The number of web applications we can scan is limited. There's a cost associated with how many web apps we want to scan.

Rapid7 InsightAppSec needs improvement in detecting phishing pages. 

Scanning can be better. When you add new projects for the same product, it either duplicates or replaces the scan configuration. If I run a scan for the same product with a different scan configuration, it should keep the previous scan configuration and not replace it with the new scan configuration. It should just add the new scan configuration. That would be helpful. They do keep the results as it is, but the scan configuration keeps changing. For example, I have set a scan configuration to a full scan, and next week, I want to run a new scan for the same product with some changes or new functionalities. I want to run a partial scan. Currently, if I change the scan configuration to partial, it changes the old one also to partial. That should be improved.

They need to work on the user interface and management of all the projects. Their support can also be improved a little.

They should also focus on a wider integration scale and end-to-end scanning.

The product’s pricing could be flexible compared to Acronis.

The only concern I have with Rapid7 is that it does not provide enough information about vulnerabilities within AppSec. 

You can prepare a report, for example, but even inside the report, you must have some knowledge of Rapid7 and know how to explore certain vulnerabilities.

Out of five, I would rate Rapid7 a 3.5.

We get a lot of false positives during the tests. 

We'd like to see integrations with WAF solutions. That could be improved. 

Rapid7 has a new solution to test a secure application and integrate with the secure application, however, sometimes, our customer has a Web Application Firewall externally.

They should add more features. I would like to see them do a little more on static analysis and also interactivity analysis. Currently, it does very basic static analysis. It could do a little more static analysis, which is something that would help. A lot more interactivity analysis should also be there. It should basically look at security during interactivity.

The performance can be improved.

I would like a facility to monitor applications after they have been scanned. For example, when new programming is done, an application should be scanned again because sometimes they add a lot of pages and can affect it. The application should be monitored to protect you from future attacks or mistakes made by the developer team.

In the future, if they can have integration with a lot of ticketing systems then it would be amazing. This would mean that if you're using any ticketing system, then because the application is already integrated with it, and if there's an issue with the web application, it will automatically open a support ticket for the development team.

The reporting is definitely an aspect of the solution that's in need of some work. We found that we'd try to use widgets, but often getting them to work for us wasn't very clear. They need to be more user friendly or offer better instructions. 

The solution needs to have a softcore scan or scan that integrates better with the content.

I would like more details of what the product can do.

For the new vulnerabilities and information which comes out, I would like to see them do some specific in-house application testing for companies who do their own application development.

I find the AppSec interface for defining scans and targets a bit confusing at first, but with practice the logic of the operation flow is understood.