First, we’d like to acknowledge the teams at Upguard and Bitsight. They’ve both built great vendor risk management tools. You’re in the right place if you’re here to quickly understand the differences between these products. You’re also in the right place if you’d like to see how a third option stacks up in this comparison – especially if you’re looking for a cost-effective solution tailored to small to mid-sized businesses.
Where are the differences?
Core features
Both Upguard and Bitsight share similar goals – to build trust through a better understanding of vendors' cyber security posture. They both provide many of the features you'd expect in IT vendor security risk management tools, such as monitoring and evaluating the security posture of vendors and suppliers, including fourth-party vendors. They also use security ratings to measure and compare cyber security controls, and risk analytics to review exposure levels based on various publicly available data.
However, when you dive in deeper, you'll see that both lean heavily on automating the sending and receiving of security risk assessments (questionnaires) to verify the compliance and security standards of vendors.
How does Glasstrail stack up?
We also share the trust-building vision of these companies. How Glasstrail helps build supply chain trust differs, however.
Our research tells us that very large vendors (Google and Microsoft, for example) do not complete security surveys for their customers and prospects. They may instead publish independent reviews of their security measures against specific standards, such as SOC 2, to proactively build trust with their customers. Small to mid-sized vendors, on the other hand, respond to security surveys inconsistently.
Given this uncertainty, here at Glasstrail we believe that gathering information via surveys is not always practical. So instead, we've chosen to focus solely on external attack surface scanning. We are a good fit when you work with small to mid-sized vendors rather than giants such as Microsoft. This makes sense: the huge vendors are most likely to have their security sorted, and even if they aren't perfect, you're unlikely to be able to influence change unless you too are a huge organisation.
Small to medium vendors, meanwhile, get things wrong more often, and you are far more likely to have the leverage to effect change and improvement.
Security ratings
Upguard and Bitsight both roll the data collected from external attack surface monitoring up into one headline security rating – an overarching score for each vendor. There is no visibility into the weighting or assumptions used to build this rating. Bitsight themselves liken interpreting the rating to reading tea leaves!
Additionally, Bitsight has a huge database that it uses to baseline data and make comparisons. We were unable to find out the composition of Bitsight's database, so we could not validate the usefulness of these comparisons in depth.
How does Glasstrail stack up?
In comparison, Glasstrail deliberately does not use an overall score, as a single number can be quite misleading. For example, a vendor may have a security issue on their main website – but if that is simply a brochureware site holding no customer data, should they still score poorly? Glasstrail instead rates each risk or issue red, amber or green according to its relative importance. This gives stronger insight into specific issues, and leaves you to decide whether each one matters to you or not.
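To make the difference concrete, here is an added illustration (example code written for this page, not code from Glasstrail, Bitsight or Upguard, and not any vendor's real scoring formula). It compares a hypothetical headline score, which subtracts a fixed weight per finding regardless of where the finding sits, with a per-issue red/amber/green view that takes into account whether the affected asset handles customer data. The severity weights, the two vendors and their findings are all constructed for the example.

```python
# Added example: a hypothetical headline-score roll-up beside a per-issue
# red/amber/green (RAG) view. Not Glasstrail, Bitsight or Upguard code; the
# weights and findings below are constructed assumptions for illustration.
from dataclasses import dataclass

# Hypothetical per-finding penalties for the headline score (assumed, not any
# real vendor's weighting). Note the roll-up ignores asset context entirely.
SEVERITY_WEIGHT = {"critical": 25, "high": 10, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    asset: str          # hostname the finding was observed on
    issue: str          # short description of the issue
    severity: str       # one of: critical, high, medium, low
    handles_data: bool  # does this asset hold or process customer data?


def headline_score(findings):
    """Opaque-style roll-up: start at 100, subtract a weight per finding,
    floor at 0. Where the finding sits is not considered."""
    penalty = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    return max(0, 100 - penalty)


def rag(finding):
    """Per-issue traffic light that factors in asset context.

    red   : serious issue on an asset that handles customer data
    amber : serious issue on a brochureware asset, or a medium issue on a
            data-handling asset
    green : everything else (the reader can still decide otherwise)
    """
    serious = finding.severity in ("critical", "high")
    if serious and finding.handles_data:
        return "red"
    if serious or (finding.severity == "medium" and finding.handles_data):
        return "amber"
    return "green"


def rag_view(findings):
    """Sorted (colour, asset, issue) triples so reds surface first
    when printed; no single number is produced."""
    order = {"red": 0, "amber": 1, "green": 2}
    return sorted(((rag(f), f.asset, f.issue) for f in findings),
                  key=lambda t: (order[t[0]], t[1]))


def has_red(findings):
    return any(rag(f) == "red" for f in findings)


# Constructed sample scans (hypothetical vendors and hostnames).
# Vendor A: a high-severity issue on a brochureware site plus a low one.
VENDOR_A = [
    Finding("www.vendor-a.example", "expired TLS certificate", "high", False),
    Finding("mail.vendor-a.example", "no DMARC record", "low", False),
]
# Vendor B: one high-severity issue, but on the customer portal.
VENDOR_B = [
    Finding("portal.vendor-b.example", "TLS 1.0 still enabled", "high", True),
]

if __name__ == "__main__":
    for name, scan in (("Vendor A", VENDOR_A), ("Vendor B", VENDOR_B)):
        print(name, "headline score:", headline_score(scan))
        for colour, asset, issue in rag_view(scan):
            print(f"  [{colour:5}] {asset}: {issue}")
```

Run as a script, the headline score ranks Vendor A (89) slightly below Vendor B (90) even though Vendor B's only finding is on an asset that handles customer data, while the per-issue view gives Vendor B a red and Vendor A only an amber and a green. That is the point of the passage above: the aggregate hides which finding actually matters, and the per-issue view leaves that judgement with the reader.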
Price
Upguard and Bitsight were among the first vendor risk assessment solutions on the market, and as with any category creators, their pricing reflects this. Upguard vendor risk plans start at $32,000 NZD per annum for 50 vendor assessments. Bitsight does not list its pricing on its website; however, it is reported to start at $32,000 NZD per annum, with an individual cost of $2,000 per vendor.
How does Glasstrail stack up?
Glasstrail starts at $99/month for a 2 domain plan. However, if you want to scan more domains including multiple vendor domains, our Standard plan is $499/month for 50 domains. Need to separate out all your vendor scans from your own asset scans? You can upgrade to a multi-organisation plan.
Side note - Vendor cyber risk management versus supply chain risk management versus third-party risk management
Upguard, Bitsight, and Glasstrail all assist with vendor cyber security risk management.
This is important as security risks can have a big impact if vendors hold any of your customer or confidential data – or are critical to your business operations.
However, there are many other supply chain risks to consider beyond cyber security. Dedicated supply chain risk management solutions also assess third parties for health and safety procedures, insurance certificates and ESG frameworks and policies.
Glasstrail’s sister company, EVA Check-in, includes a supply chain management solution, that helps businesses understand, assess and mitigate risk across their entire supply chain, not just IT vendors.
Using Glasstrail for attack surface monitoring of vendors alongside a comprehensive supplier onboarding system such as EVA Check-in gives you wider coverage of your supply chain risk than a narrow vendor cyber security risk management tool on its own.
Key takeaways
Ultimately the choice between Upguard and Bitsight depends on the specific needs and preferences of your workplace. And of course, whether your budget can stretch to pay for them.
If you’re considering vendor risk management tools, Glasstrail should be part of this evaluation if you:
Have a limited budget (Glasstrail is about one-sixth of the price of Bitsight and Upguard)
Want a solution that gives you at-a-glance ratings for each of the key measures, so that you can then judge the relative importance of each result for your own circumstances
Plan to use, or are already using, a supplier or vendor management system for vetting and surveys.
Want to see more? Get in touch or see what Glasstrail uncovers about your domain in our free 14 day trial.