Provides reliable applications security but needs better integration options
What is our primary use case?
Our main use case for Rapid7 InsightAppSec is to perform internal assessment of applications and external-facing applications. We have a cloud engine plus on-premises engine, and we have been leveraging both to conduct our internal app sec and external web application security scanning.
There are some areas for improvement regarding false positives. The integration capabilities are limited, as options for integrations with other tools such as SNOW, Jira, or other integration tools have been lacking in Rapid7 InsightAppSec. Rapid7 has InsightConnect for automation, but it has not been readily available to us. We would appreciate the ability to integrate with other tools, which is currently lacking in the Rapid7 InsightAppSec platform.
We heavily rely on this platform to do our security work. We also use Security Scorecard, which is another vendor providing external security intelligence and external web application monitoring. We would appreciate if Rapid7 InsightAppSec could leverage its inbuilt functionalities and possibly integrate our own written tools.
From the strong points, it provides very good scan coverage and has excellent cloud-based engine scanning capabilities. It has a user-friendly interface, though it can be glitchy sometimes. The platform currently does not support AI-driven capabilities. They have recently released AI integrations to detect LLM-based attacks, but it is not leveraging LLMs; it's merely detecting LLM attack scenarios.
What is most valuable?
The centralized dashboard feature is very important in Rapid7 InsightAppSec. As part of the red teaming, while vulnerability management is not the only thing I do, it's crucial to see the statistics. If one engine is failing, I would mobilize my internal team to address it properly. It's super important to analyze critical issues, running scans, their effectiveness, and accessible metrics; these details are easily available in the centralized dashboard.
The flexibility in deployment options, including cloud native and on-prem, is very helpful for our infrastructure. We have Rapid7 AppSec installers, and when we attempt to leverage this platform for internal application scanning, the cloud engine cannot interact with our internal applications. This is why we need to depend on our own servers to install those installers from Rapid7 and use the on-premises feature.
We are leveraging the reporting feature of Rapid7 InsightAppSec, and the reporting functionality is excellent. The only issue occurs when using the user interface and exporting files, as it sometimes doesn't work. The issue stems from browser settings where cookies interfere with the user interface. A support technician confirmed they are working on improving this aspect, as browsers' built-in capabilities interfere with their ability to import or export files. The reports themselves are accurate and very good, except where many entries may be false positives.
What needs improvement?
There are areas for improvement regarding false positives. Integration capabilities are lacking, as options for integrations with other tools such as SNOW, Jira, or other integration tools are not sufficient in Rapid7 InsightAppSec.
The user interface sometimes has glitches, which may prevent appropriate results during navigation, and even when we get appropriate results, it can be impossible to export them to CSV records or download files.
Regarding scalability, Rapid7 InsightAppSec is not a scalable solution for our industry due to limited integration capabilities. Rapid7 relies on another tool called InsightConnect, which requires additional investment, detracting from scalability.
Another area that needs improvement is the integration of AI capabilities into the platform. Both Rapid7 InsightAppSec and InsightVM need to advance in that area.
In terms of behavioral and pattern recognition, identifying complex attacks such as SQL, blind SQL, JSON, and LDAP injections often results in 94% false positives. This necessitates improvement in their behavioral-based analytics feature.
What do I think about the stability of the solution?
Regarding stability, there are no complaints as it works as it should, but the issue of false positives is significant. Stability is fine, but we have to question the false positives. If those false positives were eliminated, it would be good; however, stability in general is not a concern for us.
What do I think about the scalability of the solution?
Rapid7 InsightAppSec is not a scalable solution for our industry. Scalability will always factor in terms of integration possibilities. To scale something, you will always need the ability to integrate with other tools. At the moment, the integration capabilities are not very good, which is disappointing. Rapid7 tends to rely on another tool called InsightConnect for which you must spend more money, which detracts from scalability. If I had to rate scalability on a scale of one to ten, I would give it a four or five.
How are customer service and support?
