Senior Cybersecurity Solutions Engineer at a tech services company with 51-200 employees
An application security tool with a dynamic application security scanning feature that provides predefined templates and supports customisation
Pros and Cons
- "Dynamic application security scanning provides predefined templates and supports customization. The ability to scan external and internal applications, including on-premises ones, is precious. Additionally, it is a cloud platform, so we don't need to deploy servers or resources. This makes it time-efficient and cost-effective."
- "The dynamic scanning feature has simplified and improved the security testing process. I suggest adding a SaaS feature to the solution to support scanning SaaS applications, making it more comprehensive. It would be beneficial if the solution could also scan mobile applications. It only scans web applications and should also cover mobile applications, including firmware recommendations."
What is our primary use case?
We use Rapid7 InsightAppSec for dynamic application security scanning. We scan our web applications to identify vulnerabilities and then address the issues based on the report. It is a task solution used for enterprise or customer applications.
What is most valuable?
Dynamic application security scanning provides predefined templates and supports customization. The ability to scan external and internal applications, including on-premises ones, is precious. Additionally, it is a cloud platform, so we don't need to deploy servers or resources. This makes it time-efficient and cost-effective.
What needs improvement?
The dynamic scanning feature has simplified and improved the security testing process. I suggest adding a SaaS feature to the solution to support scanning SaaS applications, making it more comprehensive.
It would be beneficial if the solution could also scan mobile applications. It only scans web applications, but it should also cover mobile applications, including firmware recommendations.
For how long have I used the solution?
I have been working with Rapid7 InsightAppSec for the past two years.
Buyer's Guide
Rapid7 InsightAppSec
January 2026
Learn what your peers think about Rapid7 InsightAppSec. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,757 professionals have used our research since 2012.
What do I think about the stability of the solution?
From my experience with Rapid7 InsightAppSec, I haven't had any stability or performance issues. The platform continuously improves, adds new features, and enhances its capabilities.
What do I think about the scalability of the solution?
It's highly scalable since it's a cloud solution. We currently have a license for several applications, but we can quickly scale and purchase more licenses as needed.
How are customer service and support?
Regarding technical support for Rapid7 InsightAppSec, they usually respond within one or two days. I think the response time should be improved to within one day.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment process for Rapid7 InsightAppSec is straightforward since it's a cloud platform. We don't need to deploy on-premises; it requires creating an account, which takes one or two minutes, and we can start scanning immediately. No maintenance is required as Rapid7 maintains everything.
What other advice do I have?
I would recommend Rapid7 InsightAppSec to other users looking to implement a similar solution. We have many customers, and when they require a dynamic solution, we recommend Rapid7. We provide demos and presentations to clients, and if they are satisfied, they proceed with a license.
The AI capabilities in Rapid7 InsightAppSec enhance application vulnerability scans significantly. AI and machine learning are integral to the solution, helping us schedule scans and improve the scanning results.
I would rate InsightAppSec eight out of ten. It's a great solution, but there's always room for improvement.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Senior IT Security Specialist at a healthcare company with 51-200 employees
A highly scalable and robust product that enables users to automate scans
Pros and Cons
- "It is a very robust solution."
- "The number of web applications we can scan is limited."
What is our primary use case?
We use it as a web application scanner. It runs a ton of different detections and tests against our web applications and provides us with results. It connects directly with our SDLC for an API. We can automate the scanning of a web application during the development process when it changes from development to test and test to production.
What is most valuable?
I like that the product allows us to have an internal and external scanner. We can authenticate scans and pick and choose which attacks we want to use. It is a very robust solution.
What needs improvement?
The number of web applications we can scan is limited. There's a cost associated with how many web apps we want to scan.
For how long have I used the solution?
I have been using the solution for a year.
What do I think about the stability of the solution?
I have not had any issues. For over a year, the tool has not been down.
What do I think about the scalability of the solution?
The tool is completely cloud-based. So, the scalability is fine for external scanning. For internal scanning, we must create another scanner on our internal network. We can scale it at mass.
How are customer service and support?
The support is great. The problem with the support team is that it does not have a calling number. The best way to get a hold of the support team is by contacting the customer success manager and getting somebody in the support team. We could open a ticket, but we cannot call. Sometimes, I want to be able to just call somebody. I don't want to put a ticket in and wait for a response. The support team is responsive.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We used Qualys before. Rapid7 is better than Qualys.
How was the initial setup?
The initial setup is quite simple. I rate the ease of setup a nine out of ten. We can just connect to the web application and access our site. We can get it up and running within 20 minutes.
What about the implementation team?
