
Read reviews of Rapid7 InsightVM alternatives and competitors

Owner at a tech services company with 1-10 employees
Real User
Top 5
Easy to use, good support, and gives full reports of what's vulnerable per device
Pros and Cons
  • "I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for."

What is our primary use case?

We use it for vulnerability management. We have the latest version because we're using it in the cloud right now. I have a public cloud and a private cloud version.

How has it helped my organization?

When we do our scans, I'm able to give full reports of what's vulnerable per device. I could group them and say, "Hey, here's a vulnerability in the infrastructure. Here are all the hosts that need to be addressed," by showing the report. When I give a report or a request for change, I would include the report so that they are undisputed. Instead of the sys admins giving the excuse of, "Hey, we don't have enough time," or, "We've already done it," or some other poor excuse, now I have a report behind it that says, "Hey, you're vulnerable with this. Here's the CVE, and here's the POC of the CVE," and then if I want to be a little bit more obnoxious, I provide them the POC that I ran with the proof that the POC is there, and then I'm able to say, "Hey, you need to patch this now."

My executives now are able to say, "Hey, you know what? The ISO gave you a directive to patch this with proof. Why haven't you done it?" Because now, as we know, all C-levels are ultimately responsible. If you have an ISO that is interfacing with sys admins saying, "Hey, here's a change that you need to patch it. Here's my proof that even has POC with proof and the report," then there is no benign, "Why haven't you done it?"

What is most valuable?

I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for.

What needs improvement?

The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else.

I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan."

I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day.

In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CVE database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers.

For how long have I used the solution?

I've been using Nessus for about eight years.

What do I think about the stability of the solution?

Internally, it is stable. Externally also, from what I've seen, it is stable. The only problem that I've had with it was if you have a network and internet blip, you get disconnected, but that happens with anything. Right now, I would say that a lot of cloud companies are having problems because COVID has got a lot of people working from home remotely in VPN. This is the biggest problem we have. You went from 35 people using VPN to over 2,000 people using VPN. You're trying to go to a cloud that wasn't set up for VPN, or you don't have the necessary routes or bandwidth to it. The average person is going to say, "This cloud application sucks." It doesn't really suck. It means that you don't have enough bandwidth in your infrastructure.

What do I think about the scalability of the solution?

We haven't had to scale it yet. We haven't scaled internal Nessus because we have our own version of it. I'm not sure how many IP addresses we're feeding, but I know we only have one server. I looked at the processes, and it's only doing 50% of the process.

We have 13 people who are capable or licensed to use it, which would be all of our risk management information, information security, and risk management office, but I would say only half or about six of us are actually using it daily.

How are customer service and technical support?

I've used the tech support a couple of times. I would say they are very good because they were able to say, "Hey, let's stop the chatting. Let's get on a Webex, and we will Webex you and ask the questions directly." They were able to get to the engineers on the Webex at the same time, and within 30 minutes, they solved our problem. I would rate them a ten out of ten.

How was the initial setup?

If I was installing Nessus just by itself, it is straightforward simply because I've done it before. If you're setting up Nessus from the cloud version, there's a little bit more to it because, for one, it's in the cloud version, and you got to open up ports for your network. You got network people who get all scary because they don't understand what you're doing. Other than that, once you get it set up, then it is pretty much straightforward.

What's my experience with pricing, setup cost, and licensing?

Nowadays, your vulnerability applications are going to be kind of pricey because lots of them, including Rapid7, are based upon a base price, but then they add in the nodes. That's where they get you. If you're a big network, obviously, you need to scan everything. Therefore, it's going to be costly.

The risk and insurance money associated with having ransomware on my networks is going to cost me more money, time, and marketing than the price of the tool. That's why I'm speaking only as an information security officer to security operations. This is the tool that is there in my toolbox to say whether we are vulnerable or not. At this point, I don't care about how much it costs my company to have it because if I wasn't able to report it and we got ransomware, then who cares? I'm probably going to be out of business because it happened. That's why I don't care about the price. I have it, and I could use it effectively and do my report. At the end of the day, even if we get ransomware, as long as I reported it, followed my protocol, and put in the change, irrespective of whether it was ignored or denied, I did my job.

