Rapid7 InsightVM Reviews

In our first use case, we wanted to map the solution back to our NIS (Network and Information Systems) framework and the CIS (Center for Internet Security that publishes Critical Security Controls). That is the first part. The second part of this same use case is that we wanted to do continuous vulnerability scanning. That is we wanted to scan the complete network every month at a minimum. What we are finding out in practice is that we are scanning every week because of our network and the size of it. In the end, we are able to get even more aggressive than our original position.  

The next use case was we wanted to identify the assets that were in our environment. We can identify how many servers we have, we have identified how many desktops and laptops we have got, et cetera. To that point is where we were looking at pretty good.  

Our next use case was the obvious next step where we wanted to identify vulnerabilities. That meant identifying all the vulnerabilities from critical all the way down to the low. We needed to know what they were and how many. Also, we wanted to know how many are unique versus how many there are in total.  

We also wanted to get away from tracking vulnerabilities on spreadsheets. It was incredibly cumbersome, incredibly hard to do, and it was not efficient. The IT guys kept telling me that they did not know how to fix certain issues. So I thought we needed to do CVSS ( Common Vulnerability Scoring System) on it. They were a bit resistant to that idea. Well, I was not about to start doing that for them. So InsightVM gives us the ability now to track the issues and communicate how the remediation should occur to fix vulnerabilities.  

Then the last thing is we wanted was to have a dashboard for management. We had to have a dashboard to be able to have a CIO (Chief Information Officer) log in and find out where we sit with things. Like where do we sit with remediation where are we failing to make expected progress and things of that nature.  

Rapid7 gave us the ability to do a lot of that, and it was not a cumbersome tool to implement. It is good and fits well with pretty much all of our use case needs. It only falls short in a couple of spots.  

Now that we have been using it, I think there are some things Rapid7 needs to consider and address in improving InsightsVM. I think the reporting piece has room for improvement. While they have a lot of reporting, and some of the reporting is really good, there are some things that I think they can do better on. They need to add some categories that are not covered and expand a few things that have only surface coverage.  

I would love to be on a customer advisory board so that I could provide feedback to them and show them what their solution does not do. For example, I could point out things that I can not do with a widget on the dashboard that I would expect it to be able to do. Things like that might help them improve the product from a real user's perspective. That could amount to a lot of different things, but ideally, it would focus on your most common issues.  

There were a couple of things I know that the security analyst and I were looking at and we were wondering why Rapid7 would choose to implement it that way. Like if they did not include something we needed as part of a report, we could not do what we expected when running the report. That is a little frustrating. I would say that they need to spend some more time evaluating enhancements suggested by customers so that they can get those things implemented and round out the user experience. That is the reason why I think a CAB (Customer Advisory Board) is important for vendors like Rapid7.  

We rolled it out in our operations between June and September. So we have been using it since June of 2020.  

I do not know at this point just how scalable this solution is. We bought it for an enterprise solution, so our enterprise need is getting solved. I do not know how much scaling we have to do on top of that. I do not like the fact that as a vulnerability scanner, this product has a fault to a certain extent. We want to be able to scan applications dynamically and this solution does not give us that ability. It does for web apps. But if you are a company that does not have a lot of web apps, something is getting left uncovered.  

Let's say you have a third-party app. You go to that third-party developer and you ask if they have ever done a security attestation on the application. They look at you and like they have no idea what the heck you are talking about and they have no idea what that means. It would be good, in that case, to be able to take the Rapid7 product and point it at that third-party app and scan it dynamically. That way you can get code vulnerabilities or functional vulnerabilities. What would otherwise be a problem is something you could identify and isolate. If Rapid7 looked at the scripting and identified a secret injection attack at line 1,141 — or something to that effect — it could be vetted. It does do that, but it only does that on web applications. Why stop there?  

In order to solve that issue, you have to go out and buy another third-party product that allows you to scan the application to do dynamic or static vulnerability scanning on the application. I do not like that omission because I had that capability with Qualys. We could take Qualys and we could point it at an application and get dynamic scanning reports from it. It told us a line that needed to be fixed and everything.  

I have not yet gotten into the bowels of that discussion with Rapid7, but I want to. What I did find out about it is our current setup does not cover that type of potential application vulnerability. It does allow for some scanning of web applications, but we are not a company that has a lot of web applications. We are not a retail organization. We do not sell anything. We do have web applications, but they are mainly used for marketing.  

We probably have close to a dozen people in our organization who are currently interfacing in some way with Rapid7 InsightVM. That part is scalable. The utility does have those certain limitations, however.  

