June 2026 Release Notes
Copy link

The Command Platform release notes include information about what’s new, which are updated monthly, and improvements and fixes, which are updated weekly.

ℹ️

Last updated: June 22, 2026

What’s New
Copy link

Learn about new features across the Command Platform. These features were released over the past month and are available now:

Attack surface
Copy link

Your attack surface is comprised of all of the potential entry points that attackers could exploit across your systems, applications, and networks. Developing knowledge of your attack surface is a key goal in improving your company’s security posture.

Build reports from asset and identity filter tables
Copy link

In Attack Surface Management (Surface Command), Exposure Command, and Incident Command, you can now create dashboard widgets directly from your saved filter views, complementing the query-driven reporting you already use. This capability lets you build Attack Surface Management (Surface Command) dashboards in minutes without needing to learn the Cypher graph query language.

With this capability in Attack Surface Management (Surface Command), you can:

  • Build dashboards quickly using intuitive filter tables instead of custom queries.
  • Start leveraging ASM insights immediately with minimal learning curve.
  • Use filter-based reporting for most use cases while still accessing advanced queries when needed.

Top of page

Tune asset correlation for accurate attack surface reporting
Copy link

In Attack Surface Management (Surface Command), Exposure Command, and Incident Command, you now have improved visibility into asset correlation and the ability to address over-correlated assets where multiple assets are improperly grouped together. You can tune correlation settings to match your organization’s operational environment without requiring assistance from Rapid7 support.

With this capability in Attack Surface Management (Surface Command), you can:

  • Resolve over-correlation scenarios independently with intuitive tuning controls.
  • Improve attack surface reporting accuracy by aligning correlation with your environment.
  • Reduce reliance on support teams for correlation adjustments.

Top of page

Monitor Kubernetes runtime security with Cloud Security (InsightCloudSec)
Copy link

In Cloud Security (InsightCloudSec) and Exposure Command, you can now monitor and secure your Kubernetes workloads in real time with integrated container runtime security capabilities. Deploy sensors to detect threats and anomalous behavior, surface vulnerabilities, and identify misconfigurations, then respond instantly by pausing, stopping, or killing suspicious processes and containers. You can also generate and enforce least-privilege network policies and seccomp profiles to harden your environment before threats take hold.

With this capability in Cloud Security (InsightCloudSec), you can:

  • Deploy sensors to detect threats, anomalous behavior, vulnerabilities, and misconfigurations in your Kubernetes workloads in real time.
  • Respond to threats instantly by pausing, stopping, or killing suspicious processes and containers from the Command Platform.
  • Generate and enforce least-privilege network policies and seccomp profiles.
  • Gain unified visibility into container security alongside your broader cloud security posture.

Top of page

Risk
Copy link

Risk is the potential for loss or damage to your assets, operations, or reputation, due to vulnerabilities being exploited by a bad actor. Security teams must assess the risk level by evaluating the likelihood of a threat occurring and the impact that it would have if realized.

Speed up remediation with faster data updates in Remediation Hub
Copy link

In Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, and Incident Command, remediation data across all assets assessed in Vulnerability Management (InsightVM) is now updated more frequently. With data available within one hour, teams can act quickly and confidently on remediation priorities.

With this capability in Risk > Remediation Hub, you can:

  • Access updated remediation data from Vulnerability Management (InsightVM) within one hour.
  • Act on remediation priorities with confidence using timely, reliable information.
  • Reduce delays between vulnerability discovery and remediation planning.
  • Make faster remediation decisions across your asset portfolio.

Top of page

Unify remediation with Microsoft Defender vulnerabilities in Remediation Hub
Copy link

In Remediation Hub, Attack Surface Management (Surface Command), Exposure Command, and Incident Command, Microsoft Defender vulnerabilities are now included in the same unified remediation view as other sources, giving you a complete picture of risk across your environment. Manage vulnerabilities from multiple tools in one place without switching between platforms.

With this capability in Risk > Remediation Hub, you can:

  • View vulnerabilities from Rapid7 and Microsoft Defender in a single, unified interface.
  • Prioritize all remediation opportunities without context switching between tools.
  • Make more confident remediation decisions with complete risk visibility.
  • Reduce delays caused by fragmented vulnerability data across multiple sources.

Requires MS Defender Connector v3.0 or later in Attack Surface Management (Surface Command).

Top of page

Create Cloud Security (InsightCloudSec) bots from JSON
Copy link

In Cloud Security (InsightCloudSec) and Exposure Command, you can now create bots directly from JSON configuration. Select Create Bot From JSON from the bot creation dropdown menu to streamline your workflow without needing to create a template first.

