Rapid7 InsightIDR Reviews

Our company is a system integrator for Rapid7 InsightIDR. We use the latest SaaS version of the product. Rapid7 InsightIDR works as the foundation of the security operation center in our company. The solution is used in our organization for data ingesting for multiple security devices and solutions. Rapid7 InsightIDR provides insights and stability on the security aspects of the company. 

The unconventional detection rules of Rapid7 InsightIDR are quite beneficial. The solution provides satisfying native integration features. 

The searching feature in Rapid7 InsightIDR needs to evolve. For instance, when pursuing an incident handling task, extensive searching is required, and the solution's own query language can only be used. In situations similar to the aforementioned example, the solution becomes difficult to use. It would be interesting if the vendor could make the search feature like the Google search engine. 

I have been working with Rapid7 InsightIDR for three years. 

Overall, the solution is stable enough. I would rate the stability a nine out of ten. 

The product's scalability seems good enough. In our company, we are able to manage a couple of thousand devices comfortably using only one single tenant.

Through our company, thousands of users are using the interface of Rapid7 InsightIDR to process data and check incidents. I have implemented data ingestion for couple of thousand devices that include virtual machines, switches, routers and firewalls.

For all the aforementioned devices we haven't faced any issues in our company. Rapid7 InsightIDR is used in our company, majorly for medium and enterprise grade customers, where some enterprises have more than 5000 employees and some less than that. 

Our company mostly receives fast and suitable support from Rapid7 InsightIDR, but sometimes the response arrives quite slow. I would rate the technical support a seven out of ten. 

Neutral

I would rate the initial setup a nine out of ten. It's quite straightforward to put the solution to work. Once Rapid7 InsightIDR activates the tenant, the deployment process becomes straightforward. In our company, we just download the agents and install them in the customers' virtual machines.

Following the aforementioned step, some integration with Azure Entra ID authentication services or on-prem authentication is required. Thus, some base integration is required for login data. For the final stage of deployment, as part of the company, we configure a couple of customizations for the detection rules to start ingesting data; the niche customizations can be performed easily for the use cases. 

In our company we have an engineering deployment team who are highly skilled in setup processes. For client companies with less than 500 devices, usually one full-time engineer is enough for the deployment. For clients with 500 devices, when we at our company use automation to deploy the agents, it takes only a couple of days to finish the deployment process. 

The solution has a mid-range price point in the market. The licensing cost depends on the customer size and the negotiation on whether to add IVM. There are multiple add-ons to the base licensing fee, we use them only for specific customers of our organization. The additional licenses increase the pricing drastically, so we try to stick with the base license at our company. 

At our company, along with Rapid7 InsightIDR we use multiple cloud providers like Azure, Google, Oracle and AWS infrastructure to ingest data. 

I would advise others to select a reliable system integrator to implement Rapid7 InsightIDR for the correct use cases or business needs. The solution is satisfying, but there are multiple other solutions in the market, and having a partner can help a customer explore all the options before adopting one. Overall, I would rate Rapid7 InsightIDR an eight out of ten. 

The solution lacks an AI-driven capability. While other competitors emphasize AI as the most important feature.

I have been using Rapid7 InsightIDR as a distributor for seven years.

The product's stability is high. I rate the solution’s stability an eight out of ten.

Due to its cloud-based nature and numerous agents, its scalability is high. This, combined with its on-premise environment, ensures rapid performance. It can handle several thousand. It is best suited for large-scale businesses.

Support is slow. I'm not satisfied with the support so far.

Neutral

Due to the product's complexity, the initial setup can be challenging. Additionally, setting up the product and training the customer can be quite demanding. Deploying the appliance or sensor on-premises can take up to twelve months.

The product pricing is very cheap.

InsightIDR automates everything through InsightConnect in a seven-day cycle.

The product has improved significantly since its inception. However, based on feedback I've received from other products in the market, aside from InsightIDR.

It improved because several sensors are deployed within the on-premise environment. It can be very efficient if the customer implements and operates it effectively. 

