We primarily use the solution for vulnerability management and monitoring the progress of the remediation process.
IT Security Engineer
Reliable, easy to set up, and has a good remediation feature
Pros and Cons
- "The solution scales well."
- "There was functionality present previously, however, currently, we can't integrate directly with Jira Service Desk - only the cloud version."
What is our primary use case?
What is most valuable?
The remediation feature has been quite useful.
It's easy to set up the solution.
It's stable.
The solution scales well.
What needs improvement?
The solution isn't missing any features, and I haven't noticed any shortcomings.
There was functionality present previously, however, currently, we can't integrate directly with Jira Service Desk - only the cloud version. That, or we must share our on-prem Jira Service Desk to the internet. It's not easy for us since we use only the on-prem Service Desk service, and we don't go straight to the internet for our service.
InsightVM can only directly connect to the internet. So, we can't use this integration and send tasks to our technical team from InsightVM. We, therefore, need better integration with Jira Service Desk.
What do I think about the stability of the solution?
The stability has been good overall. I would rate it five out of five in terms of reliability. The performance is good. There are no bugs or glitches, and it doesn't crash or freeze.
Buyer's Guide
Rapid7 InsightVM
November 2024
Learn what your peers think about Rapid7 InsightVM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The solution is suitable for big or small organizations. We have clients of different sizes using the product.
It's used at the engineering level, with security and administrators using it regularly.
I'd rate it five out of five in terms of the ease of scaling.
How was the initial setup?
The solution is straightforward to set up. I'd rate it four out of five in terms of ease of implementation.
We have one or two team members that can set up the solution.
How long it takes to deploy depends on the customer. For a small customer, it's less than one month or sometimes two weeks. For a big customer with many assets and services, it takes two or three months to deploy.
We only need to have one or two people on hand to handle maintenance tasks.
What's my experience with pricing, setup cost, and licensing?
The solution is not overly expensive.
What other advice do I have?
We use this solution for our clients.
We're dealing with the latest version of the product.
InsightVM is a solution based on on-prem infrastructure connected to the cloud service, so it's a hybrid solution.
Overall, it's a nice tool.
I'd rate the solution nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Manager Cyber Security Services & Solutions at Trillium
User-friendly and customizable with great risk scoring feature
Pros and Cons
- "InsightVM's most valuable feature is risk scoring, a formula based on different vectors like the ease of exploitation and the availability of the machine."
- "InsightVM could be improved by providing passive scanning as an option."
What is our primary use case?
InsightVM is mainly used for vulnerability management.
What is most valuable?
InsightVM's most valuable feature is risk scoring, a formula based on different vectors like the ease of exploitation and the availability of the machine. It can be customized according to the customer's needs - for example, if they have an asset that is more vulnerable, they can adjust the risk score according to their infrastructure. It also has a very robust dashboard system and good integration.
What needs improvement?
InsightVM could be improved by providing passive scanning as an option. They could also introduce license packages for fewer than 128 users for smaller organizations.
For how long have I used the solution?
I've been using InsightVM for almost five years.
What do I think about the stability of the solution?
InsightVM is stable.
What do I think about the scalability of the solution?
InsightVM has the option of implementing the scan engine separately, which helps with scalability.
How are customer service and support?
InsightVM's technical support is very good.
How would you rate customer service and support?
Positive
How was the initial setup?
InsightVM is easy to implement and deploy, even for small and medium businesses.
What's my experience with pricing, setup cost, and licensing?
InsightVM's licensing starts at a minimum of 128 IPs and can scale up to over 1,000.
What other advice do I have?
InsightVM is easy to use, has a well-defined dashboard, and can be customized according to your needs. You can also segregate your assets and define IP ranges. I would give InsightVM a rating of nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Country Sales Lead at securic systems
Vulnerability management solution that has a good distribution network and support in Pakistan
Pros and Cons
- "Rapid7 have a good distribution network with good support and market presence."
- "Some of our customers want to be completely cloud based, and Rapid7 doesn't offer this as an option."
