What is The CARVER Target Analysis and Vulnerability Assessment Methodology?
“The CARVER Methodology is one of the most effective tools that a security professional can use.”
General James L. Jones, Former U.S. National Security Advisor
What is the CARVER Method?
A Security Vulnerability Assessment (SVA) is an understanding of the threats, weaknesses, and probability of attack, which could impact a facility, person, system or event.
As such, the CARVER Target Analysis and Vulnerability Assessment Methodology is a time-tested vulnerability assessment methodology that balances efficiency with reliability.
It is a unique analytical tool because it facilitates both a qualitative and a quantitative assessment of an asset’s vulnerabilities. Most assessment tools are limited to qualitative assessments. A quantitative assessment assists in highlighting vulnerabilities, prioritizing assets and remedial efforts.
What does CARVER mean?
Identify critical systems, single points of failure or choke points
Determine ease of access to critical systems, operations or assets
The time and effort taken to recover from an adverse event
Security system effectiveness vs. adversary capability
Scope and magnitude of adverse consequences that would result from malicious actions and responses to them
Evaluate likelihood that potential adversaries would recognize the asset as a critical or valuable target
The CARVER Value Rating Scale
Using CARVER successfully requires inserting the proper values into the CARVER matrix. Otherwise, its practitioners won’t be able to assess the probability of attack or risk to the asset accurately. When a CARVER matrix is completed, it provides the following results:
+ Identifies high risk assets
+ Categorizes and prioritizes assets
+ Assesses vulnerabilities and consequences
The values 1-5 are used to calculate Risk and Probability of Attack (Pa) in the CARVER Matrix. The higher the number the higher both the Risk and Probability of Attack.
Get CARVER Certified from the “Godfather of CARVER”
CARVER Co-creator, Leo “the Godfather of CARVER” Labaj, on CARVER’s Origins:
"During my first six years in Special Activities Branch, I trained special operations forces and CIA paramilitary units in the use of explosives to conduct or plan sabotage operations. The training included not only how to destroy targets but also how to select targets for destruction to meet mission objectives. The target analysis methodology of choice at the time was called CARVE.
From 1972 to 1975, as the Vietnam War wound down, CARVE became an important part of the military’s target-analysis module. But after the war, and as incidents of international terrorism emerged and increased in frequency, analysts began to find CARVE lacking as a vulnerability assessment tool.
In 1976 CARVE became CARVER. It followed that if we (CIA-SAB) knew how to attack a target, we should also be able to prevent an attack on a target. So, we turned our hats around and strove to become counterterrorism “experts.”
Sign-Up Today For One of Our CARVER Training Online or In-Person Courses
*Earn 24 continuing education units from ASIS-International
Read the Definitive CARVER Book
Want to read about the history of the CARVER Methodology? SMI’s Luke Bencie and the CIA’s Leo “the Godfather of CARVER” Labaj, have written a practical guide for evaluating security vulnerabilities utilizing the CARVER Method.
Learn CARVER Online
Don’t have time to take the in-person, 3-day CARVER course? Why not learn at your own pace with The Fundamentals of the CARVER Target Analysis and Vulnerability Online Training Course. This virtual training will give you everything you need to know about conducting a vulnerability assessment using the CARVER matrices.
Attend the 3-DAY *LIVE* CARVER Training Course
The 3-day CARVER Target Analysis and Vulnerability Assessment Training Course is the "original" CARVER course, which is taught by retired CIA bomb-tech, Leo "the Godfather of CARVER" Labaj. This course is recognized by ASIS-International as a "Preferred CPE Provider" and is worth 24 Continuing Educations Units.
Attend CARVERCON 2022
After FOUR previously successful iterations, CARVERCON returns once more - in November 2022 - to be the must-attend Vulnerability Assessment conference of the year. Join critical infrastructure protection experts on the campus of the University of South Florida in beautiful Tampa, Florida.
Simplify with SOTERIA: CARVER Software
It's time to simplify your assessments with CARVER software. The brilliance of the CARVER Target Analysis and Vulnerability Assessment Methodology has finally been packaged in an easy to use mobile collection platform with a multi-purpose asset management dashboard system, known as SOTERIA. The future of vulnerability assessments is here.
Live Training Events/Workshops
Looking to enhance your knowledge, skills and abilities in the security field from true subject matter experts? Below is a list of upcoming training courses and executive workshops designed to enhance your professional development. Earn your Certified CARVER Assessment Professional (CCAP) designation from Leo “the Godfather of CARVER” Labaj. Also, earn 24 Continuing Education Units (CEUs) from ASIS-International.
CARVER TAVA Training Course
Next course date - November 1st - 3rd at the University of South Florida (Tampa)