If you combine it with InsightIDR, then it may become more compact. Maybe IBM was a bit larger. So, having MDR is the main key point for this product.

Overall, I rate the solution a four out of ten.

The most valuable feature of the product for managing security events stems from the fact that the product's intelligence part is very good since it offers its own threat intelligence and vulnerability management platform. The tool also has its own cloud security posture management platform. The tool also is a dynamic application security testing platform. The aforementioned tools fall under Rapid7 InsightIDR's kitty. The intelligence and the data that Rapid7 gathers from customers across the globe enrich the quality of its detection capabilities. All other tools in the market depend on third-party solutions for intelligence. Rapid7 InsightIDr has the intelligence part natively available within the product, giving it a good edge over other vendors.

I believe that Rapid7 InsightIDR has moved to a complete cloud-first strategy. The tools offered by Rapid7 InsightIDR are amazing. The product should have provided some capabilities to users who wanted to stay or use the tool's on-premises version, as it would have provided the solution with more acceptance in the market, especially in the Middle East region.

It takes time for the product's support team to resolve issues, making it an area of concern where improvements are required.

I have been using Rapid7 InsightIDR for three to four years.

As I haven't heard any complaints about the product, I rate the solution's stability a nine out of ten.

Scalability-wise, I rate the solution a ten out of ten. As a cloud tool, the product is highly scalable.

The product is meant for medium-sized customers and large enterprises and not for corporate or government organizations since the product is available only on the cloud. Customers who have the privilege of using cloud solutions can use Rapid7 InsightIDR. Cloud solutions' use is less in government spaces in the Middle East region since there are some regulations to use cloud-based products. In the private space, I feel that Rapid7 InsightIDR is considered to be a fairly strong product.

It is difficult for enterprise businesses to use the solution, especially the ones regulated by governments. There are no problems with the solution when it comes to a private company or a private enterprise. I think Rapid7 InsightIDR provides the best tools. The tool won't work for you if you are not allowed to use a public cloud.

I rate the technical support a six to seven out of ten.

Neutral

The tool has improved the efficiency of security incident detection and response in our company as it works fairly well. It is possible to enhance the capabilities of the platform since the solution offers a whole stack or suite of tools. When dealing with Rapid7 InsightIDR, you will see the integration capabilities offered are extremely seamless. Rapid7 InsightIDR offers its own set of features that enrich the capabilities of the vulnerability management tool. In general, the product's features increase the solution's overall capabilities in terms of reporting and detection of vulnerabilities.

I can't remember a scenario where the product was effective in threat hunting or investigation. Rapid7 InsightIDR is a very acceptable product for people who want a cloud-based solution. The product is not available on an on-premises version. The product can be useful for industries ranging from SMBs to large-sized companies where there is a need for a tool that can be very easily rolled out at a very effective and attractive price point that gives them very good coverage from a cybersecurity perspective.

Speaking about how the product has enhanced the security posture in our company, I would say that I am not really sure about the capabilities of the UABA part of the solution since I haven't seen many use cases around it.

Rapid7 InsightIDR mean time-to-detect and mean time-to-respond are fairly good because Rapid7's support team does pick up a ticket whenever it is raised from the users' end, but its mean time-to-resolve has some concerns since some of the tools under Rapid7 are available on an on-premises model. In specific to InsightIDR, I think that everything is very good, including areas like detection, MTTD, and MTTR, which are very good in InsightIDR specifically. The product can improve a bit in the area of MTTD and MTTR.

Rapid7 InsightIDR's integration capabilities with other tools are not an area I have experience with since the product is completely available on the cloud. I believe that whatever integrations users want from the product would work since it is a solution that is available on the cloud. I don't have personal experience with the integration part.

I rate the overall tool a seven out of ten.

I used it in my previous company. We were the integrator of the solution, and also a partner of Rapid7 at the time. 

We used it for security monitoring and also for analytics. We used it for our own company, and like an MSSP, we sold this to our customers. So, we did security monitoring for our customers and interim response for them.

It was cloud-based, and I was using its latest version.

