About this integration
Cavelo is a security and attack-surface platform for MSPs that continuously scans your clients' environments. Connecting Cavelo to ControlMap brings that monitoring into your compliance program automatically, across two areas:
- the vulnerabilities found on your clients' devices, and
- how securely those devices are set up, measured against CIS Benchmarks (a recognized standard for hardening operating systems and applications).
Both become living, auditor-ready evidence, kept current on a regular sync. You set up the connection once at the partner (MSP) level — a client never connects Cavelo themselves. ControlMap routes each Cavelo organization's data to the matching ControlMap client, and for an active client the integration also appears in that client's own portal under Integrations, scoped to that company (see How Cavelo appears in the client portal below).
What ControlMap collects from Cavelo
- Organizations — each Cavelo client organization is brought in and matched to a ControlMap client.
- Assets — the devices Cavelo discovers in each organization, added to that client's asset inventory.
- Vulnerabilities — the vulnerability findings for each device, linked to the device they affect.
- CIS Benchmark results — how each device measures against CIS hardening benchmarks, summarized as an overall pass-rate and mapped to the matching CIS controls.
- Compliance check results — evidence that the data above is being collected on a regular schedule.
Before you start
- A Cavelo account with partner (multi-organization) access.
- A Cavelo API key with permission to read asset and vulnerability data.
- Your Cavelo API URL (for most partners this is
https://api.prod.cavelodata.com).
Connecting Cavelo
- In the ControlMap partner portal, go to Integrations and choose Cavelo.
- Enter your Cavelo API URL and API key.
- Save. ControlMap confirms the connection and begins its first sync.
Your API key is stored securely and shown masked after it's saved. You can change your API URL or rotate your key anytime from the Connection tab. If the key is rejected, ControlMap reports that it couldn't connect — see Troubleshooting below.
Viewing your Cavelo data
Once connected, the Cavelo integration page is organized into tabs. At the top you can start a sync at any time with the Run Once button, and an indicator shows whether a sync is currently running.
Compliance Checks
Shows the automated checks ControlMap runs against your Cavelo data on a regular schedule to confirm the connection is healthy and data is flowing. Summary tiles at the top count how many checks have Passed, Failed, or returned an Error. Each check has an Enable toggle and a Scan Results link.
The integration includes these checks:
| Check | What it confirms |
|---|---|
| Assets are monitored and inventoried from Cavelo | ControlMap is regularly pulling your discovered devices from Cavelo into the asset inventory. |
| Vulnerabilities are monitored and inventoried from Cavelo | ControlMap is regularly pulling vulnerability findings from Cavelo and linking them to the devices they affect. |
| CIS Benchmarks are monitored and passing | How many of your client devices pass their CIS Benchmark checks, shown as a pass-rate. |
Select the Scan Results link on any check to open its history — a dated list of past scans and their pass or fail outcomes over time.
Companies
Lists every Cavelo client organization the integration can see. Until an organization is matched to one of your existing ControlMap clients, it appears here as a prospective client. Columns:
- Company — the organization name from Cavelo.
- Status — whether the organization is matched to an active ControlMap client or is still a prospective one.
- Last Update — when the organization was last synced.
- Identifier — the organization's unique ID in Cavelo.
Assets
Shows the devices Cavelo has discovered across your organizations. A Historical Asset Count chart at the top tracks how the number of devices changes over time. Columns:
- Client Name — the organization the device belongs to.
- Asset Name — the device hostname.
- Identifier — the device's unique ID in Cavelo.
- Region — the device's locale.
- Last Updated — when the device record was last updated.
- Last Seen — when the device was last observed.
- Additional Information — opens a side panel with the full detail Cavelo holds for that device (hardware, operating system, network interfaces, and more).
Vulnerabilities
Shows the vulnerabilities Cavelo has found across your devices. A Right Now summary gives the current total broken down by severity (Critical, High, Medium, Low) and the number of companies affected, and a Vulnerabilities by date chart shows the trend over time. Columns:
- Name — the vulnerability's name.
- Severity — Critical, High, Medium, or Low.
- Product — the affected product.
- Description — a short description of the vulnerability.
- Assets — how many of your devices are affected.
- Company — the organization the affected devices belong to.
CIS Benchmarks
Shows how your clients' devices measure against CIS Benchmarks — the standard for securely configuring (hardening) operating systems and applications. At the top, summary cards give you the overall picture:
- Compliance Check % — the overall pass-rate: the share of benchmark rules that pass. Only rules ControlMap can assess (pass or fail) count toward this percentage; rules that couldn't be evaluated are left out so they don't skew it.
- Passing — the number of rules with a passing result.
- Failing — the number of rules that need remediation.
- Review Required — rules that need manual review.
- Mapped Safeguards — how many distinct CIS safeguards these results map to.
Below the cards you can filter the results and export them:
- Search rule / host — find a specific benchmark rule or device.
- Result — filter by outcome (for example, Pass, Fail, or Error).
- CIS Safeguard — filter to a specific CIS safeguard, chosen from the safeguards found in your results.
- Benchmark — filter by the benchmark definition.
- Operating System — filter by device operating system.
- Export CSV — download the current, filtered results as a spreadsheet.
The results table lists each benchmark check with these columns: Benchmark / Rule, Result, CIS Safeguard (the CIS control the rule maps to), Host, Operating System, and Scan Time. Because results are mapped to the matching CIS controls, they flow automatically to every framework in ControlMap that references those controls.
Connection
Shows your connection status and the Cavelo API URL and API key (masked) you connected with. Use Update Connection here to change your API URL or rotate your API key.
Schedule
Controls how often ControlMap automatically syncs data from Cavelo.
Help
Quick guidance and links for the integration.
How Cavelo appears in the client portal
The connection is set up and managed by the partner in the MSP portal — a client never connects Cavelo themselves. Once a client is active, Cavelo's monitoring shows up inside that client's own portal, scoped to their company, the same way ControlMap's other integrations appear for clients.
On the client's own Integrations page, the Cavelo integration is listed with its sync schedule, last scan, and status, and flagged as managed by the partner. The client can open it to see that company's own Compliance Checks, Assets, Vulnerabilities, and CIS Benchmarks, while the connection itself stays with you.
This is where evidence matters most. In the client portal, open Monitoring → Evidence and select the Automatically collected evidence list — every Cavelo check appears here with a Passing or Failing status and the objectives it satisfies. It's the auditor-ready evidence the integration produces, collected automatically with no manual effort.
Each Cavelo check is also routed automatically to the specific framework objective(s) it satisfies. Open any CIS Controls v8.1 objective and its Evidence tab lists the matching Cavelo check under an Automatic system monitors section — sitting alongside the manual evidence items, with its own pass or fail indicator. Nobody attaches it by hand; the mapping happens on its own.
The devices Cavelo discovers also populate the client's own asset inventory, each marked as created by Cavelo.
Keeping data current
ControlMap syncs Cavelo data on the schedule set in the Schedule tab, and you can trigger a sync at any time with Run Once. New organizations, devices, vulnerabilities, and benchmark results are added automatically, and existing records are kept up to date. If an organization is later removed from Cavelo, its ControlMap client is retained and simply stops receiving new data.
Troubleshooting
- “Unable to connect” when saving or updating — confirm the API key is correct and has permission to read asset and vulnerability data, and that the API URL matches your Cavelo environment.
- A compliance check shows Failed — the most recent sync didn't complete. Check the Connection tab and run a sync with Run Once; if it keeps failing, verify the API key hasn't been revoked.