With this capability in Automation (InsightConnect) > Bot Factory, you can:

  • Create bots directly from JSON configurations without intermediate steps.
  • Streamline bot creation workflows for teams working with code-based configurations.
  • Reduce setup time and simplify the bot deployment process.
  • Use JSON-driven automation more efficiently across your cloud environment.

Top of page

New F5 BIG-IP Vulnerability Coverage
Copy link

We have released a vulnerability coverage update that will includes improvements for the F5 BIG-IP plugin. This update improves visibility into vulnerabilities that may already exist in your environment.

With this update in Vulnerability Management (InsightVM) and Nexpose, you may:

  • See see an increase in your vulnerabilities detected.
  • See vulnerabilities associated with older CVEs that remain unpatched. However, the “first found” date will appear recent because it reflects when detection became available.
  • See an increase in risk score. This is an indication of improved coverage, not an increase of actual risk.

No action is required to receive this vulnerability coverage, as it will be included in your next automatic or scheduled update.

Top of page

Threat
Copy link

A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from various sources, including malicious actors, natural disasters, or unintentional human errors.

Expand detection coverage with script visibility
Copy link

Following the release of this feature on June 12, 2026, our team identified an issue that impacted platform performance. To ensure stability and a seamless experience for our users, we have temporarily rolled back this capability as of June 17, 2026. We are actively working on a fix and plan to re-release this feature as soon as it meets our quality standards.

Impacted offerings:

  • SIEM (InsightIDR)
  • Managed Detection and Response

Top of page

Improvements and Fixes
Copy link

Keep track of improvements and fixes to core technology.

Application Security (InsightAppSec) and AppSpider
Copy link

No updates released at this time.

Top of page

Attack Surface Management (Surface Command)
Copy link

Version 1.0.918
Copy link

Software release date: June 16, 2026 | Release notes published: June 17, 2026

Improved:

  • External Attack Surface assets no longer include unreliable severity reasons, severities, or Common Vulnerabilities and Exposures (CVE) data from third-party sources.

Fixed:

  • Rapid7EASMCertificate subject and issuer fields now contain the full Distinguished Name (DN) instead of only the Common Name (CN).

Connectors

The following connectors were updated in the Extension Library  since the previous release. Connector updates are published independently and may have been available before this release date.

New Connectors

  • SonicWall Capture Client: SonicWall Capture Client is a cloud-managed service for endpoint security and device management. This connector imports endpoint devices, SentinelOne agents, users, groups, risky applications, and installed software from SonicWall Capture Client into the Rapid7 Platform.

Updated Connectors

  • AWS EC2: Updated how Asset:first_seen is derived for AwsEc2Instance objects. The value is now based on the earliest timestamp across related properties, such as attachment timestamps for network interfaces and volumes.
  • Anthropic:
    • Added detail to configuration instructions.
    • Updated dependencies.
  • Datadog: Fixed a schema error in DatadogPlatformHost where the macV example value was incorrectly defined as an array instead of a valid JSON string type.
  • GitHub and GHAS: Updated the documentation.
  • Kaseya VSA 9: Fixed ShowToolTip field type in KaseyaVSA9Agent (integer, not boolean).
  • ManageEngine OpManager: Fixed a bug where IP addresses were not being properly rejected from hostname correlation, which could lead to incorrect correlation results.
  • Microsoft Defender: Fixed the Recommendations query to use the or operator instead of in.
  • ServiceNow: Ensured that .json files are included when packaged for the Orchestrator.
  • Slack: Fixed an invalid_cursor error that occurred when paginating through users and channels.
  • Snow Atlas: Fixed schema validation errors for the SnowAtlasUser and SnowAtlasComputer types.
  • ThreatLocker: Updated the documentation to clarify API key access and permission requirements.

Version 1.0.917
Copy link

Software release date: June 9, 2026 | Release notes published: June 10, 2026

Improved:

  • External Attack Surface pages now display only data captured from sources within the last 10 days, removing outdated information.
  • Saved query and widget pages now include a dashboard filter to refine results when queries provide widgets across multiple dashboards.
  • Filter view names can now be up to 100 characters.
  • Saved query and ad hoc query names can now be up to 100 characters.
  • Widget names can now be up to 100 characters.

Connectors

The following connectors were updated in the Extension Library  since the previous release. Connector updates are published independently and may have been available before this release date.

Updated Connectors

  • Automox: AutomoxDevice: added property declarations for notes, organizational_unit, and reboot_deferral_count.
  • Lansweeper: Added optional filter by number of days since last seen.
  • Qualys VMDR:
    • Fixed SchemaValidationErrors with new QualysQidDetail2 type.
    • Increased the timeout for Qualys API calls to 10 minutes.
    • Migrated to the new Import Function framework.
    • Replaced reporting logic with List Hosts and List Host Detections APIs.
  • Slack: Fixed an issue with Slack pagination.
  • Tanium: Added support for Tanium instances without the Event Recorder module.

