June 2026 Release Notes
The Command Platform release notes include information about what’s new, which are updated monthly, and improvements and fixes, which are updated weekly.
Last updated: June 29, 2026
What’s New
Learn about new features across the Command Platform. These features were released over the past month and are available now:
- Attack surface: Attack Surface Management (Surface Command), Exposure Command, Incident Command
- Risk: Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, Incident Command
- Threat: SIEM (InsightIDR)
Attack surface
Your attack surface is comprised of all of the potential entry points that attackers could exploit across your systems, applications, and networks. Developing knowledge of your attack surface is a key goal in improving your company’s security posture.
- Build reports from asset and identity filter tables
- Tune asset correlation for accurate attack surface reporting
- Monitor Kubernetes runtime security with Cloud Security (InsightCloudSec)
Build reports from asset and identity filter tables
In Attack Surface Management (Surface Command), Exposure Command, and Incident Command, you can now create dashboard widgets directly from your saved filter views, complementing the query-driven reporting you already use. This capability lets you build Attack Surface Management (Surface Command) dashboards in minutes without needing to learn the Cypher graph query language.
With this capability in Attack Surface Management (Surface Command), you can:
- Build dashboards quickly using intuitive filter tables instead of custom queries.
- Start leveraging ASM insights immediately with minimal learning curve.
- Use filter-based reporting for most use cases while still accessing advanced queries when needed.
Tune asset correlation for accurate attack surface reporting
In Attack Surface Management (Surface Command), Exposure Command, and Incident Command, you now have improved visibility into asset correlation and the ability to address over-correlated assets where multiple assets are improperly grouped together. You can tune correlation settings to match your organization’s operational environment without requiring assistance from Rapid7 support.
With this capability in Attack Surface Management (Surface Command), you can:
- Resolve over-correlation scenarios independently with intuitive tuning controls.
- Improve attack surface reporting accuracy by aligning correlation with your environment.
- Reduce reliance on support teams for correlation adjustments.
Monitor Kubernetes runtime security with Cloud Security (InsightCloudSec)
In Cloud Security (InsightCloudSec) and Exposure Command, you can now monitor and secure your Kubernetes workloads in real time with integrated container runtime security capabilities. Deploy sensors to detect threats and anomalous behavior, surface vulnerabilities, and identify misconfigurations, then respond instantly by pausing, stopping, or killing suspicious processes and containers. You can also generate and enforce least-privilege network policies and seccomp profiles to harden your environment before threats take hold.
With this capability in Cloud Security (InsightCloudSec), you can:
- Deploy sensors to detect threats, anomalous behavior, vulnerabilities, and misconfigurations in your Kubernetes workloads in real time.
- Respond to threats instantly by pausing, stopping, or killing suspicious processes and containers from the Command Platform.
- Generate and enforce least-privilege network policies and seccomp profiles.
- Gain unified visibility into container security alongside your broader cloud security posture.
Risk
Risk is the potential for loss or damage to your assets, operations, or reputation, due to vulnerabilities being exploited by a bad actor. Security teams must assess the risk level by evaluating the likelihood of a threat occurring and the impact that it would have if realized.
- Speed up remediation with faster data updates in Remediation Hub
- Unify remediation with Microsoft Defender vulnerabilities in Remediation Hub
- Create Cloud Security (InsightCloudSec) bots from JSON
- New F5 BIG-IP Vulnerability Coverage
Speed up remediation with faster data updates in Remediation Hub
In Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, and Incident Command, remediation data across all assets assessed in Vulnerability Management (InsightVM) is now updated more frequently. With data available within one hour, teams can act quickly and confidently on remediation priorities.
With this capability in Risk > Remediation Hub, you can:
- Access updated remediation data from Vulnerability Management (InsightVM) within one hour.
- Act on remediation priorities with confidence using timely, reliable information.
- Reduce delays between vulnerability discovery and remediation planning.
- Make faster remediation decisions across your asset portfolio.
Unify remediation with Microsoft Defender vulnerabilities in Remediation Hub
In Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, and Incident Command, Microsoft Defender vulnerabilities are now included in the same unified remediation view as other sources, giving you a complete picture of risk across your environment. Manage vulnerabilities from multiple tools in one place without switching between platforms.
With this capability in Risk > Remediation Hub, you can:
- View vulnerabilities from Rapid7 and Microsoft Defender in a single, unified interface.
- Prioritize all remediation opportunities without context switching between tools.
- Make more confident remediation decisions with complete risk visibility.
- Reduce delays caused by fragmented vulnerability data across multiple sources.
Requires MS Defender Connector v3.0 or later in Attack Surface Management (Surface Command).
Create Cloud Security (InsightCloudSec) bots from JSON
In Cloud Security (InsightCloudSec) and Exposure Command, you can now create bots directly from JSON configuration. Select Create Bot From JSON from the bot creation dropdown menu to streamline your workflow without needing to create a template first.
With this capability in Automation (InsightConnect) > Bot Factory, you can:
- Create bots directly from JSON configurations without intermediate steps.
- Streamline bot creation workflows for teams working with code-based configurations.
- Reduce setup time and simplify the bot deployment process.
- Use JSON-driven automation more efficiently across your cloud environment.
New F5 BIG-IP Vulnerability Coverage
We have released a vulnerability coverage update that will includes improvements for the F5 BIG-IP plugin. This update improves visibility into vulnerabilities that may already exist in your environment.
With this update in Vulnerability Management (InsightVM) and Nexpose, you may:
- See see an increase in your vulnerabilities detected.
- See vulnerabilities associated with older CVEs that remain unpatched. However, the “first found” date will appear recent because it reflects when detection became available.
- See an increase in risk score. This is an indication of improved coverage, not an increase of actual risk.
No action is required to receive this vulnerability coverage, as it will be included in your next automatic or scheduled update.
Threat
A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from various sources, including malicious actors, natural disasters, or unintentional human errors.
Expand detection coverage with script visibility
Following the release of this feature on June 12, 2026, our team identified an issue that impacted platform performance. To ensure stability and a seamless experience for our users, we have temporarily rolled back this capability as of June 17, 2026. We are actively working on a fix and plan to re-release this feature as soon as it meets our quality standards.
Impacted offerings:
- SIEM (InsightIDR)
- Managed Detection and Response
Improvements and Fixes
Keep track of improvements and fixes to core technology.
Application Security (InsightAppSec) and AppSpider
Version 7.5.027
Software release date: June 30, 2026 | Release notes published: June 30, 2026
New Features:
- AI Vulnerability Validator for Blind NoSQL - An integrated LLM verification using AWS Bedrock that automatically analyzes and triages content and timing-based Blind NoSQL Injection findings, minimizing manual verification requirements.
