    Insight AppSec - Web Application Security

    Sold by: Rapid7
    Deployed on AWS
    InsightAppSec performs black-box security testing to automate the identification and triage of vulnerabilities, prioritize actions, and remediate application risk.

    Overview

    InsightAppSec is part of Rapid7's security suite, delivering Dynamic Application Security Testing (DAST) for both mature and growing application security teams. Modern applications are increasingly complex, leveraging JavaScript frameworks like React and Angular to enhance user experience and accelerate development. However, these advancements also introduce security challenges.

    Application security is complex, but using security tools should not be. While security scans often require extensive configuration, InsightAppSec comes with system defaults informed by Rapid7's years of expertise, so you can focus on remediating vulnerabilities, not fine-tuning settings. When you need to balance speed and thoroughness, the intuitive Scan Configuration Wizard lets you customize scans to fit your organization's unique needs.

    With Rapid7 InsightAppSec, organizations can:

    • Secure the modern web - Automatically assess web apps and APIs with fewer false positives and missed vulnerabilities.
    • Collaborate with speed - Fast-track fixes with rich reporting, seamless integrations, and clear insights for compliance and development teams.
    • Scale with ease - Manage security assessments across your entire application portfolio, no matter the size.

    Highlights

    • Dynamic Application Security Testing (DAST) - Get actionable, accurate insights with an industry-leading attack framework and library.
    • Replay attacks & validate fixes - Speed up remediation and reduce dev team back-and-forth by providing self-service access.
    • Integrate into dev workflows - Better prevent risk early by adding security testing as part of the build pipeline and integrating dev and sec team workflows.

    Details

    Sold by: Rapid7
    Delivery method: Deployed on AWS


    Pricing

    Insight AppSec - Web Application Security

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (1)

    Dimension: Insight AppSec
    Description: Price based on 1 application.
    Cost/12 months: $2,100.00

    Vendor refund policy


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    Ratings and reviews

    Average rating: 3.5 out of 5 (1 rating)

    5 star: 0%
    4 star: 0%
    3 star: 100%
    2 star: 0%
    1 star: 0%

    1 AWS review | 10 external reviews
    Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.

    Shritam Bhowmick

    Provides reliable applications security but needs better integration options

    Reviewed on Jun 13, 2025
    Review from a verified AWS customer

    What is our primary use case?

    Our main use case for Rapid7 InsightAppSec is to perform internal assessment of applications and external facing applications. We have a cloud engine plus on-premises engine, and we have been leveraging both to conduct our internal app sec and external web application security scanning.

    There are some areas for improvement regarding false positives. The integration capabilities are limited, as options for integrations with other tools such as SNOW, Jira, or other integration tools have been lacking in Rapid7 InsightAppSec. Rapid7 has InsightConnect for automation, but it has not been readily available to us. We would appreciate the ability to integrate with other tools, which is currently lacking in the Rapid7 InsightAppSec platform.

    We heavily rely on this platform to do our security work. We also use Security Scorecard, which is another vendor providing external security intelligence and external web application monitoring. We would appreciate if Rapid7 InsightAppSec could leverage its inbuilt functionalities and possibly integrate our own written tools.

    From the strong points, it provides very good scan coverage and has excellent cloud-based engine scanning capabilities. It has a user-friendly interface, though it can be glitchy sometimes. The platform currently does not support AI-driven capabilities. They have recently released AI integrations to detect LLM-based attacks, but it is not leveraging LLMs; it's merely detecting LLM attack scenarios.

    What is most valuable?

    The centralized dashboard feature is very important in Rapid7 InsightAppSec. As part of the red teaming, while vulnerability management is not the only thing I do, it's crucial to see the statistics. If one engine is failing, I would mobilize my internal team to address it properly. It's super important to analyze critical issues, running scans, their effectiveness, and accessible metrics; these details are easily available in the centralized dashboard.

