
Rapid7 InsightVM Overview

Rapid7 InsightVM is #5 ranked solution in top Vulnerability Management tools. PeerSpot users give Rapid7 InsightVM an average rating of 7.4 out of 10. Rapid7 InsightVM is most commonly compared to Tenable Nessus: Rapid7 InsightVM vs Tenable Nessus. Rapid7 InsightVM is popular among the large enterprise segment, accounting for 61% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from a computer software company, accounting for 19% of all views.
Rapid7 InsightVM Buyer's Guide

Download the Rapid7 InsightVM Buyer's Guide including reviews and more. Updated: September 2022

What is Rapid7 InsightVM?

Rapid7 InsightVM is a comprehensive vulnerability management platform that protects your systems from attackers and is easy to scale. The solution provides easy access to vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more. Rapid7 InsightVM is ideal for security, IT, and DevOps teams, helping them reduce risk by enabling them to detect and respond to attacks quickly.

Rapid7 InsightVM Features

Rapid7 InsightVM has many valuable key features. Some of the most useful ones include:

  • Automated containment: With this feature, you can decrease exposure from vulnerabilities by automatically implementing temporary (or permanent) compensating controls via your network access control (NAC) systems, firewalls, and endpoint detection and response tools.
  • Policy assessment: Rapid7 InsightVM offers pre-built scan templates for common compliance requirements. The solution helps you take clear, actionable steps to compliance once you have assessed your risk posture. In addition, Rapid7 InsightVM’s Custom Policy Builder allows you to modify existing benchmarks or create new policies from scratch.
  • REST API: Rapid7 InsightVM REST API is easy to use and was built to easily automate virtually any aspect of vulnerability management, from data collection to risk analysis.
  • Live dashboards: Rapid7 InsightVM includes dashboards that are live and interactive by nature. The live dashboards enable you to create custom cards and full dashboards for anyone in your organization and allow you to track progress of your security program.
  • Automation-assisted patching: Rapid7 InsightVM’s automation-assisted patching gives you the autonomy to make key decisions in your patching process, such as your approval to apply certain patches to certain vulnerabilities.
  • Real risk prioritization: Rapid7 InsightVM makes it simple to know which vulnerabilities need to be prioritized and where your riskiest assets lie.
  • Goals and SLAs: This feature enables you to make and track progress toward your goals and service level agreements (SLAs) at an appropriate pace.

Rapid7 InsightVM Benefits

There are many benefits to implementing Rapid7 InsightVM. Some of the biggest advantages the solution offers include:

  • Attack surface monitoring for maintained visibility: By leveraging attack surface monitoring with Project Sonar (a Rapid7 research project that regularly scans the internet to gain insights into global exposure to common vulnerabilities), you can gain more control of all of your external-facing assets, both known and unknown.
  • Container security: Rapid7 InsightVM integrates with your CI/CD tools, public container repositories, and private repositories to assess container images for vulnerabilities during the build process even before they are deployed.
  • Lightweight endpoint agent: Rapid7 InsightVM unifies data so you only need to install a single agent for continuous vulnerability assessment, incident detection, and log data collection.
  • Easily assign and track remediation duties: Using Rapid7 InsightVM, IT and security teams can assign as well as track remediation duties without having to deal with remediation reports, complex spreadsheets, or back-and-forth email tags.
  • Integration with cloud services and virtual infrastructure: Rapid7 InsightVM provides full visibility into risk across your physical, virtual, and cloud infrastructure.
  • Integrated threat feeds: Rapid7 InsightVM is designed with integrated threat feeds, giving you a dynamic view that shows you which threats are most relevant to your environment, enabling you to better protect against current, impending threats so you can react quickly to critical vulnerabilities.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Rapid7 InsightVM solution.

An owner at a tech services company says, "I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps."

PeerSpot user Kimeang S., Technical Consultant at Yip Intsoi, mentions, "The most important aspect of the solution is that it rarely gives false positives, especially compared to other products. It provides very clear reports for our IT teams to look at."

A Director of Information Technology at a government explains, "The main functionality of identifying item endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature."

Rapid7 InsightVM was previously known as InsightVM, NeXpose.

Rapid7 InsightVM Customers

ACS, Acosta, AllianceData, amazon.com, biogen idec, CBRE, CATERPILLAR, Deloitte, COACH, GameStop, IBM


Archived Rapid7 InsightVM Reviews (more than two years old)

Bill Young - PeerSpot reviewer
Director of Cyber Security (CISO) at a marketing services firm with 201-500 employees
Real User
Broad capabilities make this scanning solution able to cover a lot of ground
Pros and Cons
  • "It is good and fits well with pretty much all of our use case needs."
  • "You can bring in and get online to do reports fairly quickly."
  • "The product does not have the capability to do dynamic scanning of non-web applications."
  • "Reporting could be expanded."
  • "There are end-user needs and expectations that are being overlooked in the development that could be addressed by appointing a customer advisory board."

What is our primary use case?

In our first use case, we wanted to map the solution back to our NIS (Network and Information Systems) framework and the CIS (Center for Internet Security, which publishes the Critical Security Controls). That is the first part. The second part of this same use case is that we wanted to do continuous vulnerability scanning. That is, we wanted to scan the complete network every month at a minimum. What we are finding out in practice is that we are scanning every week because of our network and the size of it. In the end, we are able to get even more aggressive than our original position.

The next use case was we wanted to identify the assets that were in our environment. We can identify how many servers we have, we have identified how many desktops and laptops we have got, et cetera. To that point is where we were looking at pretty good.  

Our next use case was the obvious next step where we wanted to identify vulnerabilities. That meant identifying all the vulnerabilities from critical all the way down to the low. We needed to know what they were and how many. Also, we wanted to know how many are unique versus how many there are in total.  

