open-platform VMS with the widest camera compatibility for heterogeneous upstream and midstream estates.

Opaque pricingG2 4.3 · Capterra 4.4 · 220+ reviews

Summary

Milestone Systems was founded in 1998 in Denmark and acquired by Canon in 2014. XProtect is the open-platform VMS standard, supporting the widest range of cameras and sensors in the industry. The 2026 R1 release added long-term cloud video storage, customizable scheduled reporting, a WebSocket-based PTZ API, and a redesigned LogServer interface. The product is the right pick for oil and gas operators when camera-hardware freedom matters more than a tightly coupled access control suite, when the camera estate at upstream wellheads and midstream sites is heterogeneous from prior years of procurement (Axis + Bosch + Hanwha + Pelco), or when long-term retention of refinery and tank-farm footage is needed for post-incident DOT PHMSA pipeline incident investigations or BSEE SEMS incident review.

Strengths
  • Widest camera and sensor compatibility in the category, hardware-agnostic by design; fits oil and gas camera estates assembled over 10-20 years of upstream and midstream procurement
  • XProtect 2026 R1 added long-term cloud video storage and customizable scheduled system reporting for BSEE SEMS incident review and PHMSA pipeline investigations
  • Open developer ecosystem with hundreds of third-party plug-ins including Senstar, AlertEnterprise, and Milestone marketplace integrations
  • Canon ownership provides stability; no PE renewal-pressure dynamic
  • Strong multi-site federated architecture with central log visibility for distributed upstream + midstream + downstream deployments
  • Free XProtect Essential+ tier covers small administrative offices and single-site pilots at zero licence cost up to 8 cameras
Weaknesses
  • Not a TVRA platform; no pre-built CFATS RBPS, TSA Pipeline SD, MTSA, BSEE SEMS, or API Standard 780 assessment libraries
  • Assessment workflows require third-party plugins or external platforms
  • Hardware-agnostic design means complexity scales with sensor mix; not turnkey like Avigilon Alta
  • Quote-only pricing for enterprise tiers; no public list price beyond the free Essential+ entry tier
  • Access control is integration-led, not native, unlike Genetec Synergis or Avigilon Alta
Best for

Oil and gas operators with heterogeneous upstream and midstream camera estates assembled over many procurement cycles who want maximum hardware freedom and long-term retention for incident investigations.

Worst for

Operators running CFATS SVA + SSP against a CISA chemical security inspector or TSA Pipeline TVRA; Milestone is a VMS, not an assessment platform.

Key features

  • Open-platform VMS supporting 8,000+ cameras and devices
  • Long-term cloud video storage (XProtect 2026 R1)
  • Customizable scheduled system reporting for BSEE SEMS and PHMSA pipeline incident review
  • WebSocket-based PTZ API
  • Multi-site federated architecture for distributed upstream and midstream
  • Mobile alert thumbnails for iOS
  • Centralized log visibility (new LogServer)
  • Open developer ecosystem and plug-in marketplace

Integrations

500+ native. Notable: Axis Communications, Bosch, Hanwha Vision, Sony, Canon, Lenel S2, Senstar.

Target size

50 to 2,50,000 employees · Global

#9

OnSolve / Crisis24

Crisis24, a GardaWorld company · Founded 1998 · Boca Raton, FL, USA (OnSolve) / Boca Raton (Crisis24)

AI risk intelligence + mass notification + travel risk for offshore platforms and expat field crews.

Opaque pricingG2 4.4 · Capterra 4.5 · 280+ reviews

Summary

OnSolve was acquired by GardaWorld on July 30 2024 and integrated into Crisis24, consolidating AI-powered risk intelligence, mass notification, travel risk, and crisis management under one brand. The product is the right pick for oil and gas operators that have an offshore platform crew-change schedule in the Gulf of Mexico, North Sea, or West Africa, an expat field-service workforce in the Caspian or the Middle East, a hurricane-season Gulf-Coast refining footprint, or a geopolitical risk exposure that requires ISO 31030 duty-of-care for travelers. It is the wrong pick when the brief is the CFATS SVA or TSA Pipeline TVRA workflow; Crisis24 is not an assessment platform and does not pre-map the CFATS, TSA, or MTSA libraries.