Version 1.0.916
Copy link

Software release date: June 3, 2026 | Release notes published: June 8, 2026

Connectors

The following connectors were updated in the Extension Library  since the previous release. Connector updates are published independently and may have been available before this release date.

New Connectors

  • Nudge Security: Nudge Security is a SaaS security platform that discovers and manages every SaaS application in an organization’s environment without requiring agents or network changes. This connector imports SaaS apps, user accounts, groups, OAuth grants, and security findings from the Nudge Security API into Attack Surface Management (Surface Command).

Updated Connectors

Version 1.0.912
Copy link

Software release date: May 27, 2026 | Release notes published: June 1, 2026

Improved:

  • Rapid7EASMDomain assets in External Attack Surface Domains page now include registration expiry dates.

Connectors

The following connectors were updated in the Extension Library  since the previous release. Connector updates are published independently and may have been available before this release date.

New Connectors

  • Symmetry DataGuard DSPM: Symmetry Systems DataGuard is a data security posture management (DSPM) solution that provides visibility into data stores, identities, and permissions across hybrid cloud environments to secure sensitive data. This connector imports DataGuard-classified data stores, objects, and classification metadata into Surface Command for analysis.

Updated Connectors

Top of page

Cloud Security (InsightCloudSec)
Copy link

Release availability for self-hosted users

Self-hosted users are able to download the latest version usually 4 business days after SaaS users are upgraded from the following locations:

  • Terraform deployments: Public S3 bucket . Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) deployments: You can obtain the ECR build images for this version from the InsightCloudSec ECR Gallery 

Version 26.6.23
Copy link

Software release date: June 23, 2026 | Release notes published: June 22, 2026

Improved

  • Released Kubernetes Scanner v5.1.0.
  • Updated the AwsWebAppHarvester to allow Network Load Balancers to appear under Related Resources for Web Apps.
  • Added EDH support resource for AWS Network Firewall.
  • Added direct link support for GCP Database Snapshots (Alloydb Backup).
  • Implemented support resources for deleting Google Private Image.
  • Enhanced permission remediation support across multiple cloud vendors:
    • Now supports remediation of missing permissions via CloudShell script for Azure, GCP, Oracle, and AliCloud.
    • Icons to invoke this remediation flow will show next to missing permissions on the cloud listing page. It can also be invoked directly from the missing permissions modal, found off the cloud listing page.

New Insights

  • Volume Unattached To Instances - Identifies Volumes which are not attached to any Instance.
  • Snapshot Is Unencrypted - Identifies Snapshots that are unencrypted.

New Query Filters

  • MemoryDB Cluster Transit Encryption Status - Allows filtering MemoryDB clusters by Transit Encryption status.
  • Volume Instance Association - Identifies Volume instance association status. By default, this Query Filter returns Volumes that are not attached to any Instance. Added new settings field “Attached to Instances” which alters the Query Filter to return Volumes that are attached to an Instance.
  • Snapshot Encrypted State - Identifies Snapshot encryption status. By default, this Query Filter returns Snapshots that are unencrypted.

Updated Query Filters

  • Renamed Query Filter Volume Orphaned to Volume Instance Association.
  • Renamed Query Filter Snapshot Unencrypted to Snapshot Encrypted State.
  • Deprecated Query Filter Snapshot Encrypted. This functionality can now be replicated by using Snapshot Encrypted State with the “Encrypted” toggle enabled.

Fixed

  • Fixed an issue where the Compliance Pack filter on the Insights Library page only displayed core packs when no Insight Source was selected.
  • Fixed an issue where CSV export was not applying the selected Compliance Pack filter.
  • Fixed IaC scan bug for Cache Instance not enforcing encryption at rest. Secondary cluster now inherits encryption from global replication group.

Version 26.6.16
Copy link

Software release date: June 16, 2026 | Release notes published: June 15, 2026

Improved

  • Updated the Control Names for controls within the following Compliance Packs:

    • CIS - GCP 1.3.0
    • CIS - GCP (Legacy)

  • Updated the error modal for the Scheduled Events page to better display Scheduled Events errors to users.

  • IaC jobs now determine whether any scans are actionable before initiating scan. If all insights are configured to be ignored, the scan will be dropped.

  • When managing configurations within IaC, the Apply button is now disabled until changes have been made.

  • Introduced a new harvester for the OpenSearch UI service to improve visibility into your AWS OpenSearch Dashboards. This update includes the ability to track encryption configurations and KMS key details for these instances.

    • Permissions required: es:ListApplications, es:GetApplication.

