External reviews
External reviews are not included in the AWS star rating for the product.
Benefit from accurate vulnerability detection and user-friendly reports for application security testing
Robust technical support and effective vulnerability remediation enhance security operations
How would you rate customer service and support?
Positive
Effective penetration testing enhances security posture
What is our primary use case?
We primarily use Rapid7 InsightAppSec for application security within our organization. We perform penetration testing on our in-house-built, Java-based web applications to comply with regulatory standards. We use InsightAppSec to scan both web applications and APIs, executing penetration tests once a month to ensure compliance and security.
How has it helped my organization?
Rapid7 InsightAppSec helps us in both regulatory compliance and in strengthening our security posture. We make sure all APIs go through production scanning, and we receive alerts to address potential security threats.
What is most valuable?
When considering DAST, it is not attributed to a singular feature but rather the capabilities of the engine that provides a genuine penetration testing experience and delivers insightful reports.
The attacks simulate real-world scenarios, providing a view into potential vulnerabilities. These capabilities have greatly assisted us in maintaining a secure environment, particularly in our financial domain.
What needs improvement?
The reporting feature of Rapid7 InsightAppSec needs improvement as it currently provides basic reports. It would be beneficial if there were an option for customers to customize reports to include more details.
Additionally, the interface is a bit complicated for new users, especially for configuring modern applications and APIs. An intuitive wizard-based configuration would be helpful.
For how long have I used the solution?
I have been using Rapid7 InsightAppSec for about six years.
What do I think about the scalability of the solution?
Rapid7 InsightAppSec is 100% scalable.
How are customer service and support?
The support team at Rapid7 is commendable and always available to assist, especially when configuring applications which can be a bit complex without developer support.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We also use Qualys WAS for vulnerability management and have been a Qualys customer for seven to eight years.
How was the initial setup?
InsightAppSec's configuration is a bit complex for fresh users, particularly when dealing with API scanning. A modern, wizard-based setup would be beneficial.
What was our ROI?
The DAST capabilities of Rapid7 InsightAppSec provide an ultimate level experience, showcasing real-world scenarios and payload strengths, which are truly impressive.
Which other solutions did I evaluate?
We have been using Qualys WAS for vulnerability management aside from InsightAppSec.
What other advice do I have?
I would recommend separating the configuration of application and API scanning. Moreover, improving the reporting feature would be beneficial. On a scale of one to ten, I would rate Rapid7 InsightAppSec an eight out of ten for penetration testing.
Automated authorization streamlines security processes
What is our primary use case?
I use InsightAppSec with our customers. I help them create and realize scans in the environment. I also use the setup technology to scan our environment. I have experience as both a user and administrator.
What is most valuable?
The automatic automation of the automated authorization to the SCANNET environment is valuable. We can use automated actions or create a macro with the authorization sequence. It's very helpful when we send information to the developer, and when they can test the purchase or remediation provided during the development process themselves.
What needs improvement?
The previous product, AppSpider, had a virtual patching module where we could generate patches for third-party web application firewalls, such as Imperva or F5. Currently, InsightAppSec lacks similar functionality. Customers must wait for remediation during the developers' preparation of a new version. Virtual patching could help protect web pages shortly after finishing the scan process.
For how long have I used the solution?
I have used this solution for a few years now.
What do I think about the stability of the solution?
I rate stability ten out of ten. It always works.
What do I think about the scalability of the solution?
Scalability is pretty easy.
How was the initial setup?
In general, it is very simple to set up. It's running from the cloud environment. The customer has to read the console, and if they want, they must implement a local scan engine. However, when we started with the product, we had a complete environment with cloud-based scan engines, making the initial implementation very easy.
Which other solutions did I evaluate?
Competitors could be enabled with a VAS scanner and maybe Acunetix. Acunetix can use or buy small companies because the price is lower, if I remember correctly. I don't know the details from Qualys, however, Qualys has a vulnerability web application scanner too, making them another potential competitor.