We also wanted to get away from tracking vulnerabilities on spreadsheets. It was incredibly cumbersome, incredibly hard to do, and it was not efficient. The IT guys kept telling me that they did not know how to fix certain issues. So I thought we needed to do CVSS (Common Vulnerability Scoring System) on it. They were a bit resistant to that idea. Well, I was not about to start doing that for them. So InsightVM gives us the ability now to track the issues and communicate how the remediation should occur to fix vulnerabilities.

Then the last thing we wanted was to have a dashboard for management. We had to have a dashboard to be able to have a CIO (Chief Information Officer) log in and find out where we sit with things, like where we sit with remediation, where we are failing to make expected progress, and things of that nature.

Rapid7 gave us the ability to do a lot of that, and it was not a cumbersome tool to implement. It is good and fits well with pretty much all of our use case needs. It only falls short in a couple of spots.  

What needs improvement?

Now that we have been using it, I think there are some things Rapid7 needs to consider and address in improving InsightVM. I think the reporting piece has room for improvement. While they have a lot of reporting, and some of the reporting is really good, there are some things that I think they can do better on. They need to add some categories that are not covered and expand a few things that have only surface coverage.

I would love to be on a customer advisory board so that I could provide feedback to them and show them what their solution does not do. For example, I could point out things that I cannot do with a widget on the dashboard that I would expect it to be able to do. Things like that might help them improve the product from a real user's perspective. That could amount to a lot of different things, but ideally, it would focus on your most common issues.

There were a couple of things I know that the security analyst and I were looking at and we were wondering why Rapid7 would choose to implement it that way. Like if they did not include something we needed as part of a report, we could not do what we expected when running the report. That is a little frustrating. I would say that they need to spend some more time evaluating enhancements suggested by customers so that they can get those things implemented and round out the user experience. That is the reason why I think a CAB (Customer Advisory Board) is important for vendors like Rapid7.  

For how long have I used the solution?

We rolled it out in our operations between June and September. So we have been using it since June of 2020.  

What do I think about the scalability of the solution?

I do not know at this point just how scalable this solution is. We bought it for an enterprise solution, so our enterprise need is getting solved. I do not know how much scaling we have to do on top of that. I do not like the fact that as a vulnerability scanner, this product has a fault to a certain extent. We want to be able to scan applications dynamically and this solution does not give us that ability. It does for web apps. But if you are a company that does not have a lot of web apps, something is getting left uncovered.  

Let's say you have a third-party app. You go to that third-party developer and you ask if they have ever done a security attestation on the application. They look at you and like they have no idea what the heck you are talking about and they have no idea what that means. It would be good, in that case, to be able to take the Rapid7 product and point it at that third-party app and scan it dynamically. That way you can get code vulnerabilities or functional vulnerabilities. What would otherwise be a problem is something you could identify and isolate. If Rapid7 looked at the scripting and identified a secret injection attack at line 1,141 — or something to that effect — it could be vetted. It does do that, but it only does that on web applications. Why stop there?  

In order to solve that issue, you have to go out and buy another third-party product that allows you to scan the application to do dynamic or static vulnerability scanning on the application. I do not like that omission because I had that capability with Qualys. We could take Qualys and we could point it at an application and get dynamic scanning reports from it. It told us a line that needed to be fixed and everything.  

I have not yet gotten into the bowels of that discussion with Rapid7, but I want to. What I did find out about it is our current setup does not cover that type of potential application vulnerability. It does allow for some scanning of web applications, but we are not a company that has a lot of web applications. We are not a retail organization. We do not sell anything. We do have web applications, but they are mainly used for marketing.  

We probably have close to a dozen people in our organization who are currently interfacing in some way with Rapid7 InsightVM. That part is scalable. The utility does have those certain limitations, however.  


How are customer service and support?

We have a client service manager for Rapid7 tech support. He is an appointed customer service manager where we have him for the first year. We are working with him to identify things, correct things, implement, attune, and things like that. Because of that relationship, I do not have a need to call their regular tech support right now. We just worked through the service manager.  

Which solution did I use previously and why did I switch?

I have had some previous experience with Qualys and using Rapid7 now is really a matter of what I chose to bring on based on my personal user experience. Each has its own advantages and neither is a bad product.   

How was the initial setup?

The initial installation and setup were pretty much straightforward. We did run into an issue with credentialing. We ended up working through that and got that correct.  

I think it was done fairly quickly overall. When we ran into that credentialing issue, we spent about three weeks or so — almost a month — working through that. The issue meant involving some guys from some of the other IT teams and getting them into the mix to help us out.  

What other advice do I have?

I had implemented InsightVM before at another company. I liked it when we were using it there, which is why it ended up here. I have also had previous experience with Qualys. I did not have the time or the luxury to sit back and do a full analysis, RFI (Request for Information) and RFP (Request for Proposal) when we had to bring on the solution. We are not the CIA (Central Intelligence Agency), we are not the NSA (National Security Agency). We do not need any sophisticated solution or anything like that. We just needed something we could bring in, get online fairly quickly, and get running to do reports. Rapid7 InsightVM fit the bill.

On a scale of one to ten (where one is the worst and ten is the best), I would rate Rapid7 InsightVM as probably about an eight-out-of-ten. It gets an eight rather than scoring higher just because of some of the other stuff that I wish we had.  

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Enterprise ICT Security Architect at a tech services company with 1-10 employees
Real User
Good scalability, reporting, and technical support
Pros and Cons
  • "We are very satisfied with the reports, as they provide us with the information that is required for our management."
  • "There have been instances where technical support takes a long time to update the status of a ticket, which is something that can be improved."

What is our primary use case?