- OpenAPI 3.1 Parsing Support - Added endpoint parsing support for OpenAPI 3.1 documents.
- Strict JSON Parsing Requirements - Swagger 2.0 and OpenAPI 3.0 JSON-formatted documents are now required to conform to valid JSON standards.
- Non-conformant syntax, such as duplicate keys, single quotes, unquoted keys, hex numbers, leading/trailing decimals, or unescaped control characters, reports a parsing error.
- WordPress Admin Auditing - Added passive auditing rules to detect and alert on common publicly exposed WordPress administrative portal paths.
Improved:
-
Application Security Scan Engine
- Blind NoSQL Stability Checks - Added a response-stability verification loop to
BNoSQL03apath attacks, preventing false positive alarms caused by shifting edge responses like WAF interstitials or load-balanced variations. - Attack Data Defs - Updated analyze data profiles to include detection of current Drupal iterations.
- Crawl Result Optimization - Maintained Scan Engine caching mechanisms for inactive Crawl Results to preserve system memory boundaries.
- Blind NoSQL Stability Checks - Added a response-stability verification loop to
-
R7 Crawler / Automatic Login Framework (ALF)
- ALF Tracking Mechanics - Enhanced page-status tracking pipelines within ALF interactive sequences.
- ALF Video Processing - Rewrote video playback and frame handling routines to gracefully intercept thrown errors without crashing active workflows.
Fixed:
- Application Security Scan Engine
- Reflected XSS Execution Validation - Upgraded the Cross-Site Scripting module to perform browser-based script execution checks. This change allows the module to filter out benign input reflections in non-executable contexts and update validated vulnerabilities to High confidence.
- X-Frame-Options & CSP Frame Ancestors - Rewrote module logic to simultaneously evaluate XFO headers alongside Content-Security-Policy (CSP)
frame-ancestors. Recommendations are now intelligently calculated based on gaps. For example, advising XFO for legacy Internet Explorer compatibility if only CSP is present or advising both if unprotected. - SOAP/WSDL Vulnerability Coverage - Resolved a bug where structural elements and parameterless routines exhausted attack budgets. The engine now accurately analyzes and discovers SQL Injections hidden inside string parameters of WSDL web services.
- SQL Parameter Check Module - Fixed an issue that caused false negatives when evaluating parameter structures containing an equal (
=) operator character. - JavaScript Passive Hangs - Fixed a scanning loop failure where processing applications with large static JavaScript bundles caused the passive SQL Information Leakage checks to hang for several hours.
- LLM Throttling Fix - Resolved network timeout faults during complex LLM application scans by introducing request throttling parameters during Chatbot macro executions.
Attack Surface Management (Surface Command)
Version 1.0.922
Software release date: June 24, 2026 | Release notes published: June 24, 2026
Connectors
The following connectors were updated in the Extension Library since the previous release. Connector updates are published independently and may have been available before this release date.
New Connectors
- Exabeam New-Scale: Exabeam New-Scale is a cloud-native SIEM and security analytics platform that uses behavioral analytics to detect threats. This connector imports Site Collector agent details from Exabeam New-Scale into the Rapid7 Platform, enabling centralized visibility of collector agent status, configuration, and health.
- SUSE Manager: SUSE Manager is an open source infrastructure management and automation solution used to manage, monitor, and update Linux systems across physical, virtual, and cloud environments. This connector integrates managed Linux assets, installed software, and vulnerability findings (via errata) with the Rapid7 Platform.
- Ubuntu Landscape: Ubuntu Landscape is a central management and monitoring platform for Ubuntu systems. It allows administrators to manage large fleets of Ubuntu instances by automating updates, monitoring performance metrics, and auditing security compliance across physical, virtual, and cloud-based assets. This connector imports computers (with hardware and network details), installed packages, computer groups, and tags from Ubuntu Landscape.
- Zimperium MTD: Zimperium secures both mobile devices and applications so they can safely and securely access data. This connector integrates mobile application inventory and security findings data from the Zimperium API with the Rapid7 Platform, enabling visibility into mobile application security posture.
Updated Connectors
- Flexera One: Updated this connector to fetch software and produce the appropriate base types.
- GitHub and GHAS: Reduced the GraphQL page size for repository queries to prevent GitHub server-side timeouts (502 and 504).
- Microsoft Defender:
- Added a Software inventory feed with
SoftwareandSoftwareInstallationtypes. - Added the Priority subtype to
MicrosoftDefenderSecurityRecommendation.
- Added a Software inventory feed with
- Microsoft Intune:
- Added
MicrosoftIntuneSoftwareandMicrosoftIntuneSoftwareInstallationtypes for software inventory tracking. - Added
userExperienceAnalyticsWorkFromAnywhereMetricsenrichment data toMicrosoftIntuneDevice. - Added the Get User Experience Analytics Metrics setting.
- Added
- ServiceNow: Added the Exclude CI Types setting, allowing customers to exclude specific CI type categories from ingestion.
- SolarWinds IT Asset Management: Fixed schema validation errors on
SolarWindsITAMUserwhen department fields are null.
Version 1.0.918
Software release date: June 16, 2026 | Release notes published: June 17, 2026
Improved:
- External Attack Surface assets no longer include unreliable severity reasons, severities, or Common Vulnerabilities and Exposures (CVE) data from third-party sources.
Fixed:
- Rapid7EASMCertificate subject and issuer fields now contain the full Distinguished Name (DN) instead of only the Common Name (CN).
Connectors
The following connectors were updated in the Extension Library since the previous release. Connector updates are published independently and may have been available before this release date.
New Connectors
- SonicWall Capture Client: SonicWall Capture Client is a cloud-managed service for endpoint security and device management. This connector imports endpoint devices, SentinelOne agents, users, groups, risky applications, and installed software from SonicWall Capture Client into the Rapid7 Platform.
Updated Connectors
- AWS EC2: Updated how Asset:first_seen is derived for AwsEc2Instance objects. The value is now based on the earliest timestamp across related properties, such as attachment timestamps for network interfaces and volumes.
- Anthropic:
- Added detail to configuration instructions.
- Updated dependencies.
- Datadog: Fixed a schema error in DatadogPlatformHost where the macV example value was incorrectly defined as an array instead of a valid JSON string type.
- GitHub and GHAS: Updated the documentation.
- Kaseya VSA 9: Fixed ShowToolTip field type in KaseyaVSA9Agent (integer, not boolean).
- ManageEngine OpManager: Fixed a bug where IP addresses were not being properly rejected from hostname correlation, which could lead to incorrect correlation results.
