Rapid7 products on the Insight platform are designed to fit securely into your environment and adhere to security best practices. We regularly perform application security testing, vulnerability scanning, and internal and external penetration testing to ensure this.
The Insight platform offers multiple options for collecting data from across your IT environment. Whether you use collectors, the Rapid7 Insight Agent, scan engines, or direct connections to our platform, our unified data collection enables your teams to collect data once and use it across multiple products on the Insight platform. Each of our collection methods was designed and built from the ground up with the security of your data in mind, to ensure we maintain the confidentiality and integrity of all collected data.
The Insight platform’s analytics engine relies on various types of databases to store and process your data. Each Rapid7 customer is assigned its own relational database schema within database instances. Data stored in object stores or distributed file systems is tokenized using a unique UUID that logically separates each customer’s data from one another.
The Insight platform’s high availability infrastructure is fully automated and regularly tested to ensure security policies and improvements are consistently applied. The principle of least privilege is applied throughout the Insight platform infrastructure and we have technical controls in place to enforce two-factor authentication, subnet separation, host-level firewalls, bastion/jump hosting, service segregation, and per-service least-privilege network access.
Our Platform Delivery and Information Security teams are leading the way in creative and automated mechanisms to deploy highly reliable, secure, and horizontally scalable cloud services. We have open sourced many components we’ve built to automate and secure our platform. Please visit our public GitHub repositories to see how we automate and secure many components of our platform.
We have policies in place to ensure our environment and your data remain safe, secure, and accessible. Below is a brief overview of our internal security posture.
The Information Security team distributes relevant policies upon hire, and all employees complete security awareness training at least annually. All employees undergo background checks prior to hiring, including reference checks, a criminal background check, and education verification.
Rapid7 provisions all network and application access using the principle of least privilege. Key administrative access is limited, and service accounts are used only sparingly for defined business needs. Upon termination or resignation, all access is removed on the employee’s last day.
Secure password and two-factor authentication requirements are enforced throughout the entire organization. Networks are secured with WPA2 and all wireless networks are segmented from corporate wired networks and production networks. All Rapid7 endpoints have full-drive encryption enabled, are equipped with anti-malware and antivirus, and check for and install updates on a daily basis.
Security patches are deployed to workstations on a regular basis and as needed. Out-of-band patching is performed for critical vulnerabilities. Network and agent-based vulnerability scans are conducted on a continuous basis, at least weekly. Rapid7 has a formal Change Management process in place. Engineering teams follow a documented Software Development Life Cycle which includes code review, automated testing, scenario testing, and internal and external penetration testing to ensure our products are secure from the start.
We use our InsightIDR tool to monitor on-premises and cloud environments for security incidents. We maintain a formal Incident Response process for analysis, containment, eradication, recovery, and follow up in the event of a security incident.
Rapid7 performs formal vendor security assessments on all third party vendors before bringing them into our environment. We take a risk-based approach to vendor security assessments to ensure all vendors meet our security, quality, and privacy standards.
We work hard to ensure all our products are secure from the start, but we want to know if you find a vulnerability or other security flaw when using one of our products. As a provider of security software, services, and research, we strive to set an example with our coordinated vulnerability disclosure philosophy.
If you believe you have discovered a vulnerability in a Rapid7 product, please fill out this form so our security team can ensure the issue is addressed.
If you need to report a security incident or get in contact with Rapid7’s security team for some other reason, contact us at firstname.lastname@example.org.
Please use our PGP public key - KeyID: 959D3EDA - if you feel the need to encrypt your communications with us.