Uncovering actionable insights to make the world a safer place

Society's rapidly increasing reliance on technology in both personal and professional realms offers great benefits. But it also introduces risk as these systems are complex and likely contain vulnerabilities or configuration challenges. Rapid7 believes it is imperative to identify and understand the risks associated with technical systems and services so their users can take steps to protect themselves. This is why we invest in security research. We analyze both enterprise and consumer technologies to understand their weaknesses, configuration challenges, and vulnerabilities, and we share the resulting insights broadly and openly, giving our community the information they need to learn about, and mitigate, their risk. Our approach focuses on education and remediation, and we hope to help make technology safer for users, so they can focus on reaping the benefits of technological innovation without threat of unintended negative consequences.

We conduct a broad range of research across four areas:

Our community philosophy

We believe security is the responsibility of all technology users, manufacturers, and intermediaries and that collaboration is the only way to achieve long-term change. That's why we're committed to openly sharing security information, helping our peers to learn, grow, and develop new capabilities, and supporting each other in raising and addressing issues that affect the cybersecurity community.


Vulnerability Discovery and Exploit Development  

The most frequent research we do at Rapid7, vulnerability discovery and exploit development focuses on uncovering vulnerabilities in software and creating exploits to exercise them. /flat-inc/img/open-requirement.png

Our aim with this research is to identify potentially harmful issues so they can be mitigated, either by the technology provider, or by the user. It's not our intent to shame the companies who introduce these bugs. Rather, we coordinate our disclosures with vendors and CERT to quickly develop and deploy fixes and publish our findings routinely so other software developers can learn how to avoid similar problems and users can learn a little more about the security issues that permeate their online lives.

Recent Disclosures

Public vulnerability disclosures issued by Rapid7 over the previous 12 months can be found below.
You can also stay current by visiting our Information Security blog.

All of these issues were disclosed in accordance with our public disclosure policy.

Sometimes, a research project grows beyond the bounds of a single product or vulnerability. In these cases, we produce original research reports regarding these classes of vulnerabilities, such as Hacking IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities.

Internet Telemetry  

Our internet telemetry research involves the active and passive scanning of different services and protocols around the world to gain insights into global exposure to common vulnerabilities and better understand the threat landscape. /flat-inc/img/open-requirement.png

We run two major telemetry projects:

Project Sonar

Project Sonar is a flexible and stable framework for conducting internet-wide scans. Like our vulnerability disclosures and exploits, we publish the data we collect for free to encourage scientists, engineers, and anyone else interested in the nature and form of the internet to make their own discoveries.

Read more

Heisenberg Project

The Heisenberg Project is a collection of honeypots distributed both geographically and across IP space. The honeypots offer the front end of various services to learn what other scanners are up to (usually no good) and to conduct "passive scanning" to help enhance our understanding of the threat landscape.

Read more

Security Surveys  

While direct measurement of internet technologies is in our DNA, there are some questions that can only be answered by humans (for now). /flat-inc/img/open-requirement.png

For these projects, we design meaningful surveys and apply modern survey methodology to best craft the questions, reduce the bias and noise generated, and target the audiences most relevant to the subject matter.

For example, we recently surveyed over 270 security professionals in order to collect some insight around the average security team size, the adoption of cloud services, and the most pressing challenges those teams face today.

Read more