RSA Archer Reviews

We use RSA Archer in my organization for assessments (ISO, GDPR, PCIDSS, etc.) or to raise dispensation for any application, security-related controls.

If we want to perform the application assessment or any ISMS assessment, earlier, we had to do it manually. The RSA Archer tool gives us the output in an automated manner, it is beautiful and has helped our organization.

RSA Archer is the most usable GRC tool and leading tool and I have found performing the application, ISMS, and TPRM assessments beneficial.

In a future release, there should be an option to upload the main data.

I used RSA Archer within the last 12 months.

Early on we faced lots of issues because the communicating with the RSA Archer, the database was not synced properly. Two times when we installed RSA Archer in an environment a few settings and configuration was not correct, this caused the passwords not to match.

The stability could improve.

The scalability is easy to achieve.

Most of our clients are large businesses. I have plans to continue the usage of RSA Archer.

The technical support is good, but they respond a little late, sometimes it can be a few days to have a response.

Positive

The initial setup is a bit complex. The whole process can take approximately three hours with one or two people.

We have faced challenges. For example, the database is not synced with the RSA Archer. A few services were not running if the RSA Archer was logged in through local admin or the specific user, we have received few errors. 

Archer is responsible for the maintenance of the solution.

The ROI depends on the company's needs as RSA has 7 solutions, the company can pay based on the subscription. 

The solution's price should be reduced. You only have to pay the license and there are no additional fees.

I did not previously evaluate any other solutions.

They have to use RSA Archer if they use the automated tools, their data will be safe.

Though there are some issues with the technicality of the solution, such as errors. The solution provides great features, such as customization, we can customize it as per our requirements.

I rate RSA Archer a ten out of ten.

RSA Archer's best features are advanced workflow, reports, dashboards, and notifications.

There is some lag and instability with the platform when using the cloud version. I would also like the look and feel of the layout to be updated and made more customizable. 

I've been using RSA Archer for eight to nine years.

RSA Archer is scalable.

RSA Archer's technical support is a little disappointing because the first level is always manned by junior members who don't have much technical expertise.

Neutral

The initial setup was straightforward.

I would give RSA Archer a rating of eight out of ten.

We use Archer as a risk management portal. We've customized Archer to follow the Sherwood Applied Business Security methodology for governance and risk assessment. We don't use the compliance module much.

The main benefit is that we can automate risk management. The whole purpose of having Archer is to automate governance, risk, and compliance. Previously, we used to do everything in Excel sheets and Notepad. It was mostly manual. We'd send emails to people and collect information. Once you have Archer, you can automate all these processes.

I like how Archer requires very little programming ability. A person with minimum coding experience can configure the necessary fields in Archer. It's more of a drag-and-drop solution. 

When we have to do formulas or some other type of calculation in Archer, it sometimes doesn't work correctly. The fields don't display right, and we have to contact RSA Archer support to fix things. I think the calculation components are a bit complicated.

I've been using RSA Archer every day for the past six years.

RSA Archer's overall performance is good. It slows down at times whenever a script or some process is running in the backend. Sometimes our users have complained about the speed.

Scaling up RSA Archer is a straightforward process. You just need to upgrade your hardware and software. We have about 80 end-users working on Archer now. 

We've opened several tickets with RSA, and they're settled pretty quickly. The experience has always been good. 

When we started working with Archer, it was more or less the only product in the field that could do GRC automation. A few have been launched since then, but we've only ever worked with Archer.

Deploying RSA Archer is effortless. You just need to make a database backup of Archer and keep it somewhere. Then you can install Archer on any server and load the backup. Everything from A to Z comes back. It's restored, and you don't have to do anything. It's a straightforward process. The initial installation takes three hours, and two technicians can handle the job. 

After installation, it doesn't need much maintenance. We periodically deploy some security patches on the operating system, make backups, and cross-verify if the backup is working correctly or not. 

