IT Security Architect at a government with 1,001-5,000 employees
Real User
Speed and quality of vulnerability scanning translates to reliable and timely results
Pros and Cons
  • "There are many integrations with things like the VMware NSX that are great, the reporting is really solid."
  • "Some difficulties with the online reporting and lack of integrations."

What is our primary use case?

We have a few primary use cases. The main one is looking at the visibility of devices that are on our network to keep track of things as they come and go. We're looking for known vulnerabilities, whether it's the operating system, network devices, mobile devices, and the like. When we find the vulnerabilities, we remediate them, so it's also our job to verify that remediations have been successful. In addition, we are now beginning to get involved in setting security baselines and configuring baselines and using InsightVM to audit those configurations.

We're scanning about 6,000 devices. There are about 4,000 users in our environment, they are all IT staff. We also have technical leads from our user services, which is our workstation support, mobile devices, laptops, etc. We've got our infrastructure office which is servers and cloud administration, the IT security group, which is myself, and then our network support team and network administrators as well. It means our IT leadership gets some definite value from the reporting there. The CTO, his assistant, and all the IT managers receive their information from there as well. We have one person working in maintenance, and that's not a full-time position. 

What is most valuable?

For us, there are many integrations with things like the VMware NSX that are great, and the reporting is really solid. I like the ability to set goals and SLAs for remediation. When a new vulnerability is found we can have an SLA associated with it automatically based on severity and some of those things. I like the integration with Cisco ISE for identity and doing automated containments and the like. But the biggest thing for me is the quality of the vulnerability scanning itself. The quality of the results and the timeliness, the speed with which they update with new checks for new vulnerabilities. That is the big thing for us.

What needs improvement?

There are some difficulties with the online reporting and lack of integrations. The information that you can get from the APIs in the software is not the best. There's still some fleshing out of their API that I think could benefit them as well.

I'd like to see more integrations with ticketing systems. Right now, JIRA and ServiceNow are the only ticketing systems that have integration with Rapid7. Extending that would be big. Some additional integrations with some patch management solutions would be good too. IBM BigFix and SCCM. Microsoft has integrations there. In our situation, we're not using either of those and that feature doesn't really give us a whole lot. If there were to be new integrations added on, both on the patch management and the ITMS side, that would be a big improvement.

Additional features would be the additional integrations for ticketing systems that I mentioned. There are always updates rolling out for new scans and things. 

For how long have I used the solution?

We've been using the solution for quite a few years. 

Buyer's Guide
Rapid7 InsightVM
April 2025
Learn what your peers think about Rapid7 InsightVM. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
848,716 professionals have used our research since 2012.

What do I think about the stability of the solution?

I've been impressed with the stability. The only issues that have really come up have been on the cloud reporting aspect. We've had a couple of issues here or there, but their support people were able to get us fixed up in a couple of hours. As far as the on-premises stuff, the only issues we've honestly had with it were problems of our own making. We didn't keep an eye on storage and it filled up but that was a lack of monitoring on our side. Since then it's been rock solid.

What do I think about the scalability of the solution?

I haven't thrown anything at it that it can't handle. The report generation slows down the larger your environment gets, and the greater the number of scans you're trying to integrate into a single report. Even with the increased resources that we gave the server when we did a rebuild hasn't caused any problems. I would anticipate that if you're getting up into the tens of thousands of devices and trying to report across all of those, I could see that grinding to a halt a little bit.

Otherwise, scalability is great. We have more than doubled the number of devices that we're scaling since we did the initial install. We're up to somewhere around 6,000 now and it's chugging right along.

How are customer service and support?

The technical support have been a pleasure to work with. 

How was the initial setup?

The initial setup was pretty straightforward. There were a couple of things with integrating and some areas where it gets a bit more complex, but for the most part, it was very straightforward, especially for how powerful a solution it is. We're running a fairly advanced setup here with multiple scanning engines, scanning pools, and integrations into other systems in our environment and all of that. Defining all of the sites and asset grouping and all of those sorts of things, took some additional time after that. You'd have to do that no matter what. 

What about the implementation team?

We used professional services from Rapid7 to assist with the initial deployment, and setup was completed in less than two days. They were great. They took their time and didn't just do the setup; they also included user education, and they have continued to reach out since then and make sure we're getting value from the product.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are somewhere around $40,000 annually. There are no additional fees. We will probably increase our license count annually as our environment kind of naturally grows. We started out with probably about a third of the network covered and we are up to probably 75, 80% now. We'll get that up to over 99%, I'm sure.

Which other solutions did I evaluate?