Strengths
  • AI-powered risk intelligence and global Security Operations Centre delivering oil-and-gas-relevant alerts for offshore platforms, expat field crews, hurricane-season Gulf-Coast refining, and geopolitical events in the Caspian, West Africa, and the Middle East
  • Mass notification across SMS, voice, email, and mobile app for refinery turnaround populations, offshore platform musters, and pipeline emergency response
  • ISO 31030 travel risk and duty-of-care workflow for expat field service and crew-change movements
  • GardaWorld parent provides global protective services footprint that complements the software for executive movements at oil and gas major operations
  • FedRAMP-authorised mass notification path for federal oil-and-gas-adjacent customers (Strategic Petroleum Reserve, DOE national labs)
Weaknesses
  • Not a TVRA or PIAM or VMS or PACS platform; no pre-built CFATS RBPS, TSA Pipeline SD, MTSA 33 CFR Part 105, BSEE SEMS, or API Standard 780 assessment libraries
  • Pricing is quote-only and enterprise-tier; no published list
  • OnSolve to Crisis24 brand consolidation in 2024-2025 created some integrator confusion during the contract-novation period
  • Sits alongside the rest of the stack as an intelligence + notification + travel-risk layer; it does not replace the assessment, identity, access, or VMS layers
  • Best fit is offshore + expat + crisis comms; less differentiated for pure downstream refining sites with no traveler exposure
Best for

Integrated oil and gas operators with offshore platforms, expat field-service workforces in Caspian, West Africa, or the Middle East, and a Gulf-Coast refining footprint exposed to hurricane season.

Worst for

Single-site downstream refiners with no offshore operations, no expat workforce, and no travel-risk programme; Crisis24 is over-built for that brief.

Key features

  • AI-powered risk intelligence with oil-and-gas-relevant alert filters
  • Mass notification across SMS, voice, email, mobile app
  • Travel risk and ISO 31030 duty-of-care workflow
  • 24/7 Global Security Operations Centre coverage
  • Crisis management workflow with playbooks
  • Hurricane and tropical-storm tracking for Gulf-Coast refining
  • Geopolitical risk monitoring for Caspian, West Africa, Middle East
  • Mobile app for traveler check-in and panic alert

Integrations

50+ native. Notable: Workday, SAP SuccessFactors, Microsoft Entra ID, Concur, ServiceNow, Slack.

Target size

500 to 2,50,000 employees · Global

#10

Convergint

Convergint Technologies LLC · Founded 2001 · Schaumburg, IL, USA

Integrator-led CFATS + TSA Pipeline + MTSA advisory + multi-site PACS deployment.

Opaque pricing

Summary

Convergint was founded in 2001 and is one of the largest service-based security integrators globally, with offices in 30+ countries. The company offers CFATS Risk-Based Performance Standards advisory and security plan support services, TSA Pipeline SD-Pipeline-2021-01 and SD-Pipeline-2021-02 deployment services, MTSA Facility Security Officer professional services, multi-site Physical Access Control System deployment (Lenel S2, Honeywell Pro-Watch, Genetec Synergis, Software House CCURE), and enterprise security roadmap creation. A 2024 alliance with Deloitte expanded the cyber-physical security convergence offering for oil and gas operators running converged OT and physical-security operations centres. Convergint is the right pick when the operator wants advisory-led CFATS or TSA Pipeline assessment plus deployment in one contract; it is the wrong pick when the brief is recurring TVRA software ownership rather than an engagement.

Strengths
  • Global service-based integrator with offices in 30+ countries; able to staff multi-site multi-region deployments at oil and gas major scale
  • CFATS RBPS advisory + security plan support services delivered as professional services
  • TSA Pipeline SD-Pipeline-2021-01 + SD-Pipeline-2021-02 series deployment and continuous-improvement support
  • 2024 Deloitte alliance for cyber-physical security convergence and GSOC modernization tied to converged refinery and LNG-terminal operations
  • PACS deployment expertise across Lenel S2, Software House CCURE, Genetec Synergis, Avigilon, Honeywell Pro-Watch covering the full oil and gas PACS market
  • Single-contract scope for assessment, design, deployment, and managed services at oil and gas major procurement scale
Weaknesses
  • Not a software product; CFATS SVA + TSA Pipeline TVRA is a service engagement, not a recurring SaaS deliverable, so findings live in PDFs and engagement deliverables rather than a multi-site rollup dashboard
  • No platform to log in to between assessment cycles; year-over-year trend comparison requires the operator to maintain its own data layer
  • Service-engagement pricing model means no per-site recurring TVRA workflow under one licence
  • Less suitable for multi-site programs that want quarterly or annual self-service reassessment between formal CFATS or TSA Pipeline cycles
  • Cyber-physical convergence depth comes from Deloitte alliance, not first-party software
Best for

Integrated oil and gas operators and midstream pipeline companies running CFATS RBPS + TSA Pipeline SD cycles who want a single integrator-and-advisory contract covering assessment, design, and PACS deployment.