The initial purchase is cheap. You pay a nominal price to start then renew the license annually. You also must buy a license for each module. I'm not too fond of that aspect of the licensing model. You buy the elephant and then spend more money to feed the elephant.

I rate RSA Archer seven out of 10. To anyone thinking about deploying Archer, I would suggest exploring other products in the market as well. Archer is a bit costly compared to its competitors. 

We have four primary uses of the solution. My job role was mainly the administration of RSA Archer, in financial services for the public sector bank. Our main use cases were security incident management, mainly to the cyber security incident management, and also the governance risk and compliance part to the DRC part. The auditing and audit updates all were taken through the RSA Archer, and also the customer feedback. But mainly RSA Archer was used for inventory. 

At my organization, we used to have a manual process for every communication work. For example, security monitoring management and everything was happening through mail and was on Excel sheets, things like that. So after acquiring RSA Archer, we were able to have a single platform, a dedicated platform where we can get all our requirements. The solution has improved my organization by having everything combined into a single platform.

I have used a couple of other products for the same domain. As compared to Archer, this solution is a highly mature product. The interaction has highly improved, especially in the latest two updates. The flexibility of the application and the usability have improved a lot as well. That's what I think stands out for RSA Archer.

One area that could be improved with the solution is the administration part, the backend task. That is a bit complex; or rather, the user interface can be made easier. For the newcomer, Archer might seem a bit complex. But once you get used to that, it's all fine.

In the next release of the solution, I'd like to see more inbuilt applications. For example, I talked about our organization having security management. Those are custom applications built by our own team. These are not out-of-the-box applications.

I have a total of three years experience with RSA Archer.

After deployment, my company managed the solution. We've had multiple issues with RSA Archer. The database has gone down; the infrastructure on the application side had a couple of issues; sometimes the services went down. After upgrading to the latest version of the solution, they are more stable than the previous one and it is a lot better now.

I'm really satisfied with the performance. We have more than 1000 or 2000 current users on RSA Archer, and we haven't faced many problems.

It's really scalable because we have options to import users or applications automatically; there are options to import a large number of users. Last year, we had a merging of three banks, and the users of the other two banks were brought into our Archer. They had more then, about 1,000 to 1,500 users, and that was done within a month. We were able to integrate all applications and users. Scalability won't be an issue.

I have been in touch with Archer customer support a couple of times. I have had good experiences; I haven't faced many issues with them. But it will depend upon the company's contract with RSA. There are different support levels.

I haven't worked on the deployment of the solution, but I know the basics of the infrastructure. It's not highly complex, but it is complex as compared to other applications because, in addition to applications and databases, we have the services side as well.

Our deployment of the solution was done by a third-party.

The solution is not at all a cheap product. Whenever someone is planning to buy the RSA Archer application for their organization, the first thing is to understand whether they really need it or not. We have our in-built applications, but first, we need to check whether we require it or not. That is the main thing. The second thing is whether they have the technical people available who are able to handle Archer. Even if they have the product and all, there aren't many people in Archer. We always be making custom applications; we hardly use any built application. So we should have technical employees there.

Talking about my personal use, RSA Archer is one of the four tools which I have managed. And talking about in my organization, it is used extensively. The main core use was security incident management.

I would rate the solution an eight out of ten.

My primary use case varies depending on the requirements, but uses include working on email notifications, fetching data feeds, and working on feed managers.

Archer allows us to define the progress of the organization's processes and helps build the right cyclic process and improve the current structure. We also track a lot and transfer a lot of vendors and users, and Archer has a repository that allows us to collect that data step by step. It also makes auditing easier.

The most valuable features of RSA Archer are notifications, workflow routing, and data filtering.

An area for improvement is the turnaround time for advice from the support team. In the next release, I would like to see a maturity rating feature that would provide industry ratings and information on the market.

I have been using this solution for about a year and a half.

Stability has improved over time, but there's still a lot of latency with some features, like looking up or checking the database.

This solution is scalable.

The tech support team's turnaround time is often slow.

Previously, I have used Aravo, and currently, I'm using Process Utility.

