What is our primary use case?
We use Rapid7 for our vulnerability assessment. It scans the network, identifies all of the assets that are present, and then identifies all of the vulnerabilities due to those systems not being patched. Based on that, we can generate reports and make sure that those applications or servers are patched at both the operating system and application levels.
What is most valuable?
The most valuable feature is the site scanning, where we can provide a complete subnet and what it is we need to scan on those devices. It will extract all of the information, including the rating and vulnerabilities, in all of the applications that are present on each of those machines. This is quite relevant because if you have many applications on one server, then you don't know whether they are individually patched or not.
The dashboard is not difficult to manage.
What needs improvement?
The reporting is a little bit tricky because it can be difficult to exactly pinpoint some of the assets to filter them and generate a report. Improving the filtering capability would make the reporting easier.
We would like to have penetration testing features built into Nexpose, as it is the next area that we are going to be concentrating on. We have not yet tried it, but it is on our roadmap.
For how long have I used the solution?
We have been using this solution for one year.
What do I think about the stability of the solution?
We have not had any issues with stability. For what we are using it for, it is okay, and we use it on a weekly basis.
What do I think about the scalability of the solution?
We have five people who are working with Nexpose and we have not yet needed to scale.
How are customer service and technical support?
We have been in touch with support on one or two occasions, but I was not the person who dealt with them.
How was the initial setup?
The initial setup is not complex. As soon as you deploy, you start by opening all of the needed communication tools on all of the target systems. In our situation, we deployed gradually as opposed to doing everyone at the same time.
We have five people who have access to this solution and can maintain it. They do not work on it full-time but can do site scanning and generate reports when needed.
What about the implementation team?
A third party was brought in to implement this solution. However, I have done some of the upgrades and I would say that it is straightforward enough that it is not necessary to bring in anybody else.
What other advice do I have?
My advice for anybody who is implementing this solution is to begin by clearly identifying infrastructure and the most critical assets. This tool will give you good visibility into the network and the assets, but it is only the starting point. It is really the input for the process that you have in place to follow up and patch the assets. Simply knowing that they are vulnerable is not good enough, so the right process has to be put into place before it will work effectively.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?