Previously, when something happened, such as when a hacker was attacking one of our customers, we were always behind, or we didn't know that we were hacked until the ransomware started. With the Rapid7 solution, at every step, we could online see what a person was doing, and we could prevent ransomware. Previously, we could never say it can be really prevented, but with Rapid7, we could see the first steps of what they were trying to do, and we could mitigate those steps before there is a big outage.

The biggest reason why we chose Rapid7 was to gain value in a really quick time. Its deployment doesn't take months. It just takes a few days.

When something is happening, such as there is hacking or something else going on, the information provided is really helpful. It almost tells you what to do. It is enriched with a lot of information.

One of the things that could be better is digital forensics. It is there, but it can be better. They could provide more on the endpoint detection level.

It could have intelligence. It is available as a separate product but not as a part of the platform itself.

It is definitely stable. We never have any outages. I would rate it a ten out of ten in terms of stability.

It is definitely scalable. I would rate it a ten out of ten in terms of scalability.

We had six users who were monitoring the systems. There were 10 customers with about 10,000 employees in total.

They are responsive, but there is scope for improvement. I would rate them an eight out of ten.

Positive

It is straightforward. I would rate it a nine out of ten in terms of the ease of setup.

In terms of maintenance, it is all cloud-based. So, the maintenance is done by the vendor.

It must be really high, but we never looked at the real numbers.

It is on a yearly basis. For our own company, for about 250 users, it was 16,000 euros a year.

We had a list of three products. We tried them all, and in the end, we went for Rapid7 because it was easy to deploy, and it required little or no maintenance. The price was another reason.

One of the biggest reasons why we chose it as our security platform was that it is not only for security monitoring. We could see a lot of improvements coming over the next couple of years. Automation is one of the things that will be really important in the next few years. It is already there, but we didn't buy it.

I would rate it a nine out of ten.

Visibility and response.

I am able to run automated actions based on the output of reports, leaving me extra time to focus on more pressing matters.

The ability to ingest Office 365 log files, then process them into events and display them on a map. This feature is particularly useful as it allows us to view students who are attempting to bypass our content filters, and it shows us users who have been phished.

Personally, I feel it would greatly benefit from more supported log sources. Additionally, the ability to tune the collector for custom logs would greatly help.

Product is cloud-based. Thus far, it has proven to be stable.

No product scales extremely well

The technical support is a solid 10 out of 10 as they take the time to answer any questions or problems which may arise in a reasonable time frame.

Initial setup was straightforward. 

I had a support engineer sit with me through the whole process over the course of three days. He was a huge help!

This is a great product. The team is very willing to work with companies. My suggestion is to call the Rapid7 sales department and see how they can help.

We did PoC with a couple of other products. However, Rapid7 InsightIDR was the best product for our needs and budget.

We evaluated LogRhythm and AlienVault. Both were inferior in regards to pricing or performance.

I was looking for a behavior analytics solution to help me monitor our users' activity and to notify of any suspicious activity.

InsightIDR was able to meet those needs and even exceed it by providing full SIEM capabilities, even for devices they don’t support directly. Most importantly, I don’t need a team of people dedicated to log collecting and sifting.

With the full suite of Rapid7 products, I am able to provide effective oversight to the information security program with measurable progress. This is a very difficult thing to measure with the ever-changing threat landscape. Dashboards, including the main screen, provide much-needed information at a glance, without hours of coding and sifting through logs to find it. In case of an actual security incident, I have faith that insightIDR has retained all logs in a secure manner that prevents log tampering as well.

InsightIDR’s ability to process millions of transactions per day, and to notify me of the most critical ones, is priceless. InsightIDR has the alerts tuned, and has the ability to quickly drill down to determine the threat level, which is very important to me as a one-person security department.

Another very important part of insightIDR is the ability to collect data from endpoint devices via agent software. With a large remote workforce, this allows visibility into the endpoints that are connected to the internet, but not to the corporate network.

I would like the ability to adjust the threshold of certain existing alerts.  Currently the only option is to change the notifications or create my own alert. 