We looked at a few other options: Acunetix was on the list and we looked at Manage Engine, Nessus, Rubric, Alien Vault, Microfocus, ArcSight, FireMon and RedSeal. On the vulnerability management side, we were very, very impressed with Rapid7 and the Insight VMware product. We looked more in-depth at a few of the others but VMware Insight stood out. The ease of use on VMware Insight coming from an organization that doesn't have a large dedicated security team, and being able to split out some of those responsibilities amongst people who may have a strong IT background, but may not have an IT security background really helped us out. It became a no-brainer at that point.

What other advice do I have?

It's important to take the time to have a full understanding of how schemes are scheduled, how sites and asset groups are set up and make sure it's done upfront. It's a big help. If you remove an old site and recreate it with small differences you lose some of the data associated with the old site. Getting the organization sorted from the beginning would be the biggest piece of advice.

It's very important to know what your environment is made up of. People often leave companies without documenting things and there's a lot that not everybody knows about because it was in the back of someone's mind. We now have a great repository of information on what's active on our network, what's installed on it, how all of those systems are interacting, and really having that visibility is great. One of the big lessons we were able to get value from immediately was really just having good visibility of what's in our environment.

It's a very solid product, reporting is great, it's reliable. We have a lot of faith in the results it gives us. At least once a week, I get a notification with some great new features that they've added that I didn't really even know I wanted, but now I have it and can't imagine life without it. 

The product is cloud-based, but with an on-prem portion, but it all auto-updates. The actual scanning engine and all of that is on-prem for us. It's a SaaS solution, it's not one where we are running our own servers. It's provided as a service for us on the cloud. The on-premises stuff that we're running is just virtual machines on our VMware environment.

I would rate this product an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Owner at Sidif Del Caribe Corporation
Reseller
A stable enterprise solution that can automatically detect new devices and scan them for vulnerabilities
Pros and Cons
  • "When you connect any new device to the network, Rapid7 has the ability to detect the new device immediately. It can scan that device to detect if it has any vulnerability. It tells you what is vulnerable and what has been misconfigured. It also tells you what is the risk of that misconfiguration or lack of patches and how to resolve the problem."
  • "In terms of improvements, its price could be better. Our main issue with Rapid7 is that it is too expensive. You can only sell it to enterprise accounts. In terms of new features, Rapid7 came up with a product called InsightIDR a couple of years ago, which is a good SIEM solution. We expect that Rapid7 will work on some sort of integration between InsightVM and InsightIDR, where vulnerability or anomaly detected by InsightVM can be reported in InsightIDR in some sort of real-time. Rapid7 doesn't patch. For example, if you have a vulnerability, some products can scan and also do the patching, but Rapid7 does not do the patching. It would be nice if it can also patch."

What is our primary use case?

We are system integrators. Our clients normally use it to detect vulnerabilities in terms of a lack of patches in certain systems and databases. Its console can be installed on-premise or on the Rapid7 data center.

What is most valuable?

When you connect any new device to the network, Rapid7 has the ability to detect the new device immediately. It can scan that device to detect if it has any vulnerability. 

It tells you what is vulnerable and what has been misconfigured. It also tells you what is the risk of that misconfiguration or lack of patches and how to resolve the problem.

What needs improvement?

In terms of improvements, its price could be better. Our main issue with Rapid7 is that it is too expensive. You can only sell it to enterprise accounts. 

In terms of new features, Rapid7 came up with a product called InsightIDR a couple of years ago, which is a good SIEM solution. We expect that Rapid7 will work on some sort of integration between InsightVM and InsightIDR, where vulnerability or anomaly detected by InsightVM can be reported in InsightIDR in some sort of real-time.

Rapid7 doesn't patch. For example, if you have a vulnerability, some products can scan and also do the patching, but Rapid7 does not do the patching. It would be nice if it can also patch.

For how long have I used the solution?

We have been working with this solution for the last three years or so. 

What do I think about the stability of the solution?

It has been stable. There is nothing that has caused any major damage to our customers. Normally, what happens is that when something goes wrong, the customer normally blames the tool first before admitting that they touched something or whatever the case may be.

What do I think about the scalability of the solution?

We have a couple of customers with various company sizes, and we haven't had any scalability issues. Rapid7 is pretty much an enterprise solution. We're talking about customers with more than 1500 nodes to scan.

How are customer service and technical support?

Their technical support is very good.

How was the initial setup?

I don't handle the installation, but it was not difficult to implement. The basic setup took us about four days or so.

Normally, for a product like this, the complexity of implementation is proportional to the size of the infrastructure that is going to be scanned and also how heterogeneous it is. An enterprise product like this is not like using a coffee maker. You need to have some knowledge of where you are installing it. You also need to have some knowledge of the technology that you are going to scan. You can't scan everything in the same way.