What needs improvement?
Their channel program and the process of their deal registration could be improved.
Some of our customers want to be completely cloud based, and Rapid7 doesn't offer this as an option.
For how long have I used the solution?
I have used this solution for one year.
What do I think about the stability of the solution?
This solution is fairly stable.
What do I think about the scalability of the solution?
This is a scalable solution suitable for large environments.
Which solution did I use previously and why did I switch?
We initially worked with Qualys and found that Qualys has a better reputation, but it is expensive. Companies with bigger budgets that would like a cloud solution usually prefer Qualys. This is also because of the product maturity and the research they provide.
The challenge with Qualys is that they do not have any distributors in Pakistan. They do not have an on-premises product, which caters more towards the enterprise accounts in Pakistan. I prefer going with Rapid7 for this reason. Rapid7 have a good distribution network with good support and market presence.
What other advice do I have?
My advice is to explore many options and look at the integrations available. My personal experience is that only implementing vulnerability management doesn't solve all of the problems. We also needed evaluator integrations that provide preventative measures.
I would rate this solution an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Material Coordinator at an energy/utilities company with 1,001-5,000 employees
Useful reports, stable, and good vendor support
Pros and Cons
- "The reports in Rapid7 InsightVM are useful when compared to competitors."
- "Rapid7 InsightVM could be easier to use for those who are using it for the first time."
What is our primary use case?
We are using Rapid7 InsightVM to have a vulnerability assessment solution in our organization to overcome the audit points.
How has it helped my organization?
We are at the stage where we are deciding if the solution will be useful for us or not.
We generate the reports for our IT sessions and try to take the recommended actions. After the action is made, we generate another report to check if this action covers the vulnerability points or not.
What is most valuable?
The reports in Rapid7 InsightVM are useful when compared to competitors.
What needs improvement?
Rapid7 InsightVM could be easier to use for those who are using it for the first time.
The updates should be fixed in the next release.
For how long have I used the solution?
I have been using Rapid7 InsightVM for a few months.
What do I think about the stability of the solution?
The stability of Rapid7 InsightVM has been fine in the three months we have used it.
What do I think about the scalability of the solution?
We are using a virtual environment with Rapid7 InsightVM and we can expand it if we want.
We have approximately three people using this solution in my company. We use the solution weekly or monthly. We would increase the use of the solution if our tests go well.
How are customer service and support?
The support that we are receiving at this time is from our partner who handles the issue with the vendor if needed.
How was the initial setup?
The initial setup was not straightforward because it was our first time doing it.
We did a POC first and this took us two months to make the environment. After we received the license we went into production.
What about the implementation team?
We had a partner help us with the implementation of Rapid7 InsightVM.
We have an IT department that does the maintenance and support of Rapid7 InsightVM.
What's my experience with pricing, setup cost, and licensing?
We have an annual license to use Rapid7 InsightVM and if we want to extend it, we will possibly choose more than one year.
What other advice do I have?
I recommend this solution to others and for them to use a partner for the implementation. It can be difficult for the first time.
I rate Rapid7 InsightVM an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Owner at a tech services company with 1-10 employees
Understands and defends your network from vulnerabilities
Pros and Cons
- "I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps."
- "I would say that it improved our visibility, but it left things open."
What is our primary use case?
We used InsightVM mainly for vulnerability management. I thought it was a pretty interesting application. I'm a fan of Rapid7's Metasploit, so when I saw InsightVM I was like, "Let's see what else they have." I liked it up until we experienced some issues relating to scans. If I wanted to do mitigation, I needed to wait until the next scan was available or ran so that I could get to see if any indentations were made.
While I was in there, if I was searching for a specific vulnerability, sometimes it was hard to find the specific ones. In the dashboard, it'll tell you the results from the scans, and it will also tell you the vulnerabilities and it will rank them for risk. I would have liked to have been able to click on the vulnerability and it would take me to another area that just has the vulnerability with all the hosts. It wouldn't let you do that. You had to come back out of that window and go into another window and search for it. Well, you wouldn't get the same results as the number of hosts. I had to work a little bit harder to find exactly what I needed.
