Rapid7 InsightAppSec Reviews

Our main use case for Rapid7 InsightAppSec is to perform internal assessment of applications and external facing applications. We have a cloud engine plus on-premises engine, and we have been leveraging both to conduct our internal app sec and external web application security scanning.

There are some areas for improvements regarding false positives. The integration capabilities are limited, as options for integrations with other tools such as SNOW, Jira, or other integration tools have been lacking in Rapid7 InsightAppSec. Rapid7 has InsightConnect for automation, but it has not been readily available to us. We would appreciate the ability to integrate with other tools, which is currently lacking in the Rapid7 InsightAppSec platform.

We heavily rely on this platform to do our security work. We also use Security Scorecard, which is another vendor providing external security intelligence and external web application monitoring. We would appreciate if Rapid7 InsightAppSec could leverage its inbuilt functionalities and possibly integrate our own written tools.

From the strong points, it provides very good scan coverage and has excellent cloud-based engine scanning capabilities. It has a user-friendly interface, though it can be glitchy sometimes. The platform currently does not support AI-driven capabilities. They have recently released AI integrations to detect LLM-based attacks, but it is not leveraging LLMs; it's merely detecting LLM attack scenarios.

The centralized dashboard feature is very important in Rapid7 InsightAppSec. As part of the red teaming, while vulnerability management is not the only thing I do, it's crucial to see the statistics. If one engine is failing, I would mobilize my internal team to address it properly. It's super important to analyze critical issues, running scans, their effectiveness, and accessible metrics; these details are easily available in the centralized dashboard.

The flexibility in deployment options, including cloud native and on-prem, is very helpful for our infrastructure. We have Rapid7 AppSec installers, and when we attempt to leverage this platform for internal application scanning, the cloud engine cannot interact with our internal applications. This is why we need to depend on our own servers to install those installers from Rapid7 and use the on-premises feature.

We are leveraging the reporting feature of Rapid7 InsightAppSec, and the reporting functionality is excellent. The only issue occurs when using the user interface and exporting files, as it sometimes doesn't work. The issue stems from browser settings where cookies interfere with the user interface. A support technician confirmed they are working on improving this aspect, as browsers' built-in capabilities interfere with their ability to import or export files. The reports themselves are accurate and very good, except where many entries may be false positives.

There are areas for improvements regarding false positives. Integration capabilities are lacking, as options for integrations with other tools such as SNOW, Jira, or other integration tools are not sufficient in Rapid7 InsightAppSec.

The user interface sometimes has glitches, which may prevent appropriate results during navigation, and even when we get appropriate results, it can be impossible to export them to CSV records or download files.

Regarding scalability, Rapid7 InsightAppSec is not a scalable solution for our industry due to limited integration capabilities. Rapid7 relies on another tool called InsightConnect, which requires additional investment, detracting from scalability.

Another area that needs improvement is the integration of AI capabilities into the platform. Both Rapid7 InsightAppSec and InsightVM need to advance in that area.

In terms of behavioral and pattern recognition, identifying complex attacks such as SQL, blind SQL, JSON, and LDAP injections often results in 94% false positives. This necessitates improvement in their behavioral-based analytics feature.

Regarding stability, there are no complaints as it works as it should, but the issue of false positives is significant. Stability is fine, but we have to question the false positives. If those false positives were eliminated, it would be good; however, stability in general is not a concern for us.

Rapid7 InsightAppSec is not a scalable solution for our industry. Scalability will always factor in terms of integration possibilities. To scale something, you will always need the ability to integrate with other tools. At the moment, the integration capabilities are not very good, which is disappointing. Rapid7 tends to rely on another tool called InsightConnect for which you must spend more money, which detracts from scalability. If I had to rate scalability on a scale of one to ten, I would give it a four or five.

I have a very good impression of Rapid7's technical support. They have provided excellent technical support, and they are responsive. However, they seem to struggle with their own methods of handling tickets. We have support both on call and for any issues that arise, and it is always timely. What I would suggest is that while the technicians understand the problems and accept them, they do not adequately integrate feedback into their products. Hundreds of feedback items have been submitted over the past three years without notable improvements being integrated or implemented, which is disappointing. Otherwise, the technical support itself is satisfactory.