I have a very good impression of Rapid7's technical support. They have provided excellent technical support, and they are responsive. However, they seem to struggle with their own methods of handling tickets. We have support both on call and for any issues that arise, and it is always timely. What I would suggest is that while the technicians understand the problems and accept them, they do not adequately integrate feedback into their products. Hundreds of feedback items have been submitted over the past three years without notable improvements being integrated or implemented, which is disappointing. Otherwise, the technical support itself is satisfactory.
How was the initial setup?
The initial setup for Rapid7 InsightAppSec is very straightforward, and the installations have been seamless. That is why I have been recommending it; there were no errors or technical difficulties in the process. Anyone can easily set it up, provided they have appropriate and powerful servers. It truly boils down to your own infrastructure if you can deploy it correctly.
For us, it took approximately 40 minutes to deploy. We did not use an integrator, reseller, or consultant for deployment because the documentation was so apt that we managed to set it up ourselves. Although we had various kinds of consultants available, we didn't need to leverage them since we had the knowledge to install it, and it was super easy.
What other advice do I have?
The behavior-based analytics feature in Rapid7 InsightAppSec has not been leveraged. From what I believe, it does not come out of the box within the Rapid7 InsightAppSec. The behavioral aspect appeared to focus on scanning, where blind SQL injections were mostly false positives that required manual tests to confirm.
The pricing for Rapid7 is very expensive. We are paying $14 per asset for Rapid7 InsightVM and have 6,000 assets, which amounts to approximately $29,000. We've compared this with other tools such as Burp Suite's DAS platform, QualysGuard, and HP Fortify. Despite having E5 and E3 licenses that offer free access to Microsoft's Vulnerability Management dashboard, our significant investments in Rapid7 prevent us from switching.
I would recommend Rapid7 InsightAppSec if you have a stable industry, not a hybrid one that relies on too many technologies. If you use different stacks in your technology, Rapid7 might not be the tool for you. It can be very efficient if you have a similar stack, such as a Linux environment or Windows environment, which is very specific to this profiling.
On a scale of one to ten, I rate this solution a seven.
Which deployment model are you using for this solution?
Hybrid Cloud
Benefit from accurate vulnerability detection and user-friendly reports for application security testing
What is our primary use case?
I use Rapid7 InsightAppSec for dynamic application security testing. My main focus is on the quality of detection, specifically detecting vulnerabilities correctly. I also use it to provide neat reports, which my security team can use for validation. These reports are user-friendly, allowing us to open them and click 'validate' to check if the validation is accurate.
What is most valuable?
Rapid7 InsightAppSec is a good product for dynamic application security testing. It provides neat reports that include validation actions, and it helps to generate web application firewall rules for web applications. Additionally, the attack replay function is beneficial for security testing applications.
What needs improvement?
Currently, I do not see any specific areas for improvement except for possibly lowering the price.
For how long have I used the solution?
I have been working with Rapid7 InsightAppSec for six years.
What do I think about the stability of the solution?
I would rate the stability of Rapid7 InsightAppSec between eight and nine out of ten. It is a stable solution.
What do I think about the scalability of the solution?
Scalability is quite easy with Rapid7 InsightAppSec. It's easy to expand and accommodate more users or applications.
How are customer service and support?
The technical support from Rapid7 is not bad, but the response time can be quite slow sometimes. I would rate it a seven out of ten.
How was the initial setup?
The initial setup is quite simple because it is cloud-based, which makes onboarding applications on-premise not so complicated.
What's my experience with pricing, setup cost, and licensing?
The price could potentially be lower for users.
Which other solutions did I evaluate?
In the Vietnamese market for now, I could compare Rapid7 InsightAppSec to solutions from Microsoft, specifically Web Inspect.
What other advice do I have?
I have an idea for additional functions, but maybe in the future. I would recommend Rapid7 InsightAppSec because it offers some valuable features for customers, and I see the value it provides. My overall final rating for the product would be eight or nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Robust technical support and effective vulnerability remediation enhance security operations
What is our primary use case?
Our primary use case for Rapid7 InsightAppSec is to scan for vulnerabilities on our APIs and UIs. We provide this service while being based at a client location, where we look after the Rapid7 InsightAppSec tool for them.
What is most valuable?