What other advice do I have?
I would give an overall product rating of eight out of ten.
An application security tool with a dynamic application security scanning feature that provides predefined templates and supports customization
What is our primary use case?
We use Rapid7 InsightAppSec for dynamic application security scanning. We scan our web applications to identify vulnerabilities and then address the issues based on the report. It is a task solution used for enterprise or customer applications.
What is most valuable?
Dynamic application security scanning provides predefined templates and supports customization. The ability to scan external and internal applications, including on-premises ones, is precious. Additionally, it is a cloud platform, so we don't need to deploy servers or resources. This makes it time-efficient and cost-effective.
What needs improvement?
The dynamic scanning feature has simplified and improved the security testing process. I suggest adding a SaaS feature to the solution to support scanning SaaS applications, making it more comprehensive.
It would be beneficial if the solution could also scan mobile applications. It only scans web applications, but it should also cover mobile applications, including firmware recommendations.
For how long have I used the solution?
I have been working with Rapid7 InsightAppSec for the past two years.
What do I think about the stability of the solution?
From my experience with Rapid7 InsightAppSec, I haven't had any stability or performance issues. The platform continuously improves, adds new features, and enhances its capabilities.
What do I think about the scalability of the solution?
It's highly scalable since it's a cloud solution. We currently have a license for several applications, but we can quickly scale and purchase more licenses as needed.
How are customer service and support?
Regarding technical support for Rapid7 InsightAppSec, they usually respond within one or two days. I think the response time should be improved to within one day.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment process for Rapid7 InsightAppSec is straightforward since it's a cloud platform. We don't need to deploy on-premises; it requires creating an account, which takes one or two minutes, and we can start scanning immediately. No maintenance is required as Rapid7 maintains everything.
What other advice do I have?
I would recommend Rapid7 InsightAppSec to other users looking to implement a similar solution. We have many customers, and when they require a dynamic solution, we recommend Rapid7. We provide demos and presentations to clients, and if they are satisfied, they proceed with a license.
The AI capabilities in Rapid7 InsightAppSec enhance application vulnerability scans significantly. AI and machine learning are integral to the solution, helping us schedule scans and improve the scanning results.
I would rate InsightAppSec eight out of ten. It's a great solution, but there's always room for improvement.
Helps to check multiple websites, particularly dynamic and e-commerce websites, for vulnerabilities within the code
What is our primary use case?
I use the solution to check multiple websites, particularly dynamic and e-commerce websites, for vulnerabilities within the code. The tool helps identify any vulnerabilities present in the code, providing precise information about the code that contains vulnerabilities.
What is most valuable?
In Rapid7 InsightAppSec, a distinctive feature is the provision of a CDM for integrating web servers and web applications. To establish the connection between these applications, you only need to paste the provided CDN into your metadata. Once connected, every piece of information, including vulnerabilities, can be accessed. It also offers demo sessions.
If there is any malicious network traffic targeting a specific web application, it is designed to detect and showcase the entire scenario. It provides insights into potential vulnerabilities, including issues related to process scripting or content security policy vulnerabilities.
Setting up and configuring scans within the tool is easy, and I would rate it a nine out of ten. It provides videos on YouTube, along with documentation that breaks down the process into step-by-step instructions.
What needs improvement?
Rapid7 InsightAppSec needs improvement in detecting phishing pages.
For how long have I used the solution?
I have been using the product for four years.
What do I think about the stability of the solution?
I rate the solution's stability a six out of ten. There have been instances where fetching data, even for old users, took a long time.
What do I think about the scalability of the solution?
I would rate the scalability at an eight out of ten on a scale from one to ten. There are occasional challenges with the product, particularly in onboarding, where delays can be experienced. This delay sometimes makes it difficult to address issues promptly, and reliance on queries may not always yield the desired results due to occasional bugs. Additionally, there have been instances where data retrieval after deployment takes time, sometimes up to 30 minutes to an hour. Scanning a single website can also be time-consuming, ranging from 25 to 30 minutes, and for multi-vendor e-commerce websites, it may take even longer to scan the entire site.
