Rapid7 InsightVM Room for Improvement
Now that we have been using it, I think there are some things Rapid7 needs to consider and address in improving InsightsVM. I think the reporting piece has room for improvement. While they have a lot of reporting, and some of the reporting is really good, there are some things that I think they can do better on. They need to add some categories that are not covered and expand a few things that have only surface coverage.
I would love to be on a customer advisory board so that I could provide feedback to them and show them what their solution does not do. For example, I could point out things that I can not do with a widget on the dashboard that I would expect it to be able to do. Things like that might help them improve the product from a real user's perspective. That could amount to a lot of different things, but ideally, it would focus on your most common issues.
There were a couple of things I know that the security analyst and I were looking at and we were wondering why Rapid7 would choose to implement it that way. Like if they did not include something we needed as part of a report, we could not do what we expected when running the report. That is a little frustrating. I would say that they need to spend some more time evaluating enhancements suggested by customers so that they can get those things implemented and round out the user experience. That is the reason why I think a CAB (Customer Advisory Board) is important for vendors like Rapid7.
IT Security Architect at a government with 1,001-5,000 employees
There are some difficulties with the online reporting and lack of integrations, the information that you can get from the APIs in the software is not the best. There's still some fleshing out of their API that I think could benefit them as well.
I'd like to see more integrations with ticketing systems. Right now, JIRA and ServiceNow are the only ticketing systems that have integration with Rapid7. Extending that would be big. Some additional integrations with some patch management solutions would be good too. IBM BigFix and SCCM. Microsoft has integrations there. In our situation, we're not using either of those and that feature doesn't really give us a whole lot. If there were to be new integrations added on, both on the patch management and the ITMS side, that would be a big improvement.
Additional features would be the additional integrations for ticketing systems that I mentioned. There are always updates rolling out for new scans and things.
Owner at a tech services company with 1-10 employees
They just need to fix it to make it more fluid. If it shows you vulnerabilities, I want to be able to click on the vulnerability and drill down into the vulnerability. If it's rating it as a 10 and it says it's got 30 hosts in it for this vulnerability, I want to click on that vulnerability and get a separate report that says, "Here's the vulnerability specific and here's the host involved." That way I could export it and say, "Hey, this vulnerability's out there, it matches a CVE number that is critical, that Microsoft, Cisco, whatever, has put a patch out there, and here guys, here's what it is and here's the proof. Here's your host that's vulnerable. Here's a change request, fix it, send me back the proof that you fixed it, then allow me to rerun a scan specific to that, on-demand, to say 'Yes, boss, we have mitigated it.'"
I want to be able to just drill down on the reports. If it showing me there's a vulnerability and there's a said number of nodes that's vulnerable to it, I want to be able to drill down and export that list without having to come back out of it, going into my assets, trying to find the name of the vulnerability, which doesn't match what the dashboard says. To me, that was backward.View full review »
The solution needs to improve its smart monitoring.
There needs to be much clearer instructions surrounding scanning.
As for new features, I can't think of anything that's lacking. It's pretty good overall in terms of feature offerings.View full review »
Information Security Senior Expert (Founding member, African Cybersecurity Center) at a financial services firm with 10,001+ employees
We need to scan and identify the different RPGs, the critical ones and the major ones that can generate risk or a measure of risk. We generate the reporting from the system and relay the report to our internal developers. We have our internal developers in the bank.
This solution integrates with another module in Metasploit, that doesn't exist in the other solutions. It is subscribed to on our roadmap, but we chose to implement both Nexppose and AppSpider.View full review »
Director Of Information Technology at a government with 201-500 employees
We found that after you passed an endpoint, it didn't always reflect it in the next scan. I'm not sure if it was a glitch or some issue with the product's software. That was never clear. That was always an issue and something that definitely needed improvement.View full review »
Owner at Sidif Del Caribe Corporation
In terms of improvements, its price could be better. Our main issue with Rapid7 is that it is too expensive. You can only sell it to enterprise accounts.
In terms of new features, Rapid7 came up with a product called InsightIDR a couple of years ago, which is a good SIEM solution. We expect that Rapid7 will work on some sort of integration between InsightVM and InsightIDR, where vulnerability or anomaly detected by InsightVM can be reported in InsightIDR in some sort of real-time.
Rapid7 doesn't patch. For example, if you have a vulnerability, some products can scan and also do the patching, but Rapid7 does not do the patching. It would be nice if it can also patch.View full review »
Infrastructure Security Architect at a comms service provider with 1,001-5,000 employees
The reporting is a little bit tricky because it can be difficult to exactly pinpoint some of the assets to filter them and generate a report. Improving the filtering capability would make the reporting easier.
We would like to have penetration testing features built into Nexpose, as it is the next area that we are going to be concentrating on. We have not yet tried it, but it is on our roadmap.View full review »
It would be nice to have an additional feature that would provide reports on who has logged onto the console or who did what on the console. I don't have the time to log onto the console and use SSH to go through the logs.
We have some users with certain privileges, and sometimes they do things that I don't like. This is why it would be nice to have an easy way to report what is in the logs.
In the next release, I would like to see reporting added to the console. It would be helpful to have reports to tell you who did what, who created reports, who created groups or who created tags.View full review »
Enterprise ICT Security Architect at a tech services company with 1-10 employees
There have been instances where technical support takes a long time to update the status of a ticket, which is something that can be improved.View full review »
Senior Consultant at a tech services company with 11-50 employees
All products have room for increased security and Rapid7 InsightVM is no exception. This is why I do not give a perfect score to any product on principle.View full review »
The reporting has room for improvement. You cannot customize any report. If I need a specific requirement, I have to create a new report for it. I cannot pull up two or three things in one report.View full review »
I have had some difficult problems with InsightVM. The InsightVM cannot scan if we connect to our customer by the VPN. I asked the Rapid7 support, they told me that the InsightVM can only work on the same network. We cannot use InsightVM by VPN. It also consumes a lot of memory. It would be good if they could resolve that.View full review »
Head of Cybersecurity Assurance & Controls Director at a tech services company with 1,001-5,000 employees
The reporting is very bad when you compare it with other vulnerability assessment tools.
This product is for basic vulnerability assessments, only, and is lacking in features such as compliance, assessment, assets, inventory, and batch management.View full review »