The most valuable feature of Rapid7 InsightAppSec is the remediation part, which we use the most. This aspect of the tool helps in addressing vulnerabilities effectively, making it one of the most utilized features in our operations.
What needs improvement?
There is room for improvement in Rapid7 InsightAppSec by giving clients the ability for extra columns on reports and enabling the extraction of remediation reports into a CSV format. Currently, the PDF format is cumbersome to go through when dealing with thousands of pages.
For how long have I used the solution?
I have approximately two years of experience working with this tool.
What do I think about the stability of the solution?
On a scale from one to ten, I would rate the stability of the solution at nine.
What do I think about the scalability of the solution?
On a scale from one to ten, the scalability of this solution is rated a nine.
How are customer service and support?
I would rate the technical support from Rapid7 a ten, indicating high-quality support.
How was the initial setup?
The initial setup of this tool is straightforward.
What's my experience with pricing, setup cost, and licensing?
The price of this solution is fair.
What other advice do I have?
Based on my experience, I would recommend Rapid7 InsightAppSec to other people. It's a fantastic solution when it works up to your capabilities. I would rate this tool overall at eight on a scale from one to ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Effective penetration testing enhances security posture
What is our primary use case?
We primarily use Rapid7 InsightAppSec for application security within our organization. We perform penetration testing on our in-house-built, Java-based web applications to comply with regulatory standards. We use InsightAppSec to scan both web applications and APIs, executing penetration tests once a month to ensure compliance and security.
How has it helped my organization?
Rapid7 InsightAppSec helps us in both regulatory compliance and in strengthening our security posture. We make sure all APIs go through production scanning, and we receive alerts to address potential security threats.
What is most valuable?
When considering DAST, it is not attributed to a singular feature but rather the capabilities of the engine that provides a genuine penetration testing experience and delivers insightful reports.
The attacks simulate real-world scenarios, providing a view into potential vulnerabilities. These capabilities have greatly assisted us in maintaining a secure environment, particularly in our financial domain.
What needs improvement?
The reporting feature of Rapid7 InsightAppSec needs improvement as it currently provides basic reports. It would be beneficial if there were an option for customers to customize reports to include more details.
Additionally, the interface is a bit complicated for new users, especially for configuring modern applications and APIs. An intuitive wizard-based configuration would be helpful.
For how long have I used the solution?
I have been using Rapid7 InsightAppSec for about six years.
What do I think about the scalability of the solution?
Rapid7 InsightAppSec is 100% scalable.
How are customer service and support?
The support team at Rapid7 is commendable and always available to assist, especially when configuring applications which can be a bit complex without developer support.
Which solution did I use previously and why did I switch?
We also use Qualys WAS for vulnerability management and have been a Qualys customer for seven to eight years.
How was the initial setup?
InsightAppSec's configuration is a bit complex for fresh users, particularly when dealing with API scanning. A modern, wizard-based setup would be beneficial.
What was our ROI?
The DAST capabilities of Rapid7 InsightAppSec provide an ultimate level experience, showcasing real-world scenarios and payload strengths, which are truly impressive.
Which other solutions did I evaluate?
We have been using Qualys WAS for vulnerability management aside from InsightAppSec.
What other advice do I have?
I would recommend separating the configuration of application and API scanning. Moreover, improving the reporting feature would be beneficial. On a scale of one to ten, I would rate Rapid7 InsightAppSec an eight out of ten for penetration testing.
AppSec features show promise but customer support needs improvement
What is our primary use case?
I am working with Rapid7 InsightAppSec as well as InsightVM.
What is most valuable?
Relatively speaking, InsightAppSec is good compared to InsightVM. I also tested InsightAppSec because InsightVM was not effective on web-based systems. I required a solution to manage on-premises, but I was not as satisfied as expected. I did note some good features in InsightAppSec compared to my existing solutions.
What needs improvement?
There is room for improvement in the response time of customer service and support levels. Rapid7 could improve the reporting and the depth of the research or assessment. Integration with other tools could also be enhanced. The pricing is also expensive, and I need a fairer price with potential discounts.
For how long have I used the solution?
I tested Rapid7 InsightAppSec for eight months.
How are customer service and support?