What other advice do I have?

The advice would be definitely doing your proof of concept because that's what you're going to need for your buy-in for your upper management because it is going to cost some money. I would do a hybrid version, where your own Nessus is internal, and then you have your cloud. If you lose connection to the internet, you could still run an internal Nessus scan to save the scan and then input the scan into Tenable.sc. Do your proof of concepts, get your reports, and use your proof of concepts when you do your presentation to upper management to purchase. If you use your own nodes and your own network as your proof of concept, it gives them an eye view of, "Hey, we're vulnerable because of this, and here's the tool that did it." To me, that was a better selling point because it was real. It wasn't the demo data. Once you have purchased it and get it all set up, use it continuously, meaning include your scanned reports with your change control. This way, it shuts all the administrators who have been there over 20 years and say, "Hey, I don't want to patch right now because it takes the network down." Yes, it's going to take the network down. However, the longer you wait, the more vulnerable you are because if I'm doing change requests every week, and I'm calling on more and more risk and you start to find the same nodes in the same reports, then somebody up high is going to say to the network administrator guy to fix it.

I would rate Tenable Nessus a ten out of ten right now. If you had asked me last year, Rapid7 would have been the same and on top, but now that I've been using Tenable and I'm comparing the jobs that I'm doing right now, Tenable is cut and clear to what the report is saying. My favorite report is the VPR report. Instead of just looking at CVSS numbers, it has a VPR report that ranks, whereas, in Rapid7, it's just focused on CVSS. It is CVSS version 2 or 3, which kind of gets confusing. For example, in Tenable, I can run a scheduled scan and have my report, but let's say, for instance, I did patching in the middle before my scheduled scan. I could kick off a new scan specifically for that vulnerability and get a report, whereas, in Rapid7, you could not easily do that. Therefore, you were stuck waiting for the scan to go again and to see if your mitigation efforts fixed it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Consultant at a tech services company with 10,001+ employees
Consultant
Excellent continuous monitoring, helpful technical support, easy to scale, and simple to install
Pros and Cons
  • "The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities."
  • "Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems."

What is our primary use case?

Qualys' main function is to scan IT systems. It does the scanning of computer systems.

What is most valuable?

Continuous Monitoring is excellent because it is entirely dependent on the agent, and the Agent Scan is also quite good.

I also like the asset tagging, asset grouping features, and the dashboard, because we can customize and create our own dashboard. That's quite good. 

The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities. That is also an excellent module.

What needs improvement?

The dashboard itself could be improved. While we can customize it, they can create different tabs where we can see the trending vulnerabilities, how many there are, or how many have been fixed, as in the most recent scan report, so that trend analysis is a little easier.

Aside from that, the solution itself is fairly generic in nature. What they can do is pretty much customize everything and provide a relevant solution for everything. For example, because Qualys has a Cloud Agent that scans a system's entire inventory, they can test their use cases to determine whether or not a vulnerability has been confirmed. If they can do so, they can also provide us with a straightforward solution to a specific problem rather than a generic one. That could be one area where they can improve.

Qualys does not currently have an IoT, SCADA vulnerability assessment. They can significantly improve their IoT, SCADA, and ICS (Industrial Control Systems) vulnerability assessment technique. When you compare with Tenable SC, it has more features than Qualys VM.

If you see power grids, large oil stations, they fall under SCADA and Industrial Control Systems. These systems are very different from standard IT systems. Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems.

I believe they can improve on the addition of devices. Assume I have two lakhs of devices that cannot all be added at the same time. For example, if I have two lakhs of devices, and two lakhs of those devices have a Cloud Agent, adding all of those devices at once is not easy. We have to add it 1,000 at a time, which takes a long time when there are two lakhs of assets to add. If we do 1,000 at a time, we'll have to do it for around two lakhs, which is quite difficult.