New Insights:

  • ECS Container Cluster Not Encrypted With Customer Managed Key - identifies ECS container clusters not encrypted with customer managed keys.
  • Web App Load Balancer Access Logging Disabled - flags AWS Web Apps with an associated Load Balancer that has Access Logging disabled.
    • Added to the CIS v8.1.2, NIST CSF v2.0, NIST 800-53 Rev. 5, and CMMC v2.0 Compliance Packs.
  • ECS Task Definition Without Logging Configuration - identifies ECS task definitions without logging configuration.
  • ECS Task Definition Passes Secrets as Container Environment Variables - identifies ECS task definitions that pass secrets as container environment variables.
  • Instance Stopped for 90 Days or Longer (BackOffice Insight 2574) - identifies instances that have remained stopped for at least 90 days.
    • Targets instance resources and currently supports AWS, AWS_CHINA, and AWS_GOV.
    • Includes remediation and operational guidance for handling long-stopped instances, including optional scheduled deletion workflows.
    • Mapped to the following compliance packs: CIS Controls v8.1.2, CMMC Level 2, NIST 800-53 Rev. 5, NIST 800-171, and NIST Cyber Security Framework CSF 2.0.
  • Instance Running Longer Than 180 Days (Insight 2575) - identifies EC2 instances that have been running continuously for more than 180 days.
    • Mapped to CIS Controls v8.1.2 and applicable compliance packs.
  • Private Image Exceeds 90 Day Age Limit - identifies AWS private images (AMIs) older than 90 days that may not have the latest operating system patches applied.
    • Supports AWS, AWS_CHINA, and AWS_GOV clouds.
  • Storage Area Network Public Network Access Enabled - identifies storage area networks with public network access enabled.

Updated Insights:

  • Task Definition Resource Has No Log Configuration - replaced by ECS Task Definition without Logging Configuration.
  • Task Definition with Secret in Environment Variable Key - replaced by ECS Task Definition Passes Secrets as Container Environment Variables.

New Query Filters:

  • Container Cluster Fargate Ephemeral Storage Encryption Key Type - identifies container cluster Fargate ephemeral storage encryption key types.
  • Web App Load Balancer Access Logging State - flags AWS Web Apps with an associated Load Balancer based on its Access Logging configuration.
  • ECS Task Definition Log Driver Configuration - identifies ECS task definition log driver configuration.
  • Private Image Creation Date - identifies private images (AMIs) that are older than a configurable number of days based on their creation date.
  • Storage Area Network Public Network Access - identifies storage area network public network access configuration.

Updated Query Filters:

  • Added additional resource parsing to network_flow_logs_not_configured to enable this insight in IaC scans.
  • Renamed Load Balancer without Logging to Load Balancer Access Logging Configuration to reflect its new functionality.
  • Migrated Load Balancer with Logging functionality to Load Balancer Access Logging Configuration.

Fixed:

  • Fixed an issue where dark mode theme was not applied correctly on initial page load.
  • Fixed conversion bug with Redshift Cluster IaC scans.
  • Added additional validation for the IaC Simulations to support the update to MySQL v8.4.
  • Added a button to Kubernetes Cluster page to link directly to adding a runtime sensor.

Version 26.6.9
Copy link

Software release date: June 9, 2026 | Release notes published: June 8, 2026

Deprecations

  • Deprecated Query Filter: “Cloud Region without Default/Allow List Encryption Enabled”. Its functionality is now covered by 3 new Query Filters which can be combined as needed:
    • “Cloud Region Disk Encryption”
    • “Cloud Region Volume Association”
    • “Cloud Region Disk Encryption Key”
  • Deprecated Query Filter: “Cloud Region with Default Encryption Enabled”. Its functionality is now covered by the new Query Filter: “Cloud Region Disk Encryption”.
  • Deprecated Insight: “Task Definition Running Containers without Read Only Filesystem”. Replaced by “ECS Task Definition Running Containers without Read Only Filesystem”.
  • Deprecated Insight: “Task Definition Running in Privileged Mode”. Replaced by “ECS Task Definition Running in Privileged Mode”.
  • Removed deprecated harvesting logic for harvesting “single” server types from Azure (MariaDB, PostgreSQL, MySQL). Harvesting of “flexible” server types has not changed.