The primary use is to protect against cybersecurity attacks in your digital infrastructure. One example of such an attack is credential-grabbing.

What is most valuable?

We have put in some requests for enhancements and they are listening quite well. When there is something that we want to have enhanced then we can easily chat with the people at Rapid7. If it makes sense and another customer thinks that it makes sense then it will be built into the next release.

We are very satisfied with the reports, as they provide us with the information that is required for our management. You can perform the queries that you need.

What needs improvement?

There have been instances where technical support takes a long time to update the status of a ticket, which is something that can be improved.

For how long have I used the solution?

I have been using this product for about two and a half years.

What do I think about the stability of the solution?

The stability is okay.

What do I think about the scalability of the solution?

In terms of scalability, this product is awesome. We have more than 5,000 users and we plan to increase our usage in the future.

How are customer service and technical support?

The technical support is very nice. They are good and they listen to the customers, which is very important in my opinion.

There is always a demand for technical support to be faster. That said, I think it is much more important to have quality and communication. If I am going to be updated during the course of the case that is running, then that is okay with me. Also, as long as the quality stays in the system and they keep on improving, I am satisfied.

Which solution did I use previously and why did I switch?

We switched to Rapid7 because we were not satisfied with our previous solution. It was not up to par in terms of our needs and standards.

How was the initial setup?

The initial setup is very straightforward and not complex at all. Our deployment took about three months.

This is mostly a cloud-based solution that works with the assistance of agents and collectors.

What about the implementation team?

We implemented and deployed this product on our own.

What's my experience with pricing, setup cost, and licensing?

The licensing is asset-based and very straightforward.

What other advice do I have?

Overall, this is a product that I am very satisfied with.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Director of Information Technology at a government with 201-500 employees
Real User
Good at identifying vulnerabilities but had issues with scans and endpoint accuracy
Pros and Cons
  • "The main functionality of identifying item endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature."
  • "We found that after you passed an endpoint, it didn't always reflect it in the next scan. I'm not sure if it was a glitch or some issue with the product's software. That was never clear. That was always an issue and something that definitely needed improvement."

What is our primary use case?

The solution is primarily used for vulnerability management, specifically vulnerability scanning of the endpoint devices.

What is most valuable?

The main functionality of identifying item endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature.

What needs improvement?

We found that after you passed an endpoint, it didn't always reflect it in the next scan. I'm not sure if it was a glitch or some issue with the product's software. That was never clear. That was always an issue and something that definitely needed improvement.

For how long have I used the solution?

We've used the solution for four years.

What do I think about the stability of the solution?

I didn't notice anything in terms of stability issues. There was always data in it, so I didn't face any problems. We just had an issue once where we would scan and then we would patch and occasionally it wasn't reflected on the next scan that that patch was there. That was the biggest issue we faced. Other than that, it was reliable. We didn't really have glitchiness or bugs. It wasn't crashing or freezing on us.

What do I think about the scalability of the solution?

I probably don't have an opinion on the scalability. It seemed to function, however, beyond that I'm not sure. As an end-user, I just would log in and run reports. I wasn't in charge of expanding the solution. I used it in a pretty non-technical way.

There were only ever about 10 to 15 users on the solution at any given time.

How are customer service and technical support?

I never actually got in touch with technical support. I wouldn't be able to speak to their level of service.

Which solution did I use previously and why did I switch?

The company did not use a different solution before using this product.

How was the initial setup?

I never set up the software myself. I was always just an end-user. I can't speak to if the solution was straightforward or complex.

I have no idea how long deployment took. I'm not sure if it was a long process or not.

Maintenance was handled by our security division. I don't know if there was one person or there were multiple admins that handled that aspect of the solution.

What about the implementation team?

It's my understanding that the solution was set up in-house and an integrator or reseller was not used.

What's my experience with pricing, setup cost, and licensing?

I'm not sure what the solution would cost on a monthly or yearly basis.

Which other solutions did I evaluate?

I'm not sure if the company evaluated other options or not. I wasn't part of that process.

The company I'm working with now is looking at evaluating Tenable.io.

What other advice do I have?

The company I worked for was just a customer and I was just an end-user. There was no business relationship between the two companies that I was aware of.

The company is considering moving from on-premises to the cloud.

I am unsure of which version of the solution is being used currently. I'm no longer at the company where I used the product.

While the solution worked well, I have never compared other solutions, so I don't know if it's best in class or not.

I'd rate the solution six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1336563 - PeerSpot reviewer
Technical Consultant at Yip Intsoi
Consultant
Flexible, with good scanning, and rarely provides false positives
Pros and Cons
  • "The most important aspect of the solution is that it rarely gives false positives, especially compared to other products. It provides very clear reports for our IT teams to look at."
  • "There needs to be much clearer instructions surrounding scanning."

What is our primary use case?

We use the solution to scan our internal OS and applications. 

How has it helped my organization?

The solution protects us from vulnerabilities. If it sees anything, it can tell us about the vulnerability and ranks it as critical or high risk. It allows us to take action immediately to protect our company from attacks.

What is most valuable?

The most important aspect of the solution is that it rarely gives false positives, especially compared to other products. It provides very clear reports for our IT teams to look at. 

The solution has an excellent feature that scans for vulnerabilities that may affect the Windows operating system. It helps us avoid being affected by WannaCry or other malicious attacks of that nature. It's one of the most useful features that we have. We're able to see more vulnerabilities before they become an issue due to the fact that it's so protective. It's great at helping us avoid malware or ransomware.  

What needs improvement?

The solution needs to improve its smart monitoring. 

There needs to be much clearer instructions surrounding scanning. 

As for new features, I can't think of anything that's lacking. It's pretty good overall in terms of feature offerings.

For how long have I used the solution?