The solution does not require maintenance since it is SaaS-based.
What other advice do I have?
Rapid7 just came out with a new package called Cloud Risk Complete, which gives us unlimited insight into scanning and unlimited AppSec scanning. It also gives us InsightCloudSec.
The product can do everything. We are struggling to get our DevOps team to commit to utilizing our web application scanners. We are siloed with it.
Overall, I rate the product an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Lead at a printing company with 201-500 employees
A user-friendly, well-priced solution with Attack Replay feature and good customization options
Pros and Cons
- "You have various attack modules, and you also have the Attack Replay feature for the attack sequence. You can reproduce an attack and see it. That is a very good feature I noticed in this solution. It helps developers as well."
- "When you add new projects for the same product, it either duplicates or replaces the scan configuration. If I run a scan for the same product with a different scan configuration, it should keep the previous scan configuration and not replace it with the new scan configuration. It should just add the new scan configuration. That would be helpful. They do keep the results as it is, but the scan configuration keeps changing. For example, I have set a scan configuration to a full scan, and next week, I want to run a new scan for the same product with some changes or new functionalities. I want to run a partial scan. Currently, if I change the scan configuration to partial, it changes the old one also to partial. That should be improved."
What is our primary use case?
We are using it for DAST, dynamic scanning.
What is most valuable?
I like the user interface and the friendly nature of the tool. It is very user-friendly for anyone to use it. The customization part for scanning is also good.
You have various attack modules, and you also have the Attack Replay feature for the attack sequence. You can reproduce an attack and see it. That is a very good feature I noticed in this solution. It helps developers as well.
What needs improvement?
Scanning can be better. When you add new projects for the same product, it either duplicates or replaces the scan configuration. If I run a scan for the same product with a different scan configuration, it should keep the previous scan configuration and not replace it with the new scan configuration. It should just add the new scan configuration. That would be helpful. They do keep the results as it is, but the scan configuration keeps changing. For example, I have set a scan configuration to a full scan, and next week, I want to run a new scan for the same product with some changes or new functionalities. I want to run a partial scan. Currently, if I change the scan configuration to partial, it changes the old one also to partial. That should be improved.
They need to work on the user interface and management of all the projects. Their support can also be improved a little.
They should also focus on a wider integration scale and end-to-end scanning.
For how long have I used the solution?
It has been almost one year.
What do I think about the stability of the solution?
It is stable. Like most products, there is some downtime here and there when they do some patches. Sometimes, it might be stuck as well. So, there are minor challenges, but there is nothing major. The support is helpful during those challenges. Whenever they have some patches or planned downtime, they inform us well before so that we can prepare ourselves. For the past year, I did not face any major challenges.
What do I think about the scalability of the solution?
It is definitely scalable. We have been changing and upgrading its usage in phases.
At present, we have more than 150 users. It is being used on a weekly or a monthly basis. We are only using it for dynamic scanning. Once the environment is ready, we run the scan. We have not automated the scans as of now. We will be doing that in the next quarter, and we will schedule the scans on a monthly or quarterly basis, where once we set the configuration for a particular project, the scan will automatically trigger. Currently, our release cycle is not consistent. That's the reason we have not automated it, but eventually, we will be doing that.
How are customer service and support?
When I joined, the agreement with Rapid7 was already in place. They have only email support, and if they have 24/7 phone support as well, that would be really helpful. Most of the technical support people are in the US time zone, whereas we span across different regions. We have a few folks in the UK and a few folks in India. We need to manage the time as well. So, we need a resolution as soon as possible. That is a little challenging for us at times.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have used Fortify on Demand and other solutions. Each solution, whether it is Fortify, Qualys, or Veracode, has its own pros and cons.
Qualys has a wider integration scale, and also from the cloud perspective, when you want to install the Qualys agents on any of your ECS or VMs, it is usually easy to integrate. Rapid7 is also easy, but it doesn't offer anything to scan everything from end to end. It is still improving. I recently attended one of their sessions, and I know they are coming up with new features, but they need to fasten up based on what the current market is and what other products offer.
We have been using it only from the AppSec perspective, and it has been working well for us. If I go with Rapid7 for extensive use, including vulnerability management and infrastructure, it would become a little challenging for us because it doesn't offer so many features compared to Qualys or any other products.
How was the initial setup?
It is straightforward. You don't need to have any complex solutions for it. They do provide all the documentation with all the steps. It is easy to follow the documentation.
It took a few hours to set it up. We did not immediately engage in it. We did the setup in phases. We modeled it that way. So, it was very quick for us because we had planned it that way.
What about the implementation team?