Improved

  • Added the ability to exclude specific CloudTrail events from EventBridge rules when configuring EDH auto-provisioned consumers.
  • Improved performance of writing Source Documents to the database.
  • Added IaC support for network interfaces.
  • Implemented support for deleting Google Private Image resources.
  • Updated deprecated bot action “Wait” to “Wait (DEPRECATED - no-op)” to accurately represent that it performs no operation.
  • Enhanced AWS Elastic Beanstalk resource harvesting to collect CloudWatch Logs configuration settings including:
    • Stream logs status
    • Delete-on-terminate settings

New Insights

  • “Web App without Log Streaming Fully Configured”: Identifies AWS Elastic Beanstalk environments that do not have log streaming enabled or are not configured to retain logs after environment termination.
    • Added to the following compliance packs:
      • CIS Controls v8.1.2
      • CMMC v2.0 Level 2
      • NIST SP 800-53 Rev. 5
      • NIST CSF v2.0
  • “ECS Task Definition without User-Defined Tags”: Identifies ECS task definitions missing user-defined tags.
  • “ECS Container Cluster without User-Defined Tags”: Identifies ECS container clusters missing user-defined tags.
  • “Container Services without User-Defined Tags”: Identifies container services missing user-defined tags.
  • “ECS Container Cluster with Container Insight Disabled”: Identifies ECS container clusters with Container Insights disabled.
  • “ECS Task Definition Running Containers without Read Only Filesystem”: Identifies ECS task definitions running containers without read-only filesystem (replaces deprecated insight).
  • “ECS Task Definition Running in Privileged Mode”: Identifies ECS task definitions running in privileged mode (replaces deprecated insight).

Updated Insights

  • Renamed “Cloud Region without Default Volume Encryption” to “Cloud Region without Default Volume Encryption”.

New Query Filters

  • “Web App Log Streaming”: Identifies AWS Elastic Beanstalk environments with or without log streaming configuration.
  • “ECS Resource without User-Defined Tags”: Identifies ECS resources missing user-defined tags.
  • “ECS Container Cluster Container Insights Status”: Identifies ECS container clusters by Container Insights status.
  • “Cloud Region Disk Encryption”: Identifies cloud regions by disk encryption configuration.
  • “Cloud Region Volume Association”: Identifies cloud regions by volume association.
  • “Cloud Region Disk Encryption Key”: Identifies cloud regions by disk encryption key configuration.
  • “Database Cluster Minimal TLS Version”: Identifies database clusters by minimal TLS version.

Updated Query Filters

  • The existing “Resource Does Not Support TLS 1.2 Minimum” and “Resource Does Not Support TLS 1.3 Minimum” Query Filters now also cover database clusters.

Fixed

  • Fixed an issue where AWS accounts onboarded via an Organization could show incomplete region harvester results when a region becomes unreachable. Stale ACTIVE regions are now automatically disabled during harvest, and globally excluded regions are respected during org propagation.
  • Fixed a server error when sorting by account name or cloud type on the CVM Settings assessment coverage pages.

Version 26.6.2
Copy link

Software release date: June 2, 2026 | Release notes published: May 28, 2026

Deprecations

  • Task Definition Resource Has Host Process Namespace: This insight has been deprecated and replaced with ECS Task Definition with pidMode set to ‘Host’.

Improved

  • The existing environment variable for displaying Vulnerability Management (InsightVM) vulnerabilities has been replaced with a new section on the vulnerabilities settings page. Admin users can now enable the display of Vulnerability Management (InsightVM) vulnerabilities in the resource blade at the organization level. Customers may need to toggle this on to show the Vulnerability Management (InsightVM) sourced vulnerabilities after this release. Previously, the environment flag applied to all organizations in Cloud Security (InsightCloudSec); this flag is now configurable for individual organizations.
  • Improved performance of ContainerImageScanManager orphan deletion.
  • Improved query efficiency in the /v2/prototype/domain/organizations/inventory endpoint.
  • Improved upfront validation and error messages when creating tags on GCE Resources.
  • Improved cross-partition AWS onboarding UI for script pathway.
  • Enhanced S3 harvesters (StorageContainerHarvester, StorageContainerPropertyHarvester, ServiceAccessPointHarvester) to skip buckets in globally excluded regions and gracefully handle connection timeouts to unreachable regional endpoints instead of crashing the entire harvest.
  • Restricted vulnerability and software visibility (Security > Vulnerabilities) for basic users to only show data from cloud accounts they have been granted visibility over. If their scope doesn’t include all cloud accounts, they will also be unable to see full counts in the “Impacted Resources” column.
  • Added the ability to filter insights by compliance pack and compliance rule in the Insights Library, enabling customers to quickly identify which insights satisfy specific compliance requirements.
  • Added a new “Compliance Packs & Rules” section to the insight detail view that displays which compliance packs and rules each insight satisfies, organized by benchmark with direct links to the relevant compliance pack details.
  • Enhanced the compliance pack detail view with a sortable Compliance Rule column and a new filter to show only insights that match specific compliance rules within that pack.
  • Updates what is stored in the API activity table. /v3/iac/scan is now recorded in the table without request or response data. /private/iac/analysis and /private/iac/scans/<int:scan_id>/report now do not include request or response data.
  • Added Bot Failure Notifications into System Administrations > System Notifications. It can be enabled and configured to send emails when a bot fails.
  • Added Direct Link support for the following GCP resources: Access List Rule, Backend Services, Cloud Dataset Table, Cloud Limit, Cloud Policy, Cloud Region, Cloud Role, Data Factory, Direct Connect, DNS Record, NAT Gateway, Network Endpoint Group, Network Endpoint Group Member, Network Flow Log, Network Interface, Network Peer, Notification Subscription, Pods, Secret, Spanner Database, SSH Key Pair, SSL Certificate Authority, Web Application Firewall, Vertex Custom Job, and Virtual Private Gateway.