The technical support is good, however, there can be improvements in response time and support levels.
Which solution did I use previously and why did I switch?
Before InsightAppSec, I worked with solutions that were on-premises. I switched to InsightAppSec to manage my needs, however, I was not fully satisfied.
What's my experience with pricing, setup cost, and licensing?
Pricing is expensive for me, similar to IBM. Both are costly, and there is a need for a discount.
Which other solutions did I evaluate?
For improvement, features could be more like Nessus and other similar tools.
What other advice do I have?
I am not very comfortable with the reports and their presentation. Rating the solution from one to ten, I would give it a six. I have considered other options but have not yet decided.
Which deployment model are you using for this solution?
On-premises
Automated authorization streamlines security processes
What is our primary use case?
I use InsightAppSec with our customers. I help them create and realize scans in the environment. I also use the setup technology to scan our environment. I have experience as both a user and administrator.
What is most valuable?
The automation of the authorization to the SCANNET environment is valuable. We can use automated actions or create a macro with the authorization sequence. It's very helpful when we send information to the developer, and when they can test the purchase or remediation provided during the development process themselves.
What needs improvement?
The previous product, AppSpider, had a virtual patching module where we could generate patches for third-party web application firewalls, such as Imperva or F5. Currently, InsightAppSec lacks similar functionality. Customers must wait for remediation during the developers' preparation of a new version. Virtual patching could help protect web pages shortly after finishing the scan process.
For how long have I used the solution?
I have used this solution for a few years now.
What do I think about the stability of the solution?
I rate stability ten out of ten. It always works.
What do I think about the scalability of the solution?
Scalability is pretty easy.
How was the initial setup?
In general, it is very simple to set up. It's running from the cloud environment. The customer has to read the console, and if they want, they must implement a local scan engine. However, when we started with the product, we had a complete environment with cloud-based scan engines, making the initial implementation very easy.
Which other solutions did I evaluate?
Competitors could be enabled with a VAS scanner and maybe Acunetix. Acunetix can use or buy small companies because the price is lower, if I remember correctly. I don't know the details from Qualys, however, Qualys has a vulnerability web application scanner too, making them another potential competitor.
What other advice do I have?
I would give an overall product rating of eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
An application security tool with a dynamic application security scanning feature that provides predefined templates and supports customisation
What is our primary use case?
We use Rapid7 InsightAppSec for dynamic application security scanning. We scan our web applications to identify vulnerabilities and then address the issues based on the report. It is a task solution used for enterprise or customer applications.
What is most valuable?
Dynamic application security scanning provides predefined templates and supports customization. The ability to scan external and internal applications, including on-premises ones, is precious. Additionally, it is a cloud platform, so we don't need to deploy servers or resources. This makes it time-efficient and cost-effective.
What needs improvement?
The dynamic scanning feature has simplified and improved the security testing process. I suggest adding a SaaS feature to the solution to support scanning SaaS applications, making it more comprehensive.
It would be beneficial if the solution could also scan mobile applications. It only scans web applications, but it should also cover mobile applications, including firmware recommendations.
For how long have I used the solution?
I have been working with Rapid7 InsightAppSec for the past two years.
What do I think about the stability of the solution?
From my experience with Rapid7 InsightAppSec, I haven't had any stability or performance issues. The platform continuously improves, adds new features, and enhances its capabilities.
What do I think about the scalability of the solution?
It's highly scalable since it's a cloud solution. We currently have a license for several applications, but we can quickly scale and purchase more licenses as needed.
How are customer service and support?
Regarding technical support for Rapid7 InsightAppSec, they usually respond within one or two days. I think the response time should be improved to within one day.
How was the initial setup?
The deployment process for Rapid7 InsightAppSec is straightforward since it's a cloud platform. We don't need to deploy on-premises; it requires creating an account, which takes one or two minutes, and we can start scanning immediately. No maintenance is required as Rapid7 maintains everything.
What other advice do I have?
I would recommend Rapid7 InsightAppSec to other users looking to implement a similar solution. We have many customers, and when they require a dynamic solution, we recommend Rapid7. We provide demos and presentations to clients, and if they are satisfied, they proceed with a license.
