June 2026 Release Notes

The Command Platform release notes include information about what’s new, which are updated monthly, and improvements and fixes, which are updated weekly.

What’s New

Learn about new features across the Command Platform. These features were released over the past month and are available now:

• Attack surface: Attack Surface Management (Surface Command), Exposure Command, Incident Command
  • Build reports from asset and identity filter tables
  • Tune asset correlation for accurate attack surface reporting
  • Monitor Kubernetes runtime security with Cloud Security (InsightCloudSec)
• Risk: Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, Incident Command
  • Speed up remediation with faster data updates in Remediation Hub
  • Unify remediation with Microsoft Defender vulnerabilities in Remediation Hub
  • Create Cloud Security (InsightCloudSec) bots from JSON
• Threat: SIEM (InsightIDR)
  • Share open source behavioral detections with Rapid7 DaC library

Attack surface

Your attack surface is comprised of all of the potential entry points that attackers could exploit across your systems, applications, and networks. Developing knowledge of your attack surface is a key goal in improving your company’s security posture.

• Build reports from asset and identity filter tables
• Tune asset correlation for accurate attack surface reporting
• Monitor Kubernetes runtime security with Cloud Security (InsightCloudSec)

Build reports from asset and identity filter tables

In Attack Surface Management (Surface Command), Exposure Command, and Incident Command, you can now create dashboard widgets directly from your saved filter views, complementing the query-driven reporting you already use. This capability lets you build Attack Surface Management (Surface Command) dashboards in minutes without needing to learn the Cypher graph query language.

With this capability in Attack Surface Management (Surface Command), you can:

• Build dashboards quickly using intuitive filter tables instead of custom queries.
• Start leveraging ASM insights immediately with minimal learning curve.
• Use filter-based reporting for most use cases while still accessing advanced queries when needed.

Top of page

Tune asset correlation for accurate attack surface reporting

In Attack Surface Management (Surface Command), Exposure Command, and Incident Command, you now have improved visibility into asset correlation and the ability to address over-correlated assets where multiple assets are improperly grouped together. You can tune correlation settings to match your organization’s operational environment without requiring assistance from Rapid7 support.

With this capability in Attack Surface Management (Surface Command), you can:

• Resolve over-correlation scenarios independently with intuitive tuning controls.
• Improve attack surface reporting accuracy by aligning correlation with your environment.
• Reduce reliance on support teams for correlation adjustments.

Top of page

Monitor Kubernetes runtime security with Cloud Security (InsightCloudSec)

In Cloud Security (InsightCloudSec) and Exposure Command, you can now monitor and secure your Kubernetes workloads in real time with integrated container runtime security capabilities. Deploy sensors to detect threats and anomalous behavior, surface vulnerabilities, and identify misconfigurations, then respond instantly by pausing, stopping, or killing suspicious processes and containers. You can also generate and enforce least-privilege network policies and seccomp profiles to harden your environment before threats take hold.

With this capability in Cloud Security (InsightCloudSec), you can:

• Deploy sensors to detect threats, anomalous behavior, vulnerabilities, and misconfigurations in your Kubernetes workloads in real time.
• Respond to threats instantly by pausing, stopping, or killing suspicious processes and containers from the Command Platform.
• Generate and enforce least-privilege network policies and seccomp profiles.
• Gain unified visibility into container security alongside your broader cloud security posture.

Top of page

Risk

Risk is the potential for loss or damage to your assets, operations, or reputation, due to vulnerabilities being exploited by a bad actor. Security teams must assess the risk level by evaluating the likelihood of a threat occurring and the impact that it would have if realized.

• Speed up remediation with faster data updates in Remediation Hub
• Unify remediation with Microsoft Defender vulnerabilities in Remediation Hub
• Create Cloud Security (InsightCloudSec) bots from JSON

Speed up remediation with faster data updates in Remediation Hub

In Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, and Incident Command, remediation data across all assets assessed in Vulnerability Management (InsightVM) is now updated more frequently. With data available within one hour, teams can act quickly and confidently on remediation priorities.

