Assistant Engineer at Harel Mallac Technologies Ltd
Plenty of options, reliable, and simple installation
Pros and Cons
- "The solution is good because it has a lot of options."
- "The solution could improve by being more secure."
What is our primary use case?
We use Rapid7 InsightVM mostly for VM management.
What is most valuable?
The solution is good because it has a lot of options.
What needs improvement?
The solution could improve by being more secure.
For how long have I used the solution?
I have been using Rapid7 InsightVM for approximately one month.
Buyer's Guide
Rapid7 InsightVM
November 2024
Learn what your peers think about Rapid7 InsightVM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution has been stable.
What do I think about the scalability of the solution?
Rapid7 InsightVM is scalable.
How are customer service and support?
I have not needed to contact the support at this time.
How was the initial setup?
The installation is simple, it took us approximately six hours.
What about the implementation team?
I did the implementation myself.
What other advice do I have?
I would recommend this solution to others.
I rate Rapid7 InsightVM a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
CoFounder & Head of Technology at intuity
Professional support, absolutely stable, and easy to use and deploy
Pros and Cons
- "I really love the new platform. It is really easy to understand, use, and deploy."
- "It would be great to have a mobile application client. Currently, you have to use a mobile web browser on a device, but it is not similar to the desktop web browser in terms of user experience. It would be nice to have a mobile application to access the platform."
What is our primary use case?
We are using InsightVM for vulnerability management services. We use it for providing professional services to our customers, and we also use it for our internal use.
We do on-premises and cloud deployments.
What is most valuable?
I really love the new platform. It is really easy to understand, use, and deploy.
Their support is very professional and good at troubleshooting issues.
What needs improvement?
It would be great to have a mobile application client. Currently, you have to use a mobile web browser on a device, but it is not similar to the desktop web browser in terms of user experience. It would be nice to have a mobile application to access the platform.
It would be nice to have someone in the technical support team who speaks Italian.
For how long have I used the solution?
We have been in a partnership with Rapid7 for five years.
What do I think about the stability of the solution?
It is absolutely stable.
What do I think about the scalability of the solution?
It is scalable. We have 40 customers who are using this solution.
How are customer service and technical support?
Their technical support is great, but it would be nice to have someone in the technical support team who speaks Italian.
We speak Italian with Safeguy. So, sometimes, Safeguy's technical teams also help us.
How was the initial setup?
Its initial setup is easy and quick. We are typically able to deploy it in a couple of hours.
We have 15 certified and dedicated engineers to handle its deployment and maintenance.
What's my experience with pricing, setup cost, and licensing?
In some cases, we procure the licenses. In some cases, the customers directly buy the license from Rapid7.
What other advice do I have?
I would rate Rapid7 InsightVM a nine out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Director of Cyber Security (CISO) at a marketing services firm with 201-500 employees
Broad capabilities make this scanning solution able to cover a lot of ground
Pros and Cons
- "It is good and fits well with pretty much all of our use case needs."
- "You can bring in and get online to do reports fairly quickly."
- "The product does not have the capability to do dynamic scanning of non-web applications."
- "Reporting could be expanded."
- "There are end-user needs and expectations that are being overlooked in the development that could be addressed by appointing a customer advisory board."
What is our primary use case?
In our first use case, we wanted to map the solution back to our NIS (Network and Information Systems) framework and the CIS (Center for Internet Security that publishes Critical Security Controls). That is the first part. The second part of this same use case is that we wanted to do continuous vulnerability scanning. That is we wanted to scan the complete network every month at a minimum. What we are finding out in practice is that we are scanning every week because of our network and the size of it. In the end, we are able to get even more aggressive than our original position.
The next use case was we wanted to identify the assets that were in our environment. We can identify how many servers we have, we have identified how many desktops and laptops we have got, et cetera. To that point is where we were looking at pretty good.
Our next use case was the obvious next step where we wanted to identify vulnerabilities. That meant identifying all the vulnerabilities from critical all the way down to the low. We needed to know what they were and how many. Also, we wanted to know how many are unique versus how many there are in total.
We also wanted to get away from tracking vulnerabilities on spreadsheets. It was incredibly cumbersome, incredibly hard to do, and it was not efficient. The IT guys kept telling me that they did not know how to fix certain issues. So I thought we needed to do CVSS (Common Vulnerability Scoring System) on it. They were a bit resistant to that idea. Well, I was not about to start doing that for them. So InsightVM gives us the ability now to track the issues and communicate how the remediation should occur to fix vulnerabilities.
Then the last thing we wanted was to have a dashboard for management. We had to have a dashboard to be able to have a CIO (Chief Information Officer) log in and find out where we sit with things. Like where do we sit with remediation, where are we failing to make expected progress, and things of that nature.