I've only been using the solution for half a year - approximately six months. It hasn't been too long.

What do I think about the stability of the solution?

The solution is very stable. There are no bugs or glitches that I have witnessed. The solution doesn't crash. It's very reliable.

What do I think about the scalability of the solution?

The solution is very flexible and very scalable. A company that needs to add it to their endpoints should have no issues doing so. I don't think there is a limit as to how many are possible.

Typically we deploy this solution to medium-sized enterprises in microfinance and insurance.

How are customer service and technical support?

I've been in contact with technical support in the past. They're very good. We're satisfied with the level of attention they give us and the information they share.

How was the initial setup?

The solution doesn't really have a complex setup. It's easy to set up and integrate with the endpoint. We install insights at our endpoints to help us collect vulnerability information from there.

We can also install it again and again and use active scanning to conduct vulnerability testing at the endpoints. It's very simple.

Deployment doesn't take long at all. Currently, we can deploy in around two or three days and then integrate it with the endpoint after we've gotten clear instructions from InsightVM.

The steps we choose for implementation are as follows: we first need to follow the instructions to install network communication, from the endpoint to InsightVM. Network communication from the endpoint will go to the scan engine and from the scan engine to the management console of Insight. 

After we satisfy this, we start implementation and we start to deploy the engine to the endpoint. After that, we run a scan from the site configuration of each endpoint scope and we file the report displayed on the dashboard. Lastly, we export the report and provide it to the correct person that needs to be involved at the IT end of things.  

In terms of the number of staff we use for deployment, from our side, we have two people to help manage everything. For the customer, we have four people to coordinate with the internal team. In total, we have six people involved with deployment. Our team includes a deployment engineer and from the customer's side, members of security operations.

What about the implementation team?

Normally, we have both the reseller and the vendor to assist with deployment. From the vendor, we just consult on the step and classify each endpoint. After that, we'll discuss next steps with our team. Currently, we have a distributor that provides this product to us. We work with the vendor and work with the reseller to deploy everything to the customer's systems.

What's my experience with pricing, setup cost, and licensing?

The solution offers flexible pricing.

What other advice do I have?

We're a partner of InsightVM.

We're most likely using the latest version of the solution, however, I'm not sure which exact version number it is.

We've deployed on-premises with a local scan engine.

I'd advise companies that are looking into vulnerability assessment or faster deployment, to check out InsightVM. It's easy to expand as necessary and offers flexibility in its pricing.

I'd rate the solution nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Damir Miklavčič - PeerSpot reviewer
Security Analyst at Zavarovalnica Triglav, d.d.
Real User
Vulnerability management that is easy to use and install, with good technical support
Pros and Cons
  • "This solution is very easy to use and easy to install."
  • "It would be nice to have an additional feature that would provide reports on who has logged onto the console or who did what on the console."

What is our primary use case?

The primary use case of this solution is for vulnerability management.

We have monthly scans and reporting. The results are in QRadar, which is our SIEM.

What is most valuable?

This solution is very easy to use and easy to install.

It has nice features.

What needs improvement?

It would be nice to have an additional feature that would provide reports on who has logged onto the console or who did what on the console. I don't have the time to log onto the console and use SSH to go through the logs. 

We have some users with certain privileges, and sometimes they do things that I don't like.  This is why it would be nice to have an easy way to report what is in the logs.

In the next release, I would like to see reporting added to the console. It would be helpful to have reports to tell you who did what, who created reports, who created groups or who created tags.

For how long have I used the solution?

I have been working with this solution for five years.

What do I think about the stability of the solution?

The stability is good. I am running it on Linux and from that point of view, Linux is stable.

We are using this solution daily. 

What do I think about the scalability of the solution?

This solution is easy to scale. 

I am working at Triglav Group, which is the leading insurance-financial group in Slovenia and in the Adria region and one of the leading groups in South-East Europe.

Triglav Group operates together with its subsidiaries and associated companies on seven markets and in six countries.

We use two consoles: one is international for subsidiaries and the other is for Slovenia. All together we have 15 scan engines on locations.

How are customer service and technical support?

Approximately a year ago, we had an issue with the dashboard. We contacted technical support to ask a question. Unfortunately, we were not able to resolve the issue that we were having. It could have been something in our network, but we don't know. It was not a big issue.

The technical support is good, they do give you answers and they are pretty quick.

How was the initial setup?

The initial setup was easy and straightforward.

I deployed this solution. It took a couple of days with ten engines.

What about the implementation team?

We did not use a vendor or integrator to implement this solution. We have five thousand people in this firm and I am the only one in the technical team.

What other advice do I have?

My advice would be to just use it. 
As a whole, it's a pretty good product. I don't have any problem with it.

If they had the audit reporting then I would rate it a ten out of ten, but as it is now, I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Pongtosaporn Junlobol - PeerSpot reviewer
Vice President at INET Managed Services Co.,LTD.
Reseller
Great scanning capabilities, fast, powerful, easy to access
Pros and Cons
  • "It's easy to use. It's fast, it's a powerful easy to access tool."
  • "The InsightVM cannot scan if we connect to our customer by the VPN."

What is most valuable?

InsightVM is good. It's easy to use. It's fast, it's a powerful, easy to access tool.

What needs improvement?

I have had some difficult problems with InsightVM. The InsightVM cannot scan if we connect to our customer by the VPN. I asked the Rapid7 support, they told me that the InsightVM can only work on the same network. We cannot use InsightVM by VPN. It also consumes a lot of memory. It would be good if they could resolve that.

For how long have I used the solution?

We worked with Rapid7 InsightVM for one year.

What do I think about the stability of the solution?

It is very stable, but it consumes a lot of memory.

What do I think about the scalability of the solution?