The initial setup for Rapid7 InsightAppSec is very straightforward, and the installations have been seamless. That is why I have been recommending it; there were no errors or technical difficulties in the process. Anyone can easily set it up, provided they have appropriate and powerful servers. It truly boils down to your own infrastructure if you can deploy it correctly.

For us, it took approximately 40 minutes to deploy. We did not use an integrator, reseller, or consultant for deployment because the documentation was so apt that we managed to set it up ourselves. Although we had various kinds of consultants available, we didn't need to leverage them since we had the knowledge to install it, and it was super easy.

The behavior-based analytics feature in Rapid7 InsightAppSec has not been leveraged. From what I believe, it does not come out of the box within the Rapid7 InsightAppSec. The behavioral aspect appeared to focus on scanning, where blind SQL injections were mostly false positives that required manual tests to confirm.

The pricing for Rapid7 is very expensive. We are paying $14 per asset for Rapid7 InsightVM and have 6,000 assets, which amounts to approximately $29,000. We've compared this with other tools such as Burp Suite's DAS platform, QualysGuard, and HP Fortify. Despite having E5 and E3 licenses that offer free access to Microsoft's Vulnerability Management dashboard, our significant investments in Rapid7 prevent us from switching.

I would recommend Rapid7 InsightAppSec if you have a stable industry, not a hybrid one that relies on too many technologies. If you use different stacks in your technology, Rapid7 might not be the tool for you. It can be very efficient if you have a similar stack, such as a Linux environment or Windows environment, which is very specific to this profiling.

On a scale of one to ten, I rate this solution a seven.

I usually recommend this solution for financial institutions. Banks and financial institutions need this solution mostly because they have to follow stringent compliance advisory requirements, so they must have this solution.

My team is working with this product because we are a service provider and have provided this service to our customers. From that perspective, I cannot go into detail on the feature sets if you are interested in knowing that. However, as far as I know, we are providing the service, and customers are satisfied with it because we are getting renewals.

Customers use the product for scanning purposes and do not want to be restricted with respect to the number of scans they perform. The scanning can be scheduled daily, weekly, monthly, or whenever the need arises. This is a good feature that customers are getting.

Customers sometimes experience issues with performance. One thing that I recall is that most customers often want to have reporting as per their customized dashboard. This needs to be improved because although we guide them and let them know what they have to learn, some customers want to have some respect to their local environment. Some customers need help, support, or improvements in that platform if we can customize the reporting.

I have been dealing with this solution for more than three to four years now.

Regarding the pricing of Rapid7 InsightAppSec, I think it is reasonable because if a product is performing well, customers are happy to go with it even if it costs a little bit more. I have not received any complaints or issues regarding high price, so I would say it is acceptable.

I would rate the technical support by Rapid7 from one to ten at about seven.

Regarding the response time, I have to check with my respective team if they have any issues regarding that, but it has not been escalated. This means they are satisfied and are getting the response when the need arises for opening tickets or requesting support. The technical team responds, and sometimes we do that on behalf of our customers, so we get the response.

Positive

I have not heard any complaints.

I do not have any recommendations because customers were initially worried about the number of scans they used to perform, and now it has been enhanced or it will sometimes go to a maximum of unlimited number of scans they can do. This supports them, and I think that is acceptable. There is no such big issue here.

I do not think we always go with Rapid7 InsightAppSec in our basket to any customer. Even if someone is not using it, we pitch the same product to them as well. This is how we work and operate.

I would rate this review seven out of ten.

I am working with Rapid7 InsightAppSec as well as Insight VM.

Relatively speaking, InsightAppSec is good compared to Insight VM. I also tested InsightAppSec because Insight VM was not effective on web-based systems. I required a solution to manage on-premises, but I was not as satisfied as expected. I did note some good features in InsightAppSec compared to my existing solutions.