Rapid7 gave us the ability to do a lot of that, and it was not a cumbersome tool to implement. It is good and fits well with pretty much all of our use case needs. It only falls short in a couple of spots.
What needs improvement?
Now that we have been using it, I think there are some things Rapid7 needs to consider and address in improving InsightVM. I think the reporting piece has room for improvement. While they have a lot of reporting, and some of the reporting is really good, there are some things that I think they can do better on. They need to add some categories that are not covered and expand a few things that have only surface coverage.
I would love to be on a customer advisory board so that I could provide feedback to them and show them what their solution does not do. For example, I could point out things that I can not do with a widget on the dashboard that I would expect it to be able to do. Things like that might help them improve the product from a real user's perspective. That could amount to a lot of different things, but ideally, it would focus on your most common issues.
There were a couple of things I know that the security analyst and I were looking at and we were wondering why Rapid7 would choose to implement it that way. Like if they did not include something we needed as part of a report, we could not do what we expected when running the report. That is a little frustrating. I would say that they need to spend some more time evaluating enhancements suggested by customers so that they can get those things implemented and round out the user experience. That is the reason why I think a CAB (Customer Advisory Board) is important for vendors like Rapid7.
For how long have I used the solution?
We rolled it out in our operations between June and September. So we have been using it since June of 2020.
What do I think about the scalability of the solution?
I do not know at this point just how scalable this solution is. We bought it for an enterprise solution, so our enterprise need is getting solved. I do not know how much scaling we have to do on top of that. I do not like the fact that as a vulnerability scanner, this product has a fault to a certain extent. We want to be able to scan applications dynamically and this solution does not give us that ability. It does for web apps. But if you are a company that does not have a lot of web apps, something is getting left uncovered.
Let's say you have a third-party app. You go to that third-party developer and you ask if they have ever done a security attestation on the application. They look at you like they have no idea what the heck you are talking about and they have no idea what that means. It would be good, in that case, to be able to take the Rapid7 product and point it at that third-party app and scan it dynamically. That way you can get code vulnerabilities or functional vulnerabilities. What would otherwise be a problem is something you could identify and isolate. If Rapid7 looked at the scripting and identified a secret injection attack at line 1,141, or something to that effect, it could be vetted. It does do that, but it only does that on web applications. Why stop there?
In order to solve that issue, you have to go out and buy another third-party product that allows you to scan the application to do dynamic or static vulnerability scanning on the application. I do not like that omission because I had that capability with Qualys. We could take Qualys and we could point it at an application and get dynamic scanning reports from it. It told us a line that needed to be fixed and everything.
I have not yet gotten into the bowels of that discussion with Rapid7, but I want to. What I did find out about it is our current setup does not cover that type of potential application vulnerability. It does allow for some scanning of web applications, but we are not a company that has a lot of web applications. We are not a retail organization. We do not sell anything. We do have web applications, but they are mainly used for marketing.
We probably have close to a dozen people in our organization who are currently interfacing in some way with Rapid7 InsightVM. That part is scalable. The utility does have those certain limitations, however.
How are customer service and technical support?
We have a client service manager for Rapid7 tech support. He is an appointed customer service manager where we have him for the first year. We are working with him to identify things, correct things, implement, attune, and things like that. Because of that relationship, I do not have a need to call their regular tech support right now. We just worked through the service manager.
Which solution did I use previously and why did I switch?
I have had some previous experience with Qualys and using Rapid7 now is really a matter of what I chose to bring on based on my personal user experience. Each has its own advantages and neither is a bad product.
How was the initial setup?
The initial installation and setup were pretty much straightforward. We did run into an issue with credentialing. We ended up working through that and got that correct.
I think it was done fairly quickly overall. When we ran into that credentialing issue, we spent about three weeks or so — almost a month — working through that. The issue meant involving some guys from some of the other IT teams and getting them into the mix to help us out.
What other advice do I have?
I had implemented InsightVM before at another company. I liked it when we were using it there, which is why it ended up here. I have also had previous experience with Qualys. I did not have the time or the luxury to sit back and do a full analysis, RFI (Request for Information) and RFP (Request for Proposal) when we had to bring on the solution. We are not the CIA (Central Intelligence Agency), we are not the NSA (National Security Agency). We do not need any sophisticated solution or anything like that. We just needed something we could bring in, get online fairly quickly, and get running to do reports. Rapid7 InsightVM fit the bill.
On a scale of one to ten (where one is the worst and ten is the best), I would rate Rapid7 InsightVM as probably about an eight out of ten. It gets an eight rather than scoring higher just because of some of the other stuff that I wish we had.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cloud and Cyber-Security Technician at Software Productivity Group
It lets you scan your entire network for vulnerabilities, but it lacks patch management
Pros and Cons
- "I like Rapid7's scan optimization options."
- "Patch management is the only missing feature I can think of. Rapid7 detects vulnerabilities, but it should also help you manage patches."
What is our primary use case?
Rapid7 allows you to scan the entire network to discover information about devices, such as the type of operating system.
What is most valuable?
I like Rapid7's scan optimization options.
What needs improvement?
Patch management is the only missing feature I can think of. Rapid7 detects vulnerabilities, but it should also help you manage patches.
For how long have I used the solution?
I have used Rapid7 for about five months.
What do I think about the stability of the solution?
The product isn't stable. Sometimes I attempt to log in using the correct password, but I can't access the server. It tells me that the password is wrong, so I have to reboot the server to access it.
What's my experience with pricing, setup cost, and licensing?
We pay a monthly license.
What other advice do I have?
I rate Rapid7 InsightVM seven out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Head of Cybersecurity Assurance & Controls Director at a tech services company with 1,001-5,000 employees
Poor reporting, lacking in features, but the technical support is not bad
Pros and Cons
- "I have been in contact with technical support and they are not bad."
- "The reporting is very bad when you compare it with other vulnerability assessment tools."
What is our primary use case?
I am primarily using Rapid7 for vulnerability assessment and reporting.
How has it helped my organization?
At this point, we are not happy with Rapid7.
What needs improvement?
The reporting is very bad when you compare it with other vulnerability assessment tools.
This product is for basic vulnerability assessments, only, and is lacking in features such as compliance, assessment, assets, inventory, and batch management.
For how long have I used the solution?
I have been using Rapid7 InsightVM for five years.
What do I think about the scalability of the solution?
I would say that the scalability is 50-50. It does not offer much in terms of being able to scale. We have approximately 3,000 users.
How are customer service and technical support?
I have been in contact with technical support and they are not bad.
What's my experience with pricing, setup cost, and licensing?
Comparing the price with the value that we receive, I am not happy with it.
Which other solutions did I evaluate?
We are currently looking to replace Rapid7 with another product.
Currently, we are working with Tenable Nessus and Qualys.
What other advice do I have?
I would rate this solution a five out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Consultant at Yip Intsoi
Flexible, with good scanning, and rarely provides false positives
Pros and Cons
- "The most important aspect of the solution is that it rarely gives false positives, especially compared to other products. It provides very clear reports for our IT teams to look at."
- "There needs to be much clearer instructions surrounding scanning."
What is our primary use case?
We use the solution to scan our internal OS and applications.
How has it helped my organization?
The solution protects us from vulnerabilities. If it sees anything, it can tell us about the vulnerability and ranks it as critical or high risk. It allows us to take action immediately to protect our company from attacks.
What is most valuable?
The most important aspect of the solution is that it rarely gives false positives, especially compared to other products. It provides very clear reports for our IT teams to look at.
The solution has an excellent feature that scans for vulnerabilities that may affect the Windows operating system. It helps us avoid being affected by WannaCry or other malicious attacks of that nature. It's one of the most useful features that we have. We're able to see more vulnerabilities before they become an issue due to the fact that it's so protective. It's great at helping us avoid malware or ransomware.
What needs improvement?
The solution needs to improve its smart monitoring.
There needs to be much clearer instructions surrounding scanning.
As for new features, I can't think of anything that's lacking. It's pretty good overall in terms of feature offerings.
For how long have I used the solution?
I've only been using the solution for half a year - approximately six months. It hasn't been too long.
What do I think about the stability of the solution?
The solution is very stable. There are no bugs or glitches that I have witnessed. The solution doesn't crash. It's very reliable.
What do I think about the scalability of the solution?
The solution is very flexible and very scalable. A company that needs to add it to their endpoints should have no issues doing so. I don't think there is a limit as to how many are possible.
Typically we deploy this solution to medium-sized enterprises in microfinance and insurance.
How are customer service and technical support?
I've been in contact with technical support in the past. They're very good. We're satisfied with the level of attention they give us and the information they share.
How was the initial setup?
The solution doesn't really have a complex setup. It's easy to set up and integrate with the endpoint. We install insights at our endpoints to help us collect vulnerability information from there.
We can also install it again and again and use active scanning to conduct vulnerability testing at the endpoints. It's very simple.
Deployment doesn't take long at all. Currently, we can deploy in around two or three days and then integrate it with the endpoint after we've gotten clear instructions from InsightVM.
The steps we choose for implementation are as follows: we first need to follow the instructions to install network communication, from the endpoint to InsightVM. Network communication from the endpoint will go to the scan engine and from the scan engine to the management console of Insight.
After we satisfy this, we start implementation and we start to deploy the engine to the endpoint. After that, we run a scan from the site configuration of each endpoint scope and we file the report displayed on the dashboard. Lastly, we export the report and provide it to the correct person that needs to be involved at the IT end of things.