- Microsoft Defender: Fixed the Recommendations query to use the
oroperator instead ofin. - ServiceNow: Ensured that
.jsonfiles are included when packaged for the Orchestrator. - Slack: Fixed an
invalid_cursorerror that occurred when paginating through users and channels. - Snow Atlas: Fixed schema validation errors for the
SnowAtlasUserandSnowAtlasComputertypes. - ThreatLocker: Updated the documentation to clarify API key access and permission requirements.
Version 1.0.917
Software release date: June 9, 2026 | Release notes published: June 10, 2026
Improved:
- External Attack Surface pages now display only data captured from sources within the last 10 days, removing outdated information.
- Saved query and widget pages now include a dashboard filter to refine results when queries provide widgets across multiple dashboards.
- Filter view names can now be up to 100 characters.
- Saved query and ad hoc query names can now be up to 100 characters.
- Widget names can now be up to 100 characters.
Connectors
The following connectors were updated in the Extension Library since the previous release. Connector updates are published independently and may have been available before this release date.
Updated Connectors
- Automox: AutomoxDevice: added property declarations for
notes,organizational_unit, andreboot_deferral_count. - Lansweeper: Added optional filter by number of days since last seen.
- Qualys VMDR:
- Fixed SchemaValidationErrors with new
QualysQidDetail2type. - Increased the timeout for Qualys API calls to 10 minutes.
- Migrated to the new Import Function framework.
- Replaced reporting logic with List Hosts and List Host Detections APIs.
- Fixed SchemaValidationErrors with new
- Slack: Fixed an issue with Slack pagination.
- Tanium: Added support for Tanium instances without the Event Recorder module.
Version 1.0.916
Software release date: June 3, 2026 | Release notes published: June 8, 2026
Connectors
The following connectors were updated in the Extension Library since the previous release. Connector updates are published independently and may have been available before this release date.
New Connectors
- Nudge Security: Nudge Security is a SaaS security platform that discovers and manages every SaaS application in an organization’s environment without requiring agents or network changes. This connector imports SaaS apps, user accounts, groups, OAuth grants, and security findings from the Nudge Security API into Attack Surface Management (Surface Command).
Updated Connectors
- AWS Core: Removed offline installation support.
- AWS EC2: Removed offline installation support.
- AWS IAM: Removed offline installation support.
- AWS Route53: Removed offline installation support.
- AWS S3: Removed offline installation support.
- Amazon Inspector: Removed offline installation support.
- Armis: Removed offline installation support.
- Atlassian Bitbucket Cloud: Removed offline installation support.
- Atlassian Jira Cloud: Removed offline installation support.
- Azure Core: Removed offline installation support.
- BigFix: Removed offline installation support.
- Bitdefender: Removed offline installation support.
- CrowdStrike Falcon: Removed offline installation support.
- Cyberhaven: Prevented import with masked values to avoid overcorrelation.
- Delinea Secret Server: Implemented on-premises and cloud authentication for Delinea Secret Server API.
- Device42: Removed offline installation support.
- Devo SIEM: Removed offline installation support.
- Exabeam: Removed offline installation support.
- ExtraHop: Removed offline installation support.
- GCP Core: Removed offline installation support.
- Google Workspace: Removed offline installation support.
- Infoblox BloxOne Threat Defense: Removed offline installation support.
- Jamf: Removed offline installation support.
- Lansweeper: Removed offline installation support.
- MITRE CWE: Removed offline installation support.
- ManageEngine OpManager: Added support for OpManager Enterprise edition.
- Microsoft Active Directory: Removed offline installation support and updated dependencies.
- Microsoft Defender: Removed offline installation support.
- Microsoft Entra ID (formerly Azure AD): Removed offline installation support.
- Microsoft Graph Security: Removed offline installation support.
- Microsoft Intune: Removed offline installation support.
- Microsoft SCCM: Removed offline installation support.
- Microsoft SQL: Removed offline installation support.
- Mosyle MDM: Removed offline installation support.
- Nexthink: Removed offline installation support.
- Okta: Removed offline installation support.
- Paessler PRTG Network Monitor: Added verify_tls setting to allow users to disable TLS verification if needed.
- Palo Alto Cortex Cloud CSPM: Removed offline installation support.
- Proofpoint TAP: Removed offline installation support.
- Red Hat Satellite: Fixed a schema validation error in RedHatSatelliteHost and resolved a correlation issue with locally assigned MAC addresses.
- SailPoint Security Cloud: Removed offline installation support.
- ServiceNow: Removed offline installation support.
- Slack:
- Added SlackChannel type to import Slack channels with member references. This update requires additional Slack app scopes: channels:read (and groups:read for private channels).
- Removed offline installation support.
- Snyk: Removed offline installation support.
- Splunk: Removed offline installation support.
- Tanium: Removed
configurationItemfrom endpoint query. - Tenable Security Center: Removed offline installation support.
- Tenable Vulnerability Management: Removed offline installation support.
Version 1.0.912
Software release date: May 27, 2026 | Release notes published: June 1, 2026
Improved:
- Rapid7EASMDomain assets in External Attack Surface Domains page now include registration expiry dates.
Connectors
The following connectors were updated in the Extension Library since the previous release. Connector updates are published independently and may have been available before this release date.
New Connectors
- Symmetry DataGuard DSPM: Symmetry Systems DataGuard is a data security posture management (DSPM) solution that provides visibility into data stores, identities, and permissions across hybrid cloud environments to secure sensitive data. This connector imports DataGuard-classified data stores, objects, and classification metadata into Surface Command for analysis.
Updated Connectors
- AWS Core: Fixed packaging error.
- BeyondTrust Endpoint Privilege Management (EPM): Fixed a problem with correlation for locally-assigned MAC addresses.
- Bitdefender: Fix a packaging error.
- Check Point Harmony Endpoint: Fixed a schema validation error for CheckPointHarmonyEndpointAsset.
- Cloudflare: Fixed a packaging error.
- Crowdstrike Falcon: Fixed alerts and vulnerabilities to work for Crowdstrike US Government environments.
- Datadog: Fixed a problem with correlation for locally-assigned MAC addresses.
- Google Security Command Center: Fixed packaging error.
- Infoblox BloxOne DDI: Fixed packaging error.
- Kaseya VSA 9: Schema validation error fix for KaseyaVSA9Asset type.
- Microsoft Defender:
- MicrosoftDefenderVulnFinding: This type is now deprecated and hidden.
- MicrosoftDefenderVulnerabilityFinding: Replaces MicrosoftDefenderVulnFinding and links to MicrosoftDefenderSecurityRecommendation.
- MicrosoftDefenderSecurityRecommendation: Records are now identified by each specific CVE.