They can increase their frequency of working faster, similar to the time constraint they currently have. The second thing they can improve is the addition of assets. They can almost completely automate the process of adding assets, or they can increase the maximum number of assets that can be added in one go. They are only allowed to add 1,000 assets. If I want to add two lakh assets, it will be extremely difficult to do so by adding 1,000 at a time.

That is a fairly technical issue. Most of the false positives reported by Qualys or the inability to detect a cumulative patch update, if any, are the few things that they can improve and incorporate. 

As I previously stated, it would be extremely beneficial if they could implement scanning, vulnerability scanning of IoT systems, Industrial Control Systems, and SCADA devices.

For how long have I used the solution?

I have been working with Qualys VM for approximately four years.

We have been using multiple Qualys modules, such as VMDR, Cloud Agent, AssetView, and Continuous Monitoring. The most recent version that we are using is 4.14.

What do I think about the stability of the solution?

It's reasonably steady. When we say stable version, there is also room for improvement in that Qualys will not be able to handle large amounts of data at once. When you do billions of scans, such as a scan for millions of devices, it becomes extremely slow, and gathering data and populating the report becomes extremely tedious. 

What do I think about the scalability of the solution?

Scalability is quite good. We can pretty much rely on the tool. It is easy to scale. 

If the organization grows, we can pretty much scale it to most of the areas. The only problem is that they must primarily work on Industrial Control Systems and lightweight devices such as CCTV cameras, and lightweight devices. As a result, they are required to work in that field; otherwise, it is pretty good.

Based on my previous experience, there were approximately 300 or more users using Qualys in organizations with a population of more than two lakh people. Currently, I see that approximately 400 users are using it, and the size of the organization is significantly larger than the previous one.

We use this solution daily.

How are customer service and support?

Technical support is pretty good. Since I've been working in this, they've been friendly and straightforward, and we were able to get the most out of them.

We have suggested areas for improvement, and they have been working on them. They always make a good impression on us.

Which solution did I use previously and why did I switch?

As a consultant, I've worked on a variety of projects in a variety of organizations.

How was the initial setup?

The initial setup is simple and straightforward.

What about the implementation team?

We initially had assistance from the vendor, but once we had a good understanding of it, we scaled it in our organization.

Which other solutions did I evaluate?

Because I've been using Qualys for quite some time, I was looking for a comparison of several solutions such as Tenable SC, Rapid7, InsightVM, and Tenable Nessus. I was curious to know if there were any other tools that were better than Qualys.

I was looking for more information about Tenable SC and wanted to compare it to Qualys in more detail, with parameters such as, how the false positives are detected in Tenable SC and how good it is in comparison to Qualys. In a similar manner, in comparison to Qualys, we learn about its usability, interface, and how user-friendly it is. Those are the few things I was looking for, and I'm still looking for more information about Tenable right now.

What other advice do I have?

They have the ability to improve SCADA. SCADA stands for Supervisory Control and Data Acquisition, and IoT stands for Internet of Things scanning.

Recommending this solution would depend on the organization, the requirements, and the devices they have.

For a typical IT system, it is very good to go with this solution. Microsoft, Deloitte, and the majority of organizations still use it; it is pretty much good to go. But, once again, it is entirely dependent on how the organization is, what type of devices they have, and what kind of scans they would like to have.

In a broad sense, it is a good solution to go with.

I would rate Qualys VM an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Morey Haber - PeerSpot reviewer
Chief Technology Officer & Chief Information Security Officer at BeyondTrust
Real User
Top 20
Non-intrusive vulnerability management and attack detection, helpful regulatory reporting, responsive support
Pros and Cons
  • "The vulnerability management does not require network scanning or agent technology, so I don't need to modify any of my products in order to do vulnerability assessments."
  • "In the future, I'd like to see Orca work better with third-party vendors. Specifically, being able to provide sanitized results from third parties."

What is our primary use case?