In terms of the number of staff we use for deployment, from our side, we have two people to help manage everything. For the customer, we have four people to coordinate with the internal team. In total, we have six people involved with deployment. Our team includes a deployment engineer and from the customer's side, members of security operations.
What about the implementation team?
Normally, we have both the reseller and the vendor to assist with deployment. From the vendor, we just consult on the step and classify each endpoint. After that, we'll discuss next steps with our team. Currently, we have a distributor that provides this product to us. We work with the vendor and work with the reseller to deploy everything to the customer's systems.
What's my experience with pricing, setup cost, and licensing?
The solution offers flexible pricing.
What other advice do I have?
We're a partner of InsightVM.
We're most likely using the latest version of the solution, however, I'm not sure which exact version number it is.
We've deployed on-premises with a local scan engine.
I'd advise companies that are looking into vulnerability assessment or faster deployment, to check out InsightVM. It's easy to expand as necessary and offers flexibility in its pricing.
I'd rate the solution nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cybersecurity Consultant at a wholesaler/distributor with 51-200 employees
Easy to use and great for both vulnerability scanning and remediation
Pros and Cons
- "The pricing is reasonable."
- "There should be containerization within the VM."
What is our primary use case?
I'm helping customers manage vulnerabilities in their organization. It's for vulnerability scanning.
What is most valuable?
It helps with the scanning of vulnerabilities. It's great at handling remediation after you've found an issue and managing the process of vulnerability remediation. The solution provides great advice.
The solution offers very good intelligence and tracking of the remediation process.
It goes very deep and doesn't just find the problem - it helps fix things too.
The setup is easy.
The solution is easy to use.
It offers good scalability.
It's stable.
The pricing is reasonable.
The solution can scale.
What needs improvement?
At times, some customers want more on-premises solutions, and yet vendors want us to load features onto the cloud. While it works in a hybrid way, they need to ensure they keep a customer's needs in mind.
There should be containerization within the VM.
For how long have I used the solution?
I've been using the solution for two years.
What do I think about the stability of the solution?
It is stable and reliable. I haven't had issues with it. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
The solution offers very good scalability. One license allows you to have three consoles. It's good for a distributed environment.
Which solution did I use previously and why did I switch?
I didn't use different solutions previously.
How was the initial setup?
The initial setup is quite easy. It's easy to use. You can deploy it in less than one hour. Everything happens very fast. It just depends on how long you want to test before implementation. The tuning, however, is a bigger process.
What's my experience with pricing, setup cost, and licensing?
The solution isn't too expensive. The company offers good bundles. The pricing is simple and based on assets. It's transparent.
Which other solutions did I evaluate?
I did evaluate other solutions before using this solution. I looked online.
What other advice do I have?
I'm a partner, not a customer.
I've been using the solution's latest version and updating it often.
I'd advise people to use the product as a vulnerability scanner and as a remediation tool. They should look at the whole brand and see if any of their other products can integrate with the scanner.
I would rate the solution nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Senior Consultant at a tech services company with 11-50 employees
Good visibility in the event of an attack
Pros and Cons
- "When it comes to the process, installation is very easy and does not take long."
- "All products have room for increased security and Rapid7 InsightVM is no exception."
What is our primary use case?
The solution is similar to Tenable, but Rapid7 also comes with Insight - Detection and Response, which integrates with InsightVM. This alerts the customer in the event of an attack or updates him about the status of a vulnerability. The solution provides increased visibility in the environment when integrating between these two products.
What needs improvement?
All products have room for increased security and Rapid7 InsightVM is no exception. This is why I do not give a perfect score to any product on principle.
For how long have I used the solution?
We have been using Rapid7 InsightVM for a couple of months.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
We have plans to increase its usage.
Which solution did I use previously and why did I switch?
I have some experience with Tenable Nessus, although I did not use it on a professional basis.
How was the initial setup?
When it comes to the process, installation is very easy and does not take long. As a matter of course, installing a VM and connecting to a portal is easy. That is all that is needed. Time-wise, this may take an hour. Once the portal and scanner are connected one can start getting the environment.
What's my experience with pricing, setup cost, and licensing?
The license is annual and this is the optimal approach when it comes to most software.
What other advice do I have?
The solution is hybrid, meaning that if installation is required it must be done on the environment itself, on-premises, the portal being cloud-based.
The solution has very good integration, so I see no need for improvements in this regard at present.
I have no issues with the stability, security, user interface, reporting, monitoring board or Techstar reports. These are all good.
The documentation is quite detailed and straightforward. It is provided to me via the internet.
Off the top of my head, I cannot think of anything needing improvement.
We have a single customer who is utilizing the solution, but he makes use of IDR, not IVM.
I would recommend the solution to others.
I rate Rapid7 InsightVM as an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner