Provides reliable application security but needs better integration options
What is our primary use case?
Our main use case for Rapid7 InsightAppSec is to perform internal assessments of applications and external-facing applications. We have a cloud engine plus an on-premises engine, and we have been leveraging both to conduct our internal app sec and external web application security scanning.
There are some areas for improvements regarding false positives. The integration capabilities are limited, as options for integrations with other tools such as SNOW, Jira, or other integration tools have been lacking in Rapid7 InsightAppSec. Rapid7 has InsightConnect for automation, but it has not been readily available to us. We would appreciate the ability to integrate with other tools, which is currently lacking in the Rapid7 InsightAppSec platform.
We heavily rely on this platform to do our security work. We also use Security Scorecard, which is another vendor providing external security intelligence and external web application monitoring. We would appreciate if Rapid7 InsightAppSec could leverage its inbuilt functionalities and possibly integrate our own written tools.
From the strong points, it provides very good scan coverage and has excellent cloud-based engine scanning capabilities. It has a user-friendly interface, though it can be glitchy sometimes. The platform currently does not support AI-driven capabilities. They have recently released AI integrations to detect LLM-based attacks, but it is not leveraging LLMs; it's merely detecting LLM attack scenarios.
What is most valuable?
The centralized dashboard feature is very important in Rapid7 InsightAppSec. As part of the red teaming, while vulnerability management is not the only thing I do, it's crucial to see the statistics. If one engine is failing, I would mobilize my internal team to address it properly. It's super important to analyze critical issues, running scans, their effectiveness, and accessible metrics; these details are easily available in the centralized dashboard.
The flexibility in deployment options, including cloud native and on-prem, is very helpful for our infrastructure. We have Rapid7 AppSec installers, and when we attempt to leverage this platform for internal application scanning, the cloud engine cannot interact with our internal applications. This is why we need to depend on our own servers to install those installers from Rapid7 and use the on-premises feature.
We are leveraging the reporting feature of Rapid7 InsightAppSec, and the reporting functionality is excellent. The only issue occurs when using the user interface and exporting files, as it sometimes doesn't work. The issue stems from browser settings where cookies interfere with the user interface. A support technician confirmed they are working on improving this aspect, as browsers' built-in capabilities interfere with their ability to import or export files. The reports themselves are accurate and very good, except where many entries may be false positives.
What needs improvement?
There are areas for improvements regarding false positives. Integration capabilities are lacking, as options for integrations with other tools such as SNOW, Jira, or other integration tools are not sufficient in Rapid7 InsightAppSec.
The user interface sometimes has glitches, which may prevent appropriate results during navigation, and even when we get appropriate results, it can be impossible to export them to CSV records or download files.
Regarding scalability, Rapid7 InsightAppSec is not a scalable solution for our industry due to limited integration capabilities. Rapid7 relies on another tool called InsightConnect, which requires additional investment, detracting from scalability.
Another area that needs improvement is the integration of AI capabilities into the platform. Both Rapid7 InsightAppSec and InsightVM need to advance in that area.
In terms of behavioral and pattern recognition, identifying complex attacks such as SQL, blind SQL, JSON, and LDAP injections often results in 94% false positives. This necessitates improvement in their behavioral-based analytics feature.
What do I think about the stability of the solution?
Regarding stability, there are no complaints as it works as it should, but the issue of false positives is significant. Stability is fine, but we have to question the false positives. If those false positives were eliminated, it would be good; however, stability in general is not a concern for us.
What do I think about the scalability of the solution?
Rapid7 InsightAppSec is not a scalable solution for our industry. Scalability will always factor in terms of integration possibilities. To scale something, you will always need the ability to integrate with other tools. At the moment, the integration capabilities are not very good, which is disappointing. Rapid7 tends to rely on another tool called InsightConnect for which you must spend more money, which detracts from scalability. If I had to rate scalability on a scale of one to ten, I would give it a four or five.
How are customer service and support?
I have a very good impression of Rapid7's technical support. They have provided excellent technical support, and they are responsive. However, they seem to struggle with their own methods of handling tickets. We have support both on call and for any issues that arise, and it is always timely. What I would suggest is that while the technicians understand the problems and accept them, they do not adequately integrate feedback into their products. Hundreds of feedback items have been submitted over the past three years without notable improvements being integrated or implemented, which is disappointing. Otherwise, the technical support itself is satisfactory.
How was the initial setup?
The initial setup for Rapid7 InsightAppSec is very straightforward, and the installations have been seamless. That is why I have been recommending it; there were no errors or technical difficulties in the process. Anyone can easily set it up, provided they have appropriate and powerful servers. It truly boils down to your own infrastructure if you can deploy it correctly.
For us, it took approximately 40 minutes to deploy. We did not use an integrator, reseller, or consultant for deployment because the documentation was so apt that we managed to set it up ourselves. Although we had various kinds of consultants available, we didn't need to leverage them since we had the knowledge to install it, and it was super easy.
What other advice do I have?
The behavior-based analytics feature in Rapid7 InsightAppSec has not been leveraged. From what I believe, it does not come out of the box within the Rapid7 InsightAppSec. The behavioral aspect appeared to focus on scanning, where blind SQL injections were mostly false positives that required manual tests to confirm.
The pricing for Rapid7 is very expensive. We are paying $14 per asset for Rapid7 InsightVM and have 6,000 assets, which amounts to approximately $29,000. We've compared this with other tools such as Burp Suite's DAS platform, QualysGuard, and HP Fortify. Despite having E5 and E3 licenses that offer free access to Microsoft's Vulnerability Management dashboard, our significant investments in Rapid7 prevent us from switching.
I would recommend Rapid7 InsightAppSec if you have a stable industry, not a hybrid one that relies on too many technologies. If you use different stacks in your technology, Rapid7 might not be the tool for you. It can be very efficient if you have a similar stack, such as a Linux environment or Windows environment, which is very specific to this profiling.
On a scale of one to ten, I rate this solution a seven.
Which deployment model are you using for this solution?
Hybrid Cloud
Benefit from accurate vulnerability detection and user-friendly reports for application security testing
What is our primary use case?
I use Rapid7 InsightAppSec for dynamic application security testing. My main focus is on the quality of detection, specifically detecting vulnerabilities correctly. I also use it to provide neat reports, which my security team can use for validation. These reports are user-friendly, allowing us to open them and click 'validate' to check if the validation is accurate.
What is most valuable?
Rapid7 InsightAppSec is a good product for dynamic application security testing. It provides neat reports that include validation actions, and it helps to generate web application firewall rules for web applications. Additionally, the attack replay function is beneficial for security testing applications.
What needs improvement?
Currently, I do not see any specific areas for improvement except for possibly lowering the price.
For how long have I used the solution?
I have been working with Rapid7 InsightAppSec for six years.
What do I think about the stability of the solution?
I would rate the stability of Rapid7 InsightAppSec at eight or nine out of ten. It is a stable solution.
What do I think about the scalability of the solution?
Scalability is quite easy with Rapid7 InsightAppSec. It's easy to expand and accommodate more users or applications.
How are customer service and support?
The technical support from Rapid7 is not bad, but the response time can be quite slow sometimes. I would rate it a seven out of ten.
How was the initial setup?
The initial setup is quite simple because it is cloud-based, which makes onboarding applications on-premise not so complicated.
What's my experience with pricing, setup cost, and licensing?
The price could potentially be lower for users.
Which other solutions did I evaluate?
In the Vietnamese market for now, I could compare Rapid7 InsightAppSec to solutions from Microsoft, specifically Web Inspect.
What other advice do I have?
I have an idea for additional functions, but maybe in the future. I would recommend Rapid7 InsightAppSec because it offers some valuable features for customers, and I see the value it provides. My overall final rating for the product would be eight or nine out of ten.
Robust technical support and effective vulnerability remediation enhance security operations
What is our primary use case?
Our primary use case for Rapid7 InsightAppSec is to scan for vulnerabilities on our APIs and UIs. We provide this service while being based at a client location, where we look after the Rapid7 InsightAppSec tool for them.
What is most valuable?
The most valuable feature of Rapid7 InsightAppSec is the remediation part, which we use the most. This aspect of the tool helps in addressing vulnerabilities effectively, making it one of the most utilized features in our operations.
What needs improvement?
There is room for improvement in Rapid7 InsightAppSec by giving clients the ability for extra columns on reports and enabling the extraction of remediation reports into a CSV format. Currently, the PDF format is cumbersome to go through when dealing with thousands of pages.
For how long have I used the solution?
I have approximately two years of experience working with this tool.
What do I think about the stability of the solution?
On a scale from one to ten, I would rate the stability of the solution at nine.
What do I think about the scalability of the solution?
On a scale from one to ten, the scalability of this solution is rated a nine.
How are customer service and support?
I would rate the technical support from Rapid7 a ten, indicating high-quality support.
How was the initial setup?
The initial setup of this tool is straightforward.
What's my experience with pricing, setup cost, and licensing?
The price of this solution is fair.
What other advice do I have?
Based on my experience, I would recommend Rapid7 InsightAppSec to other people. It's a fantastic solution when it works up to your capabilities. I would rate this tool overall at eight on a scale from one to ten.
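Two of the reviews above ask for the same thing from different angles: the first reports that exporting results to CSV from the UI sometimes fails, and the third asks for extra report columns and a CSV alternative to thousand-page PDFs. The script below is an added example, not part of any review and not Rapid7's own code. It shows the shape of a small export step a team can run on vulnerability records they have already pulled out of the platform: nested records are flattened into dotted column names, triaged-out findings are dropped, and a computed "fingerprint" column is added so consecutive exports can be diffed in a spreadsheet. The record shape and field names (app, severity, status, vulnerability_type, root_cause, variances) are assumptions about what such an export looks like, and the sample records are constructed; substitute the real field names from your own export.

```python
import csv
import io
import json
from typing import Any, Dict, Iterable, List, Sequence

# Constructed sample records. The field names are an assumption about the
# shape of an InsightAppSec vulnerability export; they are not taken from
# Rapid7's documentation. Replace them with the real keys from your export.
SAMPLE_VULNERABILITIES: List[Dict[str, Any]] = [
    {
        "id": "vuln-0001",
        "app": {"id": "app-01", "name": "customer-portal"},
        "severity": "HIGH",
        "status": "UNREVIEWED",
        "vulnerability_type": "SQL Injection",
        "root_cause": {"url": "https://portal.example.test/search", "parameter": "q", "method": "GET"},
        "variances": [{"attack_value": "' OR 1=1--"}, {"attack_value": "1 AND 1=2"}],
    },
    {
        "id": "vuln-0002",
        "app": {"id": "app-01", "name": "customer-portal"},
        "severity": "MEDIUM",
        "status": "FALSE_POSITIVE",
        "vulnerability_type": "Blind SQL Injection",
        "root_cause": {"url": "https://portal.example.test/login", "parameter": "user", "method": "POST"},
        "variances": [{"attack_value": "admin' AND SLEEP(5)--"}],
    },
    {
        "id": "vuln-0003",
        "app": {"id": "app-02", "name": "partner-api"},
        "severity": "LOW",
        "status": "VERIFIED",
        "vulnerability_type": "Missing Security Header",
        "root_cause": {"url": "https://api.example.test/v1/health", "parameter": None, "method": "GET"},
        "variances": [],
    },
]

# Columns the reader actually wants in a spreadsheet; any flattened key works,
# plus the computed "fingerprint" column added by build_rows().
DEFAULT_COLUMNS: Sequence[str] = (
    "id", "app.name", "severity", "status", "vulnerability_type",
    "root_cause.method", "root_cause.url", "root_cause.parameter",
    "variances_count", "fingerprint",
)


def flatten(record: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into dotted keys. Lists become a <key>_count column
    plus a '; '-joined summary, so every record still fits on one CSV row."""
    flat: Dict[str, Any] = {}
    for key, value in record.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        elif isinstance(value, list):
            flat[name + "_count"] = len(value)
            flat[name] = "; ".join(
                json.dumps(v, sort_keys=True) if isinstance(v, dict) else str(v) for v in value
            )
        else:
            flat[name] = "" if value is None else value
    return flat


def fingerprint(flat: Dict[str, Any]) -> str:
    """Stable identity of a finding across scans: app, type, URL and parameter.
    Scan-specific ids change between runs; this column does not."""
    parts = (flat.get("app.name"), flat.get("vulnerability_type"),
             flat.get("root_cause.url"), flat.get("root_cause.parameter"))
    return "|".join(str(p) for p in parts)


def build_rows(records: Iterable[Dict[str, Any]], columns: Sequence[str],
               exclude_statuses: Sequence[str] = ("FALSE_POSITIVE", "IGNORED")) -> List[Dict[str, Any]]:
    """Flatten, drop triaged-out findings, add the fingerprint, select columns.
    Missing columns are emitted as empty strings rather than raising."""
    rows: List[Dict[str, Any]] = []
    for record in records:
        flat = flatten(record)
        if flat.get("status") in exclude_statuses:
            continue
        flat["fingerprint"] = fingerprint(flat)
        rows.append({c: flat.get(c, "") for c in columns})
    return rows


def to_csv(rows: Iterable[Dict[str, Any]], columns: Sequence[str]) -> str:
    """Serialise rows to CSV text; the csv module quotes commas and quotes in
    attack strings, which is exactly where hand-rolled joins break."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns), extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_rows(SAMPLE_VULNERABILITIES, DEFAULT_COLUMNS)
    print(to_csv(rows, DEFAULT_COLUMNS))
```

To keep false positives in the sheet for audit purposes, call `build_rows(..., exclude_statuses=())`; the fingerprint column then lets you carry a "confirmed false positive" mark forward from one export to the next even though the finding ids change.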