- Microsoft Intune: Fixed serialization bug when trying to use the new last sync date filter.
- SentinelOne Singularity: Fixed packaging error.
- ServiceNow:
- Fixed packaging error.
- Fixed schema Validation Error in ServiceNowLocation2.
- Shodan: Fixed packaging error.
Cloud Security (InsightCloudSec)
Release availability for self-hosted users
Self-hosted users are able to download the latest version usually 4 business days after SaaS users are upgraded from the following locations:
- Terraform deployments: Public S3 bucket . Modules can be updated with the
terraform get -updatecommand. - Amazon Elastic Container Repository (ECR) deployments: You can obtain the ECR build images for this version from the InsightCloudSec ECR Gallery
Version 26.6.30
Software release date: June 30, 2026 | Release notes published: June 29, 2026
Deprecations
- Deprecated Insight ID 2061 — Ensure that the cluster has at least one active policy control mechanism in place (CIS Kubernetes Benchmark control 5.2.10, previously mapped as benchmark.2_6_10).
- Replacement: Insight ID 3080 — Ensure that the cluster has at least one active policy control mechanism in place (CIS Kubernetes Benchmark control 5.7.1, mapped as benchmark.2_17_1).
- What Changed: The CIS Kubernetes Benchmark v1.8 reorganized its control numbering. Control 5.2.10 (Pod Security Policies) was moved to section 5.7 (General Policies) as control 5.7.1, reflecting the deprecation of PodSecurityPolicy in Kubernetes and the shift toward Pod Security Admission.
- Action Required: Bots and saved filters using the deprecated Insight (ID 2061) will continue to function but should be updated to use the replacement Insight (ID 3080).
- Compliance packs have been updated to reference the new control.
Improved
- Renamed the CMMC v2.0 Compliance Pack to CMMC Level 2.
- Updated the CMMC Level 1 Compliance Pack to match
CMMC Level 1 v2.0documentation. - Added direct link support for
Airflow Environments. - Added harvesting for new attribute
Snapshot Block Public Access Statefor AWS Cloud Regions. This attribute denotes how snapshot public access is controlled in the region.- New AWS permissions are required:
ec2:GetSnapshotBlockPublicAccessState.
- New AWS permissions are required:
New Insights
- Network Interface Unused - Identifies AWS Elastic Network Interfaces (ENIs) that are unattached and left in an available status.
- Lightsail Bucket Publicly Accessible - Highlights Lightsail Buckets that are marked as ‘Publicly Accessible’.
- Snapshot Is Accessible to the Public - Identifies EBS Snapshots that are accessible to the public.
- Storage Area Network Volume Group Using Platform Managed Key - Identifies Storage Area Network Volume Groups that use Platform Managed Keys for encryption.
Updated Insights
- Renamed Insight Compute Instances Without Detailed Monitoring to Instance Without Detailed Monitoring.
New Query Filters
- Lightsail Resource Types - Allows filtering of Lightsail resources by their Resource Type.
- Lightsail Bucket Public Accessibility - Allows filtering of Lightsail buckets based on their Public Accessibility configuration.
- Cloud Region Snapshot Block Public Access State - Identifies Cloud Regions that have the selected Snapshot Block Public Access State. By default, this Query Filter identifies Cloud Regions with any of the selected Snapshot Block Public Access States.
- Snapshot Public Access - Identifies Snapshots depending on if they are accessible to the public. By default, this Query Filter will identify Snapshots that are accessible to the public.
- Storage Area Network Volume Group Encryption Type - Allows filtering of Storage Area Network Volume Groups by their encryption type.
Version 26.6.23
Software release date: June 23, 2026 | Release notes published: June 22, 2026
Improved
- Released Kubernetes Scanner v5.1.0.
- Updated the
AwsWebAppHarvesterto allow Network Load Balancers to appear underRelated Resourcesfor Web Apps. - Added EDH support resource for AWS Network Firewall.
- Added direct link support for GCP Database Snapshots (Alloydb Backup).
- Implemented support resources for deleting Google Private Image.
- Enhanced permission remediation support across multiple cloud vendors:
- Now supports remediation of missing permissions via CloudShell script for Azure, GCP, Oracle, and AliCloud.
- Icons to invoke this remediation flow will show next to missing permissions on the cloud listing page. It can also be invoked directly from the missing permissions modal, found off the cloud listing page.
New Insights
- Volume Unattached To Instances - Identifies Volumes which are not attached to any Instance.
- Snapshot Is Unencrypted - Identifies Snapshots that are unencrypted.
New Query Filters
- MemoryDB Cluster Transit Encryption Status - Allows filtering MemoryDB clusters by Transit Encryption status.
- Volume Instance Association - Identifies Volume instance association status. By default, this Query Filter returns Volumes that are not attached to any Instance. Added new settings field “Attached to Instances” which alters the Query Filter to return Volumes that are attached to an Instance.
- Snapshot Encrypted State - Identifies Snapshot encryption status. By default, this Query Filter returns Snapshots that are unencrypted.
Updated Query Filters
- Renamed Query Filter Volume Orphaned to Volume Instance Association.
- Renamed Query Filter Snapshot Unencrypted to Snapshot Encrypted State.
- Deprecated Query Filter Snapshot Encrypted. This functionality can now be replicated by using Snapshot Encrypted State with the “Encrypted” toggle enabled.
Fixed
- Fixed an issue where the Compliance Pack filter on the Insights Library page only displayed core packs when no Insight Source was selected.
- Fixed an issue where CSV export was not applying the selected Compliance Pack filter.
- Fixed IaC scan bug for Cache Instance not enforcing encryption at rest. Secondary cluster now inherits encryption from global replication group.
Version 26.6.16
Software release date: June 16, 2026 | Release notes published: June 15, 2026
Improved
-
Updated the Control Names for controls within the following Compliance Packs:
- CIS - GCP 1.3.0
- CIS - GCP (Legacy)
-
Updated the error modal for the Scheduled Events page to better display Scheduled Events errors to users.
-
IaC jobs now determine whether any scans are actionable before initiating scan. If all insights are configured to be ignored, the scan will be dropped.
-
When managing configurations within IaC, the Apply button is now disabled until changes have been made.
-
Introduced a new harvester for the OpenSearch UI service to improve visibility into your AWS OpenSearch Dashboards. This update includes the ability to track encryption configurations and KMS key details for these instances.
- Permissions required:
es:ListApplications,es:GetApplication.
- Permissions required:
New Insights:
- ECS Container Cluster Not Encrypted With Customer Managed Key - identifies ECS container clusters not encrypted with customer managed keys.
- Web App Load Balancer Access Logging Disabled - flags AWS Web Apps with an associated Load Balancer that has Access Logging disabled.
