Rapid7 Research

Building a safer world through open sources that go beyond code


Research at a Glance

Our Philosophy

We believe security is the responsibility of all technology users, manufacturers, and intermediaries and that collaboration is the only way to achieve long-term change. That’s why we’re committed to openly sharing security information, helping our peers to learn, grow, and develop new capabilities, and supporting each other in raising and addressing issues that affect the cybersecurity community.

Latest Research

NICER Protocol Deep Dive: Internet Exposure of Microsoft SQL Server (MS SQL) (UDP/1434)
Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or...
Tod Beardsley
Nov 23, 2020
Behind the Scenes: Under the Hoodie 2020 Video Series
Longtime fans of our Under the Hoodie video series may have noticed that this year’s videos looked, well, a little different. Because we were all working from home amid the COVID-19 pandemic, we realized that it was no longer feasible to sit down in person and interview our pen testing services teamers...
Bri Hand
Nov 18, 2020
Don’t Put It on the Internet: Tesla Backup Gateway Edition
Derek Abdine, formerly Director of Rapid7 Labs, now CTO at Censys, contributed this blog post. This blog post aims to increase user awareness of the privacy and security risks of connecting devices to the internet. In this edition, we address Tesla Backup Gateways and identify some key areas where Tesla...
Derek Abdine
Nov 17, 2020
Impact Across Industries
Rapid7 researchers constantly work to uncover unknowns as far as technology reaches.
Consumer Technology
It’s hard to imagine our lives without tech glued to our hands. Reality is, security risks are present in even the most unassuming, commonplace devices. Over the years, our researchers have discovered and made public several critical vulnerabilities capable of compromising your personal data and safety in everything from printers, baby monitors, vehicles, and even children’s toys.
Business Technology
It’s no big secret that security has far-reaching impacts on a business—including on its bottom line. The work of our researchers has helped global organizations secure their internal processes, as well as the safety of the customers who rely on them; these improvements can be seen in medical devices, healthcare software, broadcasting equipment, corporate networks, and more.
Public Infrastructure
While most of us don’t spend our days thinking about critical infrastructure, it’s core to the functioning of our world as we know it. Therefore, as the need to innovate it grows, so does our need to secure it. Given our collective dependency on infrastructure, our researchers make it a priority to investigate how to secure emerging tech like smart sensors, while our Public Policy efforts aim to help governments adopt these innovations securely.

Vulnerability Disclosures

Stay ahead of attackers by keeping up with the latest disclosures. Rapid7 is a CVE Numbering Authority, helping drive industry standards for vuln and exposure identifiers and classification. Learn about our Vulnerability and Disclosure Policy.

CVE-2020-7378: OpenCRX Unverified Password Change (FIXED)
OpenCRX version 4.30 and version 5.0-20200717 suffer from an unverified password change vulnerability, which is an instance of CWE-620. This vulnerability has a CVSSv3 score of 9.1, which is usually CRITICAL, since it effectively allows anyone who can connect to the OpenCRX server to change the password...
Tod Beardsley
Nov 24, 2020
Vulntober: Multiple Mobile Browser Address Bar Spoofing Vulnerabilities
Today, we're announcing a coordinated vulnerability disclosure publication with our longtime mobile hacker friend, Rafay Baloch. If you'd like to just jump straight to the technical details for these vulnerabilities, I invite you to read his paper here. If you want to know more about why this vulnerability...
Tod Beardsley
Oct 20, 2020
CVE-2020-2021 Authentication Bypass in PAN-OS Security Assertion Markup Language (SAML) Authentication Disclosed
Overview of the SAML authentication vulnerability on PAN-OS devices. On Monday, June 29, 2020, Palo Alto released details on CVE-2020-2021, a new, critical weakness in SAML authentication on PAN-OS devices. This vulnerability impacts: PAN-OS 9.1 versions...
boB Rudis
Jun 29, 2020
The Minds Behind the Research
Tas Giakouminakis
Bob Rudis
Tod Beardsley
Deral Heiland

Where Research Meets the Roadmap

Explore how Rapid7’s unparalleled understanding of attackers makes our products more powerful.

  • Threat feed dashboard informed by Project Heisenberg honeypots in InsightVM
  • Attacker Based Analytics sourced from Projects Sonar and Heisenberg and threat intelligence in InsightIDR
  • Accelerated discovery and coverage of zero-days and other low-notice exploits in InsightVM
  • Discovery of internet-facing assets in InsightVM using integration with Project Sonar
  • Identification of weak or distrusted certs using research on SSL certificate ecosystem