    The flexibility in deployment options, including cloud native and on-prem, is very helpful for our infrastructure. We have Rapid7 AppSec installers, and when we attempt to leverage this platform for internal application scanning, the cloud engine cannot interact with our internal applications. This is why we need to depend on our own servers to install those installers from Rapid7 and use the on-premises feature.

    We are leveraging the reporting feature of Rapid7 InsightAppSec, and the reporting functionality is excellent. The only issue occurs when using the user interface and exporting files, as it sometimes doesn't work. The issue stems from browser settings where cookies interfere with the user interface. A support technician confirmed they are working on improving this aspect, as browsers' built-in capabilities interfere with their ability to import or export files. The reports themselves are accurate and very good, except where many entries may be false positives.

    What needs improvement?

    There are areas for improvement regarding false positives. Integration capabilities are lacking, as options for integrations with other tools such as SNOW, Jira, or other integration tools are not sufficient in Rapid7 InsightAppSec.

    The user interface sometimes has glitches, which may prevent appropriate results during navigation, and even when we get appropriate results, it can be impossible to export them to CSV records or download files.

    Regarding scalability, Rapid7 InsightAppSec is not a scalable solution for our industry due to limited integration capabilities. Rapid7 relies on another tool called InsightConnect, which requires additional investment, detracting from scalability.

    Another area that needs improvement is the integration of AI capabilities into the platform. Both Rapid7 InsightAppSec and InsightVM need to advance in that area.

    In terms of behavioral and pattern recognition, identifying complex attacks such as SQL, blind SQL, JSON, and LDAP injections often results in 94% false positives. This necessitates improvement in their behavioral-based analytics feature.

    What do I think about the stability of the solution?

    Regarding stability, there are no complaints as it works as it should, but the issue of false positives is significant. Stability is fine, but we have to question the false positives. If those false positives were eliminated, it would be good; however, stability in general is not a concern for us.

    What do I think about the scalability of the solution?

    Rapid7 InsightAppSec is not a scalable solution for our industry. Scalability will always factor in terms of integration possibilities. To scale something, you will always need the ability to integrate with other tools. At the moment, the integration capabilities are not very good, which is disappointing. Rapid7 tends to rely on another tool called InsightConnect for which you must spend more money, which detracts from scalability. If I had to rate scalability on a scale of one to ten, I would give it a four or five.

    How are customer service and support?

    I have a very good impression of Rapid7's technical support. They have provided excellent technical support, and they are responsive. However, they seem to struggle with their own methods of handling tickets. We have support both on call and for any issues that arise, and it is always timely. What I would suggest is that while the technicians understand the problems and accept them, they do not adequately integrate feedback into their products. Hundreds of feedback items have been submitted over the past three years without notable improvements being integrated or implemented, which is disappointing. Otherwise, the technical support itself is satisfactory.

    How would you rate customer service and support?

    How was the initial setup?

    The initial setup for Rapid7 InsightAppSec is very straightforward, and the installations have been seamless. That is why I have been recommending it; there were no errors or technical difficulties in the process. Anyone can easily set it up, provided they have appropriate and powerful servers. It truly boils down to your own infrastructure if you can deploy it correctly.

    For us, it took approximately 40 minutes to deploy. We did not use an integrator, reseller, or consultant for deployment because the documentation was so apt that we managed to set it up ourselves. Although we had various kinds of consultants available, we didn't need to leverage them since we had the knowledge to install it, and it was super easy.

    What other advice do I have?

    The behavior-based analytics feature in Rapid7 InsightAppSec has not been leveraged. From what I believe, it does not come out of the box within the Rapid7 InsightAppSec. The behavioral aspect appeared to focus on scanning, where blind SQL injections were mostly false positives that required manual tests to confirm.

    The pricing for Rapid7 is very expensive. We are paying $14 per asset for Rapid7 InsightVM and have 6,000 assets, which amounts to approximately $29,000. We've compared this with other tools such as Burp Suite's DAS platform, QualysGuard, and HP Fortify. Despite having E5 and E3 licenses that offer free access to Microsoft's Vulnerability Management dashboard, our significant investments in Rapid7 prevent us from switching.