With this capability in Risk > Remediation Hub, you can:

• Access updated remediation data from Vulnerability Management (InsightVM) within one hour.
• Act on remediation priorities with confidence using timely, reliable information.
• Reduce delays between vulnerability discovery and remediation planning.
• Make faster remediation decisions across your asset portfolio.

Top of page

Unify remediation with Microsoft Defender vulnerabilities in Remediation Hub

In Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, and Incident Command, Microsoft Defender vulnerabilities are now included in the same unified remediation view as other sources, giving you a complete picture of risk across your environment. Manage vulnerabilities from multiple tools in one place without switching between platforms.

With this capability in Risk > Remediation Hub, you can:

• View vulnerabilities from Rapid7 and Microsoft Defender in a single, unified interface.
• Prioritize all remediation opportunities without context switching between tools.
• Make more confident remediation decisions with complete risk visibility.
• Reduce delays caused by fragmented vulnerability data across multiple sources.

Requires MS Defender Connector v3.0 or later in Attack Surface Management (Surface Command).

Top of page

Create Cloud Security (InsightCloudSec) bots from JSON

In Cloud Security (InsightCloudSec) and Exposure Command, you can now create bots directly from JSON configuration. Select Create Bot From JSON from the bot creation dropdown menu to streamline your workflow without needing to create a template first.

With this capability in Automation (InsightConnect) > Bot Factory, you can:

• Create bots directly from JSON configurations without intermediate steps.
• Streamline bot creation workflows for teams working with code-based configurations.
• Reduce setup time and simplify the bot deployment process.
• Use JSON-driven automation more efficiently across your cloud environment.

Top of page

Threat

A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from various sources, including malicious actors, natural disasters, or unintentional human errors.

• Share open source behavioral detections with Rapid7 DaC library

Share open source behavioral detections with Rapid7 DaC library

In SIEM (InsightIDR), Rapid7’s open source Detections as Code (DaC) library now provides security practitioners and managed security customers with transparent, adaptable behavioral detections designed for real-world tuning and customization. The curated library includes readable, reviewable, and reusable detections that organizations can adapt to their own environments, helping teams accelerate detection engineering and strengthen defensive coverage.

With this capability in SIEM (InsightIDR), you can:

• Access a curated set of open source behavioral detections with broad defensive value.
• Review and adapt detections to align with your organization’s environment and security workflows.
• Reuse transparent detection logic as a foundation for custom detection engineering and threat monitoring.

Read more about the DaC library [here](Link TBD).

Top of page

Improvements and Fixes

Keep track of improvements and fixes to core technology.

Application Security (InsightAppSec) and AppSpider

No updates released at this time.

Top of page

Attack Surface Management (Surface Command)

• Version 1.0.912

Version 1.0.912

Software release date: May 27, 2026 | Release notes published: June 1, 2026

Improved:

• Rapid7EASMDomain assets in External Attack Surface Domains page now include registration expiry dates.

Connectors

The following connectors were updated in the Extension Library  since the previous release. Connector updates are published independently and may have been available before this release date.

New Connectors

• Symmetry DataGuard DSPM: Symmetry Systems DataGuard is a data security posture management (DSPM) solution that provides visibility into data stores, identities, and permissions across hybrid cloud environments to secure sensitive data. This connector imports DataGuard-classified data stores, objects, and classification metadata into Surface Command for analysis.

