Agentless scanning helps monitor workloads, but the solution needs a better UI and should include CNAPP features
What is our primary use case?
We initially wanted to implement CSPM a couple of years back. We did the market research, performed analysis, understood the strengths, and so on. Then we implemented this tool within our environment as a part of CSPM.
What is most valuable?
Agentless scanning is a possible use with Rapid7 InsightCloudSec. You do not deploy the agents within your workload or to the cloud resources, which is an advantage. I also think there's an automation feature available within Rapid7 ICS, which is good.
What needs improvement?
Overall, Rapid7 ICS is good. There are no major drawbacks. However, there are a lot of other solutions in the market, not only providing the features of a CSPM, but also CNAPP. When it comes to CNAPP, if you have deployed many container-based applications within your environment, plus the containers, managing all those things becomes complex. It isn't easy to keep an eye on those resources because sometimes doing so requires an additional agent that one needs to deploy so that they can perform the scans on those workloads. However, there are a lot of tools in the market that provide these scans at the API level. One could connect Rapid7 with an API at the workload or cluster level, and you'll get all that information. However, the challenge is how easily you can implement those things within the environment. Sometimes, you'll encounter some complexity while implementing APIs. Some customers won't be happy getting complex things implemented. At the end of the day, they would prefer that things be simpler. That is something Rapid7 could improve on. Besides, the UI is a bit complex and not user-friendly, but they're working on that.
For how long have I used the solution?
I have been working with this tool for more than 12 months.
What do I think about the scalability of the solution?
As far as scalability is concerned, since it's a SaaS-based application, you just need to integrate it. Rapid7 only provides a platform, like with AWS, Azure, and G Suite, so you must integrate Rapid7's platform. Most of the resources within it will get replicated or harvested, so there aren't any immediate challenges regarding scalability.
There are a lot of other things to consider, though. When providing deep information about the cloud, the Rapid7 team needs to work on those areas. Let's say you have a Kubernetes cluster. Once you integrate your platform, you must do additional configurations to monitor the Kubernetes cluster deployed on a specific platform, such as AWS or Azure. Those additional configurations are not as straightforward as they would seem. Those are areas that require some modification from the Rapid7 team.
I rate Rapid7 ICS's scalability a six and a half out of ten since I haven't seen any issues with stability. Rapid7 ICS is just a tool that acts as a platform to expand your visibility into the cloud resources. ICS does not explicitly do something from Rapid7's end apart from just performing the scan. It's not a cloud platform like AWS or Azure.
How are customer service and support?
The Rapid7 team has sync-up calls to help users understand the solution. When you have any issues, you can contact the team, who will help you.
How was the initial setup?
Rapid7's deployment was not that complex. There are a lot of requirements, and the requirements vary as time passes. But once you deploy the solution and start using it, you'll discover which features are good and which could be improved. I rate the deployment a three out of five.
What's my experience with pricing, setup cost, and licensing?
Companies generally buy this tool because the pricing is not that high. ICS's pricing is still per the market standard, but there are a lot of other solutions that are more expensive than Rapid7 ICS. Rapid7 ICS is good, considering the number of features they provide.
What other advice do I have?
We need to stand parallel to our competition, meeting the market and user demands. We should ensure the tools we leverage within our environment are up to the market.
Apart from Rapid7 ICS, there are a lot of other tools available in the market which are also agentless. Most other solutions work on the API level, where you use the API to integrate them and perform the scans.
As for privileged access in Rapid7, you sometimes require privileged access to perform automatic remediations, which could be something that most customers are not comfortable with since they would not want to grant privileged access to someone outside their company.
Considering Rapid7 ICS's shortcomings, Rapid7 is working on the same. But there are a lot of other competitors in the market providing better features. When it comes to keeping an eye on PII data, which is very sensitive, Rapid7 ICS does not detect if it is in the cloud resources. But other vendors' products could detect that. That is one feature on which one can compare Rapid7 with other tools.
People are still in the phase of developing most of the features. They might have Rapid7's documentation with them, but those require some prerequisites if you want to understand them. If you're a vendor and do not know anything, you must learn some things without directly jumping to the documentation part.
Rapid7 ICS is good, considering the number of features they provide. But that depends on your and the company's requirements. If the company just wants a tool that acts as a CSPM, Rapid7 ICS can be helpful. But if the company wants to not only buy a CSPM tool but wants a CSPM-cum-CNAPP, Rapid7 ICS is lacking in those areas.
There are a lot of pros and cons, but Rapid7 ICS is doing well as of now.
I rate the solution a six out of ten.