Rapid7 InsightVM Reviews

We mainly use it for vulnerability management, generating monthly reports to address and resolve vulnerabilities. The main use cases involve receiving alerts based on predefined settings by Rapid7, investigating these alerts to understand their causes, and performing fine-tuning activities.

The most valuable features of Rapid7 InsightVM for me are creating dynamic asset tags, generating reports, and deploying the agent. The agent scans assets every four hours, providing real-time data on any devices. Although there weren't any significant new features compared to our previous tool, having both SIEM and vulnerability management handled by one tool made things easier. We could gather logs from different devices and cloud sources, and perform detailed investigations without switching tools.

I haven't worked with the automation capabilities of InsightVM. For remediation prioritization, we check the vulnerability, search for solutions on open platforms, and work with different teams to apply patches after proper testing. Currently, we don’t have any AI or ASM projects assisted by InsightVM

I’d like to see Rapid7 InsightVM improve by adding a knowledge base similar to what Qualys offers. This would help us easily check and search for vulnerabilities using Rapid7 IDs associated with CVs or CVSS.

From a features perspective, everything was fine at the time, and the security features of Rapid7 InsightVM were effective.

I've been working with Rapid7 InsightVM since December.

Overall, I would recommend Rapid7 InsightVM to others. My advice would be to first understand your requirements and infrastructure before implementing the product. I would rate InsightVM as an eight.

We use the solution for vulnerability management. We perform scanning and security patching in selected network zones utilizing it.

The solution's most valuable features are the simplicity of use, identifying vulnerable assets, and the ability to create remediation projects.

They should integrate the solution with multiple products along with ServiceNow.

We have been using the solution for two or three months.

I rate the solution's stability as an eight.

We have a few tens of users of the solution. They include IT specialists, engineers, and administrators. We can easily install scan engines in different zones of our network. But, we face difficulties pairing the scan engines to the management console. 

I rate the solution's scalability as an eight.

The vendor team helps us install the solution.

The solution's pricing depends on the number of users per month as per our contract. We have a limit of scanning around 4000 appliances. It covers a sufficient scope regarding our requirements.

The solution works well. I recommend it to others and rate it as an eight.

We used InsightVM mainly for vulnerability management. I thought it was a pretty interesting application. I'm a fan of Rapid7's Metasploit, so when I saw InsightVM I was like, "Let's see what else they have." I liked it up until we experienced some issues relating to scans. If I wanted to do mitigation, I needed to wait until the next scan was available or ran so that I could get to see if any indentations were made. 

While I was in there, if I was searching for a specific vulnerability, sometimes it was hard to find the specific ones. In the dashboard, it'll tell you the results from the scans, and it will also tell you the vulnerabilities and it will rank them for risk. I would have liked to have been able to click on the vulnerability and it would take me to another area that just has the vulnerability with all the hosts. It wouldn't let you do that. You had to come back out of that window and go into another window and search for it. Well, you wouldn't get the same results as the number of hosts. I had to work a little bit harder to find exactly what I needed.

Within our organization, there were two of us using it. Both of us were IT analysts. One was an IT analyst III (which was me), and the other one was the IT analyst manager.

I would say that it improved our visibility, but it left things open.

I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps. I liked that. That was a feature I liked. If your manager had a different dashboard that they liked, and you tried to go into a meeting and they say, "Well, I think your numbers are wrong because my dashboard says this" Well, you couldn't rapidly say, "Here's the default dashboard for this for risk." Whereas, with Tenable, you could go through a dashboard just for risks, and say, "Hey, let's switch to this dashboard so we're seeing the same numbers without customization."

They just need to fix it to make it more fluid. If it shows you vulnerabilities, I want to be able to click on the vulnerability and drill down into the vulnerability. If it's rating it as a 10 and it says it's got 30 hosts in it for this vulnerability, I want to click on that vulnerability and get a separate report that says, "Here's the vulnerability specific and here's the host involved." That way I could export it and say, "Hey, this vulnerability's out there, it matches a CVE number that is critical, that Microsoft, Cisco, whatever, has put a patch out there, and here guys, here's what it is and here's the proof. Here's your host that's vulnerable. Here's a change request, fix it, send me back the proof that you fixed it, then allow me to rerun a scan specific to that, on-demand, to say 'Yes, boss, we have mitigated it.'"

I want to be able to just drill down on the reports. If it showing me there's a vulnerability and there's a said number of nodes that's vulnerable to it, I want to be able to drill down and export that list without having to come back out of it, going into my assets, trying to find the name of the vulnerability, which doesn't match what the dashboard says. To me, that was backward.

I have used this solution for one year.