We have a client service manager for Rapid7 tech support. He is an appointed customer service manager where we have him for the first year. We are working with him to identify things, correct things, implement, attune, and things like that. Because of that relationship, I do not have a need to call their regular tech support right now. We just worked through the service manager.  

I have had some previous experience with Qualys and using Rapid7 now is really a matter of what I chose to bring on based on my personal user experience. Each has its own advantages and neither is a bad product.   

The initial installation and setup were pretty much straightforward. We did run into an issue with credentialing. We ended up working through that and got that correct.  

I think it was done fairly quickly overall. When we ran into that credentialing issue, we spent about three weeks or so — almost a month — working through that. The issue meant involving some guys from some of the other IT teams and getting them into the mix to help us out.  

I had implemented InsightVM before at another company. I liked it when we were using it there which is why it ended up here. I have also had previous experience with Qualys. I did not have the time or the luxury to sit back and do a full analysis, RFI (Request for Information) and RFP (Request for Proposal) when we had to bring on the solution. We are not the CIA (Central Intelligence Agency), we are not the NSA (National Security Agency). We do not need any sophisticated solution or anything like that. We just needed something we could bring in, get online fairly quickly, and get running to do reports. Rapid7 InsightsVM fit the bill.  

On a scale of one to ten (where one is the worst and ten is the best), I would rate Rapid7 InsightVM as probably about an eight-out-of-ten. It gets an eight rather than scoring higher just because of some of the other stuff that I wish we had.  

The primary use is to protect against cybersecurity attacks in your digital infrastructure. One example of such an attack is credential-grabbing.

We have put in some requests for enhancements and they are listening quite well. When there is something that we want to have enhanced then we can easily chat with the people at Rapid7. If it makes sense and another customer thinks that it makes sense then it will be built into the next release.

We are very satisfied with the reports, as they provide us with the information that is required for our management. You can perform the queries that you need.

There have been instances where technical support takes a long time to update the status of a ticket, which is something that can be improved.

I have been using this product for about two and a half years.

The stability is okay.

In terms of scalability, this product is awesome. We have more than 5,000 users and we plan to increase our usage in the future.

The technical support is very nice. They are good and they listen to the customers, which is very important in my opinion.

There is always a demand for technical support to be faster. That said, I think it is much more important to have quality and communication. If I am going to be updated during the course of the case that is running, then that is okay with me. Also, as long as the quality stays in the system and they keep on improving, I am satisfied.

We switched to Rapid7 because we were not satisfied with our previous solution. It was not up to par in terms of our needs and standards.

The initial setup is very straightforward and not complex at all. Our deployment took about three months.

This is mostly a cloud-based solution that works with the assistance of agents and collectors.

We implemented and deployed this product on our own.

The licensing is asset-based and very straightforward.

Overall, this is a product that I am very satisfied with.

I would rate this solution an eight out of ten.

The solution is primarily used for vulnerability management, specifically vulnerability scanning of the endpoint devices.

The main functionality of identifying item endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature.

We found that after you passed an endpoint, it didn't always reflect it in the next scan. I'm not sure if it was a glitch or some issue with the product's software. That was never clear. That was always an issue and something that definitely needed improvement.

We've used the solution for four years.

I didn't notice anything in terms of stability issues. There was always data in it, so I didn't, face any problems. We just had an issue once where we would scan and then we would patch and occasionally it wasn't reflected on the next scan that that patch was there. That was the biggest issue we faced. Other than that, it was reliable. We didn't really have glitchiness or bugs. It wasn't crashing or freezing on us.

I probably don't have an opinion on the scalability. It seemed to function, however, beyond that I'm not sure. As an end-user, I just would log in and run reports. I wasn't in charge of expanding the solution. I used it in a pretty non-technical way.

There were only ever about 10 to 15 users on the solution at any given time.

I never actually got in touch with technical support. I wouldn't be able to speak t their level of service.

The company did not use a different solution before using this product.

I never set up the software myself. I was always just an end-user. I can't speak to if the solution was straightforward or complex.

I have not idea how long deployment took. I'm not sure if it was a long process or not.

Maintenance was handled by our security division. I don't know if there was one person or there were multiple admins that handled that aspect of the solution.

It's my understanding that the solution was set up in-house and an integrator or reseller was not used.

I'm not sure what the solution would cost on a monthly or yearly basis.

I'm not sure if the company evaluated other options or not. I wasn't part of that process.

The company I'm working with now is looking at evaluating Tenable.io.

The company I worked for was just a customer and I was just an end-user. There was no business relationship between the two companies that I was aware of.

The company is considering moving from on-premises to the cloud.

I am unsure of which version of the solution is being used currently. I'm no longer at the company where I used the product.

While the solution worked well, I have never compared other solutions, so I don't know if it's best in class or not.

