General security

9 free risk management tools for IT & security pros

Irfan Shakeel
April 12, 2018 by
Irfan Shakeel

Selecting and following the appropriate risk assessment methodology is key to creating a safe computing environment. However, the reality is that assessing risk and recognizing the rate of return is a time-consuming task to accomplish Thus, it often does not become a priority for many businesses and corporations.

Determining risk can be a complicated task due to limited resources and a constantly changing threat landscape. Because of this, IT security experts must have a toolset to help them create a comprehensive view with regards to the potential impact of different IT security related threats and attacks.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

This toolset should be reliable, and cost-effective. Risk management is not a new concept in today's technological world. Therefore, there are many devices and techniques that are available for overseeing organizational risks. There are even various tools and techniques which emphasize on overseeing risks to information frameworks.

There are amazing tools out there, but it is essential to be realistic — requesting management to allocate a specific budget for risk management tools can be a tough sell. If your budget request for risk management tools is denied, you have three options:

  1. Do nothing
  2. Attempt to manage with what is given now
  3. Get creative and inventive. Various free and open-source devices can help with risk management tasks on hand. In this scenario, you must find a specialized tool that fits your needs and customize it to the IT environment in which you are in.

Here are some risk management tools to help you effectively assess your organization's assets and its risks.

Tools for asset inventory management

One of the hardest parts of the risk management cycle is monitoring what devices, applications and resources your business or corporation has handled as of now. On the off chance that you do not know what you have out there, you should seriously think about some free and open-source choices in this field. For instance, SpiceWorks could be a good choice. It is important to note while it is not open-source, it is free.

If you prefer an open-source alternative,

GLPI (GNU GPL v 2) may be the best fit. However, if you must automate discovery, you might want to use something like

OCS Inventory NG.

Security risk & mitigation tracking tools

There are many free tools you can use to help track risk and mitigations, rank hazards by their critical value, produce reports and complete other complex calculations.

For example,

SimpleRisk can get you started. However, the additional features are not free.

Tools to help you analyze security threats

Breaking down the universe of cyber-based threat vectors that exist today and analyzing their impacts can be a very daunting task. Having a tool that can automate and streamline these processes can be extremely useful.


Practical Threat Analysis (PTA) tools can enable you to produce a threat model, efficiently assess the threats and impacts, and from there, build a risk register based on your IT environment. It is free to use and can help streamline the launch of a specific risk analysis program.

Vulnerability scanning tools

Sometimes, there are highly specialized vulnerabilities which exist in given IT environments. While there are some incredible commercial tools available, software packages like

OpenVAS can be used for host scanning. Tools like

Vega can help you scan applications for vulnerabilities.

Tools for system monitoring

The ongoing monitoring of any system is a significant part of a holistic risk management process because unpredicted variations or downtime can be symptomatic of an upcoming risk.

Therefore, continuous monitoring of the information system and infrastructure can tie directly back to your current risk monitoring levels and practices. In this regard, tools such as

Nagios or

Icinga 2 can be both valuable and beneficial.

The role of risk assessment in business

It is important to remember the purpose of assessing risk is to assist management in determining where to direct resources. If you select risk management tools that fit organizational requirements, then you can overcome as many threats and risks that are associated with your IT infrastructure. Businesses and organizations should choose their risk assessment and management tools wisely, as risk mitigation is one of the biggest concerns in the IT world in today's times.

Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.