It was pretty stable. We didn't have any real hiccups, but it was stable. We didn't have any real hiccups there.

As far as I know, it says it's scalable. I'm not sure if that company I used to work for had to scale it up or down.

The tech support was very helpful. Actually, I knew a couple of them so it was very helpful.

I would give their tech support a rating of 10 — I knew them from using Metasploit and some other products. It was more of a, "Hey, I got this issue, how can you help me with it?" They'd point me and say, "Hey, check this out."

I wasn't involved in the initial setup, so I can't comment on that.

Do your proof of concepts if you can. Make sure you develop your risk strategy. That's important, because it's going to give you a risk number, it's going to give you critical: highs, mediums, but you need to understand what is the risk methodology that you're going to follow. Just because it says it's critical because of how many vulnerabilities you have, doesn't mean that you need to work on it right away.

For example, there was a vulnerability that had 2,000 nodes affected. It put it as a high-risk, whereby there was another vulnerability where there were only about 10 hosts affected — it put it at medium-risk. However, the high-risk one, because it had more nodes affected, did not have a POC associated with it. A novice person looking at it would say, "I need to work on these 1,000 vulnerabilities because it's a high-risk, and ignore the medium." Well, the medium one had an active POC on it. If you didn't have a person who understood how to read the report and what it's actually telling you, then you would say, "Hey, you know what, I'm going to use these, I'm going to cut my risk down because I got 1,000 nodes with this vulnerability and I'm going to put this chain out real quick and I'm going to reduce my risk real quick because of the numbers." Well, in my opinion, you didn't reduce your risk because you have 10 nodes out there with a vulnerability that's rated medium and it has a POC on it.

Overall, on a scale from one to ten, I would give this solution a rating of eight. I'm going to say that is because shame on Rapid7 for having such great applications, but then that little piece there that they know about hasn't been fixed. If I remember, if I go probably log back into the community, it's probably been asked a couple of times.

The core domain use of the solution is verification, scanning, and finding out the vulnerabilities in real time.

The ease of deployment and configuration allows users to onboard quickly, aligning smoothly with various functionalities.

The data sheet is good in pricing and promises. The customers are very price-conscious. You have to satisfy technical requirements. This combo makes the product valuable and usable.

Two things are consistent. The rest of the things run fine. The technical side does not respond quickly. They take a lot of time. The priority should be to respond to the customer to serve the customer.

I have been using Rapid7 InsightVM for more than three years.

The solution’s stability is good. It keeps on running. There are no system complaints.

The solution’s scalability is linked to the new scope and the cost.

We are actively seeking alternatives. If you can offer a better solution, superior after-sales service, and overall better everything, we would like to explore what you have to offer.

The initial setup is not so complex. It is quickly deployable configurable and integrated with your existing setup.

The common process for Rapid7 InsightVM involves comparing it against their standard procedures to ensure compliance with the required licenses and resources. Users download the necessary files and initiate/reactivate licenses. Certain configurations are also set up. This process typically takes two to three days for the department, but we usually allocate a week for completion.

Our team feels enabled enough after completing the training session on Rapid7 InsightVM. We conduct our tests independently, and whenever we need support, we seek assistance directly from Rapid7. This process isn't overly complex or time-consuming. We ensure thorough preparation by gathering all necessary information, addressing internet concerns, and informing the customer. Once fully prepared, we proceed forward.

The solution’s pricing is good because the value proposition delivers a report box. It is not very costly.

Since the product is cloud-based, there's no maintenance. Whatever the information or the customization of the customer needs to be confirmed. The hardware needs maintenance.

Overall, I rate the solution a six out of ten.

I don't use this solution directly because I'm not a security admin, but my use case is checking servers against it to see what our patching penetration looks like and whether there are any vulnerabilities that need to be cleared up. We are customers of Insight VM.

One of the great features is reporting where you know exactly what the solution has found, and you're also provided with a resolution to any problem. It's great. I also like the fact that it can go through and scan not just the Windows server but also all the Linux boxes. The same applies to Unix boxes which provide a full report regarding vulnerabilities that need to be rectified or packages that need to be applied. 

There are some issues with how it scans patches. Sometimes one patch will have been superseded by another but it won't see that, because one little key hasn't changed. 

I've been using this solution for several years. 

It's a scanning system, so of course there are resource issues. That said, it's a stable solution. 

Scalability is good; it has supported all of our servers from Windows to Linux, and does it rather well. 

I recommend reviewing the documentation and studying the built-in reports because they are a valuable resource. It's a great product that reports everything that's wrong with a system, providing detailed and high-level reports. 

I rate the solution nine out of 10. 