Updated Connectors

• AWS Core: Fixed packaging error.
• BeyondTrust Endpoint Privilege Management (EPM): Fixed a problem with correlation for locally-assigned MAC addresses.
• Bitdefender: Fix a packaging error.
• Check Point Harmony Endpoint: Fixed a schema validation error for CheckPointHarmonyEndpointAsset.
• Cloudflare: Fixed a packaging error.
• Crowdstrike Falcon: Fixed alerts and vulnerabilities to work for Crowdstrike US Government environments.
• Datadog: Fixed a problem with correlation for locally-assigned MAC addresses.
• Google Security Command Center: Fixed packaging error.
• Infoblox BloxOne DDI: Fixed packaging error.
• Kaseya VSA 9: Schema validation error fix for KaseyaVSA9Asset type.
• Microsoft Defender:
  • MicrosoftDefenderVulnFinding: This type is now deprecated and hidden.
  • MicrosoftDefenderVulnerabilityFinding: Replaces MicrosoftDefenderVulnFinding and links to MicrosoftDefenderSecurityRecommendation.
  • MicrosoftDefenderSecurityRecommendation: Records are now identified by each specific CVE.
• Microsoft Intune: Fixed serialization bug when trying to use the new last sync date filter.
• SentinelOne Singularity: Fixed packaging error.
• ServiceNow:
  • Fixed packaging error.
  • Fixed schema Validation Error in ServiceNowLocation2.
• Shodan: Fixed packaging error.

Top of page

Cloud Security (InsightCloudSec)

• Version 26.6.2

Version 26.6.2

Software release date: June 2, 2026 | Release notes published: May 28, 2026

Deprecations

• Task Definition Resource Has Host Process Namespace: This insight has been deprecated and replaced with ECS Task Definition with pidMode set to ‘Host’.

Improved

• The existing environment variable for displaying Vulnerability Management (InsightVM) vulnerabilities has been replaced with a new section on the vulnerabilities settings page. Admin users can now enable the display of Vulnerability Management (InsightVM) vulnerabilities in the resource blade at the organization level. Customers may need to toggle this on to show the Vulnerability Management (InsightVM) sourced vulnerabilities after this release. Previously, the environment flag applied to all organizations in Cloud Security (InsightCloudSec); this flag is now configurable for individual organizations.
• Improved performance of ContainerImageScanManager orphan deletion.
• Improved query efficiency in the /v2/prototype/domain/organizations/inventory endpoint.
• Improved upfront validation and error messages when creating tags on GCE Resources.
• Improved cross-partition AWS onboarding UI for script pathway.
• Enhanced S3 harvesters (StorageContainerHarvester, StorageContainerPropertyHarvester, ServiceAccessPointHarvester) to skip buckets in globally excluded regions and gracefully handle connection timeouts to unreachable regional endpoints instead of crashing the entire harvest.
• Restricted vulnerability and software visibility (Security > Vulnerabilities) for basic users to only show data from cloud accounts they have been granted visibility over. If their scope doesn’t include all cloud accounts, they will also be unable to see full counts in the “Impacted Resources” column.
• Added the ability to filter insights by compliance pack and compliance rule in the Insights Library, enabling customers to quickly identify which insights satisfy specific compliance requirements.
• Added a new “Compliance Packs & Rules” section to the insight detail view that displays which compliance packs and rules each insight satisfies, organized by benchmark with direct links to the relevant compliance pack details.
• Enhanced the compliance pack detail view with a sortable Compliance Rule column and a new filter to show only insights that match specific compliance rules within that pack.
• Updates what is stored in the API activity table. /v3/iac/scan is now recorded in the table without request or response data. /private/iac/analysis and /private/iac/scans/<int:scan_id>/report now do not include request or response data.
• Added Bot Failure Notifications into System Administrations > System Notifications. It can be enabled and configured to send emails when a bot fails.
• Added Direct Link support for the following GCP resources: Access List Rule, Backend Services, Cloud Dataset Table, Cloud Limit, Cloud Policy, Cloud Region, Cloud Role, Data Factory, Direct Connect, DNS Record, NAT Gateway, Network Endpoint Group, Network Endpoint Group Member, Network Flow Log, Network Interface, Network Peer, Notification Subscription, Pods, Secret, Spanner Database, SSH Key Pair, SSL Certificate Authority, Web Application Firewall, Vertex Custom Job, and Virtual Private Gateway.