Worst for

Operators that need quarterly or annual self-service site reassessment across 10+ sites with year-over-year trend reporting; Convergint is service-shaped, not software-shaped for that workflow.

Key features

  • CFATS RBPS advisory + security plan support
  • TSA Pipeline SD-Pipeline-2021-01 + SD-Pipeline-2021-02 deployment
  • MTSA Facility Security Officer professional services
  • Enterprise oil-and-gas security roadmap creation
  • PACS design and deployment (Lenel S2, Software House, Genetec, Honeywell Pro-Watch, Avigilon)
  • Global Security Operations Centre modernization
  • Cyber-physical convergence (Deloitte alliance)
  • Multi-site deployment coordination

Integrations

100+ native. Notable: Lenel S2 OnGuard, Software House CCURE, Genetec Security Center, Avigilon Alta, Honeywell Pro-Watch, AlertEnterprise Guardian.

Target size

1,000 to 5,00,000 employees · Global

Step by step

Buying guide

Walk these steps in order. The shortlist falls out of step 1, the negotiation moves come together in step 6, and step 8 closes the deal.

  1. 1

    Name your primary use case in one sentence

    Before you shortlist, write down the one job you must solve. Examples: pass a CISA chemical security inspector at a Tier 1 refinery on the CFATS SVA and SSP cycle; close the TSA SD-Pipeline-2021-02F corrective-action evidence gap on a designated natural gas pipeline; modernise TWIC + CFATS RBPS 7 PIAM across HR, AD, and PACS at an MTSA marine terminal; deploy fence-line perimeter intrusion at 8 remote compressor stations under TSA Pipeline SD perimeter controls; stand up a BSEE SEMS programme at three Gulf of Mexico offshore platforms; cover offshore crew-change travel risk under ISO 31030. The shortlist falls out of the answer.

  2. 2

    Match shortlist to site count and asset class

    Filter the ten platforms here by site count and asset class. Under 5 sites with a $50K assessment budget rules out everything except RiskWatch Standard or Professional. Over 25 sites with a $500K+ stack budget filters back in AlertEnterprise Guardian Enterprise, Honeywell Pro-Watch enterprise, Lenel S2 OnGuard, Genetec Security Center on-prem, Senstar multi-site, RiskWatch Enterprise, and Crisis24 Enterprise for the travel risk layer. Avigilon Alta belongs on a parallel shortlist for upstream wellhead and midstream pump station cloud-first deployment.

  3. 3

    Verify pre-built CFATS + TSA Pipeline + MTSA + BSEE + API 780 libraries before the demo

    If your program runs against CFATS RBPS, TSA Pipeline SD-Pipeline-2021-01 + 2021-02, MTSA 33 CFR Part 105, BSEE SEMS, API Standard 780, or ISA/IEC 62443-2-1, ask each vendor to show you the library on screen during the demo. Pre-built means pre-mapped controls and pre-scored question banks. Vendors who promise to build it for you after signing are charging you for a configuration project that should already be done. RiskWatch is the only platform in this ranking that ships all of these libraries on day one.

  4. 4

    Pressure-test the inspector-export workflow

    CFATS SVA and SSP, TSA Pipeline TVRA and corrective action plans, MTSA Facility Security Assessment and Plan, and BSEE SEMS audits all require export to a regulator-side reader. Ask each vendor: can your assessment be exported to a CISA, TSA, USCG, or BSEE inspector outside our tenant without exposing other site data? Can the inspector add findings into the tenant without becoming a licensed user? RiskWatch supports this workflow inside the Enterprise tier. Convergint delivers the assessment service itself but the data does not persist in a multi-site rollup dashboard between cycles.