Within our organization, there were two of us using it. Both of us were IT analysts. One was an IT analyst III (which was me), and the other one was the IT analyst manager.
How has it helped my organization?
I would say that it improved our visibility, but it left things open.
What is most valuable?
I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps. I liked that. That was a feature I liked. If your manager had a different dashboard that they liked, and you tried to go into a meeting and they say, "Well, I think your numbers are wrong because my dashboard says this." Well, you couldn't rapidly say, "Here's the default dashboard for this for risk." Whereas, with Tenable, you could go through a dashboard just for risks, and say, "Hey, let's switch to this dashboard so we're seeing the same numbers without customization."
What needs improvement?
They just need to fix it to make it more fluid. If it shows you vulnerabilities, I want to be able to click on the vulnerability and drill down into the vulnerability. If it's rating it as a 10 and it says it's got 30 hosts in it for this vulnerability, I want to click on that vulnerability and get a separate report that says, "Here's the vulnerability specific and here's the host involved." That way I could export it and say, "Hey, this vulnerability's out there, it matches a CVE number that is critical, that Microsoft, Cisco, whatever, has put a patch out there, and here guys, here's what it is and here's the proof. Here's your host that's vulnerable. Here's a change request, fix it, send me back the proof that you fixed it, then allow me to rerun a scan specific to that, on-demand, to say 'Yes, boss, we have mitigated it.'"
I want to be able to just drill down on the reports. If it's showing me there's a vulnerability and there's a said number of nodes that's vulnerable to it, I want to be able to drill down and export that list without having to come back out of it, going into my assets, trying to find the name of the vulnerability, which doesn't match what the dashboard says. To me, that was backward.
For how long have I used the solution?
I have used this solution for one year.
What do I think about the stability of the solution?
It was pretty stable. We didn't have any real hiccups, but it was stable. We didn't have any real hiccups there.
What do I think about the scalability of the solution?
As far as I know, it says it's scalable. I'm not sure if that company I used to work for had to scale it up or down.
How are customer service and technical support?
The tech support was very helpful. Actually, I knew a couple of them so it was very helpful.
I would give their tech support a rating of 10 — I knew them from using Metasploit and some other products. It was more of a, "Hey, I got this issue, how can you help me with it?" They'd point me and say, "Hey, check this out."
How was the initial setup?
I wasn't involved in the initial setup, so I can't comment on that.
What other advice do I have?
Do your proof of concepts if you can. Make sure you develop your risk strategy. That's important, because it's going to give you a risk number, it's going to give you critical: highs, mediums, but you need to understand what is the risk methodology that you're going to follow. Just because it says it's critical because of how many vulnerabilities you have, doesn't mean that you need to work on it right away.
For example, there was a vulnerability that had 2,000 nodes affected. It put it as a high-risk, whereby there was another vulnerability where there were only about 10 hosts affected — it put it at medium-risk. However, the high-risk one, because it had more nodes affected, did not have a POC associated with it. A novice person looking at it would say, "I need to work on these 1,000 vulnerabilities because it's a high-risk, and ignore the medium." Well, the medium one had an active POC on it. If you didn't have a person who understood how to read the report and what it's actually telling you, then you would say, "Hey, you know what, I'm going to use these, I'm going to cut my risk down because I got 1,000 nodes with this vulnerability and I'm going to put this chain out real quick and I'm going to reduce my risk real quick because of the numbers." Well, in my opinion, you didn't reduce your risk because you have 10 nodes out there with a vulnerability that's rated medium and it has a POC on it.
Overall, on a scale from one to ten, I would give this solution a rating of eight. I'm going to say that is because shame on Rapid7 for having such great applications, but then that little piece there that they know about hasn't been fixed. If I remember, if I go probably log back into the community, it's probably been asked a couple of times.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Enterprise Manager Infrastructure and Operations at McGrath RentCorp
Enables us to gain insight into internal systems vulnerabilities and remediation tasks
Pros and Cons
- "Rapid7 InsightVM has given us a practical view of the vulnerabilities present in our organization."
