Rapid7 InsightVM Reviews

With InsightVM, I continuously monitor my network by setting up regular scans to identify vulnerabilities in real-time. It IS particularly useful for focusing on customer-facing systems at our perimeter, helping me prioritize and quickly address any security risks.

InsightVM offers a robust platform for identifying, prioritizing, and addressing vulnerabilities across an organization's IT infrastructure.

One area I would like to improve in InsightVM is its integration with other solutions, particularly for better compatibility with upcoming tools we plan to adopt. Enhanced functionality for budget management or change management databases could also be beneficial.

I have been working with InsightVM for over two years.

I would rate the stability of the solution as a nine out of ten.

InsightVM's scalability is top-notch and I would rate it a solid nine out of ten. Being a cloud-based solution, it effortlessly adjusts to accommodate varying needs and can easily scale from small to large environments.

Rapid7's technical support is highly responsive and helpful. I would rate them as a nine out of ten.

Positive

I chose Rapid7 over Tenable Nessus because of its better performance, comprehensive functionality, and stronger support for operating systems and services. While Tenable Nessus may be cheaper, it lacks integration with other features and is more suited for SMBs rather than enterprises.

Implementing InsightVM was straightforward. Setting it up to scan external networks at the perimeter was effortless; I just needed to create a cloud account and start using the solution. For internal network scanning, I installed the software on my notebook, which took about five to ten minutes for a single version setup, but it is important to note that it doesn't support Windows platforms.

InsightVM's pricing can vary depending on the coverage needed. While it may not be the cheapest option, purchasing an unlimited license could be cost-effective for larger environments. For smaller needs, it might be more expensive compared to competitors. I would rate the affordability of the product at a four out of ten.

I prioritize vulnerabilities in InsightVM by first focusing on customer-facing systems at our perimeter, which helps me quickly identify and address any security risks. Then, I utilize the cloud-based engine to scan internal networks and ensure comprehensive coverage without the need for complex on-premise solutions, making it easy to manage from my notebook connected to the internet.

Additionally, in InsightVM, we prioritize vulnerabilities by utilizing comprehensive data sources like the NVD and Rapid7's specialized risk calculation methods. The solution provides detailed information, including exploitability and impact, and evaluates whether vulnerabilities could be exploited in specific environments like NetApp.

I would recommend InsightVM to others. Overall, I would rate the product as an eight out of ten.

We primarily use it for inventory and vulnerability management in our environment. We also use it to identify real risks and focus on container email scanning.

The most valuable feature for me is the risk calculation based on monthly effects. It's interactive, and the risk calculation depends on various factors such as quantity, hardware, and package used.

The team needs to improve the speed and focus on the new bandwidth feed. Sometimes, it takes a while to scan, especially with new updates. So, they should update the database quickly for the scanning to work more efficiently. Additionally, they should add pack management solutions for better integration with products like Microsoft FC and IBM Bigfoot.

They need to add more features or focus on work screening, and adding pack management solutions would be great. Moreover, there is room for improvement in technical support.

I've been using it for about three years now.

It is a stable product, and I would give it a seven.

It is a scalable product. Currently, there are around 1,000 users in my company using Rapid7 InsightVM.

Customer service and support are usually responsive, but there is room for improvement in their response time. The quality of support is good.

The initial setup is simple.

Along with Rapid7 InsightVM, we use Metasploit for already scanning. We also use it for website vulnerability scanning. For vulnerability scanning, we also use solutions from Tenable Network Security. Tenable is better because of its more frequent updates. However, it may depend on the industry and the use case. For now, Nessus is better for vulnerability scanning because of its ability to quickly and accurately detect vulnerabilities. However, Rapid7's team should work on improving the capacity of InsightVM to do the same.

Overall, I would rate the solution an eight out of ten.

We are system integrators. Our clients normally use it to detect vulnerabilities in terms of a lack of patches in certain systems and databases. Its console can be installed on-premise or on the Rapid7 data center.

When you connect any new device to the network, Rapid7 has the ability to detect the new device immediately. It can scan that device to detect if it has any vulnerability. 

It tells you what is vulnerable and what has been misconfigured. It also tells you what is the risk of that misconfiguration or lack of patches and how to resolve the problem.

In terms of improvements, its price could be better. Our main issue with Rapid7 is that it is too expensive. You can only sell it to enterprise accounts. 