There is room for improvement in the response time of customer service and support levels. Rapid7 could improve the reporting and the depth of the research or assessment. Integration with other tools could also be enhanced. The pricing is also expensive, and I need a fairer price with potential discounts.

I tested Rapid7 InsightAppSec for eight months.

The technical support is good, however, there can be improvements in response time and support levels.

Negative

Before InsightAppSec, I worked with solutions that were on-premises. I switched to InsightAppSec to manage my needs, however, I was not fully satisfied.

Pricing is expensive for me, similar to IBM. Both are costly, and there is a need for a discount.

For improvement, features could be more like Nessus and other similar tools.

I am not very comfortable with the reports and their presentation. Rating the solution from one to ten, I would give it a six. I have considered other options but have not yet decided.

Positive

We primarily use Rapid7 InsightAppSec for application security within our organization. We perform penetration testing on our in-house-built, Java-based web applications to comply with regulatory standards. We use InsightAppSec to scan both web applications and APIs, executing penetration tests once a month to ensure compliance and security.

Rapid7 InsightAppSec helps us in both regulatory compliance and in strengthening our security posture. We make sure all APIs go through production scanning, and we receive alerts to address potential security threats.

When considering DAST, it is not attributed to a singular feature but rather the capabilities of the engine that provides a genuine penetration testing experience and delivers insightful reports. 

The attacks simulate real-world scenarios, providing a view into potential vulnerabilities. These capabilities have greatly assisted us in maintaining a secure environment, particularly in our financial domain.

The reporting feature of Rapid7 InsightAppSec needs improvement as it currently provides basic reports. It would be beneficial if there were an option for customers to customize reports to include more details. 

Additionally, the interface is a bit complicated for new users, especially for configuring modern applications and APIs. An intuitive wizard-based configuration would be helpful.

I have been using Rapid7 InsightAppSec for about six years.

Rapid7 InsightAppSec is 100% scalable.

The support team at Rapid7 is commendable and always available to assist, especially when configuring applications which can be a bit complex without developer support.

Neutral

We also use Qualys WAS for vulnerability management and have been a Qualys customer for seven to eight years.

InsightAppSec's configuration is a bit complex for fresh users, particularly when dealing with API scanning. A modern, wizard-based setup would be beneficial.

The DAST capabilities of Rapid7 InsightAppSec provide an ultimate level experience, showcasing real-world scenarios and payload strengths, which are truly impressive.

We have been using Qualys WAS for vulnerability management aside from InsightAppSec.

I would recommend separating the configuration of application and API scanning. Moreover, improving the reporting feature would be beneficial. On a scale of one to ten, I would rate Rapid7 InsightAppSec an eight out of ten for penetration testing. 

I use InsightAppSec with our customers. I help them create and realize scans in the environment. I also use the setup technology to scan our environment. I have experience as both a user and administrator.

The automatic automation of the automated authorization to the SCANNET environment is valuable. We can use automated actions or create a macro with the authorization sequence. It's very helpful when we send information to the developer, and when they can test the purchase or remediation provided during the development process themselves.

The previous product, AppSpyder, had a virtual patching module where we could generate patches for third-party web application firewalls, such as Imperva or F5. Currently, InsightAppSec lacks similar functionality. Customers must wait for remediation during the developers' preparation of a new version. Virtual patching could help protect web pages shortly after finishing the scan process.

I have used this solution for a few years till now.

I rate stability ten out of ten. It always works.

Scalability is pretty easy.

In general, it is very simple to set up. It's running from the cloud environment. The customer has to read the console, and if they want, they must implement a local scan engine. However, when we started with the product, we had a complete environment with cloud-based scan engines, making the initial implementation very easy.

Competitors could be enabled with a VAS scanner and maybe Acunetix. Acunetix can use or buy small companies because the price is lower, if I remember correctly. I don't know the details from Qualys, however, Qualys has a vulnerability web application scanner too, making them another potential competitor.

I would give an overall product rating of eight out of ten.

