Cayosoft Guardian is a hybrid identity protection platform purpose-built for Microsoft environments. It continuously monitors Active Directory, Microsoft Entra ID, Microsoft 365, Teams, Intune, and Exchange Online; logs every change with full who/what/when/where context; and offers attribute-level rollback and patented Instant Forest Recovery for catastrophic AD scenarios. Cayosoft is the most direct competitor for Lavawall®'s M365 / Entra / Azure configuration backup & rollback module.
Where Cayosoft and Lavawall® diverge is in scope and packaging. Cayosoft is identity-first and includes on-premises AD with forest recovery — strong for enterprises with hybrid AD where AD recovery is a board-level concern. Lavawall® is cloud-first and adds Azure subscription resources (Network Security Group rules, Key Vault access policies, RBAC role assignments, managed identities) to the same change-monitoring + rollback engine, plus file integrity monitoring and event-log analytics on every Lavawall®-managed Windows, macOS, and Linux endpoint. Lavawall® is also part of a broader MSP platform — bundled with patching, breach detection, GRC, and helpdesk — at MSP pricing rather than enterprise identity-tool pricing.
For an MSP that needs M365 and Entra config backup as one capability among many, Lavawall® is typically the right answer. For an enterprise IT org whose dominant concern is on-premises AD recovery from ransomware, Cayosoft is.
Where Lavawall® wins
Azure subscription scope. Conditional Access and role assignments are only part of the cloud attack surface. NSG rules opening 3389 to the world, Key Vault access policies handing service principals secret read, managed identities chained to subscription-level roles — Lavawall® snapshots these, diffs them, and rolls them back. Cayosoft Guardian does not cover Azure subscription resources.
Endpoint file integrity & event-log monitoring in the same console. When attackers compromise tenant config they typically pivot to endpoints — write a script to a domain controller, modify a hosts file, harvest credentials from a workstation. Lavawall®'s cross-platform agent monitors file changes and Windows / macOS / Linux event logs from the same console as the config backup. Cayosoft is identity-only and doesn't see endpoints at all.
Bundled with the rest of the platform. Configuration backup is one Lavawall® module; the same agent and console handle patching, M365 breach detection, AV/EDR coexistence, GRC compliance evidence, application control, helpdesk, and remote support. For MSPs, that's one console, one bill, one vendor relationship instead of stacking Cayosoft alongside an RMM, a GRC tool, an app-control product, and so on.
MSP-native pricing. Cayosoft is sold per-tenant on enterprise quotes. Lavawall®'s configuration backup & rollback is bundled in the Complete tier or available a-la-carte at C$3.95 / US$2.95 per user per month. For SMB-served MSP clients, that's a materially lower per-tenant cost.
Plan → approve → execute rollback workflow. Rollbacks are a strict three-step lifecycle: plan generation (no Graph calls), admin approval, and operator execution from the m365sync host. Dry-run mode lets you preview every Graph call. Continue-on-error is per-rollback. Designed for MSPs operating across many client tenants with audit trails.
Audit-log correlation built into the change feed. Each change is correlated with CON_M365_Audit_Events to surface the UPN, IP, and country of the user who made it. Lavawall® serves as both detection and evidence collection.
Where Cayosoft Guardian wins
On-premises Active Directory. Cayosoft watches AD on-prem, attribute-level, and offers patented Instant Forest Recovery for catastrophic AD outages. For organisations whose AD is the keystone of their identity environment and ransomware preparedness is a board-level item, Cayosoft is the better choice.
Group Policy Object (GPO) and AD-specific objects. GPO change tracking, FSMO role changes, schema modifications — Cayosoft is built for these. Lavawall® doesn't cover them.
Real-time change capture for AD. Cayosoft Guardian Protector (the free tier) and the paid Audit & Restore product capture AD changes in near real time. Lavawall®'s collector cycle is configurable per object type but typically polls every 15–60 minutes.
Standalone identity focus. If identity protection is a discrete budget line not tied to RMM/GRC/helpdesk, Cayosoft fits cleanly into a Microsoft-shop's identity stack alongside Defender for Identity, Entra ID Protection, and similar tools.
Feature comparison
| Feature | Lavawall® | Cayosoft Guardian |
|---|---|---|
| Conditional Access policies | Yes | Yes |
| Entra ID role assignments / PIM | Yes | Yes |
| Entra ID users (cloud + hybrid, attribute-level diffs) | Yes | Yes |
| Administrative units | Yes | Yes |
| App registrations / service principals | Yes | Yes |
| OAuth permission grants (delegated & admin-consented) | Yes | Yes |
| Intune device-config / compliance / app-protection | Yes | Yes |
| Microsoft Teams team-level settings | Yes | Yes |
| Exchange Online transport / mail-flow rules | Yes | Yes |
| On-premises Active Directory objects | No | Yes — primary use case |
| Group Policy Object change tracking | No | Yes |
| AD Instant Forest Recovery | No | Yes (patented) |
| Real-time change capture | Polling (15–60 min, configurable) | Real-time |
| Azure subscription RBAC role assignments | Yes | No |
| Azure Network Security Group rules | Yes | No |
| Azure Key Vault access policies | Yes | No |
| Azure managed identities | Yes | No |
| File integrity monitoring on endpoints | Yes (cross-platform agent) | No (identity-only) |
| Endpoint event-log analytics (Windows / macOS / Linux) | Yes | No |
| Plan → approve → execute rollback workflow | Yes (auditable) | One-click rollback |
| Dry-run rollback (preview every API call) | Yes | Limited |
| Audit-log correlation in change feed | Yes (CON_M365_Audit_Events) | Yes (Cayosoft change history) |
| Severity rating per change | Yes (info/low/medium/high/critical) | Yes (canned alert types) |
| Bundled with patching / RMM | Yes — one platform | No — identity-only |
| Bundled with GRC / framework evidence | Yes — 15+ frameworks | No |
| Bundled with helpdesk & remote support | Yes | No |
| Pricing model | Per-user MSP add-on or bundled | Enterprise quote-based |
| Free tier | Scout (domain scanner only) | Guardian Protector (monitoring; no rollback) |
Who should pick which?
Pick Lavawall® if…
MSPs serving SMB and mid-market clients with M365, Entra, Intune, and (often) Azure subscriptions, where AD on-prem is either not present or already covered by another tool.
You want Azure subscription resources (NSG, Key Vault, RBAC) covered alongside identity.
You want one platform — config backup, RMM, GRC, helpdesk, breach detection — instead of stacking specialist tools.
You want MSP per-tenant pricing instead of enterprise per-user quotes.
Pick Cayosoft Guardian if…
On-premises Active Directory is core to the environment and forest recovery is a board-level concern.
You need GPO change tracking and AD-schema-level coverage that pure cloud tools don't provide.
You're an enterprise IT team with a dedicated identity-protection budget line and don't need the rest of an MSP platform.
Frequently asked
- Is Cayosoft Guardian the same product category as Lavawall®?
- Yes for the M365 / Entra config backup & rollback function. Cayosoft Guardian and Lavawall®'s configuration module both monitor changes across Entra ID, Microsoft 365, Intune, and Teams, and offer rollback. Lavawall® additionally covers Azure subscription resources (NSGs, Key Vault, RBAC, managed identities) which Cayosoft does not.
- What about on-premises Active Directory?
- Cayosoft is the better choice if on-premises AD coverage and forest recovery are primary requirements. Lavawall® focuses on cloud — M365, Entra ID, Intune, and Azure subscriptions. AD on-premises is not in scope.
- How does pricing compare?
- Cayosoft uses enterprise quote-based pricing typical of identity-protection vendors. Lavawall® is included free in the Complete tier and otherwise priced as an MSP add-on at C$3.95 / US$2.95 per user per month. For most MSP-served SMB and mid-market clients, Lavawall® is materially less expensive.
- Can I run both?
- You can. They overlap on Entra and M365, so most customers pick one. The decision usually comes down to whether you need on-prem AD coverage (Cayosoft) or Azure subscription scope plus the rest of an MSP platform (Lavawall®).
Related Lavawall® pages
- M365, Entra & Azure configuration change monitoring & rollback
- Best M365 / Entra / Azure configuration backup
- What is M365 configuration backup?
- What is Entra ID backup?
- What is configuration drift?
- Lavawall® vs Dropsuite (NinjaOne)
- Lavawall® vs AvePoint Cloud Backup
- Lavawall® vs CIPP
- Lavawall® vs N-able Cove
- Lavawall® pricing