  5. 5

    Pressure-test PACS, VMS, and OT integration depth

    Your CFATS SSP and TSA Pipeline corrective action plan are going to require evidence from your PACS (badge events under RBPS 7 and TWIC), your VMS (camera coverage of the perimeter and process units), your perimeter intrusion sensor (Senstar fence-line alarms), your PIAM (AlertEnterprise TWIC and personnel-surety workflow), and increasingly your OT-detection layer (Dragos / Nozomi / Claroty signal for converged ISA/IEC 62443 evidence). Ask each assessment vendor for the integration depth with Lenel S2, Honeywell Pro-Watch, Genetec, Milestone, Senstar, and AlertEnterprise. Bulk import is acceptable; deep API integration is better.

  6. 6

    Insist on a working pilot at one CFATS Tier 1 site or one critical pipeline segment

    Demos are choreographed. Working pilots are not. Ask each finalist for a 30-day pilot at one CFATS Tier 1 site or one critical pipeline compressor station: one CFATS SVA mini-cycle, one mobile site walk in offline mode, one inspector-export, one PACS evidence ingest. The platform that handles your site data without three weeks of professional services is the one that will scale across the multi-year cycle. RiskWatch publishes a 30-day no-card trial; other vendors require a structured POC.

  7. 7

    Pressure-test sensitive security information handling and exit clause

    Oil and gas physical security data includes facility diagrams, pipeline maps, tank-farm layouts, MTSA Facility Security Plans, perimeter sensor placements, and findings registers that are sensitive security information under DHS guidance and Chemical-Terrorism Vulnerability Information under CFATS for Tier 1 and Tier 2 chemical sites. Ask each vendor: where does my data live, who can access it, what happens to it if I leave? RiskWatch supports single-tenant deployment with US-only data residency. Avigilon Alta and the cloud-only VMS players may not satisfy on-prem requirements at high-impact downstream and offshore sites. Get the exit clause in writing.

  8. 8

    Run the decision matrix with your own weights

    The default methodology weights on this page (20% Ease, 20% Features, 20% Value, 15% Support, 15% Scalability, 10% Integrations) reflect a generic mid-market oil and gas physical security buyer. Your weights may differ if you are leading with TWIC + PIAM (AlertEnterprise wins on Features + Integrations), with perimeter intrusion (Senstar wins on Features for the perimeter line item), or with offshore travel risk (Crisis24 wins on Features for that line item). Use the decision-matrix slider on this page to re-rank with your weights before you book the demos. If a different platform wins your weighting honestly, that is the right pick for your program.

Frequently asked

Buyer questions, answered

The eight questions our pre-sales team hears the most often when buyers compare this category.