Our company uses the solution to discover, identify, and patch vulnerabilities or disable certain services. The solution provides the patch recommendations that we implement via another tool. 

Four team members manage the solution internally and for various clients who each have fifty users. 

The solution helps to identify lots of misconfigurations, flaws, or security risks. Anything insecure is exposed easily. 

The solution is automatically scheduled so it runs by itself. 

The solution should include a tighter integration with third-party threat modeling and threat intelligence tools. Rapid7 is the solution's own threat intelligence platform but third-party platforms would be a great addition. 

It would be nice to have patching capabilities built within the solution rather than using third-party products. 

I have been using the solution for three years. 

The solution is extremely stable. 

The solution is easily scalable with the purchase of additional licenses. 

Technical support is extremely good and we get support quite fast. Technical support is rated a ten out of ten. 

Positive

The setup is very straightforward so I rate it a ten out of ten. 

We implement the solution for customers. 

The solution is a bit more reasonably priced than other products. 

Most products in this category are similar with no real difference so it all comes down to price. 

It is important to have a strong patch management plan that prioritizes what and how you need to patch. 

The solution does the vast majority of work but you need a proper system so you can take output to your operations team for patching. A good workflow between teams is important. 

I rate the solution a ten out of ten. 

One of the most valuable features is it's graphical dashboard feature. It is quite easy to manage the widgets, and we can customize those according to our queries.

The other most valuable feature is that we can integrate Rapid7 InsightVM with JIRA. If a vulnerability in our services or server is found, it directly connects with JIRA and will assign a ticket. We can then share that with our development team or infrastructure team. Within a team, we can share it and assign the ticket, and we can smoothly do the mitigation process.

Also, InsightVM has an image container that can be utilized via a CI/CD pipeline. We can directly integrate with building tools, and we can have vulnerability assessment throughout the development life cycle.

Rapid7's initiative Project Sonar digs out the vulnerabilities arising all over the world and sends feedback to the systems. They then immediately update their databases and begin mitigation processes.

Within InsightVM, there is no feature to assign a ticket. If we can have more API calls, we can do that from InsightVM.

There is room for improvement when it comes to JIRA integration. If they can collaborate with the JIRA team, then it will be easier for people to use it.

If we can configure and define more features such as the critical elite level through InsightVM, it would be better.

I would prefer to have vulnerability assessment with more features, like code analysis, code coverage, etc.

I would also prefer to have a method of custom image analysis for assessment.

In the SDLC (software development lifecycle), if we could easily integrate with a particular lifecycle, then we could have more descriptive reports.

I have worked with this solution for two years now.

It is definitely stable.

The scalability is quite good. We can increase the number of assets by paying either onsite or online. Also, we have an onsite engine, and we can install it in our cloud or AWS cloud, for instance.

The technical support team has answered our questions within a couple of hours. They have provided precise answers so far to all the questions we have asked them.

The initial setup was an easy task because we have a Linux server installed.

InsightVM has a framework that's very interesting, and they have very detailed documentation. They have step-by-step directions for the installation process, and we can download them from their site. This means that anyone can easily install it and configure it.

The harder part is writing the queries. We need to have knowledge of InsightVM and how queries, assets, and conditional formats occur. Extensive knowledge can be valuable at this stage of the process.

Pricing is reasonable because we pay according to asset usage. We can define our assets and sites according to our preference.

I recommend doing a comparison of Qualys, Rapid7, and Nessus. Because the scope is different from company to company and cluster to cluster, it would be good to research each product and decide according to your needs.

If I were to rate Rapid7 InsightVM, I would rate it at seven on a scale from one to ten.

We'll use Rapid7 InsightVM for on-premises scanning and the virtual machine option for cloud-based environments.

It is a good tool for comprehensive risk management, including prioritization and remediation.

It is a great endpoint agent. It gives you reliable information about that infrastructure and offers strong accuracy for risk management. However, unlike other management tools that have improved precision testing, InsightVM requires an additional purchase for full access to some of its advanced features.

Other solutions, like Cisco, have strengths, but Rapid7 InsightVM has some solid features, such as the RapidServer Active Response, the ability to create endpoint agents, and a live dashboard. However, the main concern is the system's reliability. For instance, during a scan on an Ubuntu machine, the system mistakenly identified the OS as Windows. This kind of inaccuracy is problematic.

I have been using Rapid7 InsightVM for a year. 

The response takes some time.

Neutral

Rapid7 is a bit expensive.

Tenable has 20% lower pricing and includes built-in web application testing, which gives it an advantage over Rapid7 InsightVM.

I recommend Tennable for small and Rapid for big enterprises.

Overall, I rate the solution an eight out of ten.