    I would recommend Rapid7 InsightAppSec if you have a stable industry, not a hybrid one that relies on too many technologies. If you use different stacks in your technology, Rapid7 might not be the tool for you. It can be very efficient if you have a similar stack, such as a Linux environment or Windows environment, which is very specific to this profiling.

    On a scale of one to ten, I rate this solution a seven.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    SonNguyen3

    Benefit from accurate vulnerability detection and user-friendly reports for application security testing

    Reviewed on Apr 10, 2025
    Review provided by PeerSpot

    What is our primary use case?

    I use Rapid7 InsightAppSec for dynamic application security testing. My main focus is on the quality of detection, specifically detecting vulnerabilities correctly. I also use it to provide neat reports, which my security team can use for validation. These reports are user-friendly, allowing us to open them and click 'validate' to check if the validation is accurate.

    What is most valuable?

    Rapid7 InsightAppSec is a good product for dynamic application security testing. It provides neat reports that include validation actions, and it helps to generate web application firewall rules for web applications. Additionally, the attack replay function is beneficial for security testing applications.

    What needs improvement?

    Currently, I do not see any specific areas for improvement except for possibly lowering the price.

    For how long have I used the solution?

    I have been working with Rapid7 InsightAppSec for six years.

    What do I think about the stability of the solution?

    I would rate the stability of Rapid7 InsightAppSec between eight and nine out of ten. It is a stable solution.

    What do I think about the scalability of the solution?

    Scalability is quite easy with Rapid7 InsightAppSec. It's easy to expand and accommodate more users or applications.

    How are customer service and support?

    The technical support from Rapid7 is not bad, but the response time can be quite slow sometimes. I would rate it a seven out of ten.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The initial setup is quite simple because it is cloud-based, which makes onboarding on-premises applications not so complicated.

    What's my experience with pricing, setup cost, and licensing?

    The price could potentially be lower for users.

    Which other solutions did I evaluate?

    In the Vietnamese market for now, I could compare Rapid7 InsightAppSec to solutions from Microsoft, specifically Web Inspect.

    What other advice do I have?

    I have an idea for additional functions, but maybe in the future. I would recommend Rapid7 InsightAppSec because it offers some valuable features for customers, and I see the value it provides. My overall final rating for the product would be eight or nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other

    reviewer2677461

    Robust technical support and effective vulnerability remediation enhance security operations

    Reviewed on Mar 20, 2025
    Review provided by PeerSpot

    What is our primary use case?

    Our primary use case for Rapid7 InsightAppSec is to scan for vulnerabilities on our APIs and UIs. We provide this service while being based at a client location, where we look after the Rapid7 InsightAppSec tool for them.

    What is most valuable?

    The most valuable feature of Rapid7 InsightAppSec is the remediation part, which we use the most. This aspect of the tool helps in addressing vulnerabilities effectively, making it one of the most utilized features in our operations.

    What needs improvement?

    There is room for improvement in Rapid7 InsightAppSec by giving clients the ability for extra columns on reports and enabling the extraction of remediation reports into a CSV format. Currently, the PDF format is cumbersome to go through when dealing with thousands of pages.

    For how long have I used the solution?

    I have approximately two years of experience working with this tool.

    What do I think about the stability of the solution?

    On a scale from one to ten, I would rate the stability of the solution at nine.

    What do I think about the scalability of the solution?

    On a scale from one to ten, the scalability of this solution is rated a nine.

    How are customer service and support?

    I would rate the technical support from Rapid7 a ten, indicating high-quality support.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The initial setup of this tool is straightforward.

    What's my experience with pricing, setup cost, and licensing?

    The price of this solution is fair.

    What other advice do I have?

    Based on my experience, I would recommend Rapid7 InsightAppSec to other people. It's a fantastic solution when it works up to your capabilities. I would rate this tool overall at eight on a scale from one to ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other

    Midhun Kumar

    Effective penetration testing enhances security posture

    Reviewed on Feb 25, 2025
    Review provided by PeerSpot

    What is our primary use case?