Scalability is good on the same network but not if you have to connect to another network.

How are customer service and technical support?

I think the support is okay. They responded very quickly, and it was sufficient.

How was the initial setup?

InsightVM is Windows-based. It is easy to install and easy to use.

What about the implementation team?

It took us about half a day to set up. When we bought from the distributor in Thailand, the distributor sent an engineer to install and explain how to use it and how to customize the report.

Which other solutions did I evaluate?

My team uses small tools such as Tenable Nessus and Rapid7 InsightVM, but when we used both tools and compared the reports, Tenable Nessus was very easy to consolidate and to expand to our customer, but InsightVM was very difficult. We would have to cancel it to explain the daily part to our customers.

What other advice do I have?

I would recommend having the distributor help you to explain how this software works and to help with the details. I would rate it at an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
IT Security Architect at a government with 1,001-5,000 employees
Real User
Speed and quality of vulnerability scanning translates to reliable and timely results
Pros and Cons
  • "There are many integrations with things like the VMware NSX that are great, the reporting is really solid."
  • "Some difficulties with the online reporting and lack of integrations."

What is our primary use case?

We have a few primary use cases. The main one is looking at the visibility of devices that are on our network to keep track of things as they come and go, we're looking for known vulnerabilities whether it's the operating system, network devices, mobile devices, and the like. When we find the vulnerabilities we remediate them, so it's also our job to verify that remediations have been successful. In addition, we are now beginning to get involved in setting security baselines and configuring baselines and using InsightVM to audit those configurations.

We're scanning about 6,000 devices. There are about 4,000 users in our environment, they are all IT staff. We also have technical leads from our user services, which is our workstation support, mobile devices, laptops, etc. We've got our infrastructure office which is servers and cloud administration, the IT security group, which is myself, and then our network support team and network administrators as well. It means our IT leadership gets some definite value from the reporting there. The CTO, his assistant, and all the IT managers receive their information from there as well. We have one person working in maintenance, and that's not a full-time position. 

What is most valuable?

For us there are many integrations with things like the VMware NSX that are great, the reporting is really solid. I like the ability to set goals and SLAs for remediation. When a new vulnerability is found we can have an SLA associated with it automatically based on severity and some of those things. I like the integration with Cisco ISE for identity and doing automated containments and the like. But the biggest thing for me is the quality of the vulnerability scanning itself. The quality of the results and the timeliness, the speed with which they update with new checks for new vulnerabilities. That is the big thing for us.

What needs improvement?

There are some difficulties with the online reporting and lack of integrations; the information that you can get from the APIs in the software is not the best. There's still some fleshing out of their API that I think could benefit them as well.

I'd like to see more integrations with ticketing systems. Right now, JIRA and ServiceNow are the only ticketing systems that have integration with Rapid7. Extending that would be big. Some additional integrations with some patch management solutions would be good too, such as IBM BigFix and SCCM. Microsoft has integrations there. In our situation, we're not using either of those and that feature doesn't really give us a whole lot. If there were to be new integrations added on, both on the patch management and the ITMS side, that would be a big improvement.

Additional features would be the additional integrations for ticketing systems that I mentioned. There are always updates rolling out for new scans and things. 

For how long have I used the solution?

We've been using the solution for quite a few years. 

What do I think about the stability of the solution?

I've been impressed with the stability. The only issues that have really come up have been on the cloud reporting aspect. We've had a couple of issues here or there, but their support people were able to get us fixed up in a couple of hours. As far as the on-premises stuff, the only issues we've honestly had with it were problems of our own making. We didn't keep an eye on storage and it filled up but that was a lack of monitoring on our side. Since then it's been rock solid.

What do I think about the scalability of the solution?

I haven't thrown anything at it that it can't handle. The report generation slows down the larger your environment gets, and the greater the number of scans you're trying to integrate into a single report. Even with the increased resources that we gave the server when we did a rebuild, it hasn't caused any problems. I would anticipate that if you're getting up into the tens of thousands of devices and trying to report across all of those, I could see that grinding to a halt a little bit.

Otherwise, scalability is great. We have more than doubled the number of devices that we're scanning since we did the initial install. We're up to somewhere around 6,000 now and it's chugging right along.

How are customer service and technical support?

The technical support have been a pleasure to work with. 

How was the initial setup?

The initial setup was pretty straightforward. There were a couple of things with integrating and some areas where it gets a bit more complex, but for the most part, it was very straightforward, especially for how powerful a solution it is. We're running a fairly advanced setup here with multiple scanning engines, scanning pools, and integrations into other systems in our environment and all of that. Defining all of the sites and asset grouping and all of those sorts of things, took some additional time after that. You'd have to do that no matter what. 

What about the implementation team?

We used professional services from Rapid7 to assist with the initial deployment and set up was completed in less than two days. They were great. They took their time and didn't just do the setup, they also included user education and they have continued to reach out since then and make sure we're getting value from the product.  

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are somewhere around $40,000 annually. There are no additional fees. We will probably increase our license count annually as our environment kind of naturally grows. We started out with probably about a third of the network covered and we are up to probably 75, 80% now. We'll get that up to over 99%, I'm sure.

Which other solutions did I evaluate?

We looked at a few other options: Acunetix was on the list and we looked at ManageEngine, Nessus, Rubric, AlienVault, Micro Focus, ArcSight, FireMon and RedSeal. On the vulnerability management side, we were very, very impressed with Rapid7 and the InsightVM product. We looked more in-depth at a few of the others but InsightVM stood out. The ease of use of InsightVM, coming from an organization that doesn't have a large dedicated security team, and being able to split out some of those responsibilities amongst people who may have a strong IT background but may not have an IT security background, really helped us out. It became a no-brainer at that point.

What other advice do I have?