I have not encountered any stability issues with the local collector. On the rare occasion that the cloud part of insightIDR is undergoing maintenance or having other issues, I usually receive a notification from Rapid7 before I even notice a problem.

I have not seen any issues with scalability. On average, insightIDR is processing about 60 million events per day from my environment.

The technical support folks at Rapid7 are a great bunch of folks. I haven’t had much need to contact them, but when I have they have been extremely professional and will escalate issues and suggestions to developers, if needed.

I actually purchased the predecessor, InsightUBA, which quickly changed into the insightIDR that we have today. There was no other previous solution.

Setup was extremely simple. An implementation specialist was assigned to me to help get me started and to learn my environment and challenges.

For the most part, all communications are sent to a log aggregation server. It is as simple as pointing syslogs to that server. For some, such as Active Directory and Exchange, there are plugins that are simple to install on those servers to make sure the appropriate logs are sent.

From InsightIDR, it is as simple as choosing from a list of supported log sources, or you can create a generic log source by specifying a port number. It’s that simple.

Licensing is straightforward. If, for some reason, you don’t meet the minimum licensing requirements, there is a third-party managed service that can help.

I did not consider any other options in depth. Most other options I saw required one or more full-time employees to maintain.

In the past I have made several requests and have had the opportunity to work with developers and user-interface specialists to add enhancements to the product. The effort that Rapid7 puts into the user interface, after gaining first-hand use-case information directly from us, the end users, is unprecedented.  Even when I worked for much larger companies, I did not see so many suggestions turn into reality.

Be sure to take full advantage of the agents. I have not seen any performance problems on the endpoints, and having this level of information from outside the network is difficult otherwise.

Normally, we use the solution as an event viewer to collect and resume cases and playbooks.

The main problem lies in the processes within the client's operating systems. XDR is superior to CMs. Observing how the processes function within the machine is essential if you are monitoring the client or servers, and not only the event with the first or second line but the third line is most important.

I've been familiar with the solution for six months.

The solution is very stable and works very well for what I need it to do. The solution is completely different in an experienced environment and a real environment.

I have worked with Wazuh before, but only to try it. Wazuh is more or less the same as Rapid7 InsightIDR.

I rate Rapid7 InsightIDR an eight out of ten.

Centralized SIEM / Intrusion Detection System.

The focus on users/endpoints gives us so much more understanding of the events going on across the network, allowing us to step back from looking at logs only to see the actual behavior patterns instead.

The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue.

The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in.

We have rarely encountered any issues with stability. The primary source of stability issues has been the couple times where there have been lost log messages online. While that's unavoidable, it's definitely not desirable if I happen to have an incident at that time.

We haven't had any issues with scalability yet. (We'll keep trying).

Technical support for InsightIDR has been fantastic. We've used Rapid7 for over a year now, and, while support calls happen, it's rarely over something simple that's just not working. Normally we call because of something heavily situational, and the techs have always figured it out.

A private ELK stack was used originally. We moved off of it as we wanted to ensure that we were focusing on the security of the company, and not writing log parsing rules all day.

The initial setup was pretty straightforward, but it takes a little bit of a mental leap to understand how it all works together. What's key to remember is that it is user and endpoint centric, and not account centric. That means that, over time, it will start associating user.a on host1 to user.a on host2 and treating them as the same. It could be a little confusing for some companies if they don't use standardized permissions or don't use administrative-only accounts, but for most current user-access mechanisms, it shouldn't lead to any abnormal results.

Licensing is by endpoint and amount of retention time (at least ours is). Default retention was one year, but we are able to push the retention further if needed. There's also a provide-your-own-S3 option for longer retention if you don't want to pay for the additional retention years in your Rapid7 agreement.

AlienVault, LogRhythm, Qualys.

Have a plan going forward (Syslog exports, agent-based collection, etc.) and ensure WMI is available if using Windows Servers. It was very easy to set up, but troubleshooting can be "fun" if an endpoint doesn't connect correctly. Don't be shy of support requests. They'd rather you be "that person" that keeps getting support, rather than being the one that ran into an issue and stopped using the product.