Incident Command overview
Incident Command is the AI-native security operations platform within the Rapid7 Command Platform. It provides a unified interface for detecting, investigating, and responding to security threats within your Security Operations Center (SOC). The platform combines key operational capabilities including threat detection, alert triage, case investigation, response actions, threat intelligence, automation, and attack surface monitoring in a single experience.
Incident Command is designed to reduce the overhead of managing multiple tools and to improve the efficiency of your security workflows. It uses AI models trained on real-world SOC data to prioritize alerts and add context to findings. This helps your teams focus on high-priority threats and take informed action without being overwhelmed by alert volume.
The platform supports both strategic and operational users. Security leaders can monitor risk posture and demonstrate outcomes, while analysts can use the platform to investigate alerts and coordinate responses. Incident Command includes core SIEM and SOAR functionality and scales to support more advanced use cases with AI-assisted triage, endpoint and network detection integrations, and remediation. By consolidating your detection and response tools into a single platform, Incident Command helps reduce noise, streamline triage and investigation, and support faster resolution of incidents.
Incident Command features
Rapid7 currently offers the following packaging options for Incident Command:
- Surface Command - for teams looking for unmatched visibility across their attack and detection surface.
- Incident Command Essentials - for teams looking to collect, enrich, and analyze all of their security data at scale.
- Incident Command Advanced - for teams looking for AI-driven security operations and threat intelligence.
- Incident Command Ultimate - for teams looking for full XDR including complete protection for endpoints, networks, and more with detection and response.
Surface Command is included with all Incident Command packages.
Feature comparison
The following table lists the key differences between the Incident Command packages at the feature level.
Capability | Surface Command | Incident Command Essentials | Incident Command Advanced | Incident Command Ultimate |
---|---|---|---|---|
Asset Discovery (CAASM) | ✓ | ✓ | ✓ | ✓ |
External Attack Surface Management (EASM) | ✓ | ✓ | ✓ | ✓ |
Active Risk Prioritization | ✓ | ✓ | ✓ | ✓ |
Remediation Hub | ✓ | ✓ | ✓ | ✓ |
Automation & Response (SOAR) | ✓ | ✓ | ✓ | ✓ |
Customer Support | ✓ | ✓ | ✓ | ✓ |
APIs | ✓ | ✓ | ✓ | ✓ |
Rapid7 Endpoint Agent, including Detection Library and Enhanced Endpoint Telemetry | - | ✓ | ✓ | ✓ |
Log Management and Third-Party Event Sources | - | ✓ | ✓ | ✓ |
Detection Triage, Investigation, and Reporting (SIEM) | - | ✓ | ✓ | ✓ |
Detection Rule Library and Custom Rule Creation | - | ✓ | ✓ | ✓ |
User Behavioral Analytics (UEBA) | - | ✓ | ✓ | ✓ |
AI for Log Search | - | ✓ | ✓ | ✓ |
Integrated Threat Intelligence from Rapid7 Labs | - | ✓ | ✓ | ✓ |
Investigation and Response Playbooks | - | ✓ | ✓ | ✓ |
Deployment and Training | - | Quick Start included in year 1 | Quick Start included in year 1 | Quick Start included in year 1 |
Log Retention | - | 90 days + add-on | 180 days + add-on | 180 days + add-on |
Alert and Audit Retention | - | 13 months + add-on | 13 months + add-on | 13 months + add-on |
AI-Assisted Alert Triage and Disposition (AI-SOC), including AI-Suggested Dispositions and AI-Assisted Workflows | - | - | ✓ | ✓ |
Intelligence Hub | - | - | ✓ | ✓ |
Deception Technology, including honeypots, honey users, and honey files | - | - | ✓ | ✓ |
Endpoint Detection & Response (EDR), including File Integrity Monitoring, Response Actions, and Next-Gen Antivirus (NGAV) (coming soon) | - | - | - | ✓ |
Network Detection & Response (NDR) | - | - | - | ✓ |
Intrusion Detection System (IDS) | - | - | - | ✓ |
Hosted Velociraptor (DFIR) | - | - | - | ✓ |