The initial setup was fairly straightforward as we were given hands-on training. Deployment took around three months.

When implementing Archer, I recommend looking through the videos supplied and making use of the free sessions that Archer provides. I would rate this product as six out of ten.

Our primary use case of this solution is for GRC. I work for a bank and we used this tool to audit our information security team and our cybersecurity team. We had our control library, regulatory requirements, and third-party risks on Archer. So basically, I would say audit, regulatory requirements, third-party risk management solutions, and all kinds of controls, including SOX. These are the integrations we had set up. Right now, it's deployed on-prem. 

This solution helped us with the centralization of our governance data, so we could house all of our controls in one place. We could use that central repository of all our controls to build our risk management strategy and our policy and governance. So we could use controls as a central library and build policy, and then build risk management around it. 

One of the most valuable features is the ease of use. The customizable forms and drop-downs are pretty easy to configure. Automated notifications is another feature that is nice. The whole workflow, basically—if you're going through a workflow process, the whole process is automated with notifications. Basically, it's a pretty straightforward, easy-to-understand interface. I've also had the chance to develop some backend configurations, which is straightforward as well, if you want to add a new field or anything. 

Archer could be improved by having more customization. I'm not sure if the backend processes have API calls and those kinds of seamless integrations, but from the front, some of the solutions are very out-of-the-box. It's not customizable, so that could be a little problematic since you have to use their features. In terms of the backend structure, I'm not too sure because I'm not a developer—I was an end user and product owner of Archer—and I don't quite know the backend and developmental features. But since it's an out-of-the-box solution, sometimes customization was challenging and support was a little problematic because we had to reach out to them all the time. 

I have been working with this solution for the past 18 months. 

We did have a few outages, but otherwise, I must say it's fairly reliable. 

For maintenance, there's an admin dashboard. It's a capability that is handed over to our user and admin has super user access. 

This solution is quite scalable. At that point, it really depends on the strategy. Since we had all our controls on Archer, it was easy for us to scale and deploy other applications or develop other applications seamlessly. But imagine you had your controls on a different application—if it was not on Archer and you had to scale, it would be challenging to move all your data into Archer and then scale. So that is something that could be challenging, but since our strategy was already Archer through and through, we did not find it difficult to scale. 

There are approximately 500 users, across all departments, using Archer. It is being used extensively at the moment. Right now, we don't have plans to increase usage, but I'm sure there's going to be organic growth. 

On a scale of one to five, I would probably rate support a three. I wouldn't say it's the best, but it's not bad either, in terms of both the response time as well as the support. 

We used SharePoint for a bit. We switched to Archer because the graph, user interface, and all that was better than SharePoint. I'm not too sure about the strategic decision because I wasn't with the organization back then, but I know that they wanted a centralized location for their governance, risk, and applications. 

I think the deployment process is pretty straightforward. The solution was deployed for us through a third-party consulting agency, so it wasn't Archer or RSA developers, but a third party that implemented the solution for us. During the time of deployment, we were in a CI/CD mode, so we always had new applications, customization, new fields getting added. 

A third party implemented the solution for us. 

If you are considering implementation, my advice would be to decide on a strategy first before you implement a solution. The solution is nice, but unless you have a strategy, I don't see the point in implementing it. 

I rate Archer a seven out of ten. 

We customize this solution for our clients. We take all their requirements and prepare the design and format by creating fields, notifications, access controls and workflows. We use all the management features that the solution provides to support our clients. We are customers of RSA Archer and I'm a senior consultant. 

The Advanced Workflow feature is one of the most valuable and user-friendly. We used to have to write multiple calculations. With Advanced Workflow, things are much easier for the developer and end user. It's a robust feature that allows users to easily identify what they're doing and where they are. We're able to create multiple layers with a specified functionality that gives an understanding of what is required as well as increased flexibility. Archer provides good security, enabling access where necessary. It's also a useful reporting tool, clearly showing functional data and, when needed, the ability for comparison. The default dashboard shows daily activities that are easily captured allowing for information to be extracted. 