It's important to take the time to have a full understanding of how scans are scheduled and how sites and asset groups are set up, and make sure it's done upfront. It's a big help. If you remove an old site and recreate it with small differences you lose some of the data associated with the old site. Getting the organization sorted from the beginning would be the biggest piece of advice.

It's very important to know what your environment is made up of. People often leave companies without documenting things and there's a lot that not everybody knows about because it was in the back of someone's mind. We now have a great repository of information on what's active on our network, what's installed on it, how all of those systems are interacting, and really having that visibility is great. One of the big lessons we were able to get value from immediately was really just having good visibility of what's in our environment.

It's a very solid product, reporting is great, it's reliable. We have a lot of faith in the results it gives us. At least once a week, I get a notification with some great new features that they've added that I didn't really even know I wanted, but now I have it and can't imagine life without it. 

The product is cloud-based, with an on-prem portion, but it all auto-updates. The actual scanning engine and all of that is on-prem for us. It's a SaaS solution, it's not one where we are running our own servers. It's provided as a service for us on the cloud. The on-premises stuff that we're running is just virtual machines on our VMware environment.

I would rate this product an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Infrastructure Security Architect at a comms service provider with 11-50 employees
Real User
Good site-level vulnerability scanning capability, and the dashboard is not difficult to manage
Pros and Cons
  • "The most valuable feature is the site scanning, where we can provide a complete subnet and what it is we need to scan on those devices."
  • "The reporting is a little bit tricky because it can be difficult to exactly pinpoint some of the assets to filter them and generate a report."

What is our primary use case?

We use Rapid7 for our vulnerability assessment. It scans the network, identifies all of the assets that are present, and then identifies all of the vulnerabilities due to those systems not being patched. Based on that, we can generate reports and make sure that those applications or servers are patched on both the operating system and application level.

What is most valuable?

The most valuable feature is the site scanning, where we can provide a complete subnet and what it is we need to scan on those devices. It will extract all of the information, including the rating and vulnerabilities, in all of the applications that are present, on each of those machines. This is quite relevant because if you have many applications on one server then you don't know if they are individually patched, or not.

The dashboard is not difficult to manage.

What needs improvement?

The reporting is a little bit tricky because it can be difficult to exactly pinpoint some of the assets to filter them and generate a report. Improving the filtering capability would make the reporting easier.

We would like to have penetration testing features built into Nexpose, as it is the next area that we are going to be concentrating on. We have not yet tried it, but it is on our roadmap.

For how long have I used the solution?

We have been using this solution for one year.

What do I think about the stability of the solution?

We have not had any issues with stability. For what we are using it for, it is okay, and we use it on a weekly basis.

What do I think about the scalability of the solution?

We have five people who are working with Nexpose and we have not yet needed to scale.

How are customer service and technical support?

We have been in touch with support on one or two occasions but I was not the person who dealt with them.

How was the initial setup?

The initial setup is not complex. As soon as you deploy, you start by opening all of the needed communication tools on all of the target systems. In our situation, we deployed gradually as opposed to doing everyone at the same time.

We have five people who have access to this solution and can maintain it. They do not work on it full-time but can do site scanning and generate reports when needed.

What about the implementation team?

A third-party was brought in to implement this solution. However, I have done some of the upgrades and I would say that it is straightforward enough that it is not necessary to bring in anybody else.

What other advice do I have?

My advice for anybody who is implementing this solution is to begin by clearly identifying infrastructure and the most critical assets. This tool will give you good visibility into the network and the assets, but it is only the starting point. It is really the input for the process that you have in place to follow up and patch the assets. Simply knowing that they are vulnerable is not good enough, so the right process has to be put into place before it will work effectively.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Zain Rehman - PeerSpot reviewer
Senior Security Analyst at a financial services firm with 1,001-5,000 employees
Real User
We have fewer false positives when using it
Pros and Cons
  • "We feel the interface is very good. It is very easy to use, even a nontechnical person can use it."
  • "The reporting has room for improvement. You cannot customize any report. If I need a specific requirement, I have to create a new report for it."

What is our primary use case?

We are using the solution for configuration review and vulnerability management.

I am using the latest version.

How has it helped my organization?

We have fewer false positives.

What is most valuable?

We feel the interface is very good. It is very easy to use, even a nontechnical person can use it.

What needs improvement?

The reporting has room for improvement. You cannot customize any report. If I need a specific requirement, I have to create a new report for it. I cannot pull up two or three things in one report.

For how long have I used the solution?

Three years.

What do I think about the stability of the solution?

It is stable. For the last three years, we haven't faced any bugs.

What do I think about the scalability of the solution?

It's very easily scalable. You just have to renew your license, and the scalability is already done.

Currently, we have three people who use the solution. We manage this solution for the whole organization.

How are customer service and technical support?

The technical support is very helpful, but too slow. Overall, it usually takes 24 hours for them to reply, but the support that they provide is good.

How was the initial setup?

It's very straightforward. The deployment took less than an hour.

What about the implementation team?

We implemented it on our own.

What's my experience with pricing, setup cost, and licensing?

The license is IP based. How many IPs you are using to scan is the amount of the license you have to buy. The number of users doesn't matter; many users can use it or only one person. It depends on the culture of the organization.

We have 600 to 700 licenses.

Which other solutions did I evaluate?

We tested two to three solutions where we had a couple of false positives. 

Rapid7 InsightVM has very low false positives, so you don't have to go in manually and verify them. This solution is efficient.

What other advice do I have?

I would recommend the product. The product is very good.

I would rate the product between a nine and a nine point five (out of 10).

