Rapid7 InsightVM Overview

Rapid7 InsightVM is the #2 ranked solution in our list of top Vulnerability Management tools. It is most often compared to Tenable Nessus.

What is Rapid7 InsightVM?

Rapid7 InsightVM is the vulnerability assessment tool built for the modern web. InsightVM combines complete ecosystem visibility, an unparalleled understanding of the attacker mindset, and the agility of SecOps so you can act before impact.

Rapid7 InsightVM is also known as InsightVM, NeXpose.

Rapid7 InsightVM Buyer's Guide

Download the Rapid7 InsightVM Buyer's Guide including reviews and more. Updated: July 2021

Rapid7 InsightVM Customers

ACS, Acosta, AllianceData, amazon.com, biogen idec, CBRE, CATERPILLAR, Deloitte, COACH, GameStop, IBM

Pricing Advice

What users are saying about Rapid7 InsightVM pricing:
  • "Our licensing costs are somewhere around $40,000 annually. There are no additional fees."
  • "This solution is expensive, but it's fine for us as we have an open budget for security solutions. Protection and having the system secured is more important."
  • "Its price is too high. My only concern or issue with Rapid7 is its pricing."

Bill Young
Director of Cyber Security (CISO) at a marketing services firm with 201-500 employees
Real User
Top 20
Broad capabilities make this scanning solution able to cover a lot of ground

What is our primary use case?

In our first use case, we wanted to map the solution back to our NIS (Network and Information Systems) framework and the CIS (Center for Internet Security that publishes Critical Security Controls). That is the first part. The second part of this same use case is that we wanted to do continuous vulnerability scanning. That is, we wanted to scan the complete network every month at a minimum. What we are finding out in practice is that we are scanning every week because of our network and the size of it. In the end, we are able to get even more aggressive than our original position. The next use…

Pros and Cons

  • "It is good and fits well with pretty much all of our use case needs."
  • "You can bring in and get online to do reports fairly quickly."
  • "The product does not have the capability to do dynamic scanning of non-web applications."
  • "Reporting could be expanded."
  • "There are end-user needs and expectations that are being overlooked in the development that could be addressed by appointing a customer advisory board."

What other advice do I have?

I had implemented InsightVM before at another company. I liked it when we were using it there which is why it ended up here. I have also had previous experience with Qualys. I did not have the time or the luxury to sit back and do a full analysis, RFI (Request for Information) and RFP (Request for Proposal) when we had to bring on the solution. We are not the CIA (Central Intelligence Agency), we are not the NSA (National Security Agency). We do not need any sophisticated solution or anything like that. We just needed something we could bring in, get online fairly quickly, and get running to…
RW
IT Security Architect at a government with 1,001-5,000 employees
Real User
Speed and quality of vulnerability scanning translates to reliable and timely results

What is our primary use case?

We have a few primary use cases. The main one is looking at the visibility of devices that are on our network to keep track of things as they come and go; we're looking for known vulnerabilities whether it's the operating system, network devices, mobile devices, and the like. When we find the vulnerabilities we remediate them, so it's also our job to verify that remediations have been successful. In addition, we are now beginning to get involved in setting security baselines and configuring baselines and using InsightVM to audit those configurations. We're scanning about 6,000 devices. There…

Pros and Cons

  • "There are many integrations with things like the VMware NSX that are great, the reporting is really solid."
  • "Some difficulties with the online reporting and lack of integrations."

What other advice do I have?

It's important to take the time to have a full understanding of how schemes are scheduled, how sites and asset groups are set up and make sure it's done upfront. It's a big help. If you remove an old site and recreate it with small differences you lose some of the data associated with the old site. Getting the organization sorted from the beginning would be the biggest piece of advice. It's very important to know what your environment is made up of. People often leave companies without documenting things and there's a lot that not everybody knows about because it was in the back of someone's…
MH
Owner at a tech services company with 1-10 employees
Real User
Top 5
Understands and defends your network from vulnerabilities

What is our primary use case?

We used InsightVM mainly for vulnerability management. I thought it was a pretty interesting application. I'm a fan of Rapid7's Metasploit, so when I saw InsightVM I was like, "Let's see what else they have." I liked it up until we experienced some issues relating to scans. If I wanted to do mitigation, I needed to wait until the next scan was available or ran so that I could get to see if any indentations were made. While I was in there, if I was searching for a specific vulnerability, sometimes it was hard to find the specific ones. In the dashboard, it'll tell you the results from the…

Pros and Cons

  • "I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps."
  • "I would say that it improved our visibility, but it left things open."

What other advice do I have?

Do your proof of concepts if you can. Make sure you develop your risk strategy. That's important, because it's going to give you a risk number, it's going to give you critical: highs, mediums, but you need to understand what is the risk methodology that you're going to follow. Just because it says it's critical because of how many vulnerabilities you have, doesn't mean that you need to work on it right away. For example, there was a vulnerability that had 2,000 nodes affected. It put it as a high-risk, whereby there was another vulnerability where there were only about 10 hosts affected — it…
Kimeang-Suon
Technical Consultant at Yip Intsoi
Consultant
Top 20
Flexible, with good scanning, and rarely provides false positives

What is our primary use case?