In terms of new features, Rapid7 came up with a product called InsightIDR a couple of years ago, which is a good SIEM solution. We expect that Rapid7 will work on some sort of integration between InsightVM and InsightIDR, where vulnerability or anomaly detected by InsightVM can be reported in InsightIDR in some sort of real-time.

Rapid7 doesn't patch. For example, if you have a vulnerability, some products can scan and also do the patching, but Rapid7 does not do the patching. It would be nice if it can also patch.

We have been working with this solution for the last three years or so. 

It has been stable. There is nothing that has caused any major damage to our customers. Normally, what happens is that when something goes wrong, the customer normally blames the tool first before admitting that they touched something or whatever the case may be.

We have a couple of customers with various company sizes, and we haven't had any scalability issues. Rapid7 is pretty much an enterprise solution. We're talking about customers with more than 1500 nodes to scan.

Their technical support is very good.

I don't handle the installation, but it was not difficult to implement. The basic setup took us about four days or so.

Normally, for a product like this, the complexity of implementation is proportional to the size of the infrastructure that is going to be scanned and also how heterogeneous it is. An enterprise product like this is not like using a coffee maker. You need to have some knowledge of where you are installing it. You also need to have some knowledge of the technology that you are going to scan. You can't scan everything in the same way.

Its price is too high. My only concern or issue with Rapid7 is its pricing.

Our clients evaluate Qualys, Tenable, and Rapid7. It doesn't really matter which one you choose. You cannot go wrong with all of these products. They have been very well ranked by Gartner. The main difference is probably the pricing.

I would recommend this solution. I would rate Rapid7 InsightVM an eight out of ten.

The main purpose for using Rapid7 InsightVM is vulnerability management and visibility.

The cost is what is most valuable. Compared to the other products on the market, the cost is more palatable. Also the functionality. 

It is a single pane of glass that I can do most things.

I see ongoing progress constantly. There isn't much opportunity to make recommendations for improvement from our end. Technology does what we want it to do.

The only issue I have with their business plan is how they interact with South African enterprises. 

They have one singular distributor that I must work with, and that is where my two points go. 

I can't interact with Rapid7 directly. I must work via the local incumbent, the distributor. And working with this third party can be tiresome at times.

Rapid7 InsightVM doesn't work with us directly. I have to work with a  distributor. If I need quotes or technical support, for example, I have to work with the distributor rather than Rapid7 InsightVM directly.

We are a registered reseller and a trusted partner. However, for us to get any support from them I can't log a call directly with Rapid7 InsightVM. I have to work with the distributor to log the call for me.

I have been working with Rapid7 InsightVM for two to three years.

We are using the latest version.

Rapid7 InsightVM is very stable. I would rate the stability a five out of five.

Rapid7 InsightVM is a scalable product. I would rate the scalability a five out of five.

We have approximately 1, 500 endpoints in our company.

It's not users, but endpoints, because the model is built around the endpoints you want to monitor. We run on around 1,500 endpoints. It is not user-specific.

One person can easily manage this solution, but we have a team of four engineers to manage our environment.

I have not contacted technical support directly.

We also use Tenable Nessus.

I am not involved with the initial setup. I have a support team that is managing that.

We deploy it depending on our client's requirements. We use it as well as our clients.

The deployment was done in-house. We do it ourselves.

We had four, and all four worked on the project. This is not to say that there is just one primary job or four main jobs. Our engineers all work as a team.

I can definitely see a return on investment.

It's good. We get the value from the product.

We purchase annual licenses.

We provide our own support. We have resources that have been certified to work on the product. It is purely the license fee.

In terms of affordability, I would rate it a three out of five.

I believe they see us as resellers because we resell it, but when we use it for professional services, they regard us as partners. They use both terms in the same sentence.

We support it.

I strongly recommend it. It's a good product. 

It's only the backend support that needs to be improved. However, there isn't very much that has room for improvement in the product right now.

They are not flawless. We have had problems here and there, but overall, I would rate Rapid7 InsightVM an eight out of ten.

We use the solution mainly for servers and vulnerability management.

The solution's user interface is good and has some vulnerability prioritization. Rapid7 InsightVM has good integrations with ServiceNow and its own remediation project creation options.

Rapid7 InsightVM is not PCI certified, which didn't help us in the London office because of the Cyber Essentials Plus certification, which is mandatory there. We had to outsource the vulnerability management for the London office.

One of the most important things for a vulnerability management tool is the identification of vulnerabilities. When it comes to Rapid7 InsightVM, the vulnerabilities are not updated within its database. This is one of the major things that should be changed in Rapid7 when it comes to customer reliability. If the database is not updated, it could jeopardize the customer's servers and data.

The solution's support staff does not reply on time, which should be improved. Rapid7 InsightVM should improve its threat intelligence.

I have been using Rapid7 InsightVM for the last few years.

The solution's initial setup is good.

Overall, I rate the solution a six out of ten.

I don't use this solution directly because I'm not a security admin, but my use case is checking servers against it to see what our patching penetration looks like and whether there are any vulnerabilities that need to be cleared up. We are customers of Insight VM.

One of the great features is reporting where you know exactly what the solution has found, and you're also provided with a resolution to any problem. It's great. I also like the fact that it can go through and scan not just the Windows server but also all the Linux boxes. The same applies to Unix boxes which provide a full report regarding vulnerabilities that need to be rectified or packages that need to be applied. 

There are some issues with how it scans patches. Sometimes one patch will have been superseded by another but it won't see that, because one little key hasn't changed. 

I've been using this solution for several years. 

It's a scanning system, so of course there are resource issues. That said, it's a stable solution. 

Scalability is good; it has supported all of our servers from Windows to Linux, and does it rather well. 

I recommend reviewing the documentation and studying the built-in reports because they are a valuable resource. It's a great product that reports everything that's wrong with a system, providing detailed and high-level reports. 

I rate the solution nine out of 10. 

We implemented it to scan all the assets. In terms of deployment, in my previous organization, it was deployed on-prem, but in my current organization, it is on the cloud.

The assessment is most valuable.

Their customer support should be improved, and the effectiveness of scans also needs to be improved.

I am an implementor. I have been working with this product from time to time. I started working with it around 2016 for a project. After that, we implemented it in 2019 for another project. Currently, I am not using it, but it is being used in the organization.

Its stability is fine.

Its scalability is okay. We have approximately 3,000 members. Every asset gets scanned. So, indirectly or directly, everyone is using this product.

We plan to keep using this tool. We don't want to get into another scanning tool right now. It has been selected as an enterprise tool, and we aren't going to move to another tool. Any new employees would get added to this tool.

Their support could be better. I would rate them a three out of five.

We were using Qualys. We switched because of the organization's standard.

It is not complex. I would rate it a three out of five in terms of the ease of the setup.

I would rate this solution a seven out of ten.

In our first use case, we wanted to map the solution back to our NIS (Network and Information Systems) framework and the CIS (Center for Internet Security that publishes Critical Security Controls). That is the first part. The second part of this same use case is that we wanted to do continuous vulnerability scanning. That is we wanted to scan the complete network every month at a minimum. What we are finding out in practice is that we are scanning every week because of our network and the size of it. In the end, we are able to get even more aggressive than our original position.  

The next use case was we wanted to identify the assets that were in our environment. We can identify how many servers we have, we have identified how many desktops and laptops we have got, et cetera. To that point is where we were looking at pretty good.  

Our next use case was the obvious next step where we wanted to identify vulnerabilities. That meant identifying all the vulnerabilities from critical all the way down to the low. We needed to know what they were and how many. Also, we wanted to know how many are unique versus how many there are in total.  

We also wanted to get away from tracking vulnerabilities on spreadsheets. It was incredibly cumbersome, incredibly hard to do, and it was not efficient. The IT guys kept telling me that they did not know how to fix certain issues. So I thought we needed to do CVSS ( Common Vulnerability Scoring System) on it. They were a bit resistant to that idea. Well, I was not about to start doing that for them. So InsightVM gives us the ability now to track the issues and communicate how the remediation should occur to fix vulnerabilities.  

Then the last thing is we wanted was to have a dashboard for management. We had to have a dashboard to be able to have a CIO (Chief Information Officer) log in and find out where we sit with things. Like where do we sit with remediation where are we failing to make expected progress and things of that nature.  

Rapid7 gave us the ability to do a lot of that, and it was not a cumbersome tool to implement. It is good and fits well with pretty much all of our use case needs. It only falls short in a couple of spots.  