We manufacture cloud solutions and we employ Orca Security to monitor them.

How has it helped my organization?

When we implement Orca, we don't have to make changes to any other products. This is important because we can design the products to be best-in-class without worrying about incompatibilities from third-party vendors. Orca sits on the perimeter and is able to essentially do excellent security work without re-engineering our solutions.

The regulatory reporting has been very helpful for our own certifications from SOC and ISO.

What is most valuable?

The most valuable features are vulnerability management and attack detection.

The vulnerability management does not require network scanning or agent technology, so I don't need to modify any of my products in order to do vulnerability assessments.

The monitoring of logs and attack scenarios is basically hands-free. It's a non-intrusive approach.

What needs improvement?

In the future, I'd like to see Orca work better with third-party vendors. Specifically, being able to provide sanitized results from third parties.

I would like to see support for FedRAMP certification.

For how long have I used the solution?

I have been using Orca Security for more than two years.

What do I think about the stability of the solution?

Stability-wise, we have never had any problems. It's solid.

What do I think about the scalability of the solution?

We are a middle-size business and we've had no scalability issues.

We have more than 4,000 cloud customers. The environments are across AWS and Azure, both public and private cloud. We manage this with three admins, a director, an engineer, and an analyst.

How are customer service and support?

When there have been issues, the team is incredibly responsive to resolving them. One of the major benefits, since it's fully cloud-based, is that a single fix affects everything. You're not re-rolling agents or collectors or data aggregation tools. It's fixed once and it works everywhere. So, even from a support standpoint, it's a major benefit.

I would rate their support a nine out of ten. Nobody gets a ten.

Which solution did I use previously and why did I switch?

We were fully deployed on Rapid7 and had 100% coverage. It was the primary tool that was replaced by Orca.

Some of the advantages to using Orca are its rapid time to deployment, extensive compatibility, and honoring security best practices like using the least privilege for the implementation.

Transitioning from Rapid7 to Orca has saved us time. I estimate that we save at least one person-year per year. The costs of the two products are similar.

Another important point is that we have more accurate results with fewer false positives.

How was the initial setup?

The entire deployment was completed in two months. Actually turning on the product was weeks at most, but going through change control and testing for all of our production environments was two months, including writing standard operating procedures, all of our escalation paths, et cetera.

When I say deployment, I'm not just talking about installing the software and turning it on. I'm referring to making it fully business-integrated.

What's my experience with pricing, setup cost, and licensing?

The cost of Orca is similar to that of Rapid7.

Overall, the pricing is reasonable and the discounts have been acceptable.

We've had no issues with the licensing model, including when we've needed to use burst licensing. It's been good.

Which other solutions did I evaluate?

In terms of visibility into our environment, we compared similar technologies that use intrusive methods and we found that the results from Orca were superior. We evaluated Rapid7 for both vulnerability management and incident detection and response (IDR).

If you compare Orca to a competitor like Lacework, Lacework requires agents but Orca does not. Orca's agentless approach is incredibly beneficial for maintenance upgrades, change control, certifications, et cetera. So basically, there is less code to deploy, less code to manage, and another vendor not to worry about. These are all positives.

When we were evaluating Orca, it was very important to us that they are a SaaS solution. It is updated regularly and new features become available at no extra cost. Also, managing the cloud from the cloud was critical for us.

Initially, I was quite skeptical that Orca Security could do all of the things that they claimed. In fact, I was skeptical to the point where I stalled the salesperson for six months before accepting a demo.

I've been in the vulnerability-management space for over 20 years, personally, and I didn't believe the claims. When they told me how they were doing it, I thought that there was no way it was accurate. Then, when they showed it to me, I realized that it was something that I'd never seen, heard, or even considered doing.

To any skeptics that are out there, this is a unique approach and a modern approach, and worth consideration. It basically breaks the mold of how vulnerability management has been done for the last 20 years.

What other advice do I have?