New Resources

  • Azure Container App Session Pool: Added support for harvesting Azure Container App Session Pool resources.
    • Harvester: ContainerAppSessionPoolHarvester
    • Available Bot Action: Add tags
    • Reader Permissions Required: Microsoft.App/sessionPools/read

New Insights

  • Container Service Not Using Latest Fargate Platform Version: Identifies AWS ECS services running on Fargate that are not using the latest platform version.
  • ECS Task Definition with pidMode set to ‘Host’: Identifies ECS task definitions that have the PID mode set to ‘Host’, which allows containers to share the host’s process namespace.
  • ECS Task Definition With Host Network Mode and Privileged or Root Container: Identifies ECS task definitions that use host network mode and contain privileged containers or containers running as root.

Updated Insights

  • Resource Does Not Enforce Minimum TLS 1.2 Version: Updated to indicate that GCP resources are now supported.
  • Instance Open to the Public (Validated): Now supports AliCloud compute instances.
  • Compute Instance Open to the Public (Validated): Now supports AliCloud compute instances. Public AliCloud instances can be seen in Layered Context with the ‘Public (Validated)’ label under ‘Public Access’.
  • OCI Encryption Key Age: Updated to check the current key version creation date instead of the key container creation date, ensuring rotated keys are correctly identified as compliant.

New Query Filters

  • Container Service Not Using Latest Fargate Platform Version: Identifies AWS ECS services running on Fargate that are not using the latest platform version.
  • ECS Task Definition With Privileged or Root Containers: Identifies ECS task definitions that contain privileged containers or containers running as root.
  • Instance Open to the Public (Validated): Now supports filtering AliCloud compute instances.

Fixed

  • Fixed an issue where invalid port range values in access list filters could cause an internal server error instead of returning a proper validation message.
  • Fixed a bug where OCI Kubernetes insight findings were not being properly computed.
  • Fixed an issue where clicking a resource in the Software Details drawer’s Resources tab did not open the Resource Details panel.
  • Fixed a server error (HTTP 500) in the resource query API (/v3/public/resource/query and /v2/public/resource/query) that occurred when the insight parameter was provided without the required source:id format. The API now returns a clear validation error instead of crashing.
  • Fixed a PendingRollbackError in the NewSession context manager that occurred when a prior failed flush (for example, from a lost MySQL connection) poisoned the session. The session cleanup now gracefully rolls back instead of raising.
  • Fixed a race condition where DynamoDB table restore filters could incorrectly trigger bots when the harvester discovered a restored table before EDH processed the restore event. The RestoreSummary is now harvested directly from the table metadata, allowing restore-based filters to work reliably without depending on EDH event timing.
  • Fixed a bug where directly defined Insights were being ignored by exemption rules.
  • Fixed an issue where bot action deletion would delete multiple actions instead of just the intended action.
  • Fixed an issue where the web server could return HTTP 416 (Range Not Satisfiable) errors when serving the application index page to clients sending invalid Range request headers.

Release of Kubernetes Scanner v5.0.4

  • Kubernetes Scanner v5.0.4: Released with vulnerability fixes. Internal components and their versions are in the chart value file.
    • You can easily view the data using the following command: helm show values <chart name> | grep -E 'Name:|Version:'.
    • You can update to new version using helm upgrade --install command referenced in Kubernetes Scanner documentation.

Top of page

Mimics Infrastructure as Code (IaC) Scanning Tool
Copy link

No updates released at this time.

Top of page

SIEM (InsightIDR)
Copy link

No updates released at this time.

Top of page

Vulnerability Management (InsightVM)
Copy link

Version 8.49.0
Copy link

Software release date: June 22, 2026 | Release notes published: June 22, 2026

Improved:

  • Added fingerprinting support for ASP.NET Core 10, improving application identification and inventory coverage.
  • Improved asset search results to ensure Operating System information is displayed consistently in both search results and asset detail views.
  • Refined fingerprinting logic for Azul Zulu JDK to reduce false positives and improve software identification accuracy.
  • Added built-in policy support for CIS Microsoft Office Enterprise Benchmark v1.2.0.
  • Updated DISA STIG support for Microsoft Windows Server 2022 from V2R4 to V2R8, providing coverage for the latest benchmark requirements.