We use the solution to scan our internal OS and applications.

Pros and Cons

  • "The most important aspect of the solution is that it rarely gives false positives, especially compared to other products. It provides very clear reports for our IT teams to look at."
  • "There needs to be much clearer instructions surrounding scanning."

What other advice do I have?

We're a partner of InsightVM. We're most likely using the latest version of the solution, however, I'm not sure which exact version number it is. We've deployed on-premises with a local scan engine. I'd advise companies that are looking into vulnerability assessment or faster deployment, to check out InsightVM. It's easy to expand as necessary and offers flexibility in its pricing. I'd rate the solution nine out of ten.
HM
Information Security Senior Expert (Founding member, African Cybersecurity Center) at a financial services firm with 10,001+ employees
Real User
Top 5
Stable and scalable solution with good technical support and reporting capabilities

What is our primary use case?

The primary use case of this solution is for critical business applications for the web. We have also implemented it to identify when we are changing and an older system like the application client-server, the server two, the network equipment like switch routers, and security solutions.

Pros and Cons

  • "The most valuable feature for us is the different types of reporting it provides."
  • "This solution integrates with another module in Metasploit, that doesn't exist in the other solutions. It is subscribed to on our roadmap, but we chose to implement both Nexpose and AppSpider."

What other advice do I have?

Rapid7 is a leading solution that has been implemented in many companies. In Nexpose you have the console and the app assistant for Rapid7. The design can be implemented in all of the segments of the network to scan, perform the scale of the scan, perform the reporting, generate the reports, and send it to the central console. I would suggest that customers acquire this solution. In addition to management, we are subscribed to the security dispense team and the company emergency dispense team. We always receive the bulletins, so we are always aware of the vulnerabilities. I appreciate this…
JS
Director Of Information Technology at a government with 201-500 employees
Real User
Top 20
Good at identifying vulnerabilities but had issues with scans and endpoint accuracy

What is our primary use case?

The solution is primarily used for vulnerability management, specifically vulnerability scanning of the endpoint devices.

Pros and Cons

  • "The main functionality of identifying item endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature."
  • "We found that after you passed an endpoint, it didn't always reflect it in the next scan. I'm not sure if it was a glitch or some issue with the product's software. That was never clear. That was always an issue and something that definitely needed improvement."

What other advice do I have?

The company I worked for was just a customer and I was just an end-user. There was no business relationship between the two companies that I was aware of. The company is considering moving from on-premises to the cloud. I am unsure of which version of the solution is being used currently. I'm no longer at the company where I used the product. While the solution worked well, I have never compared other solutions, so I don't know if it's best in class or not. I'd rate the solution six out of ten.
ES
Owner at Sidif Del Caribe Corporation
Reseller
Top 10
A stable enterprise solution that can automatically detect new devices and scan them for vulnerabilities

What is our primary use case?

We are system integrators. Our clients normally use it to detect vulnerabilities in terms of a lack of patches in certain systems and databases. Its console can be installed on-premise or on the Rapid7 data center.

Pros and Cons

  • "When you connect any new device to the network, Rapid7 has the ability to detect the new device immediately. It can scan that device to detect if it has any vulnerability. It tells you what is vulnerable and what has been misconfigured. It also tells you what is the risk of that misconfiguration or lack of patches and how to resolve the problem."
  • "In terms of improvements, its price could be better. Our main issue with Rapid7 is that it is too expensive. You can only sell it to enterprise accounts. In terms of new features, Rapid7 came up with a product called InsightIDR a couple of years ago, which is a good SIEM solution. We expect that Rapid7 will work on some sort of integration between InsightVM and InsightIDR, where vulnerability or anomaly detected by InsightVM can be reported in InsightIDR in some sort of real-time. Rapid7 doesn't patch. For example, if you have a vulnerability, some products can scan and also do the patching, but Rapid7 does not do the patching. It would be nice if it can also patch."

What other advice do I have?

I would recommend this solution. I would rate Rapid7 InsightVM an eight out of ten.
MF
Infrastructure Security Architect at a comms service provider with 1,001-5,000 employees
Real User
Good site-level vulnerability scanning capability, and the dashboard is not difficult to manage

What is our primary use case?

We use Rapid7 for our vulnerability assessment. It scans the network, identifies all of the assets that are present, and then identifies all of the vulnerabilities due to non-patching those systems. Based on that, we can generate reports and make sure that those applications or servers are patched on both the operating system and application level.

Pros and Cons

  • "The most valuable feature is the site scanning, where we can provide a complete subnet and what it is we need to scan on those devices."
  • "The reporting is a little bit tricky because it can be difficult to exactly pinpoint some of the assets to filter them and generate a report."

What other advice do I have?

My advice for anybody who is implementing this solution is to begin by clearly identifying infrastructure and the most critical assets. This tool will give you good visibility into the network and the assets, but it is only the starting point. It is really the input for the process that you have in place to follow up and patch the assets. Simply knowing that they are vulnerable is not good enough, so the right process has to be put into place before it will work effectively. I would rate this solution an eight out of ten.