It was implemented in-house. In terms of maintenance, it doesn't require much maintenance. So far, I have not seen any major maintenance requirements. There are only regular updates.
What's my experience with pricing, setup cost, and licensing?
They offer a good price, but I don't remember its cost. It is fair as compared to the competition. We have opted for project-based licensing, not user-based. We can add any number of users. That doesn't matter.
It is worth the money. I would rate it a four out of five in terms of pricing.
What other advice do I have?
When you want to buy a tool, the main thing is whether it meets the requirements based on your business needs. In my previous company, I was in the financial sector, which has a lot of PCI transactions, et cetera. Now, I am in the media industry, and we don't have PCI transactions. It all depends on what kind of business you have, what are the requirements, and whether the product meets your requirements. For our needs, Rapid7 was the ideal go-to tool. Based on the budget, pricing, and features, we went for Rapid7.
I would rate it a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Product Manager at a computer software company with 11-50 employees
Easy to manage platform with an efficient user interface
Pros and Cons
- "The product’s most valuable feature is UI. It is easy to manage and find vulnerabilities in the application."
- "The product’s pricing could be flexible."
What is our primary use case?
We use Rapid7 InsightAppSec to fetch the vulnerabilities in the web application. We can get insights on missing codes in the configurations as well.
What is most valuable?
The product’s most valuable feature is UI. It is easy to manage and find vulnerabilities in the application.
What needs improvement?
The product’s pricing could be flexible compared to Acronis.
For how long have I used the solution?
We have been using Rapid7 InsightAppSec for seven months.
What do I think about the stability of the solution?
I rate the product’s stability an eight out of ten. Some functions could be included in the essential version rather than the advanced version.
What do I think about the scalability of the solution?
It is a scalable platform. It is suitable for medium and large enterprises.
How was the initial setup?
The initial setup is simple. It is deployed in cloud and hybrid environments.
What's my experience with pricing, setup cost, and licensing?
I rate Rapid7 InsightAppSec’s pricing an eight out of ten.
What other advice do I have?
I rate Rapid7 InsightAppSec a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
AppSec Engineer at a computer software company with 201-500 employees
Robust, performs well, and has a good user interface
Pros and Cons
- "The most valuable feature of this solution is the graphical interface."
- "The only concern I have with Rapid7 is that it does not provide enough information about vulnerabilities within AppSec."
What is our primary use case?
They have you using this for your endpoint assets with AppSec, and inside AppSec there's a feature connected to all the applications, so you can check for vulnerability and it'll give you information about the event, a description, and location.
We have weekly scans going within Rapid7, and it's really seamless.
What is most valuable?
The most valuable feature of this solution is the graphical interface. It's pretty good, I would rate it a four out of five. Because even, for example, to go and find how to reach your support, let's say you have a ticket, or you want to open for discussion, or you have a question or there's something wrong and you have to create a ticket.
But even to create the ticket, it's not really seamless to find because they have changed their website around. But besides that, it's pretty easy.
I would say four out of five, like I said, to kind of go around their app. It's not too, too difficult, but it's not the easiest.
What needs improvement?
The only concern I have with Rapid7 is that it does not provide enough information about vulnerabilities within AppSec.
You can prepare a report, for example, but even inside the report, you must have some knowledge of Rapid7 and know how to explore certain vulnerabilities.
Out of five, I would rate Rapid7 a 3.5.
For how long have I used the solution?
I have been working with Rapid7 InsightAppSec for five years.
What do I think about the stability of the solution?
Rapid7 InsightAppSec is quite stable. There are no outages.
It is one of the popular players.
How are customer service and support?
Even with their support, I feel like their support is lacking. I don't think it's much support as compared to other tools.
You create a ticket, and it appears that you are deciding when the engineers will work with me. I feel like the customer has to push to get that quality service from them.
How was the initial setup?
I did not originally set it up.
All of the projects that I have had with Rapid7 have already had it set up in that environment, but I believe once it's set up, they work with you to get it set up in your environment. That is my understanding.
What's my experience with pricing, setup cost, and licensing?
I'm not sure how much it costs exactly, but I know it's expensive.
What other advice do I have?
I would absolutely suggest that you Google Rapid7 competitors; you will probably find another tool that is a little bit cheaper and has the same features and capabilities.
I would rate Rapid7 InsightAppSec an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Architect/Staff Engineer at a consultancy with 10,001+ employees
Comes with convenient reporting features, which offers high-level environmental statistics
Pros and Cons
- "It is very convenient to get reports from the tool, which offers high-level environmental statistics."
- "We get a lot of false positives during the tests."