I'd rate the solution six out of ten.

We have a few primary use cases. The main one is looking at the visibility of devices that are on our network to keep track of things as they come and go, we're looking for known vulnerabilities whether it's the operating system, network devices, mobile devices, and the like. When we find the vulnerabilities we remediate them, so it's also our job to verify that remediations have been successful. In addition, we are now beginning to get involved in setting security baselines and configuring baselines and using InsightVM to audit those configurations.

We're scanning about 6,000 devices. There are about 4,000 users in our environment, they are all IT staff. We also have technical leads from our user services, which is our workstation support, mobile devices, laptops, etc. We've got our infrastructure office which is servers and cloud administration, the IT security group, which is myself, and then our network support team and network administrators as well. It means our IT leadership gets some definite value from the reporting there. The CTO, his assistant, and all the IT managers receive their information from there as well. We have one person working in maintenance, and that's not a full-time position. 

For us there are many integrations with things like the VMware NSX that are great, the reporting is really solid. I like the ability to set goals and SLAs for remediation. When a new vulnerability is found we can have an SLA associated with it automatically based on severity and some of those things. I like the integration with Cisco ISE for identity and doing automated containments and the like. But the biggest thing for me is the quality of the vulnerability scanning itself. The quality of the results and the timeliness, the speed with which they update with new checks for new vulnerabilities. That is the big thing for us.

There are some difficulties with the online reporting and lack of integrations, the information that you can get from the APIs in the software is not the best. There's still some fleshing out of their API that I think could benefit them as well. 

I'd like to see more integrations with ticketing systems. Right now, JIRA and ServiceNow are the only ticketing systems that have integration with Rapid7. Extending that would be big. Some additional integrations with some patch management solutions would be good too. IBM BigFix and SCCM. Microsoft has integrations there. In our situation, we're not using either of those and that feature doesn't really give us a whole lot. If there were to be new integrations added on, both on the patch management and the ITMS side, that would be a big improvement.

Additional features would be the additional integrations for ticketing systems that I mentioned. There are always updates rolling out for new scans and things. 

We've been using the solution for quite a few years. 

I've been impressed with the stability. The only issues that have really come up have been on the cloud reporting aspect. We've had a couple of issues here or there, but their support people were able to get us fixed up in a couple of hours. As far as the on-premises stuff, the only issues we've honestly had with it were problems of our own making. We didn't keep an eye on storage and it filled up but that was a lack of monitoring on our side. Since then it's been rock solid.

I haven't thrown anything at it that it can't handle. The report generation slows down the larger your environment gets, and the greater the number of scans you're trying to integrate into a single report. Even with the increased resources that we gave the server when we did a rebuild hasn't caused any problems. I would anticipate that if you're getting up into the tens of thousands of devices and trying to report across all of those, I could see that grinding to a halt a little bit.

Otherwise, scalability is great. We have more than doubled the number of devices that we're scaling since we did the initial install. We're up to somewhere around 6,000 now and it's chugging right along.

The technical support have been a pleasure to work with. 

The initial setup was pretty straightforward. There were a couple of things with integrating and some areas where it gets a bit more complex, but for the most part, it was very straightforward, especially for how powerful a solution it is. We're running a fairly advanced setup here with multiple scanning engines, scanning pools, and integrations into other systems in our environment and all of that. Defining all of the sites and asset grouping and all of those sorts of things, took some additional time after that. You'd have to do that no matter what. 

We used professional services from Rapid7 to assist with the initial deployment and set up was completed in less than two days. They were great. They took their time and didn't just do the setup, they also included user education and they have continued to reach out since then and make sure we're getting value from the product.  

Our licensing costs are somewhere around $40,000 annually. There are no additional fees. We will probably increase our license count annually as our environment kind of naturally grows. We started out with probably about a third of the network covered and we are up to probably 75, 80% now. We'll get that up to over 99%, I'm sure.

We looked at a few other options: Acunetix was on the list and we looked at Manage Engine, Nessus, Rubric, Alien Vault, Microfocus, ArcSight, FireMon and RedSeal. On the vulnerability management side, we were very, very impressed with Rapid7 and the Insight VMware product. We looked more in-depth at a few of the others but VMware Insight stood out. The ease of use on VMware Insight coming from an organization that doesn't have a large dedicated security team, and being able to split out some of those responsibilities amongst people who may have a strong IT background, but may not have an IT security background really helped us out. It became a no-brainer at that point.

It's important to take the time to have a full understanding of how schemes are scheduled, how sites and asset groups are set up and make sure it's done upfront. It's a big help. If you remove an old site and recreate it with small differences you lose some of the data associated with the old site. Getting the organization sorted from the beginning would be the biggest piece of advice.