The AI capabilities in Rapid7 InsightAppSec enhance application vulnerability scans significantly. AI and machine learning are integral to the solution, helping us schedule scans and improve the scanning results.
I would rate InsightAppSec eight out of ten. It's a great solution, but there's always room for improvement.
Helps to check multiple websites, particularly dynamic and e-commerce websites, for vulnerabilities within the code
What is our primary use case?
I use the solution to check multiple websites, particularly dynamic and e-commerce websites, for vulnerabilities within the code. The tool helps identify any vulnerabilities present in the code, providing precise information about the code that contains vulnerabilities.
What is most valuable?
In Rapid7 InsightAppSec, a distinctive feature is the provision of a CDM for integrating web servers and web applications. To establish the connection between these applications, you only need to paste the provided CDN into your metadata. Once connected, every piece of information, including vulnerabilities, can be accessed. It also offers demo sessions.
If there is any malicious network traffic targeting a specific web application, it is designed to detect and showcase the entire scenario. It provides insights into potential vulnerabilities, including issues related to process scripting or content security policy vulnerabilities.
Setting up and configuring scans within the tool is easy, and I would rate it a nine out of ten. It provides videos on YouTube, along with documentation that breaks down the process into step-by-step instructions.
What needs improvement?
Rapid7 InsightAppSec needs improvement in detecting phishing pages.
For how long have I used the solution?
I have been using the product for four years.
What do I think about the stability of the solution?
I rate the solution's stability a six out of ten. There have been instances where fetching data, even for old users, took a long time.
What do I think about the scalability of the solution?
I would rate the scalability at an eight out of ten on a scale from one to ten. There are occasional challenges with the product, particularly in onboarding, where delays can be experienced. This delay sometimes makes it difficult to address issues promptly, and reliance on queries may not always yield the desired results due to occasional bugs. Additionally, there have been instances where data retrieval after deployment takes time, sometimes up to 30 minutes to an hour. Scanning a single website can also be time-consuming, ranging from 25 to 30 minutes, and for multi-vendor e-commerce websites, it may take even longer to scan the entire site.
How was the initial setup?
The initial setup is easy, to the extent that even a non-IT person can set it up.
What's my experience with pricing, setup cost, and licensing?
Rapid7 InsightAppSec is cheap.
What other advice do I have?
In a scenario involving the tool and preventing potential security breaches, let's consider a case where a security feature is deployed using Rapid7 InsightAppSec. Although I haven't personally experienced this, I can provide an example. Suppose there is a vulnerability in WordPress or Apache servers, and it identifies a new one-level zero-day attack template associated with it. In this case, it may have detected this vulnerability three months after its initial occurrence.
We utilize dynamic application security testing. It involves deploying an application by onboarding it onto a device, which is then linked to the application. The notable aspect is that we don't need to maintain a server for this process. Instead, we simply log in and configure Splunk Enterprise to connect with the product. There is no need to deploy a separate server. It provides clear, step-by-step instructions, including the provision of a dynamic key by the application, making it easy to implement with documentation.
I rate it an eight out of ten.
Easy to manage platform with an efficient user interface
What is our primary use case?
We use Rapid7 InsightAppSec to fetch the vulnerabilities in the web application. We can get insights on missing codes in the configurations as well.
What is most valuable?
The product’s most valuable feature is UI. It is easy to manage and find vulnerabilities in the application.
What needs improvement?
The product’s pricing could be flexible compared to Acronis.
For how long have I used the solution?
We have been using Rapid7 InsightAppSec for seven months.
What do I think about the stability of the solution?
I rate the product’s stability an eight out of ten. Some functions could be included in the essential version rather than the advanced version.
What do I think about the scalability of the solution?
It is a scalable platform. It is suitable for medium and large enterprises.
How was the initial setup?
The initial setup is simple. It is deployed in cloud and hybrid environments.
What's my experience with pricing, setup cost, and licensing?
I rate Rapid7 InsightAppSec’s pricing an eight out of ten.
What other advice do I have?
I rate Rapid7 InsightAppSec a nine out of ten.