February 2026 Release Notes

The Command Platform release notes cover what’s new, which is updated monthly, and improvements and fixes, which are updated weekly.

Last updated: February 2nd, 2026

What’s New

Learn about new features across the Command Platform. These features were released over the past month and are available now:

Risk

Risk is the potential for loss or damage to your assets, operations, or reputation due to vulnerabilities being exploited by a bad actor. Security teams must assess risk by understanding likelihood, impact, and real-world threat context.

Standardize Vulnerability Prioritization with Active Risk

Teams using Vulnerability Management (InsightVM), Cloud Security (InsightCloudSec), and Exposure Command can now prioritize vulnerabilities using Active Risk as the single risk strategy across Rapid7. Active Risk replaces legacy risk strategies with one consistent, threat-aware strategy, so you can compare and prioritize vulnerabilities across the Command Platform using the same scoring approach.

With this capability across Vulnerability Management (InsightVM), Cloud Security (InsightCloudSec), and Exposure Command, you can:

  • Prioritize vulnerabilities consistently across assets, products, and teams using one scoring model.
  • Focus remediation on what matters most without reconciling multiple risk strategies.

Contextual Vulnerability Intelligence in Threat Intelligence (Intelligence Hub)

Vulnerability Intelligence brings Rapid7 Labs exploitation intelligence together with your environment data in a centralized, actionable view. Integrated across Exposure Command and Threat Intelligence (Intelligence Hub), this capability helps teams quickly assess real-world risk and focus remediation on vulnerabilities that are actively exploited.

With this capability in Response & Remediation > Remediation Hub, you can:

  • Understand which CVEs are actively exploited and how they are used.
  • Connect external exploitation intelligence directly to impacted assets.
  • Prioritize remediation based on threat context instead of static scores.
  • Reduce mean time to remediate (MTTR) for exploited vulnerabilities.

Drive Remediation Faster with AI-Generated Risk Insights

AI-generated risk insights in Remediation Hub turn complex vulnerability and asset data into clear, actionable guidance. Instead of manually triaging across tools and spreadsheets, teams receive concise summaries that highlight what matters most and where to start.

With this capability in Response & Remediation > Remediation Hub, you can:

  • Get instant clarity with AI-generated summaries explaining affected assets, criticality, and ownership.
  • Reduce triage time with concise, single-sentence summaries and automatic tag breakdowns.
  • Close governance gaps by quickly identifying ownerless assets and missing criticality tags.
  • Take action sooner with clear, prioritized next steps that focus remediation efforts where they’ll have the greatest impact.

Threat

A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from malicious actors, compromised identities, or misconfigurations.

Extend Protection Across Microsoft Environments with MDR for Microsoft

Managed Detection and Response (MDR) for Microsoft helps organizations extend expert threat detection and response across Microsoft environments with less cost and complexity. This expert threat detection and response capability is purpose-built to maximize protection across Microsoft ecosystems.

With this capability in Alerts, customers can:

  • Maximize their Microsoft investments
  • Consolidate cost and complexity
  • Confidently stop threats
  • Strengthen cyber resilience

Remove Legacy UBA Detections from the SIEM UI

As part of the ongoing migration from User Behavior Analytics (UBA) to Advanced Behavior Analytics (ABA), the legacy New Assets Authenticated detection will be removed from the UI within the next week. This update is limited to UI cleanup and does not affect active detections or alerting behavior.

Administration

Administration focuses on refining platform controls, improving integrations, and streamlining configuration to support efficient security operations.

Streamline Vulnerability Workflows with ServiceNow Zurich (AI)

Rapid7 has upgraded its ServiceNow integration to support the latest ServiceNow Zurich (AI) release for both Application Vulnerability Response (AVR) and IT Service Management (ITSM). This update enables tighter collaboration between Security, IT, and DevOps teams while maintaining consistent visibility.

With this integration from the ServiceNow App Store, you can:

  • View and update vulnerability data bidirectionally without switching tools.
  • Maintain consistent tracking of critical vulnerabilities across workflows.

Improvements and Fixes

Keep track of improvements and fixes to core technology.

Application Security (InsightAppSec) and AppSpider

No updates released at this time.

Cloud Security (InsightCloudSec)

Release availability for self-hosted users

Self-hosted users can usually download the latest version from the following locations 4 business days after SaaS users are upgraded:

  • Terraform deployments: Public S3 bucket. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) deployments: You can obtain the ECR build images for this version from the InsightCloudSec ECR Gallery.

Version 26.2.3

Software release date: February 3, 2026 | Release notes published: February 2, 2026

Improved

  • Resource Download Functionality: Enhanced resource download functionality on the Resource Listing experience to allow for downloading multiple different resource types with a single button click, no longer requiring a Resource Type Index to be selected. Known limitations include no support for Query Filters or Scopes.
  • HVA Settings: Updated HVA Settings to prompt users to apply filters to enable In-Scope Coverage.
  • IaC Popover: Updated the IaC popover to include counts for excepted and non-applicable insights. Insights in the drawer will now display an “Excepted” status if all their underlying resources are excepted.
  • Identity Analysis Page: Added Insight Finding Severity advanced filter option to the Identity Analysis page for improved filtering capabilities.
  • Azure SQL Database Harvesting: Azure SQL database instances no longer harvest the Multi-AZ property. Harvesting for this value is now part of Azure SQL Database resources, a child resource of Azure SQL database instances. This is because Zone Redundancy (which we harvest as Multi-AZ) is configured at the database level for Azure SQL rather than the instance level.
  • RestAPI Domain Harvesting: Refactored harvesting of Rest API Domain resources to remove redundant V2 related functionality.
  • RestApiHarvester: Updated the RestApiHarvester to correctly harvest new Security Policies for AWS Rest API Domains.
  • RestApiDomain Resources: Added a new minimum_tls_version property to RestApiDomain resources.

New Insights

  • App Service Environment Without Internal Load Balancer: Identifies App Service Environments without internal load balancer configuration.
  • Function App Service With App Authentication Not Enabled: Identifies Function App Services that do not have app authentication enabled.
  • App Service Deployment Slot With Allow All Configured For CORS: Identifies App Service Deployment Slots with CORS configured to allow all origins.
  • Function App With Allow All Configured For CORS: Identifies Function Apps with CORS configured to allow all origins.
  • Function App Deployment Slot With Allow All Configured For CORS: Identifies Function App Deployment Slots with CORS configured to allow all origins.
  • App Service Deployment Slot Not Using Minimum TLS Version 1.2 or Higher: Identifies App Service Deployment Slots not using minimum TLS version 1.2 or higher.
  • Function App Not Using Minimum TLS Version 1.2 or Higher: Identifies Function Apps not using minimum TLS version 1.2 or higher.
  • Function Deployment Slot Not Using Minimum TLS Version 1.2 or Higher: Identifies Function Deployment Slots not using minimum TLS version 1.2 or higher.
  • Volumes With Data Access Auth Mode Disabled (Attached): Identifies attached volumes with data access authentication mode disabled.
  • Elasticache Instance Has Pending Update: Identifies Elasticache instances with pending updates.

Updated Insights

  • App Service Authentication Not Enabled: Extended the overview section for better clarity.
  • App Service App With Allow All Configured For CORS: Renamed from “Web App with Allow All Configured for CORS” and updated overview and CIS Recommended Remediation Steps. Moved the following resource types to new dedicated insights:
    • App Service Deployment Slot moved to App Service Deployment Slot With Allow All Configured For CORS.
    • Function App moved to Function App With Allow All Configured For CORS.
    • Function App Deployment Slot moved to Function App Deployment Slot With Allow All Configured For CORS.
  • App Service App Not Using Minimum TLS Version 1.2 or Higher: Renamed from “Web App set to TLS version 1.2 or higher” and narrowed scope to only return App Service App resources.
  • Database Instance Not Multi-AZ: Changed to use the Query Filter Database Instance Is Not Multi-AZ instead of the now deprecated Database Instance Is Not Multi-Availability Zone. The insight’s results should not be impacted by this change.
  • Deprecation Notices
    • Database Cluster Without Audit Logging (ID 595): To be deprecated in February 2026. Customers should use Database Cluster without CloudWatch Audit Logging (ID 2471), which checks that audit logs are being created and exported to CloudWatch. The RDS MySQL DB engine type was removed as multi-AZ clusters do not support auditing.
    • Database Instance Without Audit Logging (ID 350): To be deprecated in February 2026. Customers should use Database Instance without CloudWatch Audit Logging (ID 2472), which checks that audit logs are being created and exported to CloudWatch. Instances in RDS MySQL multi-AZ clusters are not flagged as they do not support auditing.

New Query Filters

  • App Service Environment Without Internal Load Balancer: Identifies App Service Environments without internal load balancer configuration.
  • Volume Does Not Have Data Access Auth Mode Enabled: Identifies volumes that do not have data access authentication mode enabled.
  • Cache Instance Has Pending Update (AWS): Identifies AWS cache instances with pending updates.
  • Database Cluster Without CloudWatch Audit Logging: Returns Neptune, DocumentDB, and Aurora MySQL DB clusters that aren’t exporting populated audit logs to CloudWatch.
  • Database Cluster Without Auditing: Returns Neptune, DocumentDB, and Aurora MySQL DB clusters whose parameter group does not have audit log creation enabled.
  • Database Cluster Parameter Group With Blank Parameter: Returns DB clusters associated with a parameter group where the specified parameter has been left blank (empty or null value).
  • Database Instance Without CloudWatch Audit Logging: Returns RDS MySQL, Neptune, DocumentDB, and Aurora MySQL DB instances that aren’t exporting populated audit logs to CloudWatch.
  • Database Instance Without Auditing: Returns RDS MySQL, Neptune, DocumentDB, and Aurora MySQL DB instances that do not have audit log creation enabled.
  • Database Instance Is Not Multi-AZ: Identifies database instances that are not configured for Multi-AZ deployment.
  • Database is Not Multi-AZ: Identifies databases that are not configured for Multi-AZ deployment.

Updated Query Filters

  • Application Gateway Domain TLS Version: Updated to query against the new minimum_tls_version field.
  • Resource Does Not Support TLS 1.2 Minimum: Updated to reflect changes made to the Application Gateway Domain TLS Version Query Filter.
  • Database Instance Is Multi-Availability Zone: Renamed to Database Instance Is Multi-Availability Zone (Deprecated).
  • Database Instance Is Not Multi-Availability Zone: Renamed to Database Instance Is Not Multi-Availability Zone (Deprecated).
  • Database Instances With Multi-AZ: Renamed to Database Instances With Multi-AZ (Deprecated).
  • Kubernetes Cluster Latest Version (EKS/AKS/GKE): Fixed an issue where Kubernetes cluster versions were compared as strings instead of correctly evaluating major, minor, patch, and cloud provider-build values. Also resolved cases where the latest version used for comparison could be outdated.
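
The string-versus-numeric comparison defect described in the Kubernetes Cluster Latest Version fix above, shown as an added Python example that is not Rapid7's code. The version format `[v]MAJOR.MINOR[.PATCH][-PROVIDER.BUILD]`, the function names, and the sample versions are assumptions constructed for illustration.

```python
import re

# Assumed format for this example: [v]MAJOR.MINOR[.PATCH][-PROVIDER.BUILD],
# e.g. "1.29.1-gke.1589000". Real provider version strings may differ.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-[a-z]+[.-]?(\d+))?$"
)


def parse_version(text):
    """Return (major, minor, patch, build) as integers; missing parts are 0."""
    match = _VERSION_RE.match(text.strip().lower())
    if match is None:
        # Refuse to guess: an unparseable version must not be silently compared.
        raise ValueError(f"unrecognised cluster version: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def is_outdated(current, latest):
    """True when `current` is strictly older than `latest`, compared numerically."""
    return parse_version(current) < parse_version(latest)


def is_outdated_string_compare(current, latest):
    """The defective behaviour: lexicographic comparison of the raw strings."""
    return current < latest


# Constructed sample pairs: (cluster version, latest available version).
SAMPLES = [
    ("1.9.3", "1.10.0"),                       # "9" sorts after "1" as text
    ("1.29.1-gke.200", "1.29.1-gke.1589000"),  # build "200" sorts after "1589000"
    ("1.30.0", "1.30.0"),                      # already on the latest version
    ("1.31.2", "1.30.9"),                      # stale "latest" reference value
]


def compare_all(samples=SAMPLES):
    """Return (current, latest, string_result, numeric_result) for each pair."""
    return [
        (cur, new, is_outdated_string_compare(cur, new), is_outdated(cur, new))
        for cur, new in samples
    ]


if __name__ == "__main__":
    for cur, new, by_string, by_number in compare_all():
        flag = "MISMATCH" if by_string != by_number else "ok"
        print(f"{cur:>16} vs {new:<20} string={by_string!s:<5} "
              f"numeric={by_number!s:<5} {flag}")
```

In the first two pairs the string comparison reports an outdated cluster as current, which is the kind of missed finding a filter like this exists to catch.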

Updated Compliance Packs

  • Storage Account with Infrastructure Encryption Disabled: Added to CIS Controls v8.1.2 compliance pack.
  • Storage Account Encrypted using Cloud Managed Key Instead of Customer Managed Key: Added to CIS Controls v8.1.2 pack.
  • Storage Account Allows Shared Key Access: Added to CIS Controls v8 pack.
  • Account Without Latest SMB Protocol Versions: Added to CIS v8.1.2 pack.

The following new TLS-related insights were added to multiple compliance packs including CIS Controls v8.1.2, NIST 800-53 (Rev 5), Microsoft Cloud Security Benchmark, NIST 800-171, NIST Cybersecurity Framework 2.0, and CMMC v2.0:

  • App Service Deployment Slot Not Using Minimum TLS Version 1.2 or Higher
  • Function App Not Using Minimum TLS Version 1.2 or Higher
  • Function Deployment Slot Not Using Minimum TLS Version 1.2 or Higher

Fixed

  • Fixed insight severity edge case for IaC exception configuration creation.
  • Fixed a bug with System Notifications for Health via Microsoft Teams that was causing an error.
  • Fixed an issue where a UI error would occur when editing certain email subscription configurations.

Mimics Infrastructure as Code (IaC) Scanning Tool

No updates released at this time.

SIEM (InsightIDR)

No updates released at this time.

Vulnerability Management (InsightVM)

Version 8.35.0

Software release date: Feb 2, 2026 | Release notes published: Jan 29, 2026

New:

  • Added support for scanning macOS assets using the Nexpose Scan Assistant. This release introduces Scan Assistant support for macOS Sonoma, Sequoia, and Tahoe, with installers available for both Intel-based and Apple Silicon users. The macOS Scan Assistant can be downloaded from the Scan Assistant documentation page.
  • New Policy Content: Support has been added for the following versions of CIS and DISA STIG benchmarks to enable organizations to adhere to the latest security best practices:
    • Linux:
      • CIS Debian Linux 11 STIG Benchmark v1.0.0
      • CIS Ubuntu Linux 22.04 LTS Benchmark v3.0.0
      • CIS Oracle Linux 8 Benchmark v4.0.0
      • CIS AlmaLinux OS 10 Benchmark v1.0.0
    • Microsoft Windows Server:
      • DISA STIG Microsoft Windows 11 Benchmark Version 2, Release 6
      • DISA STIG Microsoft Windows Server 2019 Benchmark Version 3, Release 6
    • Apple macOS:
      • CIS Apple macOS 15.0 Sequoia Benchmark v2.0.0
    • Web Browsers:
      • CIS Google Chrome Group Policy Benchmark v1.0.0

Improved:

  • Improved Oracle Linux kernel fingerprinting, reducing false positives.
  • Improved consistency of CVSS scoring in PCI vulnerability reports. Custom PCI report templates now display CVSS v2 and v3 scores consistently with the Security Console, ensuring severity ratings accurately reflect the underlying vulnerability data.
  • Policy Content Updates: Corrected policy evaluation issues in the CIS Rocky Linux 9 Benchmark v2.0.0.

Nexpose

Version 8.35.0

Software release date: Feb 2, 2026 | Release notes published: Jan 29, 2026

New:

  • Added support for scanning macOS assets using the Nexpose Scan Assistant. This release introduces Scan Assistant support for macOS Sonoma, Sequoia, and Tahoe, with installers available for both Intel-based and Apple Silicon users. The macOS Scan Assistant can be downloaded from the Scan Assistant documentation page.
  • New Policy Content: Support has been added for the following versions of CIS and DISA STIG benchmarks to enable organizations to adhere to the latest security best practices:
    • Linux:
      • CIS Debian Linux 11 STIG Benchmark v1.0.0
      • CIS Ubuntu Linux 22.04 LTS Benchmark v3.0.0
      • CIS Oracle Linux 8 Benchmark v4.0.0
      • CIS AlmaLinux OS 10 Benchmark v1.0.0
    • Microsoft Windows Server:
      • DISA STIG Microsoft Windows 11 Benchmark Version 2, Release 6
      • DISA STIG Microsoft Windows Server 2019 Benchmark Version 3, Release 6
    • Apple macOS:
      • CIS Apple macOS 15.0 Sequoia Benchmark v2.0.0
    • Web Browsers:
      • CIS Google Chrome Group Policy Benchmark v1.0.0

Improved:

  • Improved Oracle Linux kernel fingerprinting, reducing false positives.
  • Improved consistency of CVSS scoring in PCI vulnerability reports. Custom PCI report templates now display CVSS v2 and v3 scores consistently with the Security Console, ensuring severity ratings accurately reflect the underlying vulnerability data.
  • Policy Content Updates: Corrected policy evaluation issues in the CIS Rocky Linux 9 Benchmark v2.0.0.

Digital Risk Protection (Threat Command)

No updates released at this time.

Rapid7 Agent

No updates released at this time.

Next-Generation Antivirus

No updates released at this time.

Ransomware Prevention

No updates released at this time.

Velociraptor

No updates released at this time.