Fixed:

  • Resolved an issue affecting fingerprinting of Mozilla Firefox running within Citrix sessions.
  • Fixed an issue that prevented Automated Actions configured with the “New Vulnerability Coverage Available” trigger from executing successfully. Automated actions now function as expected.
  • Corrected an issue impacting fingerprinting accuracy for Google Chrome client, ensuring the browser is identified correctly during scans.

Version 8.48.0
Copy link

Software release date: June 15, 2026 | Release notes published: June 11, 2026

Improved:

  • Improved Linux scan accuracy to address a false positive affecting CVE-2025-40909 on AlmaLinux 8.10.
  • Added fingerprinting support for Nutanix AHV, improving asset identification and inventory coverage.
  • Increased the maximum configurable scan timeout to 24 hours, enabling authenticated scans to complete file discovery on large or complex Unix file systems without timing out.
  • The Scan Engine now reports TLS 1.3 named groups (key exchange groups) supported by scanned endpoints, including Post-Quantum Cryptography (PQC) hybrid groups. Supported groups are displayed alongside existing cipher suite information in asset service details.
  • Enhanced credential logging for SSH-enabled scans, providing visibility into which credential was successfully used during authentication.
  • Improved the overall security posture of the Security Console by updating the bundled Bootstrap library.
  • Added built-in policy support for:
    • CIS Oracle MySQL Community Server 8.0 Benchmark v1.2.0
    • CIS Microsoft IIS 10 Benchmark v1.2.1

Fixed:

  • Resolved an issue where SSH credential scanning could fail against systems running newer versions of OpenSSH.
  • Fixed an issue in the RPM version check handler to improve evaluation for Alma Linux and Rocky Linux packages with fingerprinted modules.
  • Addressed an issue impacting the reliability of Microsoft Exchange fingerprinting during scans.
  • Fixed an issue preventing automated actions based on CVSSv3 scores from triggering correctly.
  • Resolved an issue where the /api/3/users endpoint could return an HTTP 400 error due to invalid site access data.
  • Updated the report download API to return the correct Content-Type header for the requested report format and provide appropriate error messaging when request headers do not match the report type. API documentation has also been updated to reflect this behavior.
  • Addressed an issue in API v3 to align with Security Console permissions, allowing users with the Assign Scan Engine permission to successfully assign scan engines to sites.
  • Corrected an issue in API v3 to ensure both Scan Template ID and Scan Template Name are returned accurately.
  • Resolved an issue where the Run Commands option was not consistently available in multi-silo Security Console environments.
  • Fixed false positives affecting Palo Alto 11 policy checks.

Top of page

Nexpose
Copy link

Nexpose Version 8.49.0
Copy link

Software release date: June 22, 2026 | Release notes published: June 22, 2026

Improved:

  • Added fingerprinting support for ASP.NET Core 10, improving application identification and inventory coverage.
  • Improved asset search results to ensure Operating System information is displayed consistently in both search results and asset detail views.
  • Refined fingerprinting logic for Azul Zulu JDK to reduce false positives and improve software identification accuracy.
  • Added built-in policy support for CIS Microsoft Office Enterprise Benchmark v1.2.0.
  • Updated DISA STIG support for Microsoft Windows Server 2022 from V2R4 to V2R8, providing coverage for the latest benchmark requirements.

Fixed:

  • Resolved an issue affecting fingerprinting of Mozilla Firefox running within Citrix sessions.
  • Fixed an issue that prevented Automated Actions configured with the “New Vulnerability Coverage Available” trigger from executing successfully. Automated actions now function as expected.
  • Corrected an issue impacting fingerprinting accuracy for Google Chrome client, ensuring the browser is identified correctly during scans.

Nexpose Version 8.48.0
Copy link

Software release date: June 15, 2026 | Release notes published: June 11, 2026

Improved:

  • Improved Linux scan accuracy to address a false positive affecting CVE-2025-40909 on AlmaLinux 8.10.
  • Added fingerprinting support for Nutanix AHV, improving asset identification and inventory coverage.
  • Increased the maximum configurable scan timeout to 24 hours, enabling authenticated scans to complete file discovery on large or complex Unix file systems without timing out.
  • The Scan Engine now reports TLS 1.3 named groups (key exchange groups) supported by scanned endpoints, including Post-Quantum Cryptography (PQC) hybrid groups. Supported groups are displayed alongside existing cipher suite information in asset service details.
  • Enhanced credential logging for SSH-enabled scans, providing visibility into which credential was successfully used during authentication.
  • Improved the overall security posture of the Security Console by updating the bundled Bootstrap library.
  • Added built-in policy support for:
    • CIS Oracle MySQL Community Server 8.0 Benchmark v1.2.0
    • CIS Microsoft IIS 10 Benchmark v1.2.1