What is physical security software for oil and gas and how is it different from generic physical security software?
Physical security software for oil and gas is the subset of the category that maps to DHS CFATS Risk-Based Performance Standards for chemical facilities, TSA Pipeline Security Guidelines plus SD-Pipeline-2021-01 and SD-Pipeline-2021-02 series for designated pipelines, USCG MTSA 33 CFR Part 105 facility security for marine terminals with TWIC under 33 CFR 101.515, BSEE Safety and Environmental Management Systems under 30 CFR Part 250 Subpart S for offshore platforms, and ISA/IEC 62443 for OT/ICS environments converging with physical security operations. Generic physical security software (Avigilon Alta, Milestone, Genetec) covers cameras, doors, and analytics but does not pre-map the CFATS, TSA Pipeline, MTSA, or BSEE libraries. Oil-and-gas-specific software (RiskWatch, AlertEnterprise Guardian) starts from those libraries and integrates with the VMS and PACS as supporting evidence.
Which platforms cover DHS CFATS Risk-Based Performance Standards?
RiskWatch ships the 18 DHS CFATS Risk-Based Performance Standards as a pre-built library for the SVA and SSP cycle, used by integrated oil and gas operators with Tier 1 and Tier 2 chemical sites. Convergint delivers CFATS advisory and security plan support as a professional service. AlertEnterprise Guardian covers RBPS 7 personnel surety with deep PACS integration for Lenel + Pro-Watch + CCURE + Synergis estates. Genetec, Honeywell Pro-Watch, Lenel S2, Avigilon Alta, Milestone, and Senstar are not aimed at the SVA or SSP workflow as software products; they provide the underlying cameras, doors, sensors, and PACS that the assessment evaluates. Note that CFATS statutory authority lapsed July 2023 and reauthorisation is pending; CISA continues subject-matter-expert engagement against the RBPS framework regardless of statutory state, and operators continue assessment cycles on the RBPS framework.
Which platforms cover TSA Pipeline Security Directives 2021-01 and 2021-02?
TSA Pipeline Security Directives 2021-01 (initial cyber and physical) and 2021-02 (subsequent series including the 2022 SD-Pipeline-2021-02C, 02D, 02E, and 02F) apply to owners and operators of TSA-designated hazardous liquid and natural gas pipelines. RiskWatch pre-maps the TSA Pipeline Security Guidelines plus the 2021-01 and 2021-02 series for the periodic TVRA and corrective action plan. Convergint delivers TSA Pipeline implementation services. AlertEnterprise Guardian covers the personnel and access governance side. The VMS and PACS vendors (Honeywell Pro-Watch, Genetec, Lenel S2, Avigilon Alta, Milestone) are not aimed at the SD compliance workflow as software products; they provide the underlying technical controls.
Which platforms cover MTSA marine terminal security and TWIC?
USCG Maritime Transportation Security Act regulations under 33 CFR Part 105 require Facility Security Plans, Facility Security Officers, and TWIC under 33 CFR 101.515 for unescorted access to secure and restricted areas. AlertEnterprise Guardian provides the deepest TWIC enrolment, revocation, and Hotlist-checked unescorted-access workflow tied to Lenel + Pro-Watch + CCURE + Genetec PACS estates. RiskWatch pre-maps MTSA 33 CFR Part 105 for the Facility Security Assessment and Plan cycle. Honeywell Pro-Watch and Lenel S2 are the dominant PACS estates at MTSA marine terminals with TWIC reader integration. Convergint delivers MTSA Facility Security Officer professional services.
Which platforms cover BSEE SEMS for offshore platforms?
BSEE 30 CFR Part 250 Subpart S Safety and Environmental Management Systems is the offshore SEMS framework for the Outer Continental Shelf, covering 17 SEMS elements including emergency response, incident investigation, and management of change. RiskWatch pre-maps BSEE SEMS as a library alongside the rest of the oil and gas regulatory stack. Honeywell Pro-Watch is the dominant PACS estate at large offshore platforms with Experion DCS convergence. OnSolve / Crisis24 covers the offshore crew-change travel risk and emergency mass notification side. The other VMS and PACS vendors are deployed offshore tactically but do not ship a BSEE SEMS assessment workflow.
How much should I budget for oil and gas physical security software in 2026?
Entry pricing ranges from $0/yr (Milestone XProtect Essential+ free tier, 8-camera cap) and ~$480/channel/yr (Genetec Security Center SaaS) and $99/month (RiskWatch Standard) to six-figure annual contracts (AlertEnterprise Guardian Enterprise, Honeywell Pro-Watch + Experion DCS at refinery scale, Lenel S2 OnGuard at integrated-operator scale). For a mid-market multi-site oil and gas operator (5-25 sites, 2-3 frameworks like CFATS RBPS + API 780 + NIST 800-53 PE) expect $36K/yr on assessment licence (RiskWatch Professional) plus $50K-$150K/yr on PIAM (AlertEnterprise Guardian Express) plus $100K-$300K one-time on perimeter intrusion (Senstar multi-site) plus integrator deployment. For integrated-operator programmes (50+ sites, CFATS + TSA Pipeline + MTSA + BSEE + perimeter intrusion + PIAM + travel risk) expect $750K-$2M/yr across the stack. Always model 3-year TCO and ask for the renewal-escalator cap in writing.
Does RiskWatch replace my Genetec, Honeywell Pro-Watch, or AlertEnterprise system?
No. RiskWatch is the assessment, scoring, reporting, and audit-trail layer that sits above your oil and gas physical security operation. Genetec and Honeywell Pro-Watch handle real-time video and access control; AlertEnterprise Guardian handles PIAM across HR + AD + PACS with TWIC and CFATS RBPS 7 workflows; Senstar handles fence-line perimeter intrusion; OnSolve / Crisis24 handles travel risk and mass notification; RiskWatch tells you which controls are present, which are weak, which have been remediated, and how the multi-site portfolio rolls up to the board and to CISA, TSA, USCG, and BSEE inspectors year over year. RiskWatch integrates with VMS, PACS, and PIAM systems via API and bulk import for evidence ingestion.
How often is this ranking re-verified?
We re-verify the ratings, pricing triangulations, and material vendor news on this page every quarter. The current pull is dated 2026-05-15. Pricing for opaque vendors is triangulated from two or more public third-party sources. If a number on this page is stale when you read it, please file the correction at sales@riskwatch.com.
Definitions

Glossary

Definitions for the acronyms and jargon used on this page. Useful for sharing with non-specialist stakeholders on the buying committee.