Now that we have been using it, I think there are some things Rapid7 needs to consider and address in improving InsightsVM. I think the reporting piece has room for improvement. While they have a lot of reporting, and some of the reporting is really good, there are some things that I think they can do better on. They need to add some categories that are not covered and expand a few things that have only surface coverage.  

I would love to be on a customer advisory board so that I could provide feedback to them and show them what their solution does not do. For example, I could point out things that I can not do with a widget on the dashboard that I would expect it to be able to do. Things like that might help them improve the product from a real user's perspective. That could amount to a lot of different things, but ideally, it would focus on your most common issues.  

There were a couple of things I know that the security analyst and I were looking at and we were wondering why Rapid7 would choose to implement it that way. Like if they did not include something we needed as part of a report, we could not do what we expected when running the report. That is a little frustrating. I would say that they need to spend some more time evaluating enhancements suggested by customers so that they can get those things implemented and round out the user experience. That is the reason why I think a CAB (Customer Advisory Board) is important for vendors like Rapid7.  

We rolled it out in our operations between June and September. So we have been using it since June of 2020.  

I do not know at this point just how scalable this solution is. We bought it for an enterprise solution, so our enterprise need is getting solved. I do not know how much scaling we have to do on top of that. I do not like the fact that as a vulnerability scanner, this product has a fault to a certain extent. We want to be able to scan applications dynamically and this solution does not give us that ability. It does for web apps. But if you are a company that does not have a lot of web apps, something is getting left uncovered.  

Let's say you have a third-party app. You go to that third-party developer and you ask if they have ever done a security attestation on the application. They look at you and like they have no idea what the heck you are talking about and they have no idea what that means. It would be good, in that case, to be able to take the Rapid7 product and point it at that third-party app and scan it dynamically. That way you can get code vulnerabilities or functional vulnerabilities. What would otherwise be a problem is something you could identify and isolate. If Rapid7 looked at the scripting and identified a secret injection attack at line 1,141 — or something to that effect — it could be vetted. It does do that, but it only does that on web applications. Why stop there?  

In order to solve that issue, you have to go out and buy another third-party product that allows you to scan the application to do dynamic or static vulnerability scanning on the application. I do not like that omission because I had that capability with Qualys. We could take Qualys and we could point it at an application and get dynamic scanning reports from it. It told us a line that needed to be fixed and everything.  

I have not yet gotten into the bowels of that discussion with Rapid7, but I want to. What I did find out about it is our current setup does not cover that type of potential application vulnerability. It does allow for some scanning of web applications, but we are not a company that has a lot of web applications. We are not a retail organization. We do not sell anything. We do have web applications, but they are mainly used for marketing.  

We probably have close to a dozen people in our organization who are currently interfacing in some way with Rapid7 InsightVM. That part is scalable. The utility does have those certain limitations, however.  

We have a client service manager for Rapid7 tech support. He is an appointed customer service manager where we have him for the first year. We are working with him to identify things, correct things, implement, attune, and things like that. Because of that relationship, I do not have a need to call their regular tech support right now. We just worked through the service manager.  

I have had some previous experience with Qualys and using Rapid7 now is really a matter of what I chose to bring on based on my personal user experience. Each has its own advantages and neither is a bad product.   

The initial installation and setup were pretty much straightforward. We did run into an issue with credentialing. We ended up working through that and got that correct.  

I think it was done fairly quickly overall. When we ran into that credentialing issue, we spent about three weeks or so — almost a month — working through that. The issue meant involving some guys from some of the other IT teams and getting them into the mix to help us out.  

I had implemented InsightVM before at another company. I liked it when we were using it there which is why it ended up here. I have also had previous experience with Qualys. I did not have the time or the luxury to sit back and do a full analysis, RFI (Request for Information) and RFP (Request for Proposal) when we had to bring on the solution. We are not the CIA (Central Intelligence Agency), we are not the NSA (National Security Agency). We do not need any sophisticated solution or anything like that. We just needed something we could bring in, get online fairly quickly, and get running to do reports. Rapid7 InsightsVM fit the bill.  

On a scale of one to ten (where one is the worst and ten is the best), I would rate Rapid7 InsightVM as probably about an eight-out-of-ten. It gets an eight rather than scoring higher just because of some of the other stuff that I wish we had.