Fixed:

  • Resolved an issue where SSH credential scanning could fail against systems running newer versions of OpenSSH.
  • Fixed an issue in the RPM version check handler to improve evaluation for Alma Linux and Rocky Linux packages with fingerprinted modules.
  • Addressed an issue impacting the reliability of Microsoft Exchange fingerprinting during scans.
  • Fixed an issue preventing automated actions based on CVSSv3 scores from triggering correctly.
  • Resolved an issue where the /api/3/users endpoint could return an HTTP 400 error due to invalid site access data.
  • Updated the report download API to return the correct Content-Type header for the requested report format and provide appropriate error messaging when request headers do not match the report type. API documentation has also been updated to reflect this behavior.
  • Addressed an issue in API v3 to align with Security Console permissions, allowing users with the Assign Scan Engine permission to successfully assign scan engines to sites.
  • Corrected an issue in API v3 to ensure both Scan Template ID and Scan Template Name are returned accurately.
  • Resolved an issue where the Run Commands option was not consistently available in multi-silo Security Console environments.
  • Fixed false positives affecting Palo Alto 11 policy checks.

Top of page

Digital Risk Protection (Threat Command)
Copy link

No updates released at this time.

Top of page

Rapid7 Agent (Insight Agent)
Copy link

Version 4.1.1
Copy link

New:

  • Added Fedora 43 and Fedora 44 compatibility for all supported architectures.

Improved:

  • Optimized Windows registry access in asset information collection to reduce unnecessary registry operations and improve collection efficiency.
  • The Rapid7 Agent (Insight Agent) on macOS now logs a warning when no static hostname is configured. This warning helps administrators diagnose cases where an asset is reporting a dynamic or generic hostname instead of a persistent, static one.
  • Improved the logic used to select the primary network address reported during asset information collection to ensure the most appropriate address is chosen for each asset.
  • Removed the pyOpenSSL dependency from the Rapid7 Agent (Insight Agent), reducing the number of required libraries and simplifying cryptographic functionality.

Fixed:

  • Rapid7 Agent (Insight Agent) installations on Windows no longer fail when the installer’s LockdownDirectory action encounters non-canonical ACLs in the target SSL directory.
  • Event-driven asset information collection no longer triggers excessive back-to-back uploads. Uploads now occur at the expected 6-hour interval, reducing unnecessary load on affected hosts.
  • Updated the Rapid7 Agent (Insight Agent) Go Toolchain to version 1.25.7 to address multiple security vulnerabilities.
  • Windows OS fingerprinting in asset information collection now correctly identifies recent Windows releases, preventing incorrect product name results.
  • Asset information collection on Windows no longer reports the OS product name as a build number when the CurrentBuildNumber registry key is absent.
  • The Rapid7 Agent (Insight Agent) on macOS no longer raises an invalid exception when hardware UUID retrieval fails.
  • Windows builds now include properly signed DLL files.
  • Update packages no longer include duplicate get_proxy binaries, ensuring Bootstrap updates install the signed version.

Updated Operating System Support:

  • As of version 4.1.1, the Rapid7 Agent (Insight Agent) no longer supports the following operating systems for any architecture:

    • Ubuntu 25.04
    • Fedora 42

Top of page

Next-Generation Antivirus
Copy link

No updates released at this time.

Top of page

Ransomware Prevention
Copy link

No updates released at this time.

Top of page

Velociraptor
Copy link

Version 0.74.4.26
Copy link

Fixed:

Intermittent Rapid7 Velociraptor client crashes no longer cause the client to stop responding to commands for several minutes before recovering.

Automation (InsightConnect)
Copy link

Automated Plugin Updates
Copy link

We’ve improved the plugin update experience to make updates easier to find, review, and apply.

  • Improved update visibility - New icons across workflow views make available plugin updates easier to identify.
  • Bulk update support - You can now apply compatible major version updates in bulk. Documentation and impact analysis are available to help you evaluate updates before applying them.
  • Improved manual updates - When updating plugins manually, action, connection, and input values are preserved whenever possible.
  • Bug fixes - Resolved several minor issues related to plugin updates.

Rapid7 Orchestrator Updated Operating System Support
Copy link

  • As of version v1.67.0, the Rapid7 Orchestrator now supports RedHat Enterprise Linux version 9 and Ubuntu version 24.04.

Platform New Navigation
Copy link

Log Search has moved

  • Log search has moved from Alerts to Logs.

Top of page