CFATS
Chemical Facility Anti-Terrorism Standards. The DHS programme under 6 CFR Part 27 covering high-risk chemical facilities (including many oil and gas refineries, tank farms, and gas processing plants), with 18 Risk-Based Performance Standards. Statutory authority lapsed July 2023; CISA continues subject-matter-expert engagement against the RBPS framework and operators continue assessment cycles regardless of statutory state.
RBPS
Risk-Based Performance Standards. The 18 standards under CFATS covering perimeter, access, screening, personnel surety, training, monitoring, cyber, response, and reporting. Used by integrated oil and gas operators as the assessment baseline at Tier 1 and Tier 2 chemical facilities.
TSA Pipeline SD
TSA Pipeline Security Directives, including SD-Pipeline-2021-01 (initial issuance) and SD-Pipeline-2021-02 series (including 2022 SD-Pipeline-2021-02C, 02D, 02E, and 02F). Mandatory for TSA-designated hazardous liquid and natural gas pipeline owners and operators; the 2022 series shifted cybersecurity to performance-based requirements.
MTSA + TWIC
Maritime Transportation Security Act under USCG regulations 33 CFR Part 101, 105, and 106. Requires Facility Security Plans for marine terminals and OCS facilities. TWIC (Transportation Worker Identification Credential) under 33 CFR 101.515 is required for unescorted access to secure and restricted areas of MTSA-regulated facilities, including most oil and gas marine terminals.
BSEE SEMS
Bureau of Safety and Environmental Enforcement Safety and Environmental Management Systems under 30 CFR Part 250 Subpart S. The offshore SEMS framework for the Outer Continental Shelf, covering 17 SEMS elements including emergency response, incident investigation, and management of change. Applies to offshore platform operators.
API Standard 780
American Petroleum Institute Standard 780 Security Risk Assessment for the petroleum and petrochemical industries (3rd edition 2013). The industry-standard SRA methodology used at refineries, terminals, tank farms, and pipelines. Paired with API RP 781 Facility Security Plan methodology.
ISA/IEC 62443
ISA/IEC 62443 series of standards for OT/ICS cybersecurity, with zones-and-conduits model. Key parts include 62443-2-1 cybersecurity management system, 62443-3-3 system security requirements, and 62443-4-2 component security. Used in oil and gas at DCS, BPCS, SIS, RTU, and PLC stacks across midstream and downstream operations.
Final word

So which one should you pick?

If you read this page top to bottom and one platform stood out, that is your answer. Most oil and gas physical security programmes in 2026 end up with a stack, not a single vendor: one assessment and multi-framework GRC platform (RiskWatch) covering CFATS RBPS + TSA Pipeline SDs + MTSA 33 CFR Part 105 + BSEE SEMS + API Standard 780 + ISA/IEC 62443, one PIAM and TWIC layer (AlertEnterprise Guardian), one PACS at refinery and offshore scale (Honeywell Pro-Watch or Lenel S2 with the full Honeywell convergence story), one unified VMS and access console (Genetec or Avigilon Alta depending on control-room vs distributed footprint), one perimeter intrusion sensor stack (Senstar), one travel risk and mass notification layer for offshore and expat operations (OnSolve / Crisis24), and one integrator-led advisory partner for the CFATS, TSA, and MTSA cycles (Convergint or a dedicated firm). The methodology is on this page so you can disagree with our rank and arrive at a different first pick honestly.

The one thing every oil and gas buyer should do, regardless of which vendor wins your bake-off, is to insist on a 30-day working pilot at one CFATS Tier 1 site or one critical pipeline compressor station, a renewal-escalator cap in writing, a documented exit clause covering sensitive security information export and retention after termination, and an inspector-export path that survives a CISA chemical security inspector, a TSA pipeline security inspector, a USCG Captain of the Port reviewer, or a BSEE inspector. The operators we see lose three-year deals always lose them on those four terms, not on feature coverage.

If you would like the RiskWatch demo for the CFATS + TSA Pipeline + MTSA + BSEE + API 780 + ISA/IEC 62443 coverage, sign up at riskwatch.com/request-a-demo. If you would like a no-strings second-opinion on one of the other nine, email sales@riskwatch.com with the vendor name in the subject line and we will share what we know.

Request a Demo