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1152534 - PeerSpot reviewer
Information Security Senior Expert (Founding member, African Cybersecurity Center) at a financial services firm with 10,001+ employees
Real User
Stable and Scalable solution with good technical support and reporting capabilities
Pros and Cons
  • "The most valuable feature for us is the different types of reporting it provides."
  • "This solution integrates with another module in Metasploit, that doesn't exist in the other solutions. It is subscribed to on our roadmap, but we chose to implement both Nexpose and AppSpider."

What is our primary use case?

The primary use case of this solution is for critical business applications for the web. We have also implemented it to identify when we are changing and an older system like the application client-server, the server two, the network equipment like switch routers, and security solutions.

What is most valuable?

The most valuable feature for us is the different types of reporting it provides. For example, the compliance reporting, compliance with the international standard in which we are certified and compliant. This is important for us to escalate the dashboard to our top management.

What needs improvement?

We need to scan and identify the different RPGs, the critical ones and the major ones that can generate risk or a measure of risk. We generate the reporting from the system and relay the report to our internal developers. We have our internal developers in the bank.

This solution integrates with another module in Metasploit, that doesn't exist in the other solutions. It is subscribed to on our roadmap, but we chose to implement both Nexpose and AppSpider.

For how long have I used the solution?

I have been using this solution for six months.

What do I think about the stability of the solution?

This solution is stable. It's a good solution.

What do I think about the scalability of the solution?

This solution is scalable.

It takes two people to manage this solution and to be the backup for the succession plan. Our manager has access and performs audits.

How are customer service and technical support?

Technical support is good and responsive.

Which solution did I use previously and why did I switch?

In this current company, they were using Qualys and I convinced the management to change to Rapid7.

After every event, we are required to automate with information control tools like Sandbox, IPS, and vulnerability management. All of those security tools need to be implemented and automated.

That is not the case with Rapid7. It can be automated and we are dependent on ourselves. We can perform in having this solution customized with the confines of our text.

How was the initial setup?

The initial setup was not complex and it was easy to implement.

It took a week to prepare and install the virtual machine, and to implement the solution it took one month.

Our regulator requires that all banks must implement all security solutions on-premises, not on the cloud, because they are worried that the data will be compromised and available on different data centers around the world.

What about the implementation team?

We had the help of an integrator to implement this solution. There were three engineers to help. One was for Nexpose and two for AppSpider.

What's my experience with pricing, setup cost, and licensing?

This solution is expensive, but it's fine for us as we have an open budget for security solutions. Protection and having the system secured is more important.

What other advice do I have?

Rapid7 is a leading solution that has been implemented in many companies.

In Nexpose you have the console and the app assistant for Rapid7. The design can be implemented in all of the segments of the network to scan, perform the scale of the scan, perform the reporting, generate the reports, and send it to the central console.

I would suggest that customers acquire this solution.

In addition to management, we are subscribed to the security dispense team and the company emergency dispense team. We always receive the bulletins, so we are always aware of the vulnerabilities.

I appreciate this solution. All of the features that are included are enough for me.

This is an excellent solution and I would rate it a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Enterprise Manager Infrastructure and Operations at McGrath RentCorp
Real User
Enables us to gain insight into internal systems vulnerabilities and remediation tasks
Pros and Cons
  • "Rapid7 InsightVM has given us a practical view of the vulnerabilities present in our organization."
  • "A definite improvement would be to make it easier to run ad-hoc scans without needing to assign the asset to a site or group."

What is our primary use case?

Our primary use case for this solution is to gain insight into internal systems vulnerabilities and remediation tasks.

How has it helped my organization?

Rapid7 InsightVM has given us a practical view of the vulnerabilities present in our organization. Not only does it verify the vulnerability, but scores it against the skill level of an attacker.

What is most valuable?

The feature that we find most valuable is the granularity. You can view your assets however makes the most sense to your business. We found that we could isolate systems easily via tagging and site setup.

What needs improvement?

A definite improvement would be to make it easier to run ad-hoc scans without needing to assign the asset to a site or group.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user606432 - PeerSpot reviewer
User at an insurance company with 501-1,000 employees
Real User
It is stable and scalable. The templates need improvement.
Pros and Cons
  • "It is stable and scalable."
  • "There are not enough templates, and the reporting is weak with this solution."

What needs improvement?

There are not enough templates, and the reporting is weak with this solution. It would be great if there were more templates for the analytical reports, such as patch management reports. At present, these do not exist. 

In addition, there are false positives.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is quite stable. 

What do I think about the scalability of the solution?

The scalability is good. 

How are customer service and technical support?

The tech support is quite good. 

Which solution did I use previously and why did I switch?

I have previously used Qualys, and I find the Rapid7 is a bit limited in terms of reporting.

How was the initial setup?

The initial setup was easy and straightforward.

What's my experience with pricing, setup cost, and licensing?

The price is cheaper than other products on the market.

Which other solutions did I evaluate?

We looked at Rapid7 vs Tenable Nessus.

What other advice do I have?

Users need to customize the policy compliance in order to optimize usage.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Nanda-Kumar - PeerSpot reviewer
Security Team Lead at a tech services company with 10,001+ employees
Consultant
It is user-friendly, but sometimes it provides false-positives in the reporting.
Pros and Cons
  • "This solution is much more user-friendly than past solutions I have used."
  • "This solution creates false-positives which can cause issues with reporting."

What is our primary use case?

It is basically used for scanning.

How has it helped my organization?

When it comes to the automation, we use the plug-ins that are compatible with the dimensions. Once the builder is done, we run the test cases. Then it is installed onto the server and we run the test cases on the server after the installation.

What needs improvement?

It gives false positives at times, and this a problem. It causes problems with reporting. 

In addition, I did not find plug-ins for a Rapid7 InsightVM. It would be much more informational to run it through directly, so once the app is installed, once the software is installed on that particular server, it would find what exactly that application is open for. This would make things easier for us.