Neutral

I use the solution to check multiple websites, particularly dynamic and e-commerce websites, for vulnerabilities within the code. The tool helps identify any vulnerabilities present in the code, providing precise information about the code that contains vulnerabilities.

In Rapid7 InsightAppSec, a distinctive feature is the provision of a CDM for integrating web servers and web applications. To establish the connection between these applications, you only need to paste the provided CDN into your metadata. Once connected, every piece of information, including vulnerabilities, can be accessed. It also offers demo sessions. 

If there is any malicious network traffic targeting a specific web application, it is designed to detect and showcase the entire scenario. It provides insights into potential vulnerabilities, including issues related to process scripting or content security policy vulnerabilities.

Setting up and configuring scans within the tool is easy, and I would rate it a nine out of ten. It provides videos on YouTube, along with documentation that breaks down the process into step-by-step instructions. 

Rapid7 InsightAppSec needs improvement in detecting phishing pages. 

I have been using the product for four years. 

I rate the solution's stability a six out of ten. There have been instances where fetching data, even for old users, took a long time.

I would rate the scalability at an eight out of ten on a scale from one to ten. There are occasional challenges with the product, particularly in onboarding, where delays can be experienced. This delay sometimes makes it difficult to address issues promptly, and reliance on queries may not always yield the desired results due to occasional bugs. Additionally, there have been instances where data retrieval after deployment takes time, sometimes up to 30 minutes to an hour. Scanning a single website can also be time-consuming, ranging from 25 to 30 minutes, and for multi-vendor e-commerce websites, it may take even longer to scan the entire site.

The initial setup is easy, to the extent that even a non-IT person can set it up. 

Rapid7 InsightAppSec is cheap. 

In a scenario involving the tool and preventing potential security breaches, let's consider a case where a security feature is deployed using Rapid7 InsightAppSec. Although I haven't personally experienced this, I can provide an example. Suppose there is a vulnerability in WordPress or Apache servers, and it identifies a new one-level zero-day attack template associated with it. In this case, it may have detected this vulnerability three months after its initial occurrence.

We utilize dynamic application security testing. It involves deploying an application by onboarding it onto a device, which is then linked to the application. The notable aspect is that we don't need to maintain a server for this process. Instead, we simply log in and configure Splunk Enterprise to connect with the product. There is no need to deploy a separate server. It provides clear, step-by-step instructions, including the provision of a dynamic key by the application, making it easy to implement with documentation.

I rate it an eight out of ten. 

We use it as a web application scanner. It runs a ton of different detections and tests against our web applications and provides us with results. It connects directly with our SDLC for an API. We can automate the scanning of a web application during the development process when it changes from development to test and test to production.

I like that the product allows us to have an internal and external scanner. We can authenticate scans and pick and choose which attacks we want to use. It is a very robust solution.

The number of web applications we can scan is limited. There's a cost associated with how many web apps we want to scan.

I have been using the solution for a year.

I have not had any issues. For over a year, the tool has not been down.

The tool is completely cloud-based. So, the scalability is fine for external scanning. For internal scanning, we must create another scanner on our internal network. We can scale it at mass.

The support is great. The problem with the support team is that it does not have a calling number. The best way to get a hold of the support team is by contacting the customer success manager and getting somebody in the support team. We could open a ticket, but we cannot call. Sometimes, I want to be able to just call somebody. I don't want to put a ticket in and wait for a response. The support team is responsive.

Neutral

We used Qualys before. Rapid7 is better than Qualys.

The initial setup is quite simple. I rate the ease of setup a nine out of ten. We can just connect to the web application and access our site. We can get it up and running within 20 minutes.

The solution does not require maintenance since it is SaaS-based.

Rapid7 just came out with a new package called Cloud Risk Complete, which gives us unlimited insight into scanning and unlimited AppSec scanning. It also gives us InsightCloudSec.

The product can do everything. We are struggling to get our DevOps team to commit to utilizing our web application scanners. We are siloed with it.

Overall, I rate the product an eight out of ten.

