The CIS Critical Security Controls are 18 prioritized safeguards that stop the most common attacks. Here is which of them Alvor helps you implement, and how directly.
All 18 controls in CIS v8.1.
An honest map of where Alvor materially contributes. Control ownership stays with you.
About CIS Controls
Who it is for
Teams that want a concrete, attack-informed starting point rather than a compliance checklist, and that need to show measurable coverage to leadership.
The CIS Critical Security Controls are a prioritized set of safeguards maintained by the Center for Internet Security. Built from real-world attack data, they answer a practical question: of everything you could do, what should you do first?
Version 8.1 organizes the work into 18 controls, each broken into safeguards and grouped into three Implementation Groups (IG1 to IG3) that scale with organizational maturity. Inventory and continuous vulnerability management sit at the top because you cannot defend what you cannot see.
Control alignment
All 18 controls, rated by how directly Alvor contributes. Inventory, vulnerability, and third-party controls are where Alvor does the heavy lifting; operational defenses stay in your security stack with Alvor holding the control and its evidence.
Alvor performs the control or produces the evidence.
Alvor helps you manage, track, and document it.
You implement it operationally; Alvor stores the control and evidence.
Pull asset inventory in from your cloud and security tooling, spreadsheet import, and shadow-asset reconciliation into one continuously updated register.
AssetsInventory installed software and components with PURL/CPE and end-of-life flags, per asset.
AssetsClassify data by sensitivity and type and record its retention and encryption status; encryption and DLP enforcement run in your stack.
Data GovernanceTrack the recorded configuration baseline and its drift in the CMDB; hardening standards are defined in your tooling.
Secure by DesignMaintain an inventory of accounts and owners and the policy that governs them; provisioning is enforced in your identity provider.
PolicyDocument least-privilege and access-review policy and track the reviews; grants and revocations run in your IdP.
PolicyPull CVE findings in from your scanner (Veracode) and cloud posture (AWS, OCI), linked to the affected asset and visible to its owners.
RiskDefine your logging standard and retention and hold the evidence; collection and storage run in your SIEM.
ProgramRecord the control design and configuration evidence; enforcement lives in your mail gateway and endpoint tooling.
ProgramReconcile endpoint-protection coverage against the asset inventory to surface unprotected or stale hosts.
AssetsDocument recovery objectives and procedures (RTO/RPO) per asset; backups and restore tests run in your stack.
Business ContinuityInventory network devices and map the dependencies between them; configuration is managed in your network tooling.
AssetsCapture the control design and monitoring evidence; detection runs in your NDR and SIEM.
ProgramYou run security awareness and training; Alvor holds the control and its evidence.
ProgramMaintain a vendor inventory, send and score security questionnaires, and requeue reassessments on a risk-tiered cadence.
TPRMTake applications through secure-design review and control implementation, and ingest application findings from Veracode.
Secure by DesignYou run incident response; Alvor holds the IR control and its evidence.
ProgramPentests run externally; their findings can be ingested and linked to the affected assets.
RiskThis mapping shows where Alvor materially contributes to each control. It is a guide for scoping, not an attestation or certification: responsibility for implementing and operating every control remains with your organization. Ratings reflect Alvor's product capabilities and may differ from your audited scope.
Get started
Whether you lead security, run IT, manage compliance, or sit in the C-suite - we'll show you your view.