For how long have I used the solution?

Less than one year.

What do I think about the scalability of the solution?

It is scalable. It definitely handles everything we need, without a problem.

How are customer service and technical support?

I have not interacted with tech support.

Which solution did I use previously and why did I switch?

I previously used Tenable Nessus and Nessus Scan. Insight VM vs Tenable Nessus is a more user-friendly product.

How was the initial setup?

The setup was straightforward, and not complex.

What's my experience with pricing, setup cost, and licensing?

I was not involved with the purchase of the product. This is dealt with by our sales team.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Information Security Manager at a non-tech company with 5,001-10,000 employees
Real User
With an effective dashboard, it gives us visibility into people using VPNs
Pros and Cons
  • "NeXpose is a pretty good vulnerability scanner... There's a nice dashboard."

What is our primary use case?

Our primary use case is looking for people who are using Tor, or VPNs generally, and the only way we can see that is if they log in and then they log in in a foreign country right away, which means they're jumping on to the "escalator".

How has it helped my organization?

We really didn't have any visibility at all and now we do. It's like night and day.

What is most valuable?

NeXpose is a pretty good vulnerability scanner, good enough. There's a nice dashboard and it's a pretty cool SIEM.

What needs improvement?

We could always have a cheaper price, but other than that it's pretty good stuff.

Also, if they'd expand their product line, that would be good, and they are doing so, but they're not done yet.

What do I think about the stability of the solution?

Stability is rock solid.

What do I think about the scalability of the solution?

We're at a pretty big scale already. I don't expect us to get any bigger and it's handling our scale now. If anything, we'll probably shrink.

We're a school district and, in this area, there are three big districts, and they have open enrollment. We're not on the marketing end of our school district. If the marketing doesn't do well, we'll shrink.

How are customer service and technical support?

Tech support is satisfactory.

Which solution did I use previously and why did I switch?

Last year we got a new person in the position of information security officer, and he brought the news with him.

We went with NeXpose because we wanted to get as many products as we could from the same vendor. A full suite would have been fantastic, but that doesn't exist yet. Rapid7 had the vulnerability scanner, the penetration testing, and the SIEM, and the web app evaluator. They're adding other things. They acquired another company recently that will benefit us if we get that product. It's the all-in-one works we like.

My most important criterion when selecting a vendor is that they have to have a purchasing vehicle that is approved for school districts. It's harder than it sounds. We can't just say, "We want that, send us a bill."

How was the initial setup?

It's easy to install.

Which other solutions did I evaluate?

We started with SentinelOne, we looked at CrowdStrike, we looked at Red Canary. The funny thing was, Red Canary was just remarketing CrowdStrike, or something like that. It got to a point where I realized these weren't additional vendors. They were just additional packagers of the same solution.

What other advice do I have?

Take a test drive. If you don't test drive it, how do you know you're going to like it or if it even works? Would you buy a car without test driving it? Absolutely not. In this case, it's a sales contract. It's a service for one to three years. Backing out of it is pretty much impossible.

I rate it at eight out of 10. It just works. We haven't had any trouble with it. We've had good support. What's not to like? But it's an eight because the software that can be purchased is not the ultimate software. It's hard to give anybody a 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ITSM & AntiFraud Consultant with 51-200 employees
Consultant
It scans my production servers, checks their patching levels, and reports on their security. But, the community edition only supports paid domain registrations (so no free emails, such as gmail.com).

What is most valuable?

Rapid7 offers the community edition, a free-of-charge edition (32 IPs) that helps small companies to secure their IT environment. This edition also helps students to learn about vulnerability management.

The report from Nexpose is very big, and gives you a description of the problems you have on your servers, and the solution for remediation.

Another valuable feature is the ability to check the vulnerability with Metasploit with only one click.

How has it helped my organization?

I use Nexpose to scan my production servers, check the patching level on those servers, and use the reports to show the evolution of security on my servers.

What needs improvement?

For the community edition one of the big issues is with the registration. Rapid7 only supports paid domains for registration, so no gmail.com or yahoo.com domains (it was once possible). Also the resources needed by the scans can be an issue.

For how long have I used the solution?

I used Nexpose for more than 6 years.

What was my experience with deployment of the solution?

Some issues appear on Linux installation, but most of the issues concern the DB connection. On Windows, the installation is usually smooth. In my latest test I used the VM and everything was smooth.

What do I think about the stability of the solution?

The application is very stable, but sometimes I have issues with the communication to the update server.

What do I think about the scalability of the solution?

I have tried all Nexpose editions, and I didn't have any issues with any of them. Starting this year Rapid7 offers hardware appliances.

How are customer service and technical support?

Customer Service:

I'll rate it 10/10. I had some presentations with them, and the person who presented us the solution really knew what to say to make us look at his screen.

Technical Support:

I never used technical support from Rapid7.

Which solution did I use previously and why did I switch?

I have tried Nessus when it was a free edition. After that I have used OpenVAS and Qualys.

Qualys is another good solution.

How was the initial setup?

The initial setup was straightforward, with small user input.

What about the implementation team?

All the Nexpose and Metasploit implementations were made by me for various clients and for my firm for testing purposes.

What's my experience with pricing, setup cost, and licensing?

When you buy a vulnerability management tool, always count your IPs. If you miss one IP, and that server is compromised, you have left the door open for attackers into your environment.

Which other solutions did I evaluate?

OpenVAS, Nessus, Qualys, SAINT8, BeyondTrust

What other advice do I have?

Nexpose is one of the best solutions on the market with very good development. One of its key features was the on-premise installation and Community Edition. It also integrates flawlessly with Metasploit.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a consulting firm, and I have installed this product for some of our clients.
PeerSpot user