- Added to the CIS v8.1.2, NIST CSF v2.0, NIST 800-53 Rev. 5, and CMMC v2.0 Compliance Packs.
- ECS Task Definition Without Logging Configuration - identifies ECS task definitions without logging configuration.
- ECS Task Definition Passes Secrets as Container Environment Variables - identifies ECS task definitions that pass secrets as container environment variables.
- Instance Stopped for 90 Days or Longer (BackOffice Insight 2574) - identifies instances that have remained stopped for at least 90 days.
- Targets instance resources and currently supports
AWS,AWS_CHINA, andAWS_GOV. - Includes remediation and operational guidance for handling long-stopped instances, including optional scheduled deletion workflows.
- Mapped to the following compliance packs: CIS Controls v8.1.2, CMMC Level 2, NIST 800-53 Rev. 5, NIST 800-171, and NIST Cyber Security Framework CSF 2.0.
- Targets instance resources and currently supports
- Instance Running Longer Than 180 Days (Insight 2575) - identifies EC2 instances that have been running continuously for more than 180 days.
- Mapped to CIS Controls v8.1.2 and applicable compliance packs.
- Private Image Exceeds 90 Day Age Limit - identifies AWS private images (AMIs) older than 90 days that may not have the latest operating system patches applied.
- Supports
AWS,AWS_CHINA, andAWS_GOVclouds.
- Supports
- Storage Area Network Public Network Access Enabled - identifies storage area networks with public network access enabled.
Updated Insights:
- Task Definition Resource Has No Log Configuration - replaced by ECS Task Definition without Logging Configuration.
- Task Definition with Secret in Environment Variable Key - replaced by ECS Task Definition Passes Secrets as Container Environment Variables.
New Query Filters:
- Container Cluster Fargate Ephemeral Storage Encryption Key Type - identifies container cluster Fargate ephemeral storage encryption key types.
- Web App Load Balancer Access Logging State - flags AWS Web Apps with an associated Load Balancer based on its Access Logging configuration.
- ECS Task Definition Log Driver Configuration - identifies ECS task definition log driver configuration.
- Private Image Creation Date - identifies private images (AMIs) that are older than a configurable number of days based on their creation date.
- Storage Area Network Public Network Access - identifies storage area network public network access configuration.
Updated Query Filters:
- Added additional resource parsing to network_flow_logs_not_configured to enable this insight in IaC scans.
- Renamed Load Balancer without Logging to Load Balancer Access Logging Configuration to reflect its new functionality.
- Migrated Load Balancer with Logging functionality to Load Balancer Access Logging Configuration.
Fixed:
- Fixed an issue where dark mode theme was not applied correctly on initial page load.
- Fixed conversion bug with Redshift Cluster IaC scans.
- Added additional validation for the IaC Simulations to support the update to MySQL v8.4.
- Added a button to Kubernetes Cluster page to link directly to adding a runtime sensor.
Version 26.6.9
Software release date: June 9, 2026 | Release notes published: June 8, 2026
Deprecations
- Deprecated Query Filter: “Cloud Region without Default/Allow List Encryption Enabled”. Its functionality is now covered by 3 new Query Filters which can be combined as needed:
- “Cloud Region Disk Encryption”
- “Cloud Region Volume Association”
- “Cloud Region Disk Encryption Key”
- Deprecated Query Filter: “Cloud Region with Default Encryption Enabled”. Its functionality is now covered by the new Query Filter: “Cloud Region Disk Encryption”.
- Deprecated Insight: “Task Definition Running Containers without Read Only Filesystem”. Replaced by “ECS Task Definition Running Containers without Read Only Filesystem”.
- Deprecated Insight: “Task Definition Running in Privileged Mode”. Replaced by “ECS Task Definition Running in Privileged Mode”.
- Removed deprecated harvesting logic for harvesting “single” server types from Azure (
MariaDB,PostgreSQL,MySQL). Harvesting of “flexible” server types has not changed.
Improved
- Added the ability to exclude specific CloudTrail events from EventBridge rules when configuring EDH auto-provisioned consumers.
- Improved performance of writing Source Documents to the database.
- Added IaC support for network interfaces.
- Implemented support for deleting Google Private Image resources.
- Updated deprecated bot action “Wait” to “Wait (DEPRECATED - no-op)” to accurately represent that it performs no operation.
- Enhanced AWS Elastic Beanstalk resource harvesting to collect CloudWatch Logs configuration settings including:
- Stream logs status
- Delete-on-terminate settings
New Insights
- “Web App without Log Streaming Fully Configured”: Identifies AWS Elastic Beanstalk environments that do not have log streaming enabled or are not configured to retain logs after environment termination.
- Added to the following compliance packs:
- CIS Controls v8.1.2
- CMMC v2.0 Level 2
- NIST SP 800-53 Rev. 5
- NIST CSF v2.0
- Added to the following compliance packs:
- “ECS Task Definition without User-Defined Tags”: Identifies ECS task definitions missing user-defined tags.
- “ECS Container Cluster without User-Defined Tags”: Identifies ECS container clusters missing user-defined tags.
- “Container Services without User-Defined Tags”: Identifies container services missing user-defined tags.
- “ECS Container Cluster with Container Insight Disabled”: Identifies ECS container clusters with Container Insights disabled.
- “ECS Task Definition Running Containers without Read Only Filesystem”: Identifies ECS task definitions running containers without read-only filesystem (replaces deprecated insight).
- “ECS Task Definition Running in Privileged Mode”: Identifies ECS task definitions running in privileged mode (replaces deprecated insight).
Updated Insights
- Renamed “Cloud Region without Default Volume Encryption” to “Cloud Region without Default Volume Encryption”.
New Query Filters
- “Web App Log Streaming”: Identifies AWS Elastic Beanstalk environments with or without log streaming configuration.
- “ECS Resource without User-Defined Tags”: Identifies ECS resources missing user-defined tags.
- “ECS Container Cluster Container Insights Status”: Identifies ECS container clusters by Container Insights status.
- “Cloud Region Disk Encryption”: Identifies cloud regions by disk encryption configuration.
- “Cloud Region Volume Association”: Identifies cloud regions by volume association.
- “Cloud Region Disk Encryption Key”: Identifies cloud regions by disk encryption key configuration.
- “Database Cluster Minimal TLS Version”: Identifies database clusters by minimal TLS version.
Updated Query Filters
- The existing “Resource Does Not Support TLS 1.2 Minimum” and “Resource Does Not Support TLS 1.3 Minimum” Query Filters now also cover database clusters.