What's my experience with pricing, setup cost, and licensing?

Its price is too high. My only concern or issue with Rapid7 is its pricing.

Which other solutions did I evaluate?

Our clients evaluate Qualys, Tenable, and Rapid7. It doesn't really matter which one you choose. You cannot go wrong with all of these products. They have been very well ranked by Gartner. The main difference is probably the pricing.

What other advice do I have?

I would recommend this solution. I would rate Rapid7 InsightVM an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
reviewer1043379 - PeerSpot reviewer
Chief Executive Officer at an outsourcing company with 11-50 employees
Reseller
A single pane of glass with good functionality, and is easy to manage
Pros and Cons
  • "The cost is what is most valuable. Compared to the other products on the market, the cost is more palatable."
  • "We are a registered reseller and a trusted partner. However, for us to get any support from them I can't log a call directly with Rapid7 InsightVM. I have to work with the distributor to log the call for me."

What is our primary use case?

The main purpose for using Rapid7 InsightVM is vulnerability management and visibility.

What is most valuable?

The cost is what is most valuable. Compared to the other products on the market, the cost is more palatable. Also the functionality. 

It is a single pane of glass from which I can do most things.

What needs improvement?

I see ongoing progress constantly. There isn't much opportunity to make recommendations for improvement from our end. Technology does what we want it to do.

The only issue I have with their business plan is how they interact with South African enterprises. 

They have one singular distributor that I must work with, and that is where my two points go. 

I can't interact with Rapid7 directly. I must work via the local incumbent, the distributor. And working with this third party can be tiresome at times.

Rapid7 InsightVM doesn't work with us directly. I have to work with a distributor. If I need quotes or technical support, for example, I have to work with the distributor rather than Rapid7 InsightVM directly.

We are a registered reseller and a trusted partner. However, for us to get any support from them I can't log a call directly with Rapid7 InsightVM. I have to work with the distributor to log the call for me.

For how long have I used the solution?

I have been working with Rapid7 InsightVM for two to three years.

We are using the latest version.

What do I think about the stability of the solution?

Rapid7 InsightVM is very stable. I would rate the stability a five out of five.

What do I think about the scalability of the solution?

Rapid7 InsightVM is a scalable product. I would rate the scalability a five out of five.

We have approximately 1,500 endpoints in our company.

It's not users, but endpoints, because the model is built around the endpoints you want to monitor. We run on around 1,500 endpoints. It is not user-specific.

One person can easily manage this solution, but we have a team of four engineers to manage our environment.

How are customer service and support?

I have not contacted technical support directly.

Which solution did I use previously and why did I switch?

We also use Tenable Nessus.

How was the initial setup?

I am not involved with the initial setup. I have a support team that is managing that.

We deploy it depending on our client's requirements. We use it as well as our clients.

What about the implementation team?

The deployment was done in-house. We do it ourselves.

We had four, and all four worked on the project. This is not to say that there is just one primary job or four main jobs. Our engineers all work as a team.

What was our ROI?

I can definitely see a return on investment.

It's good. We get the value from the product.

What's my experience with pricing, setup cost, and licensing?

We purchase annual licenses.

We provide our own support. We have resources that have been certified to work on the product. It is purely the license fee.

In terms of affordability, I would rate it a three out of five.

What other advice do I have?

I believe they see us as resellers because we resell it, but when we use it for professional services, they regard us as partners. They use both terms in the same sentence.

We support it.

I strongly recommend it. It's a good product. 

It's only the backend support that needs to be improved. However, there isn't very much that has room for improvement in the product right now.

They are not flawless. We have had problems here and there, but overall, I would rate Rapid7 InsightVM an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
reviewer2510463 - PeerSpot reviewer
Information Security, Cyber Operations Analyst at a consultancy with 5,001-10,000 employees
Real User
Has a good user interface, but its threat intelligence could be improved
Pros and Cons
  • "The solution's user interface is good and has some vulnerability prioritization."
  • "Rapid7 InsightVM should improve its threat intelligence."

What is our primary use case?

We use the solution mainly for servers and vulnerability management.

What is most valuable?

The solution's user interface is good and has some vulnerability prioritization. Rapid7 InsightVM has good integrations with ServiceNow and its own remediation project creation options.

What needs improvement?

Rapid7 InsightVM is not PCI certified, which didn't help us in the London office because of the Cyber Essentials Plus certification, which is mandatory there. We had to outsource the vulnerability management for the London office.