    We primarily use Rapid7 InsightAppSec for application security within our organization. We perform penetration testing on our in-house-built, Java-based web applications to comply with regulatory standards. We use InsightAppSec to scan both web applications and APIs, executing penetration tests once a month to ensure compliance and security.

    How has it helped my organization?

    Rapid7 InsightAppSec helps us in both regulatory compliance and in strengthening our security posture. We make sure all APIs go through production scanning, and we receive alerts to address potential security threats.

    What is most valuable?

    When considering DAST, it is not attributed to a singular feature but rather the capabilities of the engine that provides a genuine penetration testing experience and delivers insightful reports.

    The attacks simulate real-world scenarios, providing a view into potential vulnerabilities. These capabilities have greatly assisted us in maintaining a secure environment, particularly in our financial domain.

    What needs improvement?

    The reporting feature of Rapid7 InsightAppSec needs improvement as it currently provides basic reports. It would be beneficial if there were an option for customers to customize reports to include more details.

    Additionally, the interface is a bit complicated for new users, especially for configuring modern applications and APIs. An intuitive wizard-based configuration would be helpful.

    For how long have I used the solution?

    I have been using Rapid7 InsightAppSec for about six years.

    What do I think about the scalability of the solution?

    Rapid7 InsightAppSec is 100% scalable.

    How are customer service and support?

    The support team at Rapid7 is commendable and always available to assist, especially when configuring applications which can be a bit complex without developer support.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We also use Qualys WAS for vulnerability management and have been a Qualys customer for seven to eight years.

    How was the initial setup?

    InsightAppSec's configuration is a bit complex for fresh users, particularly when dealing with API scanning. A modern, wizard-based setup would be beneficial.

    What was our ROI?

    The DAST capabilities of Rapid7 InsightAppSec provide an ultimate level experience, showcasing real-world scenarios and payload strengths, which are truly impressive.

    Which other solutions did I evaluate?

    We have been using Qualys WAS for vulnerability management aside from InsightAppSec.

    What other advice do I have?

    I would recommend separating the configuration of application and API scanning. Moreover, improving the reporting feature would be beneficial. On a scale of one to ten, I would rate Rapid7 InsightAppSec an eight out of ten for penetration testing.

    reviewer2284569

    AppSec features show promise but customer support needs improvement

    Reviewed on Feb 24, 2025
    Review provided by PeerSpot

    What is our primary use case?

    I am working with Rapid7 InsightAppSec as well as Insight VM.

    What is most valuable?

    Relatively speaking, InsightAppSec is good compared to Insight VM. I also tested InsightAppSec because Insight VM was not effective on web-based systems. I required a solution to manage on-premises, but I was not as satisfied as expected. I did note some good features in InsightAppSec compared to my existing solutions.

    What needs improvement?

    There is room for improvement in the response time of customer service and support levels. Rapid7 could improve the reporting and the depth of the research or assessment. Integration with other tools could also be enhanced. The pricing is also expensive, and I need a fairer price with potential discounts.

    For how long have I used the solution?

    I tested Rapid7 InsightAppSec for eight months.

    How are customer service and support?

    The technical support is good; however, there can be improvements in response time and support levels.

    How would you rate customer service and support?

    Negative

    Which solution did I use previously and why did I switch?

    Before InsightAppSec, I worked with solutions that were on-premises. I switched to InsightAppSec to manage my needs; however, I was not fully satisfied.

    What's my experience with pricing, setup cost, and licensing?

    Pricing is expensive for me, similar to IBM. Both are costly, and there is a need for a discount.

    Which other solutions did I evaluate?

    For improvement, features could be more like Nessus and other similar tools.

    What other advice do I have?

    I am not very comfortable with the reports and their presentation. Rating the solution from one to ten, I would give it a six. I have considered other options but have not yet decided.

    Which deployment model are you using for this solution?

    On-premises