Rapid7 - Solution Overview - InsightVM Nov 2023

Insight Platform

Vulnerability Risk Management


Contents
Differentiators ......................................................................................................................................... 4
Solution Benefits...................................................................................................................................... 5
Competitive Differentiators..................................................................................................................... 5
Rapid7 Cyber Security Products and Services ......................................................................................... 7
Rapid7 Mission Statement....................................................................................................................... 8
Research .................................................................................................................................................. 8
Customer Support ................................................................................................................................. 10
InsightVM .................................................................................................................................................. 12
Vulnerability Assessment ...................................................................................................................... 16
Vulnerability Prioritisation and Risk Scoring ......................................................................................... 19
Remediation .......................................................................................................................................... 22
Reporting ............................................................................................................................................... 25
Compliance & Configuration Assessment ............................................................................................. 31
Administration ....................................................................................................................................... 32
Integration ............................................................................................................................................. 33
Updates.................................................................................................................................................. 37

Rapid7 Overview
Rapid7 is a leading cyber security solutions provider, on a mission to make successful security tools and practices
accessible to all. Rapid7 Insight Platform technology, expert services, and thought-leading research enable over
9,800 customers to improve their security programs so that they can safely advance and innovate.
In the nearly 20 years that Rapid7 has been in business, security companies and trends have come and gone, while
broader technology innovation continues to advance rapidly. Every company is now a technology company, and
rampant innovation inevitably creates security risk. The migration of businesses to the cloud and ubiquitous
connected devices present security teams with an increasingly complex, ever-changing, and unpredictable attack
surface.
We believe that, as cybersecurity challenges continue to rise exponentially, two key factors can prevent organizations from
effectively managing their growing security exposure. First, the tools to manage complex security problems are often
complicated to use. Second, there is a scarcity of cybersecurity professionals who are qualified to successfully manage
these sophisticated tools. These two factors compound the difficulties that resource-constrained organizations face
when attempting to minimize their security exposure, meet security compliance regulations and provide visibility to
their leadership. The expanding divide between risk created through innovation and risk managed by security teams
is called the Security Achievement Gap.
We believe Rapid7 is uniquely positioned to improve how customer security challenges are addressed. Our solutions
simplify the complex, allowing teams to more effectively reduce vulnerabilities, monitor malicious behavior,
investigate and shut down attacks, and automate routine tasks. All of our solutions and services are built with and
supported by the expertise of our dedicated team of security researchers and consultants, who bring knowledge of
attacker behavior and emerging vulnerabilities directly to customers. We also continue to invest in further simplifying
our technology to improve usability, lowering the barrier to managing security for teams and organizations who lack
resources.
While our security technology is the foundation of our mission to make successful security accessible to all,
technology alone will not solve today’s cybersecurity challenges. Our ongoing commitment to researching and
partnering with the technology community helps to curb new security risks born through innovation. We are also
investing in under-served, at-risk communities, like non-profits and hospitals, to better understand their needs and
make security technology and services accessible. By continuously improving our technology, stemming the creation
of risk in the community, and making security more usable and accessible, Rapid7 aims to close the Security
Achievement Gap.
We market and sell our products and professional services to organizations of all sizes globally, including mid-market
businesses, enterprises, non-profits, educational institutions and government agencies. Our customers span a wide
variety of industries such as technology, energy, financial services, healthcare and life sciences, manufacturing, media
and entertainment, retail, education, real estate, transportation, government and professional services.
We sell our products and professional services through direct inside and field sales teams and indirect channel
partner relationships. Our sales teams focus on both new customer acquisition as well as up-selling and cross-selling
additional offerings to our existing customers. Our sales teams are organized by geography, consisting of the
Americas; Europe, the Middle East and Africa (EMEA); and Asia Pacific (APAC), as well as by target organization size.
Our highly technical sales engineers help define customer use cases, manage solution evaluations and train channel
partners. In addition, we maintain a global channel partner network that complements our sales organization,
particularly in EMEA, APAC and Latin America.
As of December 31, 2020, we had more than 9,800 customers that rely on Rapid7 technology, services, and research
to improve security outcomes and securely advance their organizations. We have experienced strong revenue growth
with revenue increasing from $110.5 million in 2015 to $411 million in 2020, representing a 50% compound annual
growth rate.

Differentiators
Our Insight Platform is at the core of our security data and analytics product offerings. The platform was built using
our extensive experience in collecting and analyzing data to enable our customers to create and manage active,
analytics-driven cyber security programs. There are two fundamental and competitively differentiating capabilities of
our technology platform: (1) the breadth and depth of data that we collect and (2) the powerful analytics, and
resulting correlation and context that we apply to the data. Our robust data collection architecture supports
gathering a wide swath of organizational and environmental data from endpoints to the cloud, including key data
about user-specific behavior. Further, by using an agentless data collection architecture, we can provide IT security
professionals with seamless integration and automatic visibility into their dynamic and rapidly-expanding attack
surfaces.
Our Insight Platform was architected from inception to be secure, reliable, scalable and extensible, enabling both us
and third-party developers to create and add new applications that leverage our powerful data collection and
analytics competencies. The design and development of our Insight Platform includes the following key attributes:
• Holistic Dataset for Managing Cyber Security. Our Insight Platform collects information from multiple sources to
provide a holistic view across an organization’s ecosystem from network and endpoint data, to enterprise cloud
data, to user information. We collect data from the following sources: cyber security assets such as firewalls,
intrusion detection systems, or IDS, intrusion prevention systems, or IPS, identity and access management, or
IAM, and security information and event management, or SIEM; users; endpoints such as computers, mobile and
connected devices and servers; applications; cloud activity; IT environment permissions, policies and controls;
and third parties, such as cloud-based email and business productivity solution providers.
• Robust Platform and Customer Data Security. Our Insight Platform was designed to provide a secure environment
for both our data and that of our customers. We deploy a variety of technologies and industry-leading practices
such as physical and logical customer data segregation, network segmentation, audited and monitored access
level controls, data anonymization and separated development-staging-production environments to help ensure
that the data collected from a customer’s environment remains proprietary and secure, including encrypting data
when appropriate. Further, we regularly run penetration tests of our platform.
• Both Agentless and Endpoint Agent Based Architecture with Automated Analytics. We have designed our
solutions to be easy to deploy with minimal manual input from our customers. We developed our platform
utilizing a flexible approach that employs both agentless data collection and our own internally-developed
endpoint agent-based data collection technology, which enables rapid and seamless integration of our products
into our customers’ IT environments and provides IT security professionals with instant visibility into their
dynamic and rapidly-expanding attack surfaces. Our customers can use the approach that best meets their needs.
Proprietary analytics are embedded in our solutions and are continuously curated based on the latest security
research such that organizations are not required to develop customized detection rules or write scripts to yield
actionable insights.
• Enterprise-Grade Scalability. Our technology platform provides a high level of horizontal scalability. We leverage
on-premises deployment models and Amazon Web Services, or AWS, to achieve a high degree of redundancy, fault
tolerance and cost-effective operations. Our automated deployment technologies enable us to add new AWS
instances or additional services rapidly. Our infrastructure architecture is designed to process large amounts of
data and easily incorporate new data sources, including on-premises, cloud and mobile. Our platform is designed
to support customers with large numbers of users or with geographically dispersed environments, and we have
scaled to meet the needs of customers with over 2.0 million active assets and 50,000 active users. Our technology
platform also provides a rich set of APIs and services that enable customers, partners and developers to import
and export data and utilize our analytics capabilities. This allows us to easily integrate with other security tools in
the customer’s environment and also enables customers to build bespoke applications and analysis on top of the
data that we gather.

Solution Benefits
We are a leading provider of analytics for security and IT operations that enable organizations to implement an active,
analytics-driven approach to cyber security and IT operations. Key benefits of our solutions include:
Decreased Risk of Security Breach. Our technology platform and solutions provide IT security professionals with a
more complete view of their dynamic attack surface and automatically assess an organization’s vulnerabilities relative
to the evolving threat landscape. We provide robust and relevant analytics and insight into attacker behaviors and
techniques so that IT security professionals are able to identify and prioritize risks effectively to reduce risks and
ultimately create a more secure IT environment for their organization. Our solutions allow our customers to test their
defenses by simulating real-world attacks on their IT environments, using the same techniques and exploits as
attackers. Our solutions leverage our security data and analytics expertise as well as the insights from our community
of thousands of active Metasploit users who provide us with real-time, real-world insight into attacker behavior
across the global IT attack surface. Our data and analytics are coupled with our deep search technology that allows IT
organizations the ability to deeply investigate risks such that they can be contained and remediated quickly. Our
integrated workflows enable IT and security teams to work together more effectively to reduce risks across the entire
ecosystem.
Fast, Effective and Confident Intrusion Response. Our product and service offerings can help mitigate the impact of a
breach by automatically identifying the root cause of a breach and providing clear and actionable insight into effective
mitigation and correction. Our technology automatically monitors each user and IT asset within an organization
without the need to build and maintain complicated detection rules or data queries. Rather than sending numerous
alerts and alarms that become an onslaught of overwhelming and unintelligible data, our solutions provide timely,
prioritized and clear analysis and instructions to IT security professionals so that they can quickly, confidently and
effectively respond to cyber security breaches. Furthermore, we couple our detection technology with our deep
search capabilities, which can improve the time from compromise to containment. Complementing our products and
managed services, when an organization is breached, our incident response professionals leverage our deep security
expertise to help guide customers through critical breach response tactics and implementation of mitigation
strategies.
Increased Uptime and Faster Resolution for IT and DevOps. By collecting and analyzing machine data from across an
organization’s entire IT environment, our Insight Platform provides solutions for security, IT, and development
operations. With real-time data collection and processing capabilities, IT and DevOps professionals can be instantly
alerted to issues impacting their IT environments or production applications and perform immediate root cause
analysis through search, data visualization, and reporting functionality. Our cloud-based Insight Platform eliminates
the need for IT and DevOps to deploy and manage costly, complex servers and systems to store and manage data,
thus reducing overall operating costs.
A Continually-Relevant and Effective Security Program. We serve as a trusted security advisor to our customers,
providing both products and professional services that enable organizations to implement an active, analytics-driven
approach to cyber security. Our solutions are continually relevant as they evolve with, and react to, the dynamic
threat landscape. Guided by our holistic approach balancing prevention, detection and correction solutions, we
provide strategic, technology-agnostic guidance tailored to an organization’s security maturity and optimized to an
organization’s IT environment.

Competitive Differentiators
We have developed the following key competitive advantages that we believe will allow us to grow and maintain a
leadership position in the market for analytics for security and IT operations:

Automated Data Collection from the Endpoint to the Cloud. We have deep technology expertise in data collection
from 16 years of experience in vulnerability management. Our Insight Platform provides robust data collection
capabilities across multiple data sources, from endpoint information, to user behaviors, to cloud activity. As an
organization’s infrastructure evolves and expands, additional data sources are quickly and efficiently integrated into
our platform. Further, our Insight Platform uses flexible collection methods including a lightweight, easy to deploy
endpoint agent that provides instant endpoint visibility to support vulnerability management, security incident
detection, and IT operations. This allows our platform to amass data from multiple sources quickly and without
significant customer installation expertise, while providing greater visibility to IT security professionals. We believe
that the simplicity of integrating our products into a customer’s IT environment is a key competitive differentiator for
us, as it provides a significant advantage for IT security professionals who may otherwise be unable to collect and
process the necessary data from across their organization.
Customer and Use-case Specific Analytics. We understand that developing, managing and securing a modern IT
infrastructure requires a combination of role specific analytics and automated workflow to enable success, and the
ability to identify and adapt to the risks specific to each of our customer’s organizations. Our technology platform
collects and organizes data from each customer’s unique IT environment, which allows us to systematically and
automatically profile the key risks specific to each customer. By utilizing our powerful, proprietary analytics to assess
and understand the context and relationships around users, IT assets and cyber threats within a customer’s
environment, we can provide our customers with actionable insights tailored to their environments. The
applications built on our Insight Platform allow our customers to collect data once, but use it to solve a range of
challenges from reducing risk, to identifying and responding to security incidents to quickly resolving IT issues
impacting user productivity. Our analytics are purpose built with an emphasis on accuracy, usability and relevance.
Robust and Relevant Knowledge of Attacker Activity. Our database of more than 85,000 known vulnerabilities is
continuously expanding through the efforts of our internal security experts and the broader Metasploit community.
Our ties to the security research community through Metasploit, an open source project with an active community of
contributors and users that was downloaded over 160,000 times in 2016, provides us with real-time insight into new
attacks and exploits. The size and accuracy of our exploit database and the speed at which our Threat Exposure
Management offerings are updated provides significant value to IT security professionals looking to secure their
networks in a dynamic and evolving threat environment. We also have a team of experienced security researchers
who support our knowledge and security insights through threat intelligence research and attacker modeling.
Intuitive Product Design Focused on Speed to Insight. Our solutions are designed for ease-of-use by IT security
professionals. Our underlying technology platform can easily become part of our customers’ operational fabric
without requiring internal expertise in systems integration, data science or data scripting. Our solutions are designed
to abstract the powerful underlying capabilities of our IT and security analytics platform so that users interact with a
simple, elegant interface. We believe that this clean user interface and intuitive design of our products differentiate
Rapid7 products from the competition and enables our customers to develop actionable insights quickly and with
limited training. We believe that our solutions are resource efficient for our customers and provide them with a fast
time-to-value, which makes it easy for organizations to understand the benefits of an active, analytics-driven
approach to cyber security and IT operations analysis.
Deep IT and Security Domain Expertise Across Technology, Operations and People. We leverage our deep domain
expertise in IT and security analytics to better serve our customers, who frequently have limited ability to carry deep
expertise in-house. We offer Security Advisory Services to help customers assess the quality of their security
programs and implement changes to make them more effective and cost efficient. We also offer Incident Detection
and Response services to help customers find and respond to attacks and compromises that they may be missing on
their own. Ultimately, we serve as a trusted security advisor to our customers, encompassing a powerful combination
of technology, services and operations expertise to support our customers’ success in managing their cyber security
exposure.

User Behavior Analytics. We believe that our user-centric approach to analytics is a key differentiator of our
technology platform and offerings. Our software solutions automatically create a behavior profile for each user in a
customer’s IT environment and automatically correlate every event and device with the correct user. Without this
automated correlation, security and IT professionals must search through several technology systems to manually
find and connect the information. In addition to saving precious time when things go wrong, our user behavior
analytics vastly improve the efficacy of our security incident detection. We compare user profiles against dynamic
attacker behavior profiles to distinguish normal user behavior from suspicious behavior and incorporate additional
data about how systems are likely to respond when under real-world attack. Within our technology platform, our
prioritization engine triangulates on the most important data to determine potentially compromised user credentials
and reduce false signals and alerts. In addition, our ability to provide rapid context around users and assets involved
in an incident can significantly reduce investigation time, enabling organizations to more quickly respond to, contain
and mitigate breaches. These powerful user-centric analytics allow IT security professionals to make informed and
proactive decisions.
Fast and Accessible Search Capabilities. We believe that our ability to enable fast search through an organization’s
data and endpoints can enable IT security professionals to better investigate and operationalize data to quickly
identify the root cause of issues. Our solutions allow IT security professionals to collect both structured and
unstructured machine data and to obtain rapid access to their data. These capabilities, along with real time and easily
accessible search across raw logs and endpoints for known patterns with intuitive search queries, can enable IT
security professionals to access their data for operational purposes.

Rapid7 Cyber Security Products and Services


Rapid7 solutions make customer data more productive, unlocking the answers customers need to deter, detect, and
remediate attacks and vulnerabilities, optimize IT operations, and automate workflows. It all begins with our
researchers and developers around the world collecting data and serving it up to the community and our products.
Project Heisenberg honeypots. Project Sonar internet-wide scans. The hundreds of thousands who participate in the
Metasploit Framework. We have the data and threat intelligence to model attacker behavior and prioritize risk. This
insight feeds our products and our platform; in other words, it provides the answers you need to pwn that innovation
paradox.

Our Solutions
We offer products across the four main pillars of our Insight Platform:
• Vulnerability Risk Management: Our industry-leading Vulnerability Risk Management (VRM) solutions provide
clarity into risk across traditional and modern IT environments, and the capabilities and data to influence
remediation teams and track progress. With built-in risk prioritization, IT-integrated remediation projects,
tracking of goals and service level agreements, and pre-built automation workflows, our solutions are designed to
not just enumerate risk, but also accelerate risk mitigation.
• Incident Detection and Response: Our Incident Detection and Response (IDR) solutions are designed to enable
organizations to rapidly detect and respond to cyber security incidents and breaches across physical, virtual and
cloud assets. Equipped with user behavior analytics (UBA), attacker behavior analytics (ABA), endpoint detection
and response (EDR) and deception technology, our Security Information and Event Management (SIEM) is
designed to provide comprehensive network visibility and accelerate threat investigation and response.
• Application Security: Our Application Security offerings provide dynamic application security testing and run-time
application security monitoring and protection solutions that are designed to continuously analyze web
applications for security vulnerabilities throughout a customer’s software development life cycle.

• Security Orchestration and Automation Response: Our Security Orchestration and Automation Response (SOAR)
solutions allow security teams to connect disparate solutions within their cyber security, IT and development
operations and build automated workflows, without requiring code, to eliminate repetitive, manual and
labor-intensive tasks, resulting in measurable time and cost savings.

Rapid7 Products
• InsightVM | Vulnerability management for an ever-evolving threat landscape
• InsightAppSec | Proven crawling and attack engine made for modern applications
• InsightIDR | Complete incident detection and response, SIEM, and UBA
• InsightConnect | Security Orchestration, Automation and Response (SOAR)
• DivvyCloud | Cloud Security Posture Management (CSPM)

Finally, to complement our products, we offer a range of managed services based on our software solutions and
professional services, including incident response services, security advisory services, and deployment and training.

Rapid7 Managed Services


• Managed Detection and Response
• Managed Vulnerability Management
• Managed Application Security

Rapid7 Consulting
• Advisory Services
• Penetration Testing Services
• Incident Response Services
• IoT Security Services
• Training and Deployment Services

Rapid7 Mission Statement


Rapid7's mission is to advance security through technology and expertise that simplify the complex.
Research
Our Philosophy
We believe security is the responsibility of all technology users, manufacturers, and intermediaries and that
collaboration is the only way to achieve long-term change. That’s why we’re committed to openly sharing security
information, helping our peers to learn, grow, and develop new capabilities, and supporting each other in raising and
addressing issues that affect the cybersecurity community.

We invest substantial resources in research and development to enhance our core technology platform and products,
develop new end market-specific solutions and applications, and conduct product and quality assurance testing. Our
technical and engineering team monitors and tests our products on a regular basis, and we maintain a regular release
process to refine, update, and enhance our existing products. We also have a team of experienced security
researchers who work to keep us abreast of the latest developments in the cyber security landscape. Our research
and development teams are located in our offices in Boston, Massachusetts; Austin, Texas; Los Angeles and San
Francisco, California; Arlington, Virginia; Toronto, Canada; Dublin and Galway, Ireland; Belfast, Northern Ireland; and
Stockholm, Sweden, providing us with a broad, worldwide reach to engineering talent.
Metasploit Community: Our Metasploit product has an active community of contributors and users. This online
security community provides us with a robust and growing network of active users and influencers who promote the
usage of our software. Security researchers contribute modules to the Metasploit Framework that serve as a resource
about real-world attacker techniques. The community also provides us with near real-time visibility into new cyber
attacks as they occur and a deep understanding of attacker behaviors.
We perform security research that enables the analytics in our platform and products as well as delivers strategic
value to the security community at large. The output of our research results in threat intelligence, exposure analysis
and attacker awareness that we publish as well as integrate into our platform. This data is used for security research,
product development, and across our services to help protect and inform our customers, partners and community.
We share this data with validated educational and private security researchers, research partners, vetted threat
sharing communities, and organizational security teams through our Open Data portal to foster collaboration and
encourage discovery of new insights. We collect data for research purposes through two key areas:
• Attacker Intelligence: We collect data from across the internet through a variety of honeypots distributed both
geographically and across IP space. The honeypots collect many data types which are then analyzed to help
enhance our understanding of attacker methods.
• Internet Intelligence: We conduct internet-wide scans across many services and protocols to gain insight into
global exposures and vulnerabilities.
The data collected is analyzed for the purpose of analytics in our platform and results in core research reports. We
publish a variety of reports including The National Exposure Index, The Industry Cyber Exposure Report and Under the
Hoodie. The National Exposure Index, published annually, is a census report that highlights the state of exposed
internet services at the nation-state level and provides key trending information on the use of insecure protocols. The
Industry Cyber Exposure Index details the attack surface, insecure service presence, email safety configurations,
malware infection rates and internet supply-chain risks of Fortune 500 companies. The Under the Hoodie report
sheds light on the art of penetration testing by revealing not just the process, techniques and tools that go into it, but
also revealing the real-world experience of our engineers and investigators, gathered over thousands of penetration
tests.
Rapid7 is committed to continuous improvement in large part through extensive investments in security research. We
conduct a broad range of research across four areas:
Vulnerability Discovery and Exploit Development — The most frequent research we do at Rapid7, vulnerability
discovery and exploit development focuses on uncovering vulnerabilities in software and creating exploits to exercise
them. Our aim with this research is to identify potentially harmful issues so they can be mitigated, either by the
technology provider, or by the user. We coordinate our disclosures with vendors and CERT to quickly develop and
deploy fixes and publish our findings routinely so other software developers can learn how to avoid similar problems
and users can learn a little more about the security issues that permeate their online lives.
Internet Telemetry — Our internet telemetry research involves the active and passive scanning of different services
and protocols around the world to gain insights into global exposure to common vulnerabilities and better
understand the threat landscape. We run two major telemetry projects:

• Project Sonar is a flexible and stable framework for conducting internet-wide scans. Like our vulnerability
disclosures and exploits, we publish the data we collect for free to encourage scientists, engineers, and anyone
else interested in the nature and form of the internet to make their own discoveries.
• The Heisenberg Project is a collection of honeypots distributed both geographically and across IP space. The
honeypots offer the front end of various services to learn what other scanners are up to and to conduct "passive
scanning" that enhances our understanding of the threat landscape.
Quarterly Threat Intelligence Reports — In our quarterly threat reports, we leverage data from Rapid7’s Insight
platform, Rapid7 Managed Detection and Response engagements, Project Sonar, and Heisenberg Cloud to dive into
notable security events, determine key takeaways, and provide helpful information for companies continuing to build
out their detection and response programs. The Rapid7 Quarterly Threat Report gives you a clear picture of the
threats that you face within your unique industry, and how those threats change throughout the year.
Rapid7 has also just released our National Exposure Index 2018. This report delves into the nature of internet
exposure—services that either do not offer modern cryptographic protection, or are otherwise unsuitable to offer on
the increasingly hostile internet—and how those exposure levels look around the globe. Powered by our Project
Sonar technology and data science and research teams, the report provides excellent insights into why certain
services equal greater risk of susceptibility to cyber threats.
Security Surveys — While direct measurement of internet technologies is in our DNA, there are some questions that
can only be answered by humans (for now). For these projects, we design meaningful surveys and apply modern
survey methodology to best craft the questions, reduce the bias and noise generated, and target the audiences most
relevant to the subject matter.
For example, we surveyed over 270 security professionals in order to collect some insight around the average security
team size, the adoption of cloud services, and the most pressing challenges those teams face today. Our Under the
Hoodie report summarizes actionable research from penetration testing engagements.
Customer Support
Rapid7 is advancing security with visibility, analytics, and automation delivered through our Insight cloud. Our
solutions simplify the complex, allowing security teams like yours to work more effectively with IT and development
to reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine
tasks.
The mission of Rapid7 Global Customer Support is to enable our customers to drive successful outcomes in their
security programs by providing unparalleled customer service and support. We collaborate with our customers to
help them not only when things don’t go according to plan, but also when they seek to securely innovate and
transform their business.
As the technology behind our solutions and the needs of our customers evolve over time, we will update this living,
breathing document.

InsightVM
Solution Overview
Vulnerability Risk Management
InsightVM
1.1 Solution Architecture
InsightVM’s Security Console and Scan Engines are available as software installers, physical appliances
and pre-built virtual appliances, and can be deployed to systems meeting minimum
requirements. Rapid7 also offers cloud-based Scan Engines for external scans and various managed
service deployment options. Hybrid deployments (physical/virtual) are supported, allowing the
different components to be paired interchangeably.
Nexpose System Requirements: https://www.rapid7.com/products/nexpose/system-requirements/
InsightVM System Requirements: https://www.rapid7.com/products/insightvm/system-requirements/
A typical deployment includes a single Security Console and one or more Scan Engines, depending on
the size and distribution of the organization. When multiple Scan Engines are deployed, the Security
Console is often used for management operations only. Components can be implemented using
different deployment methods. For example, a physical Security Console appliance can be paired with
virtual machine Scan Engines (and vice versa), hosted Scan Engines in Rapid7’s cloud environment can
be paired with the internally deployed Security Console for internal management of external scans,
and laptop installations can be used to support air gapped environments.
The solution is comprised of two main internal components: the Security Console and one or more
Scan Engines. The Security Console, an on-premise component that exists on the customer's network,
controls Scan Engines and retrieves scan data from them. It also controls all operations and provides a
Web-based user interface. Scan Engines perform asset discovery and vulnerability detection
operations, and can be distributed within or outside a firewall for varied coverage. Each installation of
the Security Console also includes a local engine, which can be used for scans within the console’s
network perimeter.
The Security Console communicates with distributed Scan Engines over a network to initiate scans and
retrieve scan results. By default, the Security Console initiates a TCP connection to Scan Engines over
port 40814, and communication is TLSv1.2 encrypted. The port and direction of communication
initiation between the Security Console and each remote Scan Engine can be changed. If the direction
of communication is from Console to Engine, which is the default setting, the Security Console will
initiate communication with the Scan Engine. If the direction of communication is from Engine to
Console, the Scan Engine will actively notify the console that it is available.
Scan results are transferred to the Security Console and are not stored on the Engines themselves.
Scan results may be transferred incrementally throughout the duration of a scan, or in their entirety at
the conclusion of a scan. By default, the Security Console retrieves scan results from distributed Scan
Engines incrementally, displaying results in the Web interface as it integrates the data, rather than
retrieving the full set of results after each scan completes. This allows users to view scan results as they
become available while a scan is in progress. Incremental retrieval modulates bandwidth usage
throughout the scan. It also makes it unnecessary for the Security Console to retrieve all the data at the
end of the scan, which could cause a significant, temporary increase in bandwidth usage, especially
with large sets of data.
While the primary administration and scan components exist on the customer's network, InsightVM
also leverages the Rapid7 Insight Platform in the cloud to provide assessment via endpoint agents,
customizable dashboards, remediation workflows, in-product integrations and more.

Distributed Scanning:
The InsightVM 64-bit client/server architecture uses a central management Security Console with
distributed Scan Engines and/or Insight Agents to provide full coverage of the IT environment. Scan
engines perform scan operations while all scan management, report management, and administration
is performed from the central console. End users connect to the central console using a Web browser.
The central console also includes a robust API that end users and integrations can use to
programmatically invoke the functionality of the console.
Both the Security Console and Scan Engine(s) can be deployed to cloud infrastructure meeting the
necessary system requirements and in accordance with any IaaS vendor applicable policies.
Rapid7 provides pre-built Security Console and Scan Engine images within the Amazon AWS and
Microsoft Azure marketplaces. Furthermore, Rapid7 offers a pre-authorized Scan Engine AMI in the
AWS marketplace, which provides an easy way to scan dynamic Elastic Compute Cloud (EC2) assets
without requiring prior approval from AWS customer support. The solution can also be integrated with
AWS and Azure environments to automatically discover, assess, and clean up decommissioned assets.

Internal & External Scanning:


InsightVM flexibly deploys as either an appliance, software, or a Managed Service for internal and
external vulnerability scanning.
InsightVM allows for scans to be proxied from Rapid7 servers that are on public address space. The
scan findings are then tunneled to the InsightVM instance that is deployed in the customer
environment.

Agent-Based Assessment:
InsightVM offers continuous live monitoring of exposures using Adaptive Security and Rapid7 Agents.
InsightVM Adaptive Security automatically detects and scans new devices as they enter your network
and identifies which devices have critical vulnerabilities as soon as they're released. This monitoring
uses dynamic connections to monitor assets as they join the network and performs automated actions
including adding the asset to a site, initiating a scan in real time, or tagging assets for prioritization,
remediation, or alerting. Users can also create filters for newly published vulnerabilities above a
specific threshold and set the environment to automatically scan for just those vulnerabilities. Users
can use a minimum severity, risk, or Common Vulnerability Scoring System (CVSS) score as a threshold
to track the threats of most concern.
Rapid7 Agents drive assessment of assets not on the corporate network or that are transient. Agents
collect all data required for assessment and pass that data to the Insight platform. Assessment takes
place in the Insight platform, not on a console and not in the agent itself. When connected, agents
accept “jobs” from the Insight platform and send data back for assessment. With agents, the concept
of a “scan” no longer exists; however, assets with agents can still be scanned in the traditional manner.
InsightVM plugs directly into network infrastructure in order to passively discover assets without the
need for scanning via dynamic discovery. Utilizing DHCP, hypervisors, and API calls, InsightVM can
identify asset activity and utilize triggers to initiate automated actions. Based on power status, time
since last scan, departure from network defense in depth, etc., scans and tagging can be automated to
ensure no gaps in vulnerability coverage exist.

Endpoint Monitoring:
InsightVM provides organizations with the ability to assess their defenses for endpoints and create a
plan to improve security postures.
Authenticated scans of endpoints can gather information on installed software/versions. This
information can be used to build very specific asset groups or reports, and is viewable within the
security console.
InsightVM also includes Endpoint Agents that allow users to assess assets not on the corporate
network or that are transient. These agents use the same technology as other products on the Insight
platform, so there is no need to install multiple agents for different Rapid7 products.
Agents collect all data required for assessment and pass that data to the Insight platform. Assessment
takes place in the Insight platform, not on a console and not in the agent itself. When connected,
agents accept “jobs” from the Insight platform and send data back for assessment. With agents, the
concept of a “scan” no longer exists; however, assets with agents can still be scanned in the traditional
manner.

Scalability:
InsightVM scales for larger networks using increased hardware capacity and additional scan engines
seamlessly paired with existing deployments. The InsightVM 64-bit client/server architecture offers
parallel and optimized distributed scans over low bandwidth connections.
InsightVM offers complete vertical and horizontal scalability, allowing customers to add more scan
engines at no additional cost. All scan engines can be managed from a single, central console deployed
on enterprise-level hardware. New scan engines are easily paired with existing deployments for the
additional coverage required by these environments. Newly added scan engines appear seamlessly in
scan group configuration within the GUI.
By default, scan groups are assigned a scan engine, and scan jobs are performed by that engine at
scheduled times or when launched for that scan group by the user. Scan engines can be pooled, and
scan groups assigned a pool as well in order to distribute the load across multiple available engines.
The number of scan engines simultaneously used is only restricted by network limits and the
specifications of the management console host.

Vulnerability Assessment:

Discovery:
InsightVM uses a built-in Nmap engine to perform asset discovery using ICMP echo requests (pings),
ARP pings (for local network), and TCP and UDP packets, as well as TCP/IP stack fingerprinting. Once
the application verifies that a host is live, or running, it begins to scan ports to collect information
about services running on the endpoint. The target range for service discovery can include TCP and
UDP ports.
InsightVM also provides dynamic discovery, allowing you to discover and track assets without running
a scan. It involves initiating a connection with a server or API that manages an asset environment, such
as one for virtual machines, and then receiving periodic updates about changes in that environment.
Dynamic connections leverage technologies such as DHCP, Active Directory, VMware, AWS and Azure.
InsightVM supports user and asset management with a full range of Role-Based Access Controls
(RBACs). Each user is assigned a set of assets, asset groups, and scan groups, and these determine what
assets will be visible to those users. InsightVM also discovers and profiles any system within the
defined scan range for each scan, and uses this information to automatically sort assets into groups
using a variety of combinable filter criteria. With group assignment and role-based user management,
configuring a workflow for user and team asset management is very easy.
InsightVM enables customers to track asset and user management, allowing users to be assigned sets
of assets that dynamically change as new scan information is obtained. These groups can be assigned
to each user and tracked from a dashboard and reporting perspective to show the risk and compliance
status of the group as a whole. Separate types of reports can be generated depending on the audience
consuming information about that asset group. For example, remediation plan reports can be
delivered to the asset owner to instruct them on the activities necessary to reduce risk, while executive
summary reports are delivered to management, and audit reports are sent to auditors.
Users can manually categorize assets into Static Asset Groups. Assets can also be managed within
Dynamic Asset Groups by filtering based on the required criteria. These use over 20 user-defined,
combinable criteria to automatically update based on newly discovered assets and asset information.
For example, assets could be tracked based on PCI compliance, vulnerabilities present, operating
system, software or services running, and these groups could be used by the organization to more
effectively monitor what types of assets are present in the IT environment. This is automatically
reflected in InsightVM dashboards and reports, enabling optimized asset visibility and management.

Unified Vulnerability & Configuration Assessment:


Configuration and compliance management is built into InsightVM and available at no extra cost.
Additionally, as InsightVM is a unified solution providing all functionality from a single installation, it
provides increased stability and lower cost of ownership.
While users have the option to run these scans separately, a single scan can be run that will include
everything from initial device discovery, service/OS fingerprinting, vulnerability checks and policy-
based configuration assessment.

Network Changes:
InsightVM offers continuous live monitoring of exposures using Adaptive Security and Rapid7 Agents.
InsightVM Adaptive Security automatically detects and scans new devices as they enter your network
and identifies which devices have critical vulnerabilities as soon as they're released. This monitoring
uses dynamic connections to monitor assets as they join the network and performs automated actions
including adding the asset to a site, initiating a scan in real time, or tagging assets for prioritization,
remediation, or alerting. Users can also create filters for newly published vulnerabilities above a
specific threshold and set the environment to automatically scan for just those vulnerabilities. Users
can use a minimum severity, risk, or Common Vulnerability Scoring System (CVSS) score as a threshold
to track the threats of most concern.
Rapid7 Agents drive assessment of assets not on the corporate network or that are transient. Agents
collect all data required for assessment and pass that data to the Insight platform. Assessment takes
place in the Insight platform, not on a console and not in the agent itself. When connected, agents
accept “jobs” from the Insight platform and send data back for assessment. With agents, the concept
of a “scan” no longer exists; however, assets with agents can still be scanned in the traditional manner.
InsightVM plugs directly into network infrastructure in order to passively discover assets without the
need for scanning via dynamic discovery. Utilizing DHCP, hypervisors, and API calls, InsightVM can
identify asset activity and utilize triggers to initiate automated actions. Based on power status, time
since last scan, departure from network defense in depth, etc., scans and tagging can be automated to
ensure no gaps in vulnerability coverage exist.

Authenticated Scans:
Traditional scanning can be done with or without credentials. For authenticated scans, it is
recommended that administrative rights are used for more comprehensive and accurate vulnerability
findings. Results from scans are then uploaded to AWS for analysis in InsightVM.
Agents can also be used to assess the risk on remote workstations that cannot be scanned via
traditional network based scanning. In order to properly assess the security posture of these
workstations, administrative rights will be required by the agent.

Scanning Frequency:
InsightVM scheduled scans run within a repeatable, defined scan window. Duration, date and time, as
well as the length of time between scans are all configurable. Scheduled scans that are incomplete at
the end of the scan window are paused and the data collected up to that point is integrated into the
InsightVM central console. Users can specify whether incomplete scans should start over or resume
scanning from the point of interruption on the next scan.

Virtual & Cloud Environments:


Scan Engines simply require network connectivity to desired scan targets, regardless of where those
assets may be hosted. Scan engines may be deployed on physical or virtual hosts, and can discover and
scan hosts regardless of hosting environment (e.g., within Rackspace).
The solution provides discovery connections for both Amazon AWS and Microsoft Azure. These
connections automatically discover new assets, import tags for asset filtering and risk score
modification, and sync to ensure that decommissioned/destroyed assets are removed. Rapid7 offers
pre-authorized virtual scanners in each respective marketplace.

Vulnerability Prioritisation and Risk Scoring:

Risk Scoring:
The solution offers five different risk strategies (or models) based on formulas that factor in likelihood
of compromise (associated malware and exploit modules), impact of compromise, temporal metrics,
and asset importance, allowing for risk analysis based on the organization’s unique security needs or
objectives. These strategies are: Real Risk, Temporal, TemporalPlus, Weighted, and PCI ASV 2.0
Risk. Rapid7 uses the Real Risk scoring strategy by default.
Real Risk: The Real Risk strategy can be summarized as base impact, modified by initial likelihood of
compromise, modified by maturity of threat exposure over time. This strategy is recommended
because you can use it to prioritize remediation for vulnerabilities for which exploits or malware kits
have been developed. The Real Risk algorithm applies unique exploit and malware exposure metrics
for each vulnerability to CVSS base metrics for likelihood and impact. Specifically, the model computes
impact between 0 and 1,000 based on the confidentiality impact, integrity impact, and availability
impact of the vulnerability.
Temporal: This strategy emphasizes the length of time that the vulnerability has been known to exist,
and is therefore useful for prioritizing older vulnerabilities for remediation. Older vulnerabilities are
regarded as likelier to be exploited because attackers have known about them for a longer period of
time. Also, the longer a vulnerability has been in existence, the greater the chance that less
commonly known exploits exist.
TemporalPlus: Like the Temporal strategy, TemporalPlus emphasizes the length of time that the
vulnerability has been known to exist; however, it provides a more granular analysis of vulnerability
impact by expanding the risk contribution of partial impact vectors. The TemporalPlus risk strategy
aggregates proximity-based impact of the vulnerability, using confidentiality impact, integrity impact,
and availability impact in conjunction with access vector. The impact is tempered by an aggregation of
the exploit difficulty metrics, which are access complexity and authentication requirement. The risk
then grows over time with the vulnerability age.
Weighted: This strategy is based primarily on site importance, asset data, and vulnerability types, and
it emphasizes the following factors: vulnerability severity, number of vulnerability instances, number
and types of services, and level of importance assigned to a site. It can be useful if the organization
assigns levels of importance to sites or if you want to assess risk associated with services running on
target assets.
PCI ASV 2.0 Risk: The PCI ASV 2.0 Risk strategy applies a score based on the Payment Card Industry
Data Security Standard (PCI DSS) Version 2.0 to every discovered vulnerability. The scale ranges from 1
(lowest severity) to 5 (highest severity). With this model, Approved Scan Vendors (ASVs) and other
users can assess risk from a PCI perspective by sorting vulnerabilities based on PCI 2.0 scores and
viewing these scores in PCI reports. Also, the five-point severity scale provides a simple way for the
organization to assess risk at a glance.

Threat Feeds:
Rapid7 solutions can identify potentially affected assets when a new zero-day comes out using the
advanced asset filtering criteria. For example, if a new zero-day affects known versions of OSes or
software, then Rapid7 solutions can find the affected surface area and group them together for
targeted scanning.
Rapid7 strives to have solution-based coverage available as soon as possible for new zero days, which
can then be used to pinpoint the actual affected assets and track remediation efforts over time.
Rapid7's threat intelligence team brings expertise and data sources from the public sector, private
sector, and open sources to fuel threat detection and incident response. All threat feeds are included
as part of the InsightIDR subscription.
Strategic threat intelligence is provided per industry sector and is aimed at decision makers and helps
shape threat prevention strategies to prevent threats from materializing.
Tactical threat intelligence is applied in our attacker behavior analysis methodologies and leverages
complex rules to generate investigative leads across multiple event sources and over time.
Operational threat intelligence is provided by way of proactive threat reports and indicates the
likelihood of an impending attack. Our reports include mitigation recommendations to increase
resilience against specific threats to your organization.
Technical threat intelligence in the form of indicators of compromise is applied across our customer
base. Rapid7 actively maintains the quality of the technical threat intelligence to ensure fidelity,
context, and timeliness for our threat intelligence.
Rapid7 believes it is imperative to identify and understand the risks associated with technical systems
and services so their users can take steps to protect themselves. This is why we invest in security
research. We analyze both enterprise and consumer technologies to understand their weaknesses,
configuration challenges, and vulnerabilities, and we share the resulting insights broadly and openly,
giving our community the information they need to learn about, and mitigate, their risk. Our approach
focuses on education and remediation, and we hope to help make technology safer for users, so they
can focus on reaping the benefits of technological innovation without threat of unintended negative
consequences.

Rapid7 is committed to continuous improvement in large part through extensive investments in
security research. We conduct a broad range of research across four areas:
Vulnerability Discovery and Exploit Development — The most frequent research we do at Rapid7,
vulnerability discovery and exploit development focuses on uncovering vulnerabilities in software and
creating exploits to exercise them. Our aim with this research is to identify potentially harmful issues
so they can be mitigated, either by the technology provider, or by the user. We coordinate our
disclosures with vendors and CERT to quickly develop and deploy fixes and publish our findings
routinely so other software developers can learn how to avoid similar problems and users can learn a
little more about the security issues that permeate their online lives.

Internet Telemetry — Our internet telemetry research involves the active and passive scanning of
different services and protocols around the world to gain insights into global exposure to common
vulnerabilities and better understand the threat landscape. We run two major telemetry projects:
Project Sonar is a flexible and stable framework for conducting internet-wide scans. Like our
vulnerability disclosures and exploits, we publish the data we collect for free to encourage scientists,
engineers, and anyone else interested in the nature and form of the internet to make their own
discoveries.
The Heisenberg Project is a collection of honeypots distributed both geographically and across IP
space. The honeypots offer the front end of various services to learn what other scanners are up to and
to conduct "passive scanning" that enhances our understanding of the threat landscape.
Quarterly Threat Intelligence Reports — We collect, anonymize, and analyze statistical security data
from a broad range of customers in order to suss out the security trends most relevant to enterprise
security teams as they form and move through our customer base, and share those learnings with a
broader audience. In our quarterly threat reports, we leverage data from Rapid7’s Insight platform,
Rapid7 Managed Detection and Response engagements, Project Sonar, and Heisenberg Cloud to dive
into notable security events, determine key takeaways, and provide helpful information for companies
continuing to build out their detection and response programs.
Rapid7 has also released our National Exposure Index 2018. This report delves into the nature of
internet exposure—services that either do not offer modern cryptographic protection, or are
otherwise unsuitable to offer on the increasingly hostile internet—and how those exposure levels look
around the globe. Powered by our Project Sonar technology and data science and research teams, the
report provides excellent insights into why certain services equal greater risk of susceptibility to cyber
threats.
Security Surveys — While direct measurement of internet technologies is in our DNA, there are some
questions that can only be answered by humans (for now). For these projects, we design meaningful
surveys and apply modern survey methodology to best craft the questions, reduce the bias and noise
generated, and target the audiences most relevant to the subject matter.
For example, we surveyed over 270 security professionals in order to collect some insight around the
average security team size, the adoption of cloud services, and the most pressing challenges those
teams face today. Our Under the Hoodie report summarizes actionable research from penetration
testing engagements.

Business Context:
The solution includes an optional Risk Score Adjustment setting, which allows the organization to
customize asset risk score calculations according to the business context of the asset. Using a feature
called RealContext, users can apply a variety of tags to assets, either manually or automatically using
dynamic asset groups. When the Risk Score Adjustment setting is enabled and assets have been tagged
with specific criticality levels, the solution then multiplies the original risk score (determined by the
selected risk strategy) by the custom modifier specified for that criticality tag. This functionality can be
used to automatically raise or lower the original risk score according to the business context (criticality)
of the asset.
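As an added illustration (not Rapid7's code, and not its actual scoring formulas, which this overview does not publish), the Python model below scores each vulnerability under a simplified Real Risk-like, Temporal-like and PCI ASV-style strategy, sums the scores per asset, and then applies a criticality multiplier the way the Risk Score Adjustment setting does. The impact mapping, likelihood weights, two-year maturity curve, modifier table and sample assets are all constructed assumptions.

```python
# Added illustrative model, NOT Rapid7's actual risk algorithm or code.
# All weights, impact values, age curves and criticality modifiers are constructed.
from dataclasses import dataclass
from datetime import date

# CVSS-style partial impact vectors mapped to a 0..1 value (constructed mapping).
IMPACT_VALUE = {"none": 0.0, "partial": 0.5, "complete": 1.0}

# Multiplier applied when Risk Score Adjustment is enabled (constructed table).
CRITICALITY_MODIFIER = {"very_high": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}


@dataclass
class Vulnerability:
    vuln_id: str
    confidentiality: str        # "none" | "partial" | "complete"
    integrity: str
    availability: str
    published: date
    has_exploit: bool = False   # a public exploit module exists
    has_malware_kit: bool = False
    pci_severity: int = 3       # PCI ASV 2.0 scale: 1 (lowest) .. 5 (highest)


@dataclass
class Asset:
    name: str
    criticality: str            # RealContext-style criticality tag
    vulns: list


def base_impact(v: Vulnerability) -> float:
    """Impact on a 0..1000 scale derived from the C/I/A impact vectors."""
    cia = (IMPACT_VALUE[v.confidentiality] + IMPACT_VALUE[v.integrity]
           + IMPACT_VALUE[v.availability]) / 3
    return 1000.0 * cia


def real_risk(v: Vulnerability, today: date) -> float:
    """Real Risk-like: base impact x likelihood of compromise x threat maturity over time."""
    likelihood = 0.3 + (0.4 if v.has_exploit else 0.0) + (0.3 if v.has_malware_kit else 0.0)
    age_days = (today - v.published).days
    maturity = min(1.0, 0.5 + age_days / 730)   # saturates after ~2 years (assumption)
    return base_impact(v) * likelihood * maturity


def temporal(v: Vulnerability, today: date) -> float:
    """Temporal-like: risk grows with the time the vulnerability has been known."""
    age_days = (today - v.published).days
    return base_impact(v) * (1.0 + age_days / 365)


def pci_asv(v: Vulnerability, today: date) -> float:
    """PCI ASV 2.0-like: the 1..5 severity assigned to the vulnerability."""
    return float(v.pci_severity)


STRATEGIES = {"real_risk": real_risk, "temporal": temporal, "pci_asv_2_0": pci_asv}


def asset_risk(asset: Asset, strategy: str, today: date, adjust: bool = True) -> float:
    """Sum the per-vulnerability strategy scores; with adjustment enabled, multiply by
    the modifier for the asset's criticality tag (Risk Score Adjustment)."""
    total = sum(STRATEGIES[strategy](v, today) for v in asset.vulns)
    if adjust:
        total *= CRITICALITY_MODIFIER[asset.criticality]
    return round(total, 1)


def prioritise(assets, strategy: str, today: date, adjust: bool = True):
    """Return assets ordered highest risk first under the chosen strategy."""
    return sorted(assets, key=lambda a: asset_risk(a, strategy, today, adjust), reverse=True)


# Constructed sample data: an old, widely exploited but partial-impact bug on a low
# criticality kiosk, versus a fresh complete-impact bug with no exploit on a production DB.
TODAY = date(2023, 11, 1)
OLD_EXPLOITED = Vulnerability("VULN-OLD", "partial", "partial", "partial",
                              date(2021, 11, 1), has_exploit=True,
                              has_malware_kit=True, pci_severity=4)
NEW_SEVERE = Vulnerability("VULN-NEW", "complete", "complete", "complete",
                           date(2023, 9, 1), pci_severity=5)
KIOSK = Asset("lobby-kiosk", "low", [OLD_EXPLOITED])
DB = Asset("db-prod", "very_high", [NEW_SEVERE])

if __name__ == "__main__":
    for adjust in (False, True):
        order = [a.name for a in prioritise([KIOSK, DB], "real_risk", TODAY, adjust)]
        print(f"real_risk adjust={adjust}: {order}")
```

Run as a script to see the kiosk outrank the database under the Real Risk-like strategy until the criticality adjustment is enabled, which flips the order.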

Vulnerability Validation:
InsightVM performs a limited set of checks similar to that of a penetration testing tool, such as
checking default credentials on an asset or testing injection vulnerabilities with specific data. When
these types of vulnerabilities are detected, InsightVM uses this access to perform scanning of this
additional layer. This functionality is automatically included during scans.
For end-to-end, best-of-breed penetration testing, Rapid7 recommends Metasploit Pro, an automated
penetration testing platform that provides a complete set of audit and exploit tools for any penetration
tester. These solutions work in tandem to provide a security risk intelligence solution that actively
finds, tests, and categorizes weaknesses on the network. Users can perform discovery scans from a
built-in Nmap engine, launch automated exploits, gain and manage sessions on tested assets, collect
evidence, create reports, perform automated replicated phishing attacks, and more.
Metasploit is integrated with InsightVM to provide validation capabilities, allowing users to push scan
results to Metasploit, test detected vulnerabilities with any associated exploits, create exceptions for
those vulnerabilities that could not be exploited, and create asset groups for high priority assets that
were exploited. Those vulnerabilities that were exploitable can be tagged and pushed to InsightVM as
groups for remediation and risk monitoring, and those that were not exploitable can be pushed to
InsightVM as exceptions for compensating controls.
Using Rapid7's closed loop solution with Metasploit, users can test systems from a hacker’s
perspective, launching exploits against target systems to identify which systems are exploitable.

Note: Metasploit Pro is licensed at an additional cost.

Remediation

Automated and IT-Integrated Patching:


InsightVM provides built-in integrations with Microsoft System Center Configuration Manager (SCCM)
and IBM BigFix. Customized integrations can also be facilitated by delivering scan data and using the
API to deploy patches.
InsightVM integrates with Microsoft SCCM via in-product automation workflows. After an assessment,
patches will be staged in Microsoft SCCM and a human decision point will be created in InsightVM.
Users will use SCCM to deploy the patches to their assets and then use the decision point to confirm
that the work is complete. At this point, InsightVM will kick off a rescan of the assets to validate
remediation efforts.

Role Assignment:
Assets can be automatically grouped based on specific criteria. Pre-built reports can be run at the
conclusion of each scan and automatically sent to specified asset owners (users/email addresses).
InsightVM Remediation Analytics offers a remediation workflow that is operationalized and
manageable in one unified view. The Projects feature allows administrators to group like assets and
solutions together using flexible filtering options, creating focused action plans for remediation teams.
Project creators can set an end date for a project and measure overall and individual solution progress
throughout its duration. Projects are updated as scans are completed: once the vulnerability has been
fixed, the remediation step is updated.

Automated Containment:
InsightVM drives efficiency by streamlining remediation, a traditionally tedious and time-consuming
task. InsightVM automates the steps of aggregating key information, retrieving fixes for identified
vulnerabilities, and applying patches. Upon completion, users can have InsightVM automatically re-
assess impacted assets to verify successful patching. This automation of more mundane and repetitive
aspects of vulnerability management allows users to refocus time and energy toward a larger
vulnerability management strategy.

By automating mundane, repeatable tasks such as applying patches to known vulnerabilities and
utilizing existing systems management tools (like IBM BigFix or Microsoft SCCM), users extract greater
strategic value from available resources. InsightVM's automated workflows give users back time which
was previously spent on repetitive tasks, allowing them to focus on more strategic objectives such as
long-term plans for risk reduction across the corporate IT network.

Automation-Assisted Patching in InsightVM gives users the autonomy to make key decisions in the
patching process, such as providing approval to apply certain patches to certain vulnerabilities, while
automating the patching process itself.
Automated Containment decreases exposure from vulnerabilities by automatically implementing
temporary (or permanent) compensating controls via Network Access Control (NAC) systems, firewalls,
and Endpoint Detection and Response tools.

Remediation Analytics:
Vulnerability remediation can be monitored as the reduction of vulnerabilities and risk over time
through graphs, charts, and tables in the user interface and reports, as well as through point-to-point
comparisons through Baseline Comparison reports.
Assets can be automatically grouped based on specific criteria to track remediation progress. Pre-built
reports can be run at the conclusion of each scan and automatically sent to specified asset owners
(users/email addresses).

Planning for Remediation:


Remediation information is available for all vulnerabilities and presented in reports as either high-level
or detailed step-by-step instructions. Solutions are typically ordered by overall risk impact within the
scope of a particular report. Direct links to patch content are provided when applicable, and
configuration changes are listed as commands and steps to be applied by the user. Patch supersedence
is accounted for with rollup solutions. The 'Top Remediations by Risk with Details' report details the
most effective remediation solutions for assets in scope, as well as the steps required to perform the
fix. This allows organizations to generate a single, focused report that provides the biggest impact to
reducing risk across the environment.
The Remediation Plan template provides detailed remediation instructions for each discovered
vulnerability. Note that the report may provide solutions for a number of scenarios in addition to the
one that specifically applies to the affected target asset.

Reporting:

Consolidated Reporting:
InsightVM Dashboards are personalized views into your environment that can be customized to focus
on the information you care about. Dashboards are powered by the Rapid7 Insight platform and allow
you to explore all of your vulnerability management data in one place. They also include pre-packaged
analytics that answer security questions for you without exploration. Dashboards are made up of data
cards that explain your security data in simple ways.

You can navigate back and forth between your on-premise InsightVM console and the dashboard
powered by the Rapid7 Insight Platform. Dashboards give you the big picture of the status of your
environment, and on trends over time. Cards in your dashboard give you an overview of a situation,
and you can expand and filter the data to focus in on specific subjects of interest. You can create
custom cards and add them to new dashboards. You will be automatically logged into the dashboard,
and your data will be based on the assets and information to which you have access in InsightVM.
InsightVM Liveboards provide a live pulse of your vulnerability management program with insight into
vulnerabilities, assets, risks, asset groups, sites, teams, credentials, and more. Users are able to create
their own liveboards, made up of various “cards,” (e.g. newly released vulnerabilities, expiring SSL
certs) and view that information together. Cards can be expanded to reveal a plethora of information
that users can interact with, explore, and filter easily. InsightVM offers dozens of different data cards
that users can select from a library and customize. Moving or reconfiguring items on a liveboard will
automatically save a liveboard. There is no limit to the number of liveboards users can create. Users
can also duplicate and edit any liveboard they have access to, as well as share their liveboards with
others. Liveboards are viewed in the context of only information the user can see. In other words,
information a user can see is based on the assets the user has access to, as determined by RBAC. Users
are able to create remediation projects directly from the assets/vulnerabilities and assets page.
Scan data can be consolidated to produce a single report or parsed in any number of ways according to
the needs of the organization and the users managing the assets themselves.
InsightVM supports consolidated reporting from a central management console. The console system
hosts the InsightVM database, which contains aggregate scan data collected from every scanner.
This provides a single point of management for all reports regardless of where scans occur on the
network. No additional modules or costs are associated.

Asset Groups:
Asset groups provide different ways for members of your organization to grant access to, view, scan,
and report on asset information. Asset groups allow you to create logical groupings that you can
configure to dynamically incorporate new assets that meet specific criteria. You can define an asset
group within a site in order to scan based on these groupings.
Dynamic Asset Groups
A dynamic asset group allows you to track changes to your live asset inventory and security posture
and create reports based on the most current data. A dynamic asset group contains scanned assets
that meet a specific set of search criteria that are defined with asset search filters, such as IP address
range or hosted operating systems. The list of assets in a dynamic group is subject to change with every
scan. Assets that no longer meet the group’s Asset Filter criteria after a scan will be removed from the
list and newly discovered assets that meet the criteria will be added to the list after the application
completes a scan and integrates the new asset information in the database.
Static Asset Groups
A static asset group does not change unless it is altered manually, providing time-frozen views of an
environment that can be used for reference or comparison. It contains assets that meet a set of criteria
defined according to your organization’s needs.
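The following is an added worked example, not code from the original document or from Rapid7, that models two behaviours described above: dynamic asset groups whose membership is recomputed after each scan (assets that stop matching drop out, newly discovered matches are added) versus static groups that never change, and the RealContext-style Risk Score Adjustment, where a criticality tag carried by an asset multiplies the base risk score. The asset fields, filter helpers, criticality modifier values and the scan inventories are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set

# Constructed sample inventory. The field names are assumptions made for this
# example and are not InsightVM's data model.
@dataclass
class Asset:
    asset_id: int
    ip: str
    os: str
    risk_score: float                    # score from the selected risk strategy (constructed)
    tags: Set[str] = field(default_factory=set)

# Assumed criticality modifiers for the Risk Score Adjustment setting.
CRITICALITY_MODIFIER: Dict[str, float] = {
    "Very High": 2.0, "High": 1.5, "Medium": 1.0, "Low": 0.5, "Very Low": 0.25,
}

AssetFilter = Callable[[Asset], bool]

def in_subnet(cidr: str) -> AssetFilter:
    """Asset search filter: IP address inside a CIDR range."""
    net = ip_network(cidr)
    return lambda a: ip_address(a.ip) in net

def os_contains(fragment: str) -> AssetFilter:
    """Asset search filter: operating system fingerprint contains a string."""
    return lambda a: fragment.lower() in a.os.lower()

class DynamicAssetGroup:
    """Membership is recomputed from the live inventory after every scan; the
    group's criticality tag follows membership in and out."""

    def __init__(self, name: str, filters: List[AssetFilter],
                 criticality: Optional[str] = None) -> None:
        self.name, self.filters, self.criticality = name, filters, criticality
        self.members: Set[int] = set()

    def refresh(self, inventory: List[Asset]) -> Set[int]:
        matched = {a.asset_id for a in inventory if all(f(a) for f in self.filters)}
        if self.criticality:
            for a in inventory:
                if a.asset_id in matched:
                    a.tags.add(self.criticality)          # newly matching or still matching
                elif a.asset_id in self.members:
                    a.tags.discard(self.criticality)      # dropped out since the last scan
        self.members = matched
        return set(matched)

class StaticAssetGroup:
    """A frozen list that changes only when edited by hand, never by a scan."""

    def __init__(self, name: str, asset_ids: Set[int]) -> None:
        self.name, self.members = name, set(asset_ids)

    def refresh(self, inventory: List[Asset]) -> Set[int]:
        return set(self.members)

def adjusted_risk(asset: Asset, adjustment_enabled: bool = True) -> float:
    """Base score times the modifier of the asset's criticality tag. When an
    asset carries several criticality tags the highest modifier is used (an
    assumption of this example)."""
    if not adjustment_enabled:
        return asset.risk_score
    mods = [CRITICALITY_MODIFIER[t] for t in asset.tags if t in CRITICALITY_MODIFIER]
    return asset.risk_score * (max(mods) if mods else 1.0)

def scan_1() -> List[Asset]:
    return [Asset(1, "10.0.1.10", "Windows Server 2019", 800.0),
            Asset(2, "10.0.1.11", "Ubuntu 22.04", 300.0),
            Asset(3, "10.0.2.5", "Windows 10", 500.0)]

def scan_2() -> List[Asset]:
    # Asset 1 was rebuilt on Linux; asset 4 is newly discovered in the DMZ subnet.
    return [Asset(1, "10.0.1.10", "Rocky Linux 9", 800.0),
            Asset(2, "10.0.1.11", "Ubuntu 22.04", 300.0),
            Asset(3, "10.0.2.5", "Windows 10", 500.0),
            Asset(4, "10.0.1.20", "Windows Server 2022", 650.0)]

def demo() -> dict:
    dmz_windows = DynamicAssetGroup(
        "DMZ Windows hosts", [in_subnet("10.0.1.0/24"), os_contains("windows")],
        criticality="Very High")
    pci_q1 = StaticAssetGroup("PCI baseline Q1", {1, 3})
    out = {}
    for label, inventory in (("scan1", scan_1()), ("scan2", scan_2())):
        out[label] = {
            "dynamic": dmz_windows.refresh(inventory),
            "static": pci_q1.refresh(inventory),
            "risk": {a.asset_id: adjusted_risk(a) for a in inventory},
        }
    return out

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

After the first scan the dynamic group holds asset 1 and its risk is doubled by the "Very High" tag; after the second scan asset 1 no longer matches, loses the tag and returns to its base score, while the newly discovered asset 4 joins the group and is adjusted instead. The static group stays at assets 1 and 3 through both scans.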

Report Templates & Customization:


The following is a list of built-in report templates:
Document
Audit Report
Baseline Comparison
Executive Overview
Newly Discovered Assets
Highest Risk Vulnerabilities
PCI Attestation of Compliance
PCI Executive Summary
PCI Host Details
PCI Vulnerability Details
Policy Compliance Status
Policy Details
Policy Evaluation
Policy Rule Breakdown Summary
Remediation Plan
Report Card
Risk Scorecard
Top 10 Assets by Vulnerability Risk
Top 10 Assets by Vulnerabilities
Top Policy Remediations
Top Policy Remediations with Details
Top Remediations
Top Remediations with Details
Vulnerability Exception Activity

Vulnerability Trends
Export
Asset Report Format (ARF)
CSV
XML
SCAP XML
SQL Query Export
XCCDF XMLs
Default reports can be customized to support risk management goals of the end-user. Sections can be
added and removed through new custom report templates or modification of default templates,
allowing configuration and vulnerability assessment data to be included in reports in varying capacities.
InsightVM can also create custom reports based on specific hosts by first creating a Dynamic Asset
Group for only hosts matching specific criteria, such as those running a Windows operating system,
running a specific application, within a specific sub-network. This can be applied as the set of assets in
report scope definition. Users can also filter vulnerability content for each asset in scope of the report.
This can be filtered by severity, vulnerability status (potential, vulnerable version, or vulnerable), and
category (platform, check type, protocol). Users can only view scan or report data on those devices or
collections of devices to which they have access.
InsightVM reports can be scheduled for generation and distribution ad-hoc, after each time a scan is
performed, or on a repeating date and time. InsightVM reports can be delivered via email to any list of
addresses specified as a file or zipped attachment.

Remediation Validation:
The solution provides proof of detection and remediation solutions for each vulnerability, both within
the interface and several reports. Remediation information includes clear and concise steps required to
remediate a vulnerability. Re-scans using the solution will validate whether or not a vulnerability has
been remediated.
The solution can be used to target specific vulnerabilities for exploits using the Metasploit exploit
framework. Verifying vulnerabilities through exploits helps users focus remediation tasks on the most
critical gaps in security. For each discovered vulnerability, the application indicates whether there is an
associated exploit and the required skill level for that exploit. If a Metasploit exploit is available, the
console displays the appropriate icon and a link to a Metasploit module that provides detailed exploit
information. Some vulnerabilities, once successfully exploited using Metasploit, can be tagged
accordingly to increase risk score and therefore visibility within reporting and analytics.

Asset and Vulnerability Filtering:


The solution provides options to filter reports by vulnerability severity levels and vulnerability
categories, which are based on platforms, software, protocols, vulnerability types and services affected.
Reporting scope can be set anywhere from a single asset to the whole environment, including
automatically populated dynamic asset groups and asset tags. In addition to specifying a scope of
assets, users can utilize filters to include/exclude particular vulnerabilities, allowing for very targeted
and actionable reporting.

Dashboards:

Database Queries:
SQL queries can be run directly against the reporting data model, with the results output in
comma-separated value (CSV) format. This gives you the flexibility to access and share asset and
vulnerability data that is specific to the needs of your security team. Because the output is CSV, you
can build pivot tables, charts, and graphs from the query output for effective presentation.
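The following is an added example, not code from the original document or from Rapid7, of the kind of query a SQL Query Export report carries and of rendering its result set as CSV. It also applies the severity filtering described under Asset and Vulnerability Filtering. The schema is a constructed SQLite stand-in: the dim_/fact_ table naming follows the style of InsightVM's reporting data model, but the exact tables, columns and rows here are assumptions of this example, not the product's real model.

```python
import csv
import io
import sqlite3
from typing import Dict, List

# Constructed SQLite stand-in for the reporting data model. The dim_/fact_
# naming mimics InsightVM's reporting data model, but this schema is an
# assumption of the example and deliberately minimal.
SCHEMA = """
CREATE TABLE dim_asset (
    asset_id INTEGER PRIMARY KEY, ip_address TEXT, host_name TEXT);
CREATE TABLE dim_vulnerability (
    vulnerability_id INTEGER PRIMARY KEY, title TEXT, severity TEXT,
    cvss_score REAL, exploits INTEGER);
CREATE TABLE fact_asset_vulnerability_finding (
    asset_id INTEGER, vulnerability_id INTEGER);
"""

# Constructed sample data (not real scan output).
ASSETS = [(1, "10.0.1.10", "web01"), (2, "10.0.1.11", "db01"), (3, "10.0.2.5", "wk01")]
VULNS = [
    (101, "Example TLS weak cipher (constructed)",      "Severe",   7.5, 1),
    (102, "Example RCE in web framework (constructed)", "Critical", 9.8, 2),
    (103, "Example info leak header (constructed)",     "Moderate", 4.3, 0),
    (104, "Example DB auth bypass (constructed)",       "Critical", 9.1, 0),
]
FINDINGS = [(1, 101), (1, 102), (1, 103), (2, 101), (2, 104), (3, 103)]

# The query a report author would place in a SQL Query Export template:
# Critical/Severe findings per asset, how many have public exploits,
# ordered by the highest CVSS score on the asset.
QUERY = """
SELECT a.ip_address, a.host_name,
       COUNT(f.vulnerability_id)                        AS findings,
       MAX(v.cvss_score)                                AS max_cvss,
       SUM(CASE WHEN v.exploits > 0 THEN 1 ELSE 0 END)  AS exploitable
FROM fact_asset_vulnerability_finding f
JOIN dim_asset a USING (asset_id)
JOIN dim_vulnerability v USING (vulnerability_id)
WHERE v.severity IN ('Critical', 'Severe')
GROUP BY a.asset_id
ORDER BY max_cvss DESC, findings DESC
"""

def build_db() -> sqlite3.Connection:
    """Create the in-memory stand-in and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dim_asset VALUES (?, ?, ?)", ASSETS)
    conn.executemany("INSERT INTO dim_vulnerability VALUES (?, ?, ?, ?, ?)", VULNS)
    conn.executemany("INSERT INTO fact_asset_vulnerability_finding VALUES (?, ?)", FINDINGS)
    return conn

def export_csv(conn: sqlite3.Connection, query: str) -> str:
    """Run a read-only query and render the result set as CSV text, header row first."""
    cur = conn.execute(query)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([col[0] for col in cur.description])
    writer.writerows(cur.fetchall())
    return buf.getvalue()

def export_rows(query: str = QUERY) -> List[Dict[str, str]]:
    """Convenience wrapper: the CSV text parsed back into one dict per row."""
    conn = build_db()
    try:
        text = export_csv(conn, query)
    finally:
        conn.close()
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    print(export_csv(build_db(), QUERY))
```

The workstation wk01 carries only a Moderate finding, so the severity filter drops it from the report; web01 sorts first because its highest CVSS score is 9.8, and the exploitable column separates the two assets that otherwise tie on finding count.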

Compliance & Configuration Assessment:

Compliance Assessment:
Rapid7 is a certified ASV by the PCI Security Standards Council. Pre-configured, best-practice PCI
templates are included in InsightVM. These templates offer comprehensive scanning and audience-
based reporting for risk monitoring, remediation, and documentation of compliance. PCI scanning
services, including an Attestation of Scan Compliance report, can be provided by our certified ASV
partner, Coalfire, who uses Rapid7 solutions for PCI scanning.
Rapid7 acts as a trusted advisor in the eyes of PCI as the only vulnerability management company with
multiple members of its executive board invited to join the PCI Steering Committee, a group dedicated
to revising and improving the PCI DSS. Rapid7’s Professional PCI Services engagements leverage
certified security professionals, minimizing the scope of the PCI environment, tracking progress to
compliance, and providing security-driven, compliance-initiative consultation.
Configuration and compliance management is built into InsightVM and available at no extra cost.
InsightVM is a SCAP compliant tool and provides best practice, built-in scan templates for PCI, HIPAA,
SOX, CIS Benchmark, FDCC, USGCB, FISMA, and NERC regulatory compliance mandates, with built-in
checks and optimization for coverage of the different types of platforms scanned under these
regulations.

InsightVM can run all necessary checks in one pass via its easy-to-use scan template configuration.
InsightVM performs both internal and external vulnerability assessments, providing a complete picture
of risk and the tools to reduce it within the range of compliance. This includes a Remediation Plan
report with engineer-level step-by-step instructions for the timely remediation of each asset. InsightVM
also provides a Policy Evaluation report template for identifying compliance by policy element and
system. Reporting on policy compliance is provided by the asset-centric reporting, which customers
would use to include a "policy evaluation" section.

Configuration Assessment:
InsightVM can run all necessary checks in one pass via its easy-to-use scan template configuration.
Policies can be managed and modified (where applicable) within the InsightVM interface. InsightVM
also includes pre-built policy remediation reports to help drive towards higher levels of compliance.

Administration:

Role-Based Access:
InsightVM provides comprehensive role-based access controls (RBACs) that govern functionality such
as scanning capabilities, scan configuration creation/modification, asset grouping, reporting,
administrative functions, and other settings. Along with functional access controls, RBAC extends to
visibility of scan target assets. Users can only view scan or report data on those devices or collections
of devices to which they have access. InsightVM includes pre-defined user roles addressing core
permission sets that can be customized as needed. Additional custom roles can be created and
assigned to users, allowing for efficient management of user access.
For additional information regarding roles and permissions, please refer
to: https://insightvm.help.rapid7.com/docs/managing-users-and-authentication.

Exceptions Management:
Vulnerability exceptions are supported at the instance, asset, scan group, and global levels.
Permissions are available for exception submission, approval, and expiration. Users can denote the
reason for exception as well as further comments. The Security or Audit team can accept or reject
these exceptions for any given time. Expiration dates can also be defined on specific exceptions,
allowing the exception to inactivate after a certain period of time. Once the expiration date passes, the
vulnerability will again appear on reports.
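The following is an added example, not code from the original document or from Rapid7, that models the exception workflow just described: exceptions scoped at the instance, asset, site or global level, a submit step separated from an approve/reject permission, and an expiration date after which the suppressed vulnerability appears on reports again. The class names, role names, finding data and dates are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple

# Constructed model of vulnerability exceptions with scope levels, a
# submit/approve workflow and optional expiration. Class and field names are
# assumptions of this example, not InsightVM's API.

class Scope(Enum):
    INSTANCE = "instance"   # one vulnerability on one port/service of one asset
    ASSET = "asset"         # every instance of the vulnerability on one asset
    SITE = "site"           # every asset in a site (the page's "scan group")
    GLOBAL = "global"       # every asset in the deployment

class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    REJECTED = "rejected"

@dataclass(frozen=True)
class Finding:
    asset_id: int
    site: str
    vuln_id: str
    port: int

@dataclass
class VulnException:
    vuln_id: str
    scope: Scope
    reason: str                      # e.g. "compensating control", "false positive"
    submitted_by: str
    state: State = State.SUBMITTED
    expires: Optional[date] = None   # None means the exception never expires
    asset_id: Optional[int] = None
    site: Optional[str] = None
    port: Optional[int] = None
    comment: str = ""

# Roles assumed to hold the approval permission, which is separate from submission.
APPROVER_ROLES = {"security", "audit"}

def review(exc: VulnException, reviewer_role: str, approve: bool) -> VulnException:
    """Approve or reject a submitted exception; only approver roles may do so."""
    if reviewer_role not in APPROVER_ROLES:
        raise PermissionError(f"role {reviewer_role!r} cannot approve or reject exceptions")
    exc.state = State.APPROVED if approve else State.REJECTED
    return exc

def is_active(exc: VulnException, today: date) -> bool:
    """Only approved, unexpired exceptions suppress findings; once the
    expiration date passes the vulnerability reappears on reports."""
    return exc.state is State.APPROVED and (exc.expires is None or today < exc.expires)

def covers(exc: VulnException, f: Finding) -> bool:
    """Does this exception's scope include the finding?"""
    if exc.vuln_id != f.vuln_id:
        return False
    if exc.scope is Scope.GLOBAL:
        return True
    if exc.scope is Scope.SITE:
        return exc.site == f.site
    if exc.scope is Scope.ASSET:
        return exc.asset_id == f.asset_id
    return exc.asset_id == f.asset_id and exc.port == f.port   # INSTANCE

def reportable(findings: List[Finding], exceptions: List[VulnException],
               today: date) -> List[Tuple[int, int, str]]:
    """Findings that still appear on a report generated on the given date."""
    active = [e for e in exceptions if is_active(e, today)]
    return [(f.asset_id, f.port, f.vuln_id)
            for f in findings if not any(covers(e, f) for e in active)]

# Constructed findings from one scan.
FINDINGS = [
    Finding(1, "dmz", "tls-weak-cipher", 443),
    Finding(1, "dmz", "tls-weak-cipher", 8443),
    Finding(2, "corp", "tls-weak-cipher", 443),
    Finding(2, "corp", "smb-signing-disabled", 445),
]

def demo() -> dict:
    # Instance-scope exception: only port 443 on asset 1, expiring 1 July 2024.
    e1 = VulnException("tls-weak-cipher", Scope.INSTANCE, "compensating control",
                       "ops-user", expires=date(2024, 7, 1), asset_id=1, port=443,
                       comment="WAF terminates TLS in front of this listener")
    review(e1, "security", approve=True)
    # Global exception that has been submitted but not yet reviewed.
    e2 = VulnException("smb-signing-disabled", Scope.GLOBAL, "acceptable risk", "ops-user")
    excs = [e1, e2]
    before = reportable(FINDINGS, excs, date(2024, 6, 1))
    review(e2, "audit", approve=True)
    after_approval = reportable(FINDINGS, excs, date(2024, 6, 1))
    after_expiry = reportable(FINDINGS, excs, date(2024, 7, 1))
    return {"before": before, "after_approval": after_approval, "after_expiry": after_expiry}

if __name__ == "__main__":
    for stage, rows in demo().items():
        print(stage, rows)
```

Note that the instance-scope exception suppresses the weak cipher only on port 443 of asset 1; the same vulnerability on port 8443 keeps reporting, and the unreviewed global exception has no effect until an approver role accepts it. On the expiry date the port 443 finding returns to the report without anyone having to touch the exception.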

Application Updates:
By default, the solution automatically checks for, downloads, and applies any available updates from
Rapid7’s update servers every six hours. Updates are divided into two categories:
Product updates: these include new features, bug fixes and performance enhancements. Major
releases are typically provided on a quarterly basis, with point releases on a bi-weekly basis.
Content updates: These include new and updated vulnerability and compliance checks, exploit
modules, checks for security policy compliance, fingerprinting enhancements, and improvements to
scanning. Rapid7 provides weekly and often daily coverage updates. New vulnerability signatures are

released out-of-band for newly published exploits, and Rapid7 often has the capability to deliver
coverage of exploits built into Metasploit from internal research or from the Metasploit community of
over 200,000, which act as sensors in researching and developing new exploit content. Previous
definitions are actively reviewed and modified based upon vendor/community updates, internal
Rapid7 testing and inaccurate or inconsistent results reported by a customer.
Automatic product updates can be disabled and performed manually by the user through the Security
Console web interface. Content updates can only be disabled by restricting console connectivity to
Rapid7’s update servers. Both types of updates can be performed offline, and Rapid7 offers a separate
offline activation and update wizard for this process. The Security Console service will restart after
applying product updates. Content updates are loaded dynamically as the service is running and may
occasionally require a service restart. System downtime is confined to brief service restarts that can
take place automatically, manually, or on a set schedule. The solution includes proxy configuration
settings to set up an update proxy for sequestered environments.
All updates are free to customers with active licensing.
If your network environment is isolated from the Internet, you can apply an update by running the
installer that is released with that update. When you start the installer, it automatically scans your
current installation for files to repair or update and then applies those changes. An "update"
installation leaves your database and configuration settings intact. The only changes it makes to your
deployment are the updates.
At least one computer with internet access is required in order to download the most recent installer.
Please refer to the following Help page for additional information:
https://insightvm.help.rapid7.com/docs/managing-versions-updates-and-licenses#section-managing-updates-without-an-internet-connection.

Coverage Updates:
Vulnerability coverage is updated on an ad hoc basis, and new checks are loaded dynamically, separate
from core product updates. Rapid7’s Vulnerability Development Team uses all available resources to
detect, analyze and develop signatures for new vulnerabilities, including publicly available vulnerability
databases, vendor knowledgebases, and internal research. Rapid7 uses the knowledgebase available
from major vendors such as Microsoft and Oracle, vulnerability databases such as Bugtraq, Secunia,
SANS, and more, and detects additional vulnerability alerts through Internet newsgroups, security
portals, security companies and distribution lists.
Rapid7 provides weekly coverage updates, Patch Tuesday vulnerability updates, and out of band
coverage updates for critical 0-day vulnerabilities.

Integration:

Virtual & Cloud Environments:


Scan Engines simply require network connectivity to the desired scan targets, regardless of where those
assets are hosted. Scan Engines may be deployed on physical or virtual hosts, and can discover and
scan hosts regardless of hosting environment (e.g. within Rackspace).
The solution provides discovery connections for both Amazon AWS and Microsoft Azure. These
connections automatically discover new assets, import tags for asset filtering and risk score

modification, and sync to ensure that decommissioned/destroyed assets are removed. Rapid7 offers
pre-authorized virtual scanners in each respective marketplace.

IT Security Solutions:
The Rapid7 technology alliances team is deeply focused on delivering the most interoperable ecosystem
of best-of-breed solutions for our customers. The Rapid7 product portfolio is one of the most connected
with more than 110 points of interoperability across more than 50 partners including patch
management, ticketing, network topology, IDS/IPS, GRC, NAC, and SIEM solutions. Many of the joint
solutions we build with our partners are focused on eliminating manual processes, reducing time to
mitigate threats, getting the most out of customers' security data, and simply improving the overall
experience of using our products day-to-day.

We have a dedicated team of partner solution engineers who work closely with our customers to
iterate on the solutions we build with partners to ensure we are helping create the most valuable
integration offering on the market. For a complete list of Rapid7's integration partners, please refer
to: https://www.rapid7.com/company/partners/integration.php.
Rapid7’s technology partners include:
Agiliance RiskVision
Amazon Web Services
ArcSight
Box
BMC Software
Brinqa Risk Analytics
Cisco
CyberArk
EiQ
FireEye
FireMon Risk Analyzer
ForeScout
Google Apps
HP Quality Center
HP TippingPoint
Imperva
Jenkins
JIRA
Kenna
Lieberman
Lockpath Keylight
Lumeta
LogRhythm
Windows Server Update Services
Microsoft System Center Configuration Manager
Office365
McAfee
Modulo Risk Manager
NetIQ
NOPSEC
Okta
IBM QRadar
RedSeal
RSA Archer
RSA enVision
RSA Security Analytics
RSA VRM
Rsam
Salesforce

ServiceNow
SkyBox
SolarWinds LEM
SourceFire
Splunk
VCE
VMware
Thycotic
Trace Security

Enterprise Ticketing Systems:


InsightVM integrates with leading ticketing solutions using either the API or in-product remediation
workflows. Depending on the integration point and organization's needs, tickets can be generated per
asset, per vulnerability, or per solution by respective remediation owner. This allows for very flexible
ticket creation without overwhelming the ticketing system and/or the remediation teams.
Ticketing integration with ServiceNow and JIRA is configurable within InsightVM's user interface as part
of remediation workflows. The solution also includes a RESTful API to allow for integration with a
variety of custom ticketing systems.
For more information, please visit https://www.rapid7.com/company/partners/integration.php.

Virtual Appliance:
Rapid7 provides the Virtual Appliance as an Open Virtualization Archive (OVA) file. You can download
either a Virtual Appliance Security Console (VA) or the Virtual Appliance Scan Engine (VASE). Product
updates will happen automatically as defined in the console configuration. Details of how to update
the operating system can be found here:
https://kb.help.rapid7.com/docs/insightvm-and-nexpose-virtual-appliance-guide#section-updating-the-host-s-operating-system

Training:
Rapid7 products are intuitively designed with user experience in mind, but we want to make sure you
are comfortable using them to their full potential to ensure that your business is receiving maximum
value. Whether it’s becoming fully certified in our products, keeping your skills sharp to stay a step
ahead of attackers with our product and skills training, or you’re looking for custom training tailored to
your business needs, our highly skilled Rapid7 experts can help you take your security and IT skills to
the next level.
We offer formalized, curriculum-based training for Rapid7 products with hands-on technical lab
exercises. Custom training is also an option for your organization. We build a class or entire curriculum
suited to your specific training objectives. Courses can include introductory or advanced product
topics and can cover one or more products.
Rapid7's certifications are designed to help demonstrate your level of knowledge and use of Rapid7's
products. Training for your certification prepares you to install, configure, and operate your Rapid7
solution.
Additional information on our available training courses may be found at:
https://www.rapid7.com/services/training-certification/.