New Resources

• Azure Container App Session Pool: Added support for harvesting Azure Container App Session Pool resources.
  • Harvester: ContainerAppSessionPoolHarvester
  • Available Bot Action: Add tags
  • Reader Permissions Required: Microsoft.App/sessionPools/read

New Insights

• Container Service Not Using Latest Fargate Platform Version: Identifies AWS ECS services running on Fargate that are not using the latest platform version.
• ECS Task Definition with pidMode set to ‘Host’: Identifies ECS task definitions that have the PID mode set to ‘Host’, which allows containers to share the host’s process namespace.
• ECS Task Definition With Host Network Mode and Privileged or Root Container: Identifies ECS task definitions that use host network mode and contain privileged containers or containers running as root.

Updated Insights

• Resource Does Not Enforce Minimum TLS 1.2 Version: Updated to indicate that GCP resources are now supported.
• Instance Open to the Public (Validated): Now supports AliCloud compute instances.
• Compute Instance Open to the Public (Validated): Now supports AliCloud compute instances. Public AliCloud instances can be seen in Layered Context with the ‘Public (Validated)’ label under ‘Public Access’.
• OCI Encryption Key Age: Updated to check the current key version creation date instead of the key container creation date, ensuring rotated keys are correctly identified as compliant.

New Query Filters

• Container Service Not Using Latest Fargate Platform Version: Identifies AWS ECS services running on Fargate that are not using the latest platform version.
• ECS Task Definition With Privileged or Root Containers: Identifies ECS task definitions that contain privileged containers or containers running as root.
• Instance Open to the Public (Validated): Now supports filtering AliCloud compute instances.

Fixed

• Fixed an issue where invalid port range values in access list filters could cause an internal server error instead of returning a proper validation message.
• Fixed a bug where OCI Kubernetes insight findings were not being properly computed.
• Fixed an issue where clicking a resource in the Software Details drawer’s Resources tab did not open the Resource Details panel.
• Fixed a server error (HTTP 500) in the resource query API (/v3/public/resource/query and /v2/public/resource/query) that occurred when the insight parameter was provided without the required source:id format. The API now returns a clear validation error instead of crashing.
• Fixed a PendingRollbackError in the NewSession context manager that occurred when a prior failed flush (for example, from a lost MySQL connection) poisoned the session. The session cleanup now gracefully rolls back instead of raising.
• Fixed a race condition where DynamoDB table restore filters could incorrectly trigger bots when the harvester discovered a restored table before EDH processed the restore event. The RestoreSummary is now harvested directly from the table metadata, allowing restore-based filters to work reliably without depending on EDH event timing.
• Fixed a bug where directly defined Insights were being ignored by exemption rules.
• Fixed an issue where bot action deletion would delete multiple actions instead of just the intended action.
• Fixed an issue where the web server could return HTTP 416 (Range Not Satisfiable) errors when serving the application index page to clients sending invalid Range request headers.

Release of Kubernetes Scanner v5.0.4

• Kubernetes Scanner v5.0.4: Released with vulnerability fixes. Internal components and their versions are in the chart value file.
  • You can easily view the data using the following command: helm show values <chart name> | grep -E 'Name:|Version:'.
  • You can update to new version using helm upgrade --install command referenced in Kubernetes Scanner documentation.

Top of page

Mimics Infrastructure as Code (IaC) Scanning Tool

No updates released at this time.

Top of page

SIEM (InsightIDR)

No updates released at this time.

Top of page

Vulnerability Management (InsightVM)

No updates released at this time.

Top of page

Nexpose

No updates released at this time.

Top of page

Digital Risk Protection (Threat Command)

No updates released at this time.

Top of page

Rapid7 Agent (Insight Agent)

No updates released at this time.

Top of page

Next-Generation Antivirus

No updates released at this time.

Top of page

Ransomware Prevention

No updates released at this time.

Top of page

Velociraptor

No updates released at this time.

Automation (InsightConnect)

No updates released at this time.

Platform New Navigation

Log Search has moved

Log search has moved from Alerts to Logs.

Top of page