Orca has a lot of features available out of the box, although that was not important for us when we initially chose it. We chose them for vulnerability management when that's all they had to replace agents. Originally, they were only for vulnerability management. All of the extra features that have come along since that time have just been very pleasant bonus add-ons. As they added features, we were able to do the rest.

The biggest lesson that I have learned from using this product is that there's a right way and a wrong way to modernize security best practices in the cloud. Orca is one of the vendors that is doing it the right way.

Overall, I'm thoroughly impressed with this product, which is the best way I can put it. It is a unicorn in the space, with a lot of people trying to play catch-up.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Business Consultant at a tech services company with 11-50 employees
Reseller
Top 10
Leaderboard
Good solution with strong features
Pros and Cons
  • "The features that I have found most valuable with Skybox Security Suite, and this is because I work on the security side, are the firewall assurance, the change manager and the vulnerability control. These three features are the most impressive from Skybox Security."
  • "The initial setup with Skybox Security is hard. You need one or two strong security engineers on your team."

What is our primary use case?

We use the firewall assurance and the network assurance when we use change manager to check any changes in our firewall. We also use FortiGate's firewall for all our company. For six months, until 2020, we used the vulnerability control module to analyze our infrastructure.

For one of my customers, we used firewall assurance, network assurance and change manager - three modules. We optimized the firewall appliance and rules for one of the Ukrainian banks.

How has it helped my organization?

Skybox Security Suite is a great, strong solution. But you need a good engineer with high-level technical skills. For businesses it is a great solution - you look at the pie chart and understand everything. But if we talk about technical expertise, you need one or two technical expertise guys on your team to support this platform. You need to check, understand and discuss all cases and events, analyze these events, and make changes in your infrastructure. In terms of the technical aspect, it's good. For businesses, it is great.

What is most valuable?

The features that I have found most valuable with Skybox Security Suite, and this is because I work on the security side, are the firewall assurance, the change manager and the vulnerability control. These three features are the most impressive from Skybox Security.

In terms of the firewall rules, compliance, and vulnerability control, I need to understand what changes were provided from my IT team. I need to understand how these changes impact our compliance. I need to understand this to make decisions.

In terms of the vulnerability control, we need to understand how changes in our infrastructure impact the security in our company, such as having an open port to LinkedIn or Facebook. This could be very bad for the cybersecurity in our company, because some hackers or some non-loyal employees could make a lot of trouble.

So we need to understand how our changes impact the cybersecurity of our company. And Skybox Security is one of the greatest solutions for this because you can see the firewall and the network infrastructure and you understand what's happening and how it could impact your cybersecurity.

What needs improvement?

In terms of what could be improved, I would say support for Cisco Firepower. This is one of the biggest segments in the Ukraine market. Many customers use Cisco Firepower. It is not a good solution for me, but it makes sense. The second feature that could be improved is a deeper integration with Palo Alto. One of my customers uses Palo Alto and during the trial period with Skybox Security, we had some issues because when the IT administrator used the rules Skybox Security didn't understand. But it's not really a problem with Skybox Security. This was a problem for the company who used these stupid rules.

For how long have I used the solution?

I have been using Skybox Security Suite for the last 15 months. 

What do I think about the stability of the solution?

In terms of stability, humans write the code. So any solution will have some issues. So yeah, we have one or two issues, but for me, Skybox Security support is one of the quicker supports in the world. I am familiar with support from Symantec and from Microsoft, these are bad support-wise. I also know about the support from McAfee and SolarWinds. For me, SolarWinds, Skybox and FireEye have quick, good support.

Support is good for me.

How was the initial setup?

The initial setup with Skybox Security is hard. You need one or two strong security engineers on your team. We have that. One of my colleagues has great experience as a cybersecurity engineer officer. So we deployed, but during deployment we asked the Skybox team for support. You need to understand what you are doing and why you are doing it.

What's my experience with pricing, setup cost, and licensing?

We use an NFR, not for resale, license because we have a strong relationship with Skybox Security. But Skybox Security sent me yearly support for the license, not monthly.