How was the initial setup?
The initial setup is easy, to the extent that even a non-IT person can set it up.
What's my experience with pricing, setup cost, and licensing?
Rapid7 InsightAppSec is cheap.
What other advice do I have?
In a scenario involving the tool and preventing potential security breaches, let's consider a case where a security feature is deployed using Rapid7 InsightAppSec. Although I haven't personally experienced this, I can provide an example. Suppose there is a vulnerability in WordPress or Apache servers, and it identifies a new one-level zero-day attack template associated with it. In this case, it may have detected this vulnerability three months after its initial occurrence.
We utilize dynamic application security testing. It involves deploying an application by onboarding it onto a device, which is then linked to the application. The notable aspect is that we don't need to maintain a server for this process. Instead, we simply log in and configure Splunk Enterprise to connect with the product. There is no need to deploy a separate server. It provides clear, step-by-step instructions, including the provision of a dynamic key by the application, making it easy to implement with documentation.
I rate it an eight out of ten.
Easy to manage platform with an efficient user interface
What is our primary use case?
We use Rapid7 InsightAppSec to fetch the vulnerabilities in the web application. We can get insights on missing codes in the configurations as well.
What is most valuable?
The product’s most valuable feature is UI. It is easy to manage and find vulnerabilities in the application.
What needs improvement?
The product’s pricing could be flexible compared to Acronis.
For how long have I used the solution?
We have been using Rapid7 InsightAppSec for seven months.
What do I think about the stability of the solution?
I rate the product’s stability an eight out of ten. Some functions could be included in the essential version rather than the advanced version.
What do I think about the scalability of the solution?
It is a scalable platform. It is suitable for medium and large enterprises.
How was the initial setup?
The initial setup is simple. It is deployed in cloud and hybrid environments.
What's my experience with pricing, setup cost, and licensing?
I rate Rapid7 InsightAppSec’s pricing an eight out of ten.
What other advice do I have?
I rate Rapid7 InsightAppSec a nine out of ten.
A highly scalable and robust product that enables users to automate scans
What is our primary use case?
We use it as a web application scanner. It runs a ton of different detections and tests against our web applications and provides us with results. It connects directly with our SDLC for an API. We can automate the scanning of a web application during the development process when it changes from development to test and test to production.
What is most valuable?
I like that the product allows us to have an internal and external scanner. We can authenticate scans and pick and choose which attacks we want to use. It is a very robust solution.
What needs improvement?
The number of web applications we can scan is limited. There's a cost associated with how many web apps we want to scan.
For how long have I used the solution?
I have been using the solution for a year.
What do I think about the stability of the solution?
I have not had any issues. For over a year, the tool has not been down.
What do I think about the scalability of the solution?
The tool is completely cloud-based. So, the scalability is fine for external scanning. For internal scanning, we must create another scanner on our internal network. We can scale it at mass.
How are customer service and support?
The support is great. The problem with the support team is that it does not have a calling number. The best way to get a hold of the support team is by contacting the customer success manager and getting somebody in the support team. We could open a ticket, but we cannot call. Sometimes, I want to be able to just call somebody. I don't want to put a ticket in and wait for a response. The support team is responsive.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We used Qualys before. Rapid7 is better than Qualys.
How was the initial setup?
The initial setup is quite simple. I rate the ease of setup a nine out of ten. We can just connect to the web application and access our site. We can get it up and running within 20 minutes.
What about the implementation team?
The solution does not require maintenance since it is SaaS-based.
What other advice do I have?
Rapid7 just came out with a new package called Cloud Risk Complete, which gives us unlimited insight into scanning and unlimited AppSec scanning. It also gives us InsightCloudSec.
The product can do everything. We are struggling to get our DevOps team to commit to utilizing our web application scanners. We are siloed with it.
Overall, I rate the product an eight out of ten.