Fixed
- Fixed an issue where AWS accounts onboarded via an Organization could show incomplete region harvester results when a region becomes unreachable. Stale
ACTIVEregions are now automatically disabled during harvest, and globally excluded regions are respected during org propagation. - Fixed a server error when sorting by account name or cloud type on the CVM Settings assessment coverage pages.
Version 26.6.2
Software release date: June 2, 2026 | Release notes published: May 28, 2026
Deprecations
- Task Definition Resource Has Host Process Namespace: This insight has been deprecated and replaced with ECS Task Definition with pidMode set to ‘Host’.
Improved
- The existing environment variable for displaying Vulnerability Management (InsightVM) vulnerabilities has been replaced with a new section on the vulnerabilities settings page. Admin users can now enable the display of Vulnerability Management (InsightVM) vulnerabilities in the resource blade at the organization level. Customers may need to toggle this on to show the Vulnerability Management (InsightVM) sourced vulnerabilities after this release. Previously, the environment flag applied to all organizations in Cloud Security (InsightCloudSec); this flag is now configurable for individual organizations.
- Improved performance of
ContainerImageScanManagerorphan deletion. - Improved query efficiency in the
/v2/prototype/domain/organizations/inventoryendpoint. - Improved upfront validation and error messages when creating tags on GCE Resources.
- Improved cross-partition AWS onboarding UI for script pathway.
- Enhanced S3 harvesters (
StorageContainerHarvester,StorageContainerPropertyHarvester,ServiceAccessPointHarvester) to skip buckets in globally excluded regions and gracefully handle connection timeouts to unreachable regional endpoints instead of crashing the entire harvest. - Restricted vulnerability and software visibility (Security > Vulnerabilities) for basic users to only show data from cloud accounts they have been granted visibility over. If their scope doesn’t include all cloud accounts, they will also be unable to see full counts in the “Impacted Resources” column.
- Added the ability to filter insights by compliance pack and compliance rule in the Insights Library, enabling customers to quickly identify which insights satisfy specific compliance requirements.
- Added a new “Compliance Packs & Rules” section to the insight detail view that displays which compliance packs and rules each insight satisfies, organized by benchmark with direct links to the relevant compliance pack details.
- Enhanced the compliance pack detail view with a sortable Compliance Rule column and a new filter to show only insights that match specific compliance rules within that pack.
- Updates what is stored in the API activity table.
/v3/iac/scanis now recorded in the table without request or response data./private/iac/analysisand/private/iac/scans/<int:scan_id>/reportnow do not include request or response data. - Added Bot Failure Notifications into System Administrations > System Notifications. It can be enabled and configured to send emails when a bot fails.
- Added Direct Link support for the following GCP resources: Access List Rule, Backend Services, Cloud Dataset Table, Cloud Limit, Cloud Policy, Cloud Region, Cloud Role, Data Factory, Direct Connect, DNS Record, NAT Gateway, Network Endpoint Group, Network Endpoint Group Member, Network Flow Log, Network Interface, Network Peer, Notification Subscription, Pods, Secret, Spanner Database, SSH Key Pair, SSL Certificate Authority, Web Application Firewall, Vertex Custom Job, and Virtual Private Gateway.
New Resources
- Azure Container App Session Pool: Added support for harvesting Azure Container App Session Pool resources.
- Harvester:
ContainerAppSessionPoolHarvester - Available Bot Action: Add tags
- Reader Permissions Required:
Microsoft.App/sessionPools/read
- Harvester:
New Insights
- Container Service Not Using Latest Fargate Platform Version: Identifies AWS ECS services running on Fargate that are not using the latest platform version.
- ECS Task Definition with pidMode set to ‘Host’: Identifies ECS task definitions that have the PID mode set to ‘Host’, which allows containers to share the host’s process namespace.
- ECS Task Definition With Host Network Mode and Privileged or Root Container: Identifies ECS task definitions that use host network mode and contain privileged containers or containers running as root.
Updated Insights
- Resource Does Not Enforce Minimum TLS 1.2 Version: Updated to indicate that GCP resources are now supported.
- Instance Open to the Public (Validated): Now supports AliCloud compute instances.
- Compute Instance Open to the Public (Validated): Now supports AliCloud compute instances. Public AliCloud instances can be seen in Layered Context with the ‘Public (Validated)’ label under ‘Public Access’.
- OCI Encryption Key Age: Updated to check the current key version creation date instead of the key container creation date, ensuring rotated keys are correctly identified as compliant.
New Query Filters
- Container Service Not Using Latest Fargate Platform Version: Identifies AWS ECS services running on Fargate that are not using the latest platform version.
- ECS Task Definition With Privileged or Root Containers: Identifies ECS task definitions that contain privileged containers or containers running as root.
- Instance Open to the Public (Validated): Now supports filtering AliCloud compute instances.
Fixed
- Fixed an issue where invalid port range values in access list filters could cause an internal server error instead of returning a proper validation message.
- Fixed a bug where OCI Kubernetes insight findings were not being properly computed.
- Fixed an issue where clicking a resource in the Software Details drawer’s Resources tab did not open the Resource Details panel.
- Fixed a server error (HTTP 500) in the resource query API (
/v3/public/resource/queryand/v2/public/resource/query) that occurred when the insight parameter was provided without the requiredsource:idformat. The API now returns a clear validation error instead of crashing. - Fixed a
PendingRollbackErrorin theNewSessioncontext manager that occurred when a prior failed flush (for example, from a lost MySQL connection) poisoned the session. The session cleanup now gracefully rolls back instead of raising. - Fixed a race condition where DynamoDB table restore filters could incorrectly trigger bots when the harvester discovered a restored table before EDH processed the restore event. The
RestoreSummaryis now harvested directly from the table metadata, allowing restore-based filters to work reliably without depending on EDH event timing. - Fixed a bug where directly defined Insights were being ignored by exemption rules.
- Fixed an issue where bot action deletion would delete multiple actions instead of just the intended action.
- Fixed an issue where the web server could return HTTP 416 (Range Not Satisfiable) errors when serving the application index page to clients sending invalid Range request headers.
Release of Kubernetes Scanner v5.0.4
- Kubernetes Scanner v5.0.4: Released with vulnerability fixes. Internal components and their versions are in the chart value file.
- You can easily view the data using the following command:
helm show values <chart name> | grep -E 'Name:|Version:'. - You can update to new version using
helm upgrade --installcommand referenced in Kubernetes Scanner documentation.
- You can easily view the data using the following command:
Mimics Infrastructure as Code (IaC) Scanning Tool
No updates released at this time.
SIEM (InsightIDR)
No updates released at this time.
