Rapid7 Trust

Security

Security at Rapid7 encompasses more than just our products. Rapid7 has policies and procedures in place to keep both our data and products secure, so that we can continue keeping our customers secure.

Platform Security

Rapid7 products on the Insight platform are designed to fit securely into your environment and adhere to security best practices. We regularly perform application security testing, vulnerability scanning, and internal and external penetration testing to ensure this.

Data Collection

The Insight platform offers multiple options for collecting data from across your IT environment. Whether you use collectors, the Rapid7 Insight Agent, scan engines, or direct connections to our platform, our unified data collection enables your teams to collect data once and use it across multiple products on the Insight platform. Each of our collection methods was designed and built from the ground up with the security of your data in mind, to ensure we maintain the confidentiality and integrity of all collected data.

Data Processing

The Insight platform’s analytics engine relies on various types of databases to store and process your data. Each Rapid7 customer is assigned its own relational database schema within database instances. Data stored in object stores or distributed file systems is tokenized using a unique UUID that logically separates each customer’s data from one another.

Infrastructure

The Insight platform’s high availability infrastructure is fully automated and regularly tested to ensure security policies and improvements are consistently applied. The principle of least privilege is applied throughout the Insight platform infrastructure and we have technical controls in place to enforce two-factor authentication, subnet separation, host-level firewalls, bastion/jump hosting, service segregation, and per-service least-privilege network access.

Delivery

Our Platform Delivery and Information Security teams are leading the way in creative and automated mechanisms to deploy highly reliable, secure, and horizontally scalable cloud services. We have open sourced many components we’ve built to automate and secure our platform. Please visit our public GitHub repositories to see how we automate and secure many components of our platform.

Platform Security Whitepaper


Internal Security

We have policies in place to ensure our environment and your data remain safe, secure, and accessible. Below is a brief overview of our internal security posture.

Organizational

The Information Security team distributes relevant policies upon hire, and all employees complete security awareness training at least annually. All employees undergo background checks prior to hiring, including reference checks, criminal background checks, and education verification.

Access

Rapid7 provisions all network and application access using the principle of least privilege. Key administrative access is limited, and service accounts are used only sparingly for defined business needs. Upon termination or resignation, all access is removed on the employee’s last day.

Infrastructure and Endpoints

Secure password and two-factor authentication requirements are enforced throughout the entire organization. Networks are secured with WPA2 and all wireless networks are segmented from corporate wired networks and production networks. All Rapid7 endpoints have full-drive encryption enabled, are equipped with anti-malware and antivirus, and check for and install updates on a daily basis.

Security Operations

Security patches are deployed to workstations on a regular basis and as needed. Out-of-band patching is performed for critical vulnerabilities. Network and agent-based vulnerability scans are conducted on a continuous basis, at least weekly. Rapid7 has a formal Change Management process in place. Engineering teams follow a documented Software Development Life Cycle which includes code review, automated testing, scenario testing, and internal and external penetration testing to ensure our products are secure from the start.

Incident Detection and Response

We use our InsightIDR tool to monitor on-premises and cloud environments for security incidents. We maintain a formal Incident Response process for analysis, containment, eradication, recovery, and follow up in the event of a security incident.

Vendor Security Assessments

Rapid7 performs formal vendor security assessments on all third party vendors before bringing them into our environment. We take a risk-based approach to vendor security assessments to ensure all vendors meet our security, quality, and privacy standards.

Information Security Whitepaper


Vulnerability Handling and Disclosure

We work hard to ensure all our products are secure from the start, but we want to know if you find a vulnerability or other security flaw when using one of our products. As a provider of security software, services, and research, we strive to set an example with our coordinated vulnerability disclosure philosophy.

If you believe you have discovered a vulnerability in a Rapid7 product, please fill out this form so our security team can ensure the issue is addressed.

Read our full vulnerability disclosure policy

If you need to report a security incident or get in contact with Rapid7’s security team for some other reason, contact us at security@rapid7.com.

Please use our PGP public key (KeyID: 959D3EDA) if you feel the need to encrypt your communications with us.