We are using it for DAST, dynamic scanning.

I like the user interface and the friendly nature of the tool. It is very user-friendly for anyone to use it. The customization part for scanning is also good. 

You have various attack modules, and you also have the Attack Replay feature for the attack sequence. You can reproduce an attack and see it. That is a very good feature I noticed in this solution. It helps developers as well.

Scanning can be better. When you add new projects for the same product, it either duplicates or replaces the scan configuration. If I run a scan for the same product with a different scan configuration, it should keep the previous scan configuration and not replace it with the new scan configuration. It should just add the new scan configuration. That would be helpful. They do keep the results as it is, but the scan configuration keeps changing. For example, I have set a scan configuration to a full scan, and next week, I want to run a new scan for the same product with some changes or new functionalities. I want to run a partial scan. Currently, if I change the scan configuration to partial, it changes the old one also to partial. That should be improved.

They need to work on the user interface and management of all the projects. Their support can also be improved a little.

They should also focus on a wider integration scale and end-to-end scanning.

It has been almost one year.

It is stable. Like most products, there is some downtime here and there when they do some patches. Sometimes, it might be stuck as well. So, there are minor challenges, but there is nothing major. The support is helpful during those challenges. Whenever they have some patches or planned downtime, they inform us well before so that we can prepare ourselves. For the past year, I did not face any major challenges.

It is definitely scalable. We have been changing and upgrading its usage in phases.

At present, we have more than 150 users. It is being used on a weekly or a monthly basis. We are only using it for dynamic scanning. Once the environment is ready, we run the scan. We have not automated the scans as of now. We will be doing that in the next quarter, and we will schedule the scans on a monthly or quarterly basis, where once we set the configuration for a particular project, the scan will automatically trigger. Currently, our release cycle is not consistent. That's the reason we have not automated it, but eventually, we will be doing that.

When I joined, the agreement with Rapid7 was already in place. They have only email support, and if they have 24/7 phone support as well, that would be really helpful. Most of the technical support people are in the US time zone, whereas we span across different regions. We have a few folks in the UK and a few folks in India. We need to manage the time as well. So, we need a resolution as soon as possible. That is a little challenging for us at times. 

Neutral

I have used Fortify on Demand and other solutions. Each solution, whether it is Fortify, Qualys, or Veracode, has its own pros and cons. 

Qualys has a wider integration scale, and also from the cloud perspective, when you want to install the Qualys agents on any of your ECS or VMs, it is usually easy to integrate. Rapid7 is also easy, but it doesn't offer anything to scan everything from end to end. It is still improving. I recently attended one of their sessions, and I know they are coming up with new features, but they need to fasten up based on what the current market is and what other products offer. 

We have been using it only from the AppSec perspective, and it has been working well for us. If I go with Rapid7 for extensive use, including vulnerability management and infrastructure, it would become a little challenging for us because it doesn't offer so many features compared to Qualys or any other products.

It is straightforward. You don't need to have any complex solutions for it. They do provide all the documentation with all the steps. It is easy to follow the documentation.

It took a few hours to set it up. We did not immediately engage in it. We did the setup in phases. We modeled it that way. So, it was very quick for us because we had planned it that way. 

It was implemented in-house. In terms of maintenance, it doesn't require much maintenance. So far, I have not seen any major maintenance requirements. There are only regular updates.

They offer a good price, but I don't remember its cost. It is fair as compared to the competition. We have opted for project-based licensing, not user-based. We can add any number of users. That doesn't matter.

It is worth the money. I would rate it a four out of five in terms of pricing.

When you want to buy a tool, the main thing is whether it meets the requirements based on your business needs. In my previous company, I was in the financial sector, which has a lot of PCI transactions, et cetera. Now, I am in the media industry, and we don't have PCI transactions. It all depends on what kind of business you have, what are the requirements, and whether the product meets your requirements. For our needs, Rapid7 was the ideal go-to tool. Based on the budget, pricing, and features, we went for Rapid7.

I would rate it a nine out of ten.