Vulnerability Management (InsightVM)
Version 8.50.0
Software release date: June 29, 2026 | Release notes published: June 26, 2026
Improved:
- Updated the bundled Scan Assistant to version 1.8.0.1, delivering improved stability and enhanced Windows policy scanning capabilities. This release also resolves an issue that could cause scans to fail on assets with multiple IP addresses or network interfaces.
- Updated the Java runtime branding from AdoptOpenJDK JRE to Eclipse Adoptium JRE, reflecting the project’s transition to the Eclipse Foundation. This is a branding update only and does not affect functionality.
Fixed:
- Resolved an issue that generated unnecessary null pointer errors in the Security Console logs and could affect user logout and manual scan operations, improving overall console stability.
- Fixed an issue where the API v3 endpoint for retrieving disabled rules in custom policies did not return any results. Disabled policy rules are now returned as expected.
- Restored availability of the SAML Service Provider metadata endpoint (/saml/metadata), allowing customers to download the metadata XML required to configure SAML Single Sign-On with their identity provider.
- On 23 June 2026, Rapid7 introduced automatic provisioning of Command Platform accounts for existing InsightVM Security Console users. Following customer impact identified during rollout, this change was reverted back on 25 June 2026 while we evaluate feedback and improvements to the experience.
Version 8.49.0
Software release date: June 22, 2026 | Release notes published: June 22, 2026
Improved:
- Added fingerprinting support for ASP.NET Core 10, improving application identification and inventory coverage.
- Improved asset search results to ensure Operating System information is displayed consistently in both search results and asset detail views.
- Refined fingerprinting logic for Azul Zulu JDK to reduce false positives and improve software identification accuracy.
- Added built-in policy support for CIS Microsoft Office Enterprise Benchmark v1.2.0.
- Updated DISA STIG support for Microsoft Windows Server 2022 from V2R4 to V2R8, providing coverage for the latest benchmark requirements.
Fixed:
- Resolved an issue affecting fingerprinting of Mozilla Firefox running within Citrix sessions.
- Fixed an issue that prevented Automated Actions configured with the “New Vulnerability Coverage Available” trigger from executing successfully. Automated actions now function as expected.
- Corrected an issue impacting fingerprinting accuracy for Google Chrome client, ensuring the browser is identified correctly during scans.
Version 8.48.0
Software release date: June 15, 2026 | Release notes published: June 11, 2026
Improved:
- Improved Linux scan accuracy to address a false positive affecting CVE-2025-40909 on AlmaLinux 8.10.
- Added fingerprinting support for Nutanix AHV, improving asset identification and inventory coverage.
- Increased the maximum configurable value for the
com.rapid7.net.unix.find.timeoutcustom property to 24 hours, allowing authenticated scans to complete file discovery on large or complex Unix file systems without timing out. - The Scan Engine now reports TLS 1.3 named groups (key exchange groups) supported by scanned endpoints, including Post-Quantum Cryptography (PQC) hybrid groups. Supported groups are displayed alongside existing cipher suite information in asset service details.
- Enhanced credential logging for SSH-enabled scans, providing visibility into which credential was successfully used during authentication.
- Improved the overall security posture of the Security Console by updating the bundled Bootstrap library.
- Added built-in policy support for:
- CIS Oracle MySQL Community Server 8.0 Benchmark v1.2.0
- CIS Microsoft IIS 10 Benchmark v1.2.1
Fixed:
- Resolved an issue where SSH credential scanning could fail against systems running newer versions of OpenSSH.
- Fixed an issue in the RPM version check handler to improve evaluation for Alma Linux and Rocky Linux packages with fingerprinted modules.
- Addressed an issue impacting the reliability of Microsoft Exchange fingerprinting during scans.
- Fixed an issue preventing automated actions based on CVSSv3 scores from triggering correctly.
- Resolved an issue where the /api/3/users endpoint could return an HTTP 400 error due to invalid site access data.
- Updated the report download API to return the correct Content-Type header for the requested report format and provide appropriate error messaging when request headers do not match the report type. API documentation has also been updated to reflect this behavior.
- Addressed an issue in API v3 to align with Security Console permissions, allowing users with the Assign Scan Engine permission to successfully assign scan engines to sites.
- Corrected an issue in API v3 to ensure both Scan Template ID and Scan Template Name are returned accurately.
- Resolved an issue where the Run Commands option was not consistently available in multi-silo Security Console environments.
- Fixed false positives affecting Palo Alto 11 policy checks.
Nexpose
Nexpose Version 8.50.0
Software release date: June 29, 2026 | Release notes published: June 26, 2026
Improved:
- Updated the bundled Scan Assistant to version 1.8.0.1, delivering improved stability and enhanced Windows policy scanning capabilities. This release also resolves an issue that could cause scans to fail on assets with multiple IP addresses or network interfaces.
- Updated the Java runtime branding from AdoptOpenJDK JRE to Eclipse Adoptium JRE, reflecting the project’s transition to the Eclipse Foundation. This is a branding update only and does not affect functionality.
Fixed:
- Resolved an issue that generated unnecessary null pointer errors in the Security Console logs and could affect user logout and manual scan operations, improving overall console stability.
- Fixed an issue where the API v3 endpoint for retrieving disabled rules in custom policies did not return any results. Disabled policy rules are now returned as expected.
- Restored availability of the SAML Service Provider metadata endpoint (/saml/metadata), allowing customers to download the metadata XML required to configure SAML Single Sign-On with their identity provider.
Nexpose Version 8.49.0
Software release date: June 22, 2026 | Release notes published: June 22, 2026
Improved:
- Added fingerprinting support for ASP.NET Core 10, improving application identification and inventory coverage.
- Improved asset search results to ensure Operating System information is displayed consistently in both search results and asset detail views.
- Refined fingerprinting logic for Azul Zulu JDK to reduce false positives and improve software identification accuracy.
- Added built-in policy support for CIS Microsoft Office Enterprise Benchmark v1.2.0.
- Updated DISA STIG support for Microsoft Windows Server 2022 from V2R4 to V2R8, providing coverage for the latest benchmark requirements.
Fixed:
- Resolved an issue affecting fingerprinting of Mozilla Firefox running within Citrix sessions.
- Fixed an issue that prevented Automated Actions configured with the “New Vulnerability Coverage Available” trigger from executing successfully. Automated actions now function as expected.
- Corrected an issue impacting fingerprinting accuracy for Google Chrome client, ensuring the browser is identified correctly during scans.
Nexpose Version 8.48.0
Software release date: June 15, 2026 | Release notes published: June 11, 2026
Improved:
- Improved Linux scan accuracy to address a false positive affecting CVE-2025-40909 on AlmaLinux 8.10.
- Added fingerprinting support for Nutanix AHV, improving asset identification and inventory coverage.