In the current version, RSA is a little slow mainly because of Silverlight which I believe has been removed in the next version. We have some issues using .NET because migrating requires retraining the custom object every time; it's a manual change which is challenging. For that reason, we don't use the custom object. What's needed is a valueless field, where we can drag and drop, add some values and the process is automatic. I'd also like to see an 'approved' button incorporated in the notifications for updates. It would save time and make life easier for the end users.  

I've been using this solution for 11 years. 

This solution is very easy to scale and easy for new users to understand.

Because we use most of the modules we're paying a lot to get good support. We interact with someone from RSA on a weekly basis and deal with any issues on the platform.

The initial setup is straightforward when you understand the system. We put our new users in the sandbox environment and get them to play around with it before setting out our requirements. It can be a bit of a challenge initially but not for long. It's not a common platform and is different from other tools. Once our users are implementing, it's a very smooth process for them. We have a total of seven developers, four are in-house and three are on contract. 

Deployment time depends on the use case; if it's a large implementation, it can take between six and nine months. The solution needs maintenance because of the updates and that often results in patching needs. We're using Archer on a daily basis. 

I'm not sure about the cost of the solution but every year we purchase additional on-demand applications. Archer offers a package that allows the purchase of 10 on-demand applications. You can purchase more than that and the price goes up accordingly. I believe these purchases come with two years of maintenance support. 

This is a good solution compared to others in the market because it is more secure. It's suitable for any size company although smaller companies will only need to use certain modules with larger organizations using multiple modules. This is a one-stop storage device that you can access from anywhere. 

I rate this solution nine out of 10. 

It is used for enterprise risk audit, corporate compliance, and vulnerability reporting like threat management reporting. It is a whole suite that has different products depending on what you want to track and report on.

I do use the SaaS version, but I have also deployed it on-prem, and I also have experience with the original cloud version. The one that we deployed originally on the cloud was on AWS, but now they do everything on SaaS.

From my perspective, because I've always done it as a consultant, I do like the way it is configured. They've gone into changing the application builder interface, so it is even easier. When you're working with users, it is really easy to show them how to do things quickly and how to configure, change, and design stuff quickly.

Some of the error reporting isn't very clear. When you're looking for information on error codes, you got to do a lot of digging.

I've never seen any major issues.

Its scalability is very good. Because of the way they've set up their licensing, it's now very easy to scale, especially if you're using SaaS.

We have over 60,000 users across all departments. Some users just go to check the status. I would think it is being used extensively.

It has changed over the last six months, and it is a little bit more challenging. When you have to report an error, you can't really find a lot of detail online. You have to open a case file, and then after opening a case file, it does take some time for resolution. From one to five, I'm going to rate them a 3.5.

It is very straightforward. The documentation that they provide is clear in terms of the instructions that you have to follow through. It is very well documented. Most users and techs can follow it, even with very little experience.

For its deployment, usually, there are one or two people. You don't need more than that because it's a very easy product to upload. If you're doing it from scratch where you have absolutely nothing, it is about a half-day setup.

It requires very little maintenance. Their upgrade packages are pretty quick, and it is easy to do the upgrades. It is very user-friendly, and even if you have no tech background or you're a new Archer administrator, it is very easy to do.

Its ROI is quite high when you look at how long it takes for people to input stuff for compliance risk, vulnerability management, and threat management. The centralization of data allows you to get a pretty high return on your investment pretty quickly because it's really easy to implement. It doesn't take like a year. You can do it in less than two months, depending on the solution that you want to implement. The customization opportunities with reporting are also pretty high.

I am not 100% familiar with that, especially with their new model. I just know that the way they've licensed per user to scale is good.

I would advise others to know their requirements going in because there's so much flexibility with the product. You could over customize it just because it allows you to do so much, but sometimes too much of a good thing is not a good thing. If you know your requirements upfront, your road to success is short, but your return is high.

I would rate it a nine out of 10.