It's very important to know what your environment is made up of. People often leave companies without documenting things and there's a lot that not everybody knows about because it was in the back of someone's mind. We now have a great repository of information on what's active on our network, what's installed on it, how all of those systems are interacting, and really having that visibility is great. One of the big lessons we were able to get value from immediately was really just having good visibility of what's in our environment.

It's a very solid product, reporting is great, it's reliable. We have a lot of faith in the results it gives us. At least once a week, I get a notification with some great new features that they've added that I didn't really even know I wanted, but now I have it and can't imagine life without it. 

The product is cloud-based, but with an on-prem portion, but it all auto-updates. The actual scanning engine and all of that is on-prem for us. It's a SaaS solution, it's not one where we are running our own servers. It's provided as a service for us on the cloud. The on-premises stuff that we're running is just virtual machines on our VMware environment.

I would rate this product an eight out of 10. 

The primary use case of this solution is for critical business applications for the web. We have also implemented it to identify when we are changing and an older system like the application client-server, the server two, the network equipment like switch routers, and security solutions.

The most valuable feature for us is the different types of reporting it provides. For example, the compliance reporting, compliance with the international standard in which we are certified and compliant. This is important for us to escalate the dashboard to our top management.

We need to scan and identify the different RPGs, the critical ones and the major ones that can generate risk or a measure of risk. We generate the reporting from the system and relay the report to our internal developers. We have our internal developers in the bank.

This solution integrates with another module in Metasploit, that doesn't exist in the other solutions. It is subscribed to on our roadmap, but we chose to implement both Nexppose and AppSpider.

This solution is stable. It's a good solution.

This solution is scalable.

It takes two people to manage this solution and to be the backup for the succession plan. Our manager has access and performs audits.

Technical support is good and responsive.

In this current company, they were using Qualys and I convinced the management to change to Rapid 7.

After every event, we are required to automize with information control tools like Sandbox, IPS, and vulnerability management. All of those security tools need to be implemented and automized.

That is not the case with Rapid 7. It can be automized and we are dependant on ourselves. We can perform in having this solution customized with the confines of our text.

The initial setup was not complex and it was easy to implement.

It took a week to prepare and install the virtual machine, and to implement the solution it took one month.

Our Regulatory requires that all banks must implement all security solutions on-premises, not on the cloud because they are worried that the data will be compromised and available on different data centers around the world.

We had the help of an integrator to implement this solution. There were three engineers to help. One was for Nexpose and two for Appsider.

This solution is expensive, but it's fine for us as we have an open budget for security solutions. Protection and having the system secured is more important.

Rapid 7 is a leading solution that has been implemented in many companies.

In Nexpose you have the console and the app assistant for Rapid 7. The design can be implemented in all of the segments of the network to scan, perform the scale of the scan, perform the reporting, generate the reports, and send it to the central console.

I would suggest that customers acquire this solution.

In addition to management, we are subscribed to the security dispense team and the company emergency dispense team. We always receive the bulletins, so we are always aware of the vulnerabilities.

I appreciate this solution. All of the features that are included are enough for me.

This is an excellent solution and I would rate it a ten out of ten.

We use the solution for vulnerability management of our on-cloud environments.

The solution provides all the required features for vulnerability management.

They should improve the cybersecurity feature of the solution.

We have been using the solution for a month.

It is a stable solution. We can connect it with other platforms easily.

We have four to five solution users in our organization.

The solution's initial setup process is easy.

The solution's license costs around $30 per month. It is less expensive compared to other competitors.

I advise others to consider the number of IP addresses required to be scanned for their network while opting for Rapid7. I rate the solution as a nine.

We use InsightVM for capacity forecasting.

I've been working around, I don't know, it's about three years.

I rate Rapid7 nine out of 10 for stability.

I rate Rapid7 nine out of 10 for scalability.

I rate Rapid7 support nine out of 10.

Positive

I rate InsightVM eight out of 10 for ease of setup. It takes two or three engineers to deploy. The solution requires some maintenance. It's mainly cleaning up data. 

I rate Rapid7 InsightVM 10 out of 10.

Rapid7 allows you to scan the entire network to discover information about devices, such as the type of operating system. 

I like Rapid7's scan optimization options.

Patch management is the only missing feature I can think of. Rapid7 detects vulnerabilities, but it should also help you manage patches.  

I have used Rapid7 for about five months.

The product isn't stable. Sometimes I attempt to log in using the correct password, but I can't access the server. It tells me that the password is wrong, so I have to reboot the server to access it. 

We pay a monthly license. 

I rate Rapid7 InsightVM seven out of 10.