- Increased the maximum configurable value for the
com.rapid7.net.unix.find.timeoutcustom property to 24 hours, allowing authenticated scans to complete file discovery on large or complex Unix file systems without timing out. - The Scan Engine now reports TLS 1.3 named groups (key exchange groups) supported by scanned endpoints, including Post-Quantum Cryptography (PQC) hybrid groups. Supported groups are displayed alongside existing cipher suite information in asset service details.
- Enhanced credential logging for SSH-enabled scans, providing visibility into which credential was successfully used during authentication.
- Improved the overall security posture of the Security Console by updating the bundled Bootstrap library.
- Added built-in policy support for:
- CIS Oracle MySQL Community Server 8.0 Benchmark v1.2.0
- CIS Microsoft IIS 10 Benchmark v1.2.1
Fixed:
- Resolved an issue where SSH credential scanning could fail against systems running newer versions of OpenSSH.
- Fixed an issue in the RPM version check handler to improve evaluation for Alma Linux and Rocky Linux packages with fingerprinted modules.
- Addressed an issue impacting the reliability of Microsoft Exchange fingerprinting during scans.
- Fixed an issue preventing automated actions based on CVSSv3 scores from triggering correctly.
- Resolved an issue where the /api/3/users endpoint could return an HTTP 400 error due to invalid site access data.
- Updated the report download API to return the correct Content-Type header for the requested report format and provide appropriate error messaging when request headers do not match the report type. API documentation has also been updated to reflect this behavior.
- Addressed an issue in API v3 to align with Security Console permissions, allowing users with the Assign Scan Engine permission to successfully assign scan engines to sites.
- Corrected an issue in API v3 to ensure both Scan Template ID and Scan Template Name are returned accurately.
- Resolved an issue where the Run Commands option was not consistently available in multi-silo Security Console environments.
- Fixed false positives affecting Palo Alto 11 policy checks.
Digital Risk Protection (Threat Command)
No updates released at this time.
Rapid7 Agent (Insight Agent)
Version 4.1.1
New:
- Added Fedora 43 and Fedora 44 compatibility for all supported architectures.
Improved:
- Optimized Windows registry access in asset information collection to reduce unnecessary registry operations and improve collection efficiency.
- The Rapid7 Agent (Insight Agent) on macOS now logs a warning when no static hostname is configured. This warning helps administrators diagnose cases where an asset is reporting a dynamic or generic hostname instead of a persistent, static one.
- Improved the logic used to select the primary network address reported during asset information collection to ensure the most appropriate address is chosen for each asset.
- Removed the pyOpenSSL dependency from the Rapid7 Agent (Insight Agent), reducing the number of required libraries and simplifying cryptographic functionality.
Fixed:
- Rapid7 Agent (Insight Agent) installations on Windows no longer fail when the installer’s LockdownDirectory action encounters non-canonical ACLs in the target SSL directory.
- Event-driven asset information collection no longer triggers excessive back-to-back uploads. Uploads now occur at the expected 6-hour interval, reducing unnecessary load on affected hosts.
- Updated the Rapid7 Agent (Insight Agent) Go Toolchain to version 1.25.7 to address multiple security vulnerabilities.
- Windows OS fingerprinting in asset information collection now correctly identifies recent Windows releases, preventing incorrect product name results.
- Asset information collection on Windows no longer reports the OS product name as a build number when the CurrentBuildNumber registry key is absent.
- The Rapid7 Agent (Insight Agent) on macOS no longer raises an invalid exception when hardware UUID retrieval fails.
- Windows builds now include properly signed DLL files.
- Update packages no longer include duplicate get_proxy binaries, ensuring Bootstrap updates install the signed version.
Updated Operating System Support:
-
As of version 4.1.1, the Rapid7 Agent (Insight Agent) no longer supports the following operating systems for any architecture:
- Ubuntu 25.04
- Fedora 42
Next-Generation Antivirus
Software release date: June 23, 2026 | Release notes published: June 23, 2026
New:
Roll out endpoint prevention gradually across endpoint groups: You can now enable Next-Generation Antivirus (NGAV) for specific endpoint groups instead of deploying prevention across your entire organization at once. This enhancement gives you more control over how prevention is introduced in your environment, helping you evaluate policies, expand coverage gradually, and reduce operational risk during deployment.
With this capability, you can:
- Enable prevention for selected endpoint groups while other groups continue operating in Detection Only mode.
- Roll out prevention gradually across your environment.
- Monitor the impact of prevention policies in Detection Only mode before enabling blocking.
- Support pilot programs and phased adoption strategies.
- Reduce the risk associated with organization-wide prevention changes.
This enhancement makes prevention deployment more flexible and predictable while preserving existing configurations and workflows. If you’re already using NGAV or Ransomware Prevention, your existing configurations will continue to work as expected, and no action is required.
Ransomware Prevention
Software release date: June 23, 2026 | Release notes published: June 23, 2026
New:
Roll out endpoint prevention gradually across endpoint groups: You can now enable Ransomware Prevention for specific endpoint groups instead of deploying prevention across your entire organization at once. This enhancement gives you more control over how prevention is introduced in your environment, helping you evaluate policies, expand coverage gradually, and reduce operational risk during deployment.
With this capability, you can:
- Enable prevention for selected endpoint groups while other groups continue operating in Detection Only mode.
- Roll out prevention gradually across your environment.
- Monitor the impact of prevention policies in Detection Only mode before enabling blocking.
- Support pilot programs and phased adoption strategies.
- Reduce the risk associated with organization-wide prevention changes.
This enhancement makes prevention deployment more flexible and predictable while preserving existing configurations and workflows. If you’re already using Ransomware Prevention, your existing configurations will continue to work as expected, and no action is required.
Velociraptor
Version 0.74.4.26
Fixed:
Intermittent Rapid7 Velociraptor client crashes no longer cause the client to stop responding to commands for several minutes before recovering.
Automation (InsightConnect)
Automated Plugin Updates
We’ve improved the plugin update experience to make updates easier to find, review, and apply.
- Improved update visibility - New icons across workflow views make available plugin updates easier to identify.
- Bulk update support - You can now apply compatible major version updates in bulk. Documentation and impact analysis are available to help you evaluate updates before applying them.
- Improved manual updates - When updating plugins manually, action, connection, and input values are preserved whenever possible.
- Bug fixes - Resolved several minor issues related to plugin updates.
Rapid7 Orchestrator Updated Operating System Support
- As of version v1.67.0, the Rapid7 Orchestrator now supports RedHat Enterprise Linux version 9 and Ubuntu version 24.04.
Platform New Navigation
Log Search has moved
- Log search has moved from Alerts to Logs.