One of the most important things for a vulnerability management tool is the identification of vulnerabilities. When it comes to Rapid7 InsightVM, the vulnerabilities are not updated within its database. This is one of the major things that should be changed in Rapid7 when it comes to customer reliability. If the database is not updated, it could jeopardize the customer's servers and data.

The solution's support staff does not reply on time, which should be improved. Rapid7 InsightVM should improve its threat intelligence.

For how long have I used the solution?

I have been using Rapid7 InsightVM for the last few years.

How was the initial setup?

The solution's initial setup is good.

What other advice do I have?

Overall, I rate the solution a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Andrei Bigdan - PeerSpot reviewer
Executive Manager at B2B-Solutions LLC
Real User
Top 5
Particularly useful for focusing on customer-facing systems and offers excellent scalability
Pros and Cons
  • "InsightVM offers a robust platform for identifying, prioritizing, and addressing vulnerabilities across an organization's IT infrastructure."
  • "One area I would like to improve in InsightVM is its integration with other solutions."

What is our primary use case?

With InsightVM, I continuously monitor my network by setting up regular scans to identify vulnerabilities in real-time. It is particularly useful for focusing on customer-facing systems at our perimeter, helping me prioritize and quickly address any security risks.

What is most valuable?

InsightVM offers a robust platform for identifying, prioritizing, and addressing vulnerabilities across an organization's IT infrastructure.

What needs improvement?

One area I would like to improve in InsightVM is its integration with other solutions, particularly for better compatibility with upcoming tools we plan to adopt. Enhanced functionality for budget management or change management databases could also be beneficial.

For how long have I used the solution?

I have been working with InsightVM for over two years.

What do I think about the stability of the solution?

I would rate the stability of the solution as a nine out of ten.

What do I think about the scalability of the solution?

InsightVM's scalability is top-notch and I would rate it a solid nine out of ten. Being a cloud-based solution, it effortlessly adjusts to accommodate varying needs and can easily scale from small to large environments.

How are customer service and support?

Rapid7's technical support is highly responsive and helpful. I would rate them as a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I chose Rapid7 over Tenable Nessus because of its better performance, comprehensive functionality, and stronger support for operating systems and services. While Tenable Nessus may be cheaper, it lacks integration with other features and is more suited for SMBs rather than enterprises.

How was the initial setup?

Implementing InsightVM was straightforward. Setting it up to scan external networks at the perimeter was effortless; I just needed to create a cloud account and start using the solution. For internal network scanning, I installed the software on my notebook, which took about five to ten minutes for a single version setup, but it is important to note that it doesn't support Windows platforms.

What's my experience with pricing, setup cost, and licensing?

InsightVM's pricing can vary depending on the coverage needed. While it may not be the cheapest option, purchasing an unlimited license could be cost-effective for larger environments. For smaller needs, it might be more expensive compared to competitors. I would rate the affordability of the product at a four out of ten.

What other advice do I have?

I prioritize vulnerabilities in InsightVM by first focusing on customer-facing systems at our perimeter, which helps me quickly identify and address any security risks. Then, I utilize the cloud-based engine to scan internal networks and ensure comprehensive coverage without the need for complex on-premise solutions, making it easy to manage from my notebook connected to the internet.

Additionally, in InsightVM, we prioritize vulnerabilities by utilizing comprehensive data sources like the NVD and Rapid7's specialized risk calculation methods. The solution provides detailed information, including exploitability and impact, and evaluates whether vulnerabilities could be exploited in specific environments like NetApp.

I would recommend InsightVM to others. Overall, I would rate the product as an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
SonNguyen3 - PeerSpot reviewer
Technical Manager at a computer software company with 11-50 employees
Real User
Top 20
Good for inventory and vulnerability management
Pros and Cons
  • "The most valuable feature for me is the risk calculation based on monthly effects."
  • "The team needs to improve the speed and focus on the new bandwidth feed. Sometimes, it takes a while to scan, especially with new updates."

What is our primary use case?

We primarily use it for inventory and vulnerability management in our environment. We also use it to identify real risks and focus on container email scanning.

What is most valuable?

The most valuable feature for me is the risk calculation based on monthly effects. It's interactive, and the risk calculation depends on various factors such as quantity, hardware, and package used.

What needs improvement?

The team needs to improve the speed and focus on the new bandwidth feed. Sometimes, it takes a while to scan, especially with new updates. So, they should update the database quickly for the scanning to work more efficiently. Additionally, they should add pack management solutions for better integration with products like Microsoft FC and IBM Bigfoot.

They need to add more features or focus on work screening, and adding pack management solutions would be great. Moreover, there is room for improvement in technical support.

For how long have I used the solution?