Skybox Security has good pricing.

If you need something like Skybox, you would pay more money than for a cybersecurity platform, because you need FireMon for firewalls. For firewalls, you would need a subscription to Cisco Tetration, for example, or for something else. These are more expensive solutions in collaboration. So if you want to save money and save time, use Skybox Security.

What other advice do I have?

I would absolutely recommend using Skybox Security.

If you need to check compliance and to understand how your IT teams work, use Skybox Security. If you need to understand, like a clear glass of water, how your IT infrastructure works, use Skybox.

Tenable or Qualys or Rapid7 vulnerability controls in your infrastructure could be installed for vulnerability scans. But they don't know what kind of attack could be used or what vector of attack could be used. If you use Skybox you will see the impact, all the issues with your infrastructure and your configuration, and you can quickly change the situation to be more protected from outside and inside attacks.

On a scale of one to ten, I would give Skybox Security an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Distributor
Founder at a construction company with 11-50 employees
Real User
Top 10
Robust, and functional, but the technical support, and pricing could be improved
Pros and Cons
  • "The most valuable features of this solution are the consolidation of all historical data on device endpoints, security drivers, firmware, and software version gaps."
  • "It is not really additional functions, or the features that are needed, rather the complexity would be reduced based on the number of modules required to put together a comprehensive operational security and risk compliance model."

What is our primary use case?

There are some very compelling use cases. A value proposition.

What is most valuable?

The most valuable features of this solution are the consolidation of all historical data on device endpoints, security drivers, firmware, and software version gaps.

Things that are sometimes overlooked within an IT support, operational, and security model framework, and all of that being consolidated into a multi-view and multi-windows dashboard.

What needs improvement?

The problem or challenge is a pre-sales and go-to strategy for the SMB market delivered through a channel or model.

It's very convoluted and vague, which leads to some confusion about the various types of modules, and the device-to-seat cost is extremely difficult to calculate.

You could have six different modules with 15 to 20 different device counts, which raises some red flags regarding service support and operational operations availability.

To be honest, I don't have enough time in the seat, or on the technology, to say whether or not there is a gap in terms of function or software.

It is not really additional functions, or the features that are needed, rather the complexity would be reduced based on the number of modules required to put together a comprehensive operational security and risk compliance model.

For how long have I used the solution?

We are not really using it. As part of what my company does, we provide executive-level advisory and consulting services based on these types of products and other products in the marketplace. We are not end-users; rather, we are a service delivery and integrator, as well as an executive business and operational technology alignment company.

We last worked with our clients on this solution in the last 30 days.

The version is the endpoint security and point management suite under a thousand seats.

What do I think about the stability of the solution?

The client hasn't used it long enough to know whether it's stable or not. It is reasonably stable, but it does not provide long-term stability or service to this software. I don't have enough working time on it.

What do I think about the scalability of the solution?

Tanium is a scalable product.

How are customer service and support?

Technical support is lacking.

I would rate the technical support a three out of five.

That is not necessarily people; it's the service window.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

HPE Simplivity, Nutanix Acropolis AOS, and VMware vSAN are all available. I don't have much experience. The research was being done as part of an inquiry on a consulting engagement for one of my clients.

We are working with Rapid7 and Crowdsource.

How was the initial setup?

It's hosted by a third party on an MSP cloud platform.

This is not a light switch. It is probably a four on the level of complexity.

It may take up to 60 days to implement.

What about the implementation team?

There is an on-premises version, but it is only available for more than a thousand seats through an appliance model.

What's my experience with pricing, setup cost, and licensing?

It is not inexpensive.

It is higher than some competitors in the market. However, it appears to be more robust and functional to me.

Aside from the standard licensing fees, there are significant additional costs.

What other advice do I have?

Some of the current topics of interest include software as a service based on cyber risk and cyber security. But I would say that would be the most, one of the most prevalent.

I would suggest doing your due diligence.

I am an independent consultant.

I would rate Tanium a seven out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.