What is our primary use case?
We use the product for dynamic application security testing.
What is most valuable?
It is very convenient to get reports from the tool, which offers high-level environmental statistics.
What needs improvement?
We get a lot of false positives during the tests.
What do I think about the scalability of the solution?
Rapid7 InsightAppSec's scalability is good.
How are customer service and support?
You will get good support if you pay for good licensing options. It depends on the vendors.
How would you rate customer service and support?
Neutral
How was the initial setup?
The tool's deployment is straightforward.
What other advice do I have?
I rate Rapid7 InsightAppSec a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Architect at a healthcare company with 11-50 employees
User-friendly, competitive pricing, and knowledgeable support
Pros and Cons
- "It's very easy to use and user-friendly. It does the job."
- "They should add more features. I would like to see them do a little more on static analysis and also interactivity analysis. Currently, it does very basic static analysis. It could do a little more static analysis, which is something that would help. A lot more interactivity analysis should also be there. It should basically look at security during interactivity."
What is our primary use case?
We are using it to scan code. We have developers who write a lot of web applications. We use InsightAppSec to scan them. When an application is running, it goes through the application and identifies any faults.
What is most valuable?
It's very easy to use and user-friendly. It does the job.
What needs improvement?
They should add more features. I would like to see them do a little more on static analysis and also interactivity analysis. Currently, it does very basic static analysis. It could do a little more static analysis, which is something that would help. A lot more interactivity analysis should also be there. It should basically look at security during interactivity.
For how long have I used the solution?
I've been using it for almost a year.
What do I think about the stability of the solution?
It's very stable. There are no challenges.
What do I think about the scalability of the solution?
It's scalable. In terms of its usage, we just have one license, which is being used by a developing team with 20 developers. We don't need to have a lot of licenses. Once the code is done, we need to just put it in a common place and then scan it. So, we have just one license for it.
How are customer service and support?
They're very knowledgeable. They respond fast. They were able to help me. I would rate them a five out of five.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I've used HCL AppScan. AppScan does a lot more. It looks at static analysis. It looks at the code when it's not being executed and when it's executing. It also looks at interactivity. The only problem with AppScan is that it's a bit expensive because, for each scan, you need to pay. You need to get a license for each scan. So, every time I scan, it becomes a bit more expensive. That's the only reason why we went with InsightAppSec.
How was the initial setup?
It's straightforward. I would rate its setup a five out of five in terms of ease.
What's my experience with pricing, setup cost, and licensing?
Its price is competitive. It is not expensive.
What other advice do I have?
You need to understand its capabilities. It has good capabilities, but its capabilities and features can be improved.
I would rate it an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Engineer at a financial services firm with 51-200 employees
Easy to use and deploy with great support
Pros and Cons
- "The solution is stable."
- "We'd like to see integrations with WAF solutions."
What is our primary use case?
We use the solution for testing before deployment on customers and looking for some issues when customers need to verify the problem with using that product. Basically, it's for testing before deployment.
What is most valuable?
AppSec is a Software as a Service. So we don't need to upgrade it.
It is easy to use and deploy to the customer.
The recorder for the login sequence to the customer application is great.
The solution is stable.
It is very easy to scale. Users can expand it if they need to.
What needs improvement?
We'd like to see integrations with WAF solutions. That could be improved.
Rapid7 has a new solution to test a secure application and integrate with the secure application; however, sometimes our customer has a Web Application Firewall externally.
For how long have I used the solution?
I've been using the solution for three years. I've used it for a while now.
What do I think about the stability of the solution?
The stability has been very good. I would rate it five out of five in terms of reliability. It doesn't crash or freeze. There are no bugs or glitches. The performance is good.
What do I think about the scalability of the solution?
It's quite simple to scale the product. You just have to define a new application, and that's all. I'd rate it five out of five in terms of ease of deployment.
Three of us are using the solution right now.
How are customer service and support?
Technical support has been very helpful and responsive. We are satisfied with their level of support.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is very straightforward and simple. It's not a complex process.
We only need three people to deploy the solution.
The process only takes a few days. It depends on the number of secured applications of the customer. When the customer has a small setup, it's faster.
We only need one or maybe two people to maintain the solution.
What about the implementation team?
We provide deployments for customers. We can handle implementations.
What's my experience with pricing, setup cost, and licensing?
I'm on the technical side and therefore do not directly deal with costs or licensing. I'm not sure how much we pay or what the licensing agreement is.
What other advice do I have?
We're a partner.
We support our customers with products from Rapid7 and Tenable. We provide support to our clients.
I'd rate the solution nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner