Cloud Risk Complete

Welcome to Cloud Risk Complete (CRC)!

What is CRC?

Cloud Risk Complete (CRC) allows you to identify and manage risk across cloud environments, endpoints, on-premises (on-prem) infrastructure, and web applications, while also providing hands-on onboarding support to accelerate time to value and reduce friction in the deployment process.

CRC delivers world-class cloud security (InsightCloudSec) along with unlimited on-premises vulnerability management (InsightVM), dynamic application security testing (InsightAppSec - CRC Advanced Only) and automation workflows (InsightConnect) in a single platform.

Cloud security

InsightCloudSec is a fully integrated Cloud Native Application Protection Platform (CNAPP): your whole cloud security toolbox in a single solution. With InsightCloudSec, Rapid7 is the first organization to bring together a single solution that integrates posture management, identity & access management, infrastructure-as-code, and Kubernetes workload protection to enable teams to safely speed up their cloud adoption without compromise.

For more information about the benefits and usage of InsightCloudSec, see the InsightCloudSec product documentation.

On-prem vulnerability management

InsightVM is a data-rich resource that can amplify the other solutions in your tech stack, from SIEMs and firewalls to ticketing systems. InsightVM brings together Rapid7’s library of vulnerability research knowledge from Nexpose, exploit knowledge from Metasploit, global attacker behavior, internet-wide scanning data, exposure analytics, and real-time reporting. On-prem vulnerability management is powered by the following:

Security Console

The Security Console is an on-premises vulnerability scanner and management system. Its core features allow you to identify risk in your environment, organize your devices, and prioritize remediation.


Run scans to extensively probe your devices for known vulnerabilities, exploits, and policy rules. Create sites to logically group your assets for targeted scans. The Security Console uses Scan Engines to perform the actual scan job, and you can configure/distribute them in a way that is best for your environment. Choose between several built-in Scan Templates (such as CIS policy compliance or Full audit without Web Spider) to determine which checks are performed for a particular scan. You can also tailor your own Scan Templates to quickly search for the vulnerabilities and policies that matter the most to your organization. Create scan schedules to automate your scan jobs and keep your security team informed on a regular basis.

Asset organization

Organize your scanned assets into dynamic or static asset groups according to a variety of traits, such as location, operating system, and owner. Use the Security Console’s tagging system to adjust risk scores and prioritize remediation for your most critical assets. Run filtered asset searches to find scanned assets based on over 40 unique parameters.


Generate reports of your scan results so your security teams know what to fix and how. Make use of our built-in report templates or leverage SQL query exports for fully customizable reports. The following example cases highlight some of our most popular report templates:

  • Leverage the Top Remediation report to prioritize the remediations that lead to the greatest reduction in risk.
  • If you’re a business that handles credit card transactions, use the PCI report to prepare for an upcoming PCI audit.
  • Generate the Vulnerability Trends report to examine your total detected assets, vulnerabilities, and exploits over custom date ranges.

Advanced features

InsightVM offers far more advanced functionality than we can cover in the scope of this guide, but we can talk about those features later. For now, just keep these core features in mind as they are the tools you’ll be using day to day.

Scan Engine

Distributed Scan Engines are separate from the Security Console and are strategically provisioned and located in a way that makes your scanning environment as efficient as possible.

For more information about usage and benefits of InsightVM, see the InsightVM product documentation.

Automation workflows

InsightConnect helps you automate workflows across IT and Security cloud apps, on-premises systems, employees, and administrators. To provide IT/Security professionals with a fast and flexible tool for automating work, InsightConnect combines a purpose-built security workflow automation platform with a user-friendly, no-code workflow builder.

For more information about the usage and benefits of InsightConnect, see the InsightConnect product documentation.

Application security testing (CRC Advanced only)

InsightAppSec is part of Rapid7's security suite, providing Dynamic Application Security Testing (DAST) for mature and maturing Application Security professionals. You can configure InsightAppSec to attack different aspects of your application during scheduled or ad hoc scans to identify response behaviors that make your applications vulnerable to attackers. After the scan completes, you can view vulnerabilities by app or by scan, along with details about each vulnerability.

For more information about usage and benefits of InsightAppSec, see the InsightAppSec product documentation.