I've been using it for about three years now.

What do I think about the stability of the solution?

It is a stable product, and I would give it a seven.

What do I think about the scalability of the solution?

It is a scalable product. Currently, there are around 1,000 users in my company using Rapid7 InsightVM.

How are customer service and support?

Customer service and support are usually responsive, but there is room for improvement in their response time. The quality of support is good.

How was the initial setup?

The initial setup is simple.

Which other solutions did I evaluate?

Along with Rapid7 InsightVM, we use Metasploit for already scanning. We also use it for website vulnerability scanning. For vulnerability scanning, we also use solutions from Tenable Network Security. Tenable is better because of its more frequent updates. However, it may depend on the industry and the use case. For now, Nessus is better for vulnerability scanning because of its ability to quickly and accurately detect vulnerabilities. However, Rapid7's team should work on improving the capacity of InsightVM to do the same.

What other advice do I have?

Overall, I would rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Head of Cyber Security at Super Secure
Reseller
Top 10
Easy deployment, but technical support could respond faster
Pros and Cons
  • "The ease of deployment and configuration allows users to onboard quickly."
  • "Technical support does not respond quickly."

What is our primary use case?

The core domain use of the solution is verification, scanning, and finding out the vulnerabilities in real time.

How has it helped my organization?

The ease of deployment and configuration allows users to onboard quickly, aligning smoothly with various functionalities.

What is most valuable?

The data sheet is good in pricing and promises. The customers are very price-conscious. You have to satisfy technical requirements. This combo makes the product valuable and usable.

What needs improvement?

Two things are consistent. The rest of the things run fine. The technical side does not respond quickly. They take a lot of time. The priority should be to respond to the customer to serve the customer.

For how long have I used the solution?

I have been using Rapid7 InsightVM for more than three years.

What do I think about the stability of the solution?

The solution’s stability is good. It keeps on running. There are no system complaints.

What do I think about the scalability of the solution?

The solution’s scalability is linked to the new scope and the cost.

Which solution did I use previously and why did I switch?

We are actively seeking alternatives. If you can offer a better solution, superior after-sales service, and overall better everything, we would like to explore what you have to offer.

How was the initial setup?

The initial setup is not so complex. It is quickly deployable, configurable, and integrated with your existing setup.

The common process for Rapid7 InsightVM involves comparing it against their standard procedures to ensure compliance with the required licenses and resources. Users download the necessary files and initiate/reactivate licenses. Certain configurations are also set up. This process typically takes two to three days for the department, but we usually allocate a week for completion.

Our team feels enabled enough after completing the training session on Rapid7 InsightVM. We conduct our tests independently, and whenever we need support, we seek assistance directly from Rapid7. This process isn't overly complex or time-consuming. We ensure thorough preparation by gathering all necessary information, addressing internet concerns, and informing the customer. Once fully prepared, we proceed forward.

What's my experience with pricing, setup cost, and licensing?

The solution’s pricing is good because the value proposition delivers a report box. It is not very costly.

What other advice do I have?

Since the product is cloud-based, there's no maintenance. Whatever the information or the customization of the customer needs to be confirmed. The hardware needs maintenance.

Overall, I rate the solution a six out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
IRM Technical Consultant at Shell
Real User
Provides good assessment, but the effectiveness of scans can be better
Pros and Cons
  • "The assessment is most valuable."
  • "Their customer support should be improved, and the effectiveness of scans also needs to be improved."

What is our primary use case?

We implemented it to scan all the assets. In terms of deployment, in my previous organization, it was deployed on-prem, but in my current organization, it is on the cloud.

What is most valuable?

The assessment is most valuable.

What needs improvement?

Their customer support should be improved, and the effectiveness of scans also needs to be improved.

For how long have I used the solution?

I am an implementor. I have been working with this product from time to time. I started working with it around 2016 for a project. After that, we implemented it in 2019 for another project. Currently, I am not using it, but it is being used in the organization.

What do I think about the stability of the solution?

Its stability is fine.

What do I think about the scalability of the solution?

Its scalability is okay. We have approximately 3,000 members. Every asset gets scanned. So, indirectly or directly, everyone is using this product.

We plan to keep using this tool. We don't want to get into another scanning tool right now. It has been selected as an enterprise tool, and we aren't going to move to another tool. Any new employees would get added to this tool.

How are customer service and support?

Their support could be better. I would rate them a three out of five.

Which solution did I use previously and why did I switch?

We were using Qualys. We switched because of the organization's standard.

How was the initial setup?

It is not complex. I would rate it a three out of five in terms of the ease of the setup.

What other advice do I have?

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user