RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Cyber risk assessment that turns vulnerability and threat findings into residual risk scores, aligned to NIST CSF 2.0, CMMC, and NIST 800-53.
Summary
RiskWatch runs the cyber risk assessment that sits above the scanner. It is not a vulnerability scanner; it takes vulnerability and threat findings and turns them into residual risk scores, mapping each finding through its control to a risk-register entry so the team can prioritise and treat by risk rather than by raw CVE count. Cyber maturity and control-effectiveness roll up to residual risk aligned to NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, and NIST 800-171. Scanner output from Tenable, Qualys, Rapid7 InsightVM, CrowdStrike Spotlight, and Microsoft Defender is ingested by API and attached to the affected asset, control, and risk. Pre-mapped control libraries cover NIST 800-53 Rev 5 (RA-5 + SI-2 + CM-3), ISO 27001:2022 A.8.8 + A.8.9, NIST SP 800-40 Rev 4 patch-management planning, CIS Critical Security Controls v8 safeguards 7.1-7.7, CMMC 2.0 RA.L2-3.11.2, HIPAA 164.308(a)(1) risk analysis, and PCI DSS v4.0.1 Requirement 11.3, so one vulnerability scan supports many frameworks and the audit-committee SLA report. Customers include state governments in all 50 US states, healthcare networks, and financial-services holding companies; the product has been in the field since 1993. Single-tenant deployment with customer-owned data residency fits regulated-industry teams that must demonstrate vulnerability-management governance to an auditor under PCAOB AS 1215 or a NIST 800-53 ATO boundary.
Strengths
- Turns vulnerability and threat findings into residual risk scores: control-effectiveness rolls up to residual risk aligned to NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, and NIST 800-171
- Ingests scanner findings from Tenable, Qualys, Rapid7 InsightVM, CrowdStrike Spotlight, and Microsoft Defender via API and attaches each to the affected asset, control, and risk-register entry
- Pre-mapped NIST 800-53 RA-5 + SI-2 + CM-3 + ISO 27001 A.8.8 + A.8.9 + NIST SP 800-40 Rev 4 + CIS CSC v8 safeguards 7.1-7.7 + CMMC 2.0 RA.L2-3.11.2 + HIPAA Security Rule risk-analysis + PCI DSS Req 11.3 in one control library
- Cross-mapping engine auto-detects shared evidence across NIST 800-53 + ISO 27001 + SOC 2 + CMMC so the same vulnerability scan supports multiple frameworks
- Survey-based assessment engine works for non-technical control owners; vulnerability findings show up alongside the policy attestations and the third-party-risk responses in one tenant
- Mean-time-to-remediate (MTTR) and SLA-breach dashboards aligned to NIST SP 800-40 Rev 4 patch-management timelines, with audit-committee reporting templates pre-built
- 33-year operating history with federal customers (US Department of Defense, VA, DOJ, NSA per public press); single-tenant deployment with customer-owned data residency
Weaknesses
- Not a vulnerability scanner; you still pay a scanner vendor (Tenable, Qualys, Rapid7, Microsoft Defender, or open-source Greenbone) for the actual discovery and scan steps. RiskWatch is the GRC layer over the top
- No native EPSS or KEV scoring engine; the platform reads EPSS and KEV signals as they come in from the scanner and stores them, but the prioritisation logic lives upstream in the scanner
- Pricing is quote-only across every tier, so buyers cannot self-serve a list price and must request a quote scoped to their team size and framework count
Mid-market and regulated-industry security and risk teams that need to run a cyber risk assessment over their vulnerability and threat data, prioritise remediation by residual risk across NIST CSF 2.0 + ISO 27001 + CMMC + NIST 800-53, and report to the audit committee; the team already owns a scanner.
Security operations teams that need the scanner itself; you want Tenable, Qualys, or Rapid7 for that brief and RiskWatch as a layer above, not as the scanner.
Key features
- Cyber risk assessment that turns vulnerability and threat findings into residual risk scores, aligned to NIST CSF 2.0, ISO 27001, CMMC 2.0, NIST 800-171
- Risk register with auto-linkage from vulnerability findings to risk entries and to control evidence
- Scanner-ingestion connectors for Tenable, Qualys, Rapid7 InsightVM, CrowdStrike Spotlight, Microsoft Defender
- Pre-built control libraries for NIST 800-53 RA-5 + SI-2 + CM-3, ISO 27001:2022 A.8.8 + A.8.9, NIST SP 800-40 Rev 4, CIS CSC v8 safeguards 7.1-7.7, CMMC 2.0 RA.L2-3.11.2, HIPAA Security Rule, PCI DSS Req 11.3
- Cross-mapping engine that auto-detects shared evidence across NIST 800-53 + ISO 27001 + SOC 2 + CMMC
- Survey-based assessment engine for non-technical control owners
- Mean-time-to-remediate (MTTR) and SLA-breach dashboards aligned to NIST SP 800-40 Rev 4 patch timelines
- Audit-committee reporting templates pre-built
- Single-tenant deployment for data-residency requirements
Integrations
25+ native. Notable: Tenable Vulnerability Management, Qualys VMDR, Rapid7 InsightVM, CrowdStrike Falcon Spotlight, Microsoft Defender Vulnerability Management, Jira, ServiceNow.
Target size
100 to 25,000 employees · US · Canada · EU · UK · AU