- "A definite improvement would be to make it easier to run ad-hoc scans without needing to assign the asset to a site or group."
What is our primary use case?
Our primary use case for this solution is to gain insight into internal systems vulnerabilities and remediation tasks.
How has it helped my organization?
Rapid7 InsightVM has given us a practical view of the vulnerabilities present in our organization. Not only does it verify the vulnerability, but scores it against the skill level of an attacker.
What is most valuable?
The feature that we find most valuable is the granularity. You can view your assets however makes the most sense to your business. We found that we could isolate systems easily via tagging and site setup.
What needs improvement?
A definite improvement would be to make it easier to run ad-hoc scans without needing to assign the asset to a site or group.
For how long have I used the solution?
Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior manager at Software Productivity Group
Affordable solution with an easy initial setup process
Pros and Cons
- "It is a stable solution."
- "They should improve the cybersecurity feature of the solution."
What is our primary use case?
We use the solution for vulnerability management of our on-cloud environments.
What is most valuable?
The solution provides all the required features for vulnerability management.
What needs improvement?
They should improve the cybersecurity feature of the solution.
For how long have I used the solution?
We have been using the solution for a month.
What do I think about the stability of the solution?
It is a stable solution. We can connect it with other platforms easily.
What do I think about the scalability of the solution?
We have four to five solution users in our organization.
How was the initial setup?
The solution's initial setup process is easy.
What's my experience with pricing, setup cost, and licensing?
The solution's license costs around $30 per month. It is less expensive compared to other competitors.
What other advice do I have?
I advise others to consider the number of IP addresses required to be scanned for their network while opting for Rapid7. I rate the solution as a nine.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Security Solution Engineer II at a security firm with 501-1,000 employees
Easy to deploy, scalable, and helps in prioritizing the risks with risk scoring
Pros and Cons
- "The risk score that they provide makes it easier to find out the biggest risks. It helped the security officers to understand where the biggest risks are so that they can act on them. They can instruct their IT teams to give them a higher priority and mitigate them."
- "It is still not a fully cloud-based solution. It will be helpful for customers if it is a complete cloud solution. It is a hybrid solution at the moment."
How has it helped my organization?
A big vulnerability was discovered last year for jshell. We got a lot of questions from our customers about which services are vulnerable. We could give an answer in just a few minutes to the customers and also warn them.
What is most valuable?
The risk score that they provide makes it easier to find out the biggest risks. It helped the security officers to understand where the biggest risks are so that they can act on them. They can instruct their IT teams to give them a higher priority and mitigate them.
What needs improvement?
It is still not a fully cloud-based solution. It will be helpful for customers if it is a complete cloud solution. It is a hybrid solution at the moment.
For how long have I used the solution?
I have been working with this solution for two years. It is a cloud solution, and I have been using its latest version.
What do I think about the stability of the solution?
It is definitely stable.
What do I think about the scalability of the solution?
It is made for scalability. We use it to monitor our own company with 250 users. Day-to-day, three people are monitoring the environment.
How are customer service and support?
It is perfect. I would rate them a nine out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
It was straightforward. It took a couple of hours. I would rate it a nine out of ten in terms of ease of setup.
In terms of maintenance, it is all self-updating.
What was our ROI?
It is difficult to estimate the ROI. For our management, it is a really important tool. It helps us to understand if something is not going perfectly.
What's my experience with pricing, setup cost, and licensing?
Its licensing is yearly. Everything is included in the price for one year.
Which other solutions did I evaluate?
We checked other solutions. We went for it because it has a cloud platform inside, which integrates with our SIEM solution, and it has many more capabilities than other products.
What other advice do I have?
I would advise others to make sure that every asset in the environment is monitored by the tool. I see many customers who think they have full coverage of all assets, but they are missing a part of the network. In such a case, they will get an incorrect understanding of their security.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.