The vulnerability management platform that finds every weakness in your environment, tells you which ones actually matter, and helps you fix them fast — explained from zero.
Let's start from absolute zero — no jargon, no assumptions about what you already know.
A "vulnerability" is a flaw in software, hardware, or configuration that an attacker can exploit to gain unauthorized access or cause damage. Vulnerability management is the continuous practice of finding these flaws, deciding which are most dangerous, fixing them, and verifying they're gone.
Rapid7 is a publicly traded cybersecurity company founded in Boston, with over two decades of experience. They're best known for InsightVM (vulnerability management), InsightIDR (SIEM/XDR), and owning Metasploit — the world's most widely used penetration testing framework.
InsightVM evolved from Rapid7's original product, Nexpose. It consolidates what used to require a separate scanner, a risk scoring tool, a remediation ticketing workflow, a reporting system, and a compliance engine — into one unified platform.
Understanding the pain points makes everything about how InsightVM works click into place.
A mid-sized organization typically has tens of thousands of vulnerabilities at any given time. Most are low risk. If you try to fix everything, you'll fix nothing — you'll be overwhelmed before you start. Traditional scanners just dump a list with no real prioritization guidance.
The industry-standard severity score (CVSS) often rates hundreds of vulnerabilities as "Critical 10.0." But a critical vulnerability with no public exploit in a non-internet-facing system is very different from one being actively attacked in the wild. CVSS can't tell the difference.
Security teams find vulnerabilities. IT teams fix them. But historically, security would throw a spreadsheet over the fence and IT would say "we don't understand this" or "our ticketing system doesn't connect to yours." The result: slow remediation, SLA breaches, and unpatched systems.
Modern environments never sit still. Developers spin up cloud instances, employees connect laptops from home, containers are created and destroyed in minutes. Legacy scanners that only run weekly scans miss vast amounts of infrastructure between scan windows.
Traditional scanners take a "photo" of your environment once a week. Between scans, new systems appear, new vulnerabilities are published, and attackers move fast. By the time the next scan runs, you might already be breached.
How do you know a patch was actually applied and worked? With legacy tools, you wait for the next scheduled scan — sometimes days or weeks. InsightVM's validation scanning lets you confirm a fix worked immediately, without waiting.
The full lifecycle from discovering assets to confirming fixes — step by step.
You can't protect what you don't know about. InsightVM uses multiple methods to discover every asset in your environment: network scanning (sending probes across IP ranges to find live systems), the Insight Agent (a lightweight piece of software installed on devices), and cloud integrations (directly querying AWS, Azure, and GCP APIs to discover cloud resources). Adaptive Security automatically detects and scans new devices the moment they appear on the network — no waiting for the next scheduled scan.
There are two types of scans: unauthenticated (like an outsider looking at what's exposed) and authenticated (logging into the system with credentials to see everything from the inside). Authenticated scans find far more vulnerabilities — missing patches, misconfigured services, outdated software installed locally. The Insight Agent always performs authenticated assessments automatically since it runs on the device itself, without needing stored credentials in InsightVM.
InsightVM checks every discovered service, software version, and configuration against its unified vulnerability database — updated every 6 hours and certified compatible with the MITRE CVE index. It looks for known vulnerabilities (CVEs), missing patches, end-of-life software (rated CVSS 10.0 by default since EOL means no more patches will ever come), policy violations (CIS benchmarks, DISA STIGs), and misconfigured cloud services.
Every vulnerability gets an Active Risk Score from 0–1000. This is not just CVSS. It incorporates: Is there a public exploit? Is it in Metasploit? Is it being actively exploited in the wild right now? Is the affected asset critical to your business? Is it internet-facing? This dramatically narrows the list from "everything is critical" to "fix these 15 things today." More detail in the Risk Scoring section.
InsightVM creates remediation projects — think of them as structured to-do lists for IT teams. Each project includes the exact fix needed (specific patch, configuration change, or software update), which assets are affected, a due date, and SLA tracking. These projects can be sent directly to ServiceNow, Jira, or other ticketing systems, so IT teams work within their existing tools. Projects can be static (fixed list) or dynamic (automatically pulling in newly discovered vulnerabilities matching a filter).
Once IT marks a fix as complete, InsightVM can immediately run a targeted validation scan against just that asset for just that vulnerability, using the most recent Scan Engine that assessed it. Within minutes, you get confirmation that the patch actually worked — without waiting for the next full scan cycle. This closes the loop and keeps risk scores current in real time.
InsightVM's live dashboards show your current risk posture, remediation progress, SLA compliance rates, trend data (is risk going up or down?), and compliance status against frameworks like PCI-DSS, HIPAA, NIST, and CIS benchmarks. Executive summaries are generated automatically each month. Custom SQL queries and the REST API let power users pull any data they need for custom reporting.
This is InsightVM's most important differentiator. Understanding it is key to understanding the whole product.
InsightVM's Active Risk combines six data sources, each contributing to the final 0–1000 score. Here's roughly how much weight each factor carries in determining whether a vulnerability is truly urgent.
When a major new vulnerability is actively exploited in the wild — like a zero-day in a Fortinet or Ivanti product — Rapid7's ETR program flags it immediately. InsightVM updates its detection content (usually within 24 hours of disclosure), so your next scan will find it. You'll see ETR-flagged vulnerabilities appear at the very top of your prioritization queue with an "Exploited in Wild" badge.
InsightVM now incorporates EPSS (Exploit Prediction Scoring System) data — a community-driven probability model that estimates the likelihood a specific CVE will be exploited in the real world within the next 30 days, based on historical patterns. A CVE with a CVSS of 9.8 but an EPSS of 0.1% is very different from one with CVSS 7.5 and EPSS of 85%.
You can tag assets in InsightVM with a criticality rating (Very High, High, Medium, Low, Very Low). A critical vulnerability on a domain controller or internet-facing web server scores much higher than the same vulnerability on a test laptop. Asset criticality is factored directly into Active Risk, so your remediation queue reflects business priorities, not just technical severity.
InsightVM offers 6 configurable risk strategies: Highest CVSS (traditional), Temporal (adjusts over time), Real Risk Factor, Aggressive Real Risk, NeXpose Default (original scoring), and Active Risk (the newest, AI-enriched model). Most organizations use Active Risk as their primary strategy. Different strategies can be applied to different asset groups for specialized reporting needs.
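To make the prioritization argument concrete, here is an added, simplified scoring model (illustrative only, written for this guide; it is not Rapid7's Active Risk formula, whose weights are proprietary) that folds the factors above into a 0–1000 rank. The weights, the `Finding` fields and the CVE ids are assumptions chosen to show why a CVSS 9.8 finding with EPSS 0.1% on a test laptop lands below a CVSS 7.5 finding with EPSS 85% on an internet-facing server.

```python
from dataclasses import dataclass

# Illustrative weights, assumed for this example; they are NOT Rapid7's
# proprietary Active Risk weights.
CRITICALITY_FACTOR = {
    "Very High": 1.0, "High": 0.85, "Medium": 0.7, "Low": 0.55, "Very Low": 0.4,
}

@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float              # 0-10 base score
    epss: float              # 0-1 probability of exploitation in 30 days
    exploit_public: bool     # any public exploit code exists
    metasploit: bool         # a working Metasploit module exists
    exploited_in_wild: bool  # "Exploited in Wild" style flag
    internet_facing: bool
    criticality: str         # asset criticality tag

def active_risk_like(f: Finding) -> int:
    """Return an illustrative 0-1000 score (assumed model, not Active Risk)."""
    # Start from CVSS severity scaled to 0-400 so it never dominates alone.
    score = f.cvss / 10 * 400
    # Exploit likelihood: EPSS probability contributes up to 300.
    score += f.epss * 300
    # Exploit availability and observed exploitation are step bonuses.
    if f.exploit_public:
        score += 75
    if f.metasploit:
        score += 100
    if f.exploited_in_wild:
        score += 125
    # Business context scales the result rather than adding to it.
    score *= CRITICALITY_FACTOR[f.criticality]
    if not f.internet_facing:
        score *= 0.8
    return int(round(min(score, 1000)))

def prioritize(findings):
    """Return (score, finding) pairs ordered most-urgent first."""
    scored = [(active_risk_like(f), f) for f in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)

# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "test-laptop-07", 9.8, 0.001, False, False, False, False, "Low"),
    Finding("CVE-0000-0002", "web-edge-01", 7.5, 0.85, True, True, True, True, "Very High"),
    Finding("CVE-0000-0003", "dc-01", 8.8, 0.30, True, False, False, False, "Very High"),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE):
        print(f"{score:4d}  {f.cve}  {f.asset}")
```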
InsightVM is made up of several components that work together. Here's what each one does.
The on-premises brain of InsightVM — a web-based management interface where admins configure scans, view results, manage assets, run reports, and create remediation projects. Stores the vulnerability database and all scan data locally. Communicates with the Insight Platform cloud for real-time dashboards and the Insight Agent.
Separate servers that do the actual scanning work — probing network devices, running exploit checks, and testing configurations. Distributed Scan Engines are deployed strategically across your network (different offices, data centers, cloud regions) so they can reach assets locally without traffic crossing WAN links. Multiple engines can run parallel scans for large environments.
A lightweight software agent installed on individual devices — Windows, macOS, Linux. It continuously monitors the device for vulnerability data and sends results to the Insight Platform, even when the device is off the corporate network (like a remote employee's laptop). No credentials needed since it runs on the device itself. Also shared with InsightIDR for SIEM data collection.
A secure service installed on target assets that allows authenticated scanning without storing privileged admin credentials in InsightVM. Uses TLS with elliptic-curve cryptography and digital certificates to create a trusted channel between the Scan Engine and the target. Significantly reduces the security risk of credential management and speeds up policy scans.
The cloud backbone that powers real-time dashboards, the Remediation Hub, agent management, cloud integrations (AWS, Azure, GCP), and the Command Platform experience. Data flows between your on-premises Security Console and the cloud platform, giving you both local scanning power and cloud-scale analytics and collaboration features.
A continuously updated library of over 200,000 vulnerability definitions, updated every 6 hours. Certified compatible with the MITRE CVE index. Includes exploit information (Metasploit modules, ExploitDB), malware kit associations, patch information with step-by-step remediation guidance, and CVSS scores (both v3.1 and v2 for legacy compliance). Content auto-updates keep it current without admin intervention.
The most important things InsightVM does — beyond just finding vulnerabilities.
Made generally available to all customers in September 2025, the Remediation Hub is a centralized command center for vulnerability remediation. Powered by Active Risk scores, it groups vulnerabilities by the single fix that eliminates the most risk — often one patch addresses hundreds of CVEs. It uses intelligent supersedence logic (if Patch B supersedes Patch A, only show Patch B) to minimize rework. Teams can filter by asset group, business unit, or priority level.
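The grouping and supersedence logic described above, as an added worked example written for this guide (not Remediation Hub's own code): each patch lists the CVEs it fixes and the older patches it supersedes; superseded patches are hidden, and the remaining ones are ranked by the total risk they remove. Patch names, CVE ids and risk scores are constructed placeholders.

```python
# Constructed sample data. Each patch lists the CVEs it fixes; a superseding
# patch (a newer cumulative update) also fixes everything the older one did.
# Patch names and CVE ids are placeholders, not real advisories.
PATCHES = {
    "KB-A": {"fixes": {"CVE-X-0001", "CVE-X-0002"}, "supersedes": []},
    "KB-B": {"fixes": {"CVE-X-0003"}, "supersedes": ["KB-A"]},
    "KB-C": {"fixes": {"CVE-X-0004"}, "supersedes": ["KB-B"]},
    "KB-D": {"fixes": {"CVE-X-0005", "CVE-X-0006"}, "supersedes": []},
}

# Illustrative per-CVE risk scores on a 0-1000 scale (constructed values).
RISK = {"CVE-X-0001": 900, "CVE-X-0002": 850, "CVE-X-0003": 300,
        "CVE-X-0004": 120, "CVE-X-0005": 700, "CVE-X-0006": 200}

def effective_fixes(patch, patches):
    """CVEs removed by applying `patch`, including those of superseded patches."""
    seen, stack, fixed = set(), [patch], set()
    while stack:  # walk the supersedence chain (handles chains of any length)
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        fixed |= patches[p]["fixes"]
        stack.extend(patches[p]["supersedes"])
    return fixed

def leaf_patches(patches):
    """Patches not superseded by any other patch: the only ones worth showing."""
    superseded = {old for p in patches.values() for old in p["supersedes"]}
    return [p for p in patches if p not in superseded]

def remediation_groups(patches, risk):
    """Rank non-superseded patches by the total risk they eliminate."""
    groups = []
    for p in leaf_patches(patches):
        cves = effective_fixes(p, patches)
        groups.append({"patch": p, "cves": sorted(cves),
                       "risk_removed": sum(risk[c] for c in cves)})
    return sorted(groups, key=lambda g: g["risk_removed"], reverse=True)

if __name__ == "__main__":
    for g in remediation_groups(PATCHES, RISK):
        print(g["patch"], g["risk_removed"], g["cves"])
```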
Security creates a project in InsightVM. IT receives a ticket in ServiceNow, Jira, or their preferred ITSM tool — automatically, with all the context they need: which systems, which vulnerability, exactly how to fix it, and the deadline. When IT completes the ticket, the status syncs back. A validation scan runs automatically to confirm. Full audit trail of who did what and when — critical for compliance.
InsightVM connects to cloud provider APIs and checks cloud-native resources — S3 buckets, security groups, IAM roles, RDS instances, Kubernetes clusters — against security best practices and compliance frameworks. It flags misconfigurations like publicly exposed storage buckets, overly permissive firewall rules, or missing encryption settings. These are treated as vulnerabilities alongside traditional CVEs.
InsightVM scans container images for vulnerabilities before they're deployed — integrating with Docker registries and CI/CD pipelines. It also assesses running containers in Kubernetes clusters. Since containers are ephemeral (they're created and destroyed constantly), agent-based assessment ensures even short-lived containers are assessed before they disappear.
InsightVM checks systems against industry security standards: CIS benchmarks (Center for Internet Security — detailed hardening guides for every OS and application), DISA STIGs (US military security requirements), and PCI-DSS, HIPAA, NIST, and SOX controls. Failed policy checks appear alongside CVEs in the same prioritization queue. Compliance reports are generated automatically for auditors.
Live Monitoring watches your network for changes — new devices appearing, services starting, configurations changing — and updates vulnerability data immediately rather than waiting for the next scheduled scan. Adaptive Security automatically scans new devices the moment they're detected on the network. Together, these features give InsightVM near-real-time visibility rather than point-in-time snapshots.
InsightVM lets you define SLA policies — for example, "all Critical vulnerabilities on internet-facing assets must be remediated within 7 days." The platform tracks compliance with these policies, alerts when deadlines are approaching or breached, and reports SLA compliance rates over time. This creates accountability and gives security managers data to show executives and auditors.
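The SLA policy, deadline alerting and compliance-rate reporting described above, as an added example written for this guide (not InsightVM's implementation). The 7-day rule for Critical vulnerabilities on internet-facing assets comes from the text; the other SLA windows, the 2-day warning window and the sample findings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA policy table keyed by (severity, internet_facing). Only the
# 7-day Critical/internet-facing rule is from the guide; the rest is constructed.
SLA_DAYS = {
    ("Critical", True): 7,
    ("Critical", False): 30,
    ("High", True): 30,
    ("High", False): 60,
}
WARN_WINDOW_DAYS = 2  # alert when the deadline is this close (assumed)

@dataclass
class Finding:
    asset: str
    cve: str
    severity: str
    internet_facing: bool
    found: date
    fixed: Optional[date] = None  # set once a validation scan confirms the fix

def due_date(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[(f.severity, f.internet_facing)])

def sla_status(f: Finding, today: date) -> str:
    """'met', 'breached', 'approaching' or 'on_track' as of `today`."""
    due = due_date(f)
    if f.fixed is not None:
        return "met" if f.fixed <= due else "breached"
    if today > due:
        return "breached"
    if (due - today).days <= WARN_WINDOW_DAYS:
        return "approaching"
    return "on_track"

def sla_report(findings, today: date) -> dict:
    """Compliance rate = findings closed in time or still within SLA / all."""
    statuses = [sla_status(f, today) for f in findings]
    compliant = sum(s != "breached" for s in statuses)
    return {"rate": round(compliant / len(findings), 2),
            "alerts": [f.cve for f, s in zip(findings, statuses)
                       if s in ("approaching", "breached")]}

# Constructed findings; CVE ids are placeholders, dates chosen for the demo.
TODAY = date(2025, 10, 20)
SAMPLE = [
    Finding("web-edge-01", "CVE-0000-0101", "Critical", True, date(2025, 10, 1)),   # due 10-08
    Finding("web-edge-02", "CVE-0000-0102", "Critical", True, date(2025, 10, 14)),  # due 10-21
    Finding("db-01", "CVE-0000-0103", "Critical", False, date(2025, 10, 1)),        # due 10-31
    Finding("web-edge-01", "CVE-0000-0104", "Critical", True, date(2025, 10, 5), date(2025, 10, 9)),
]
```

Running `sla_report(SAMPLE, TODAY)` flags the first finding as breached and the second as approaching its deadline, giving a 75% compliance rate.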
InsightVM exports comprehensive asset and vulnerability data in Parquet format via a high-performance GraphQL API — designed for direct ingestion into Power BI, Snowflake, Databricks, or any modern data platform. SQL-based Advanced Search lets analysts query the vulnerability database directly in the console. 500+ native integrations connect InsightVM to your broader security and IT stack.
Rapid7 owns Metasploit — the world's most used penetration testing framework. This gives InsightVM a unique and powerful advantage.
Metasploit is an open-source framework containing thousands of exploit modules — ready-to-use code that can actually exploit known vulnerabilities. Security teams use it to test their own defenses. Attackers study it. With over 1,000 exploit modules and a massive community, Metasploit is the gold standard reference for "can this vulnerability actually be exploited in practice?"
Because Rapid7 owns Metasploit, InsightVM knows exactly which vulnerabilities have a working Metasploit module. This data is baked directly into the Active Risk score — a vulnerability with a Metasploit module is treated as significantly more dangerous because any attacker with basic skills can exploit it with a single command. It's one of the highest-quality risk indicators available.
InsightVM can integrate with Metasploit to actively validate discovered vulnerabilities — actually running the exploit against a target in a controlled test to confirm it's genuinely exploitable, not a false positive. This is invaluable when remediation teams push back on scan results. You can say "we didn't just detect this — we confirmed it works." Metasploit is the only exploit framework that InsightVM's validation feature supports.
Rapid7 operates AttackerKB — a community platform where security researchers and penetration testers share technical assessments of vulnerabilities. Is it easy to exploit? What's the real-world impact? Is it worth bothering with? This crowdsourced intelligence feeds directly into InsightVM's Active Risk scoring, adding practitioner judgment on top of raw CVE data.
You'll hear both names constantly. Here's how to keep them straight.
InsightVM is the risk/vulnerability pillar of Rapid7's broader Command Platform. Here's how it connects.
Rapid7 has organized its products around a unified "Command Platform" — a common cloud backend, shared data, and consistent dashboards. InsightVM is the foundation of the Risk pillar, feeding vulnerability data into other products and consuming threat intelligence from them.
When InsightIDR detects suspicious activity on a host, it can pull InsightVM data to see what vulnerabilities that host has — helping analysts understand the blast radius of a potential compromise. Conversely, if a new critical CVE is published, InsightVM can show which assets InsightIDR is monitoring that are affected. The Insight Agent is shared across both products, reducing endpoint footprint.
InsightCloudSec handles cloud-native misconfigurations at cloud scale (thousands of cloud resources). InsightVM handles traditional vulnerability scanning including cloud VMs and containers. Together via Exposure Command, they give a unified risk view across on-premises, hybrid, and cloud-native environments — all in one prioritized dashboard for security and compliance teams.
From a scrappy vulnerability scanner to a billion-dollar platform — how we got here.
Rapid7 is founded in Boston with a focus on network security and vulnerability assessment. Their early product, NeXpose (later Nexpose), becomes one of the first commercial vulnerability scanners and earns a reputation for accuracy and depth.
Rapid7 acquires HD Moore's Metasploit project — the world's most widely used penetration testing framework. This is the move that distinguishes Rapid7 from every other VM vendor: they now have the world's largest library of working exploits directly integrated into their risk scoring.
Rapid7 completes its IPO. The capital fuels aggressive R&D and the build-out of the broader Insight platform — moving from a single scanner to a multi-product cloud security platform. InsightIDR (SIEM) launches the same year.
InsightVM officially launches as the cloud-enabled successor to Nexpose. It brings real-time dashboards via the Insight Platform, the Insight Agent for roaming devices, and the first version of attacker-aware risk scoring. Nexpose continues as the fully on-premises option.
Rapid7 builds out InsightCloudSec (cloud security), InsightAppSec (application security), and tightens platform integration. The Insight Agent becomes the shared data collection layer across InsightVM and InsightIDR — reducing endpoint footprint for customers using multiple products.
Rapid7 rebrands its platform as the "Command Platform," organizing products into Risk (InsightVM, InsightCloudSec), Threat (InsightIDR), and Exposure (Surface Command, Exposure Command, Vector Command) pillars. Active Risk — the new AI-enriched 0–1000 scoring model — launches as the sixth risk strategy, incorporating EPSS, CISA KEV, Metasploit, and AttackerKB data.
Remediation Hub becomes generally available to all InsightVM customers (September 2025), bringing AI-powered remediation grouping and supersedence logic. The Security Console UI gets a major visual refresh to align with the Command Platform design language. EPSS scoring integration added. macOS Tahoe (macOS 26) support added to the Insight Agent.
How to build real expertise and get recognized for it.
Every important term from this guide, defined in plain English.