May 2026 Release Notes

The Command Platform release notes cover what’s new, which is updated monthly, and improvements and fixes, which are updated weekly.

Last updated: May 11, 2026

What’s New

Learn about new features across the Command Platform. These features were released over the past month and are available now:

Risk

Risk is the potential for loss or damage to your assets, operations, or reputation due to vulnerabilities being exploited by a bad actor. Security teams must assess risk by understanding likelihood, impact, and real-world threat context.

Gain Clearer Asset Visibility with Expanded Patch and Endpoint Protection Data

Remediation Hub now provides expanded asset-level visibility for patch management and endpoint protection coverage. You can see which solutions provide coverage for each asset, identify the source of that data, and determine whether a reboot is still required after patching. This information is available in remediation details, filters, exports, and Automation (InsightConnect) workflows.

With this update in Risk > Remediation Hub, you can:

  • See the source of endpoint protection and patch management coverage for each asset.
  • Identify assets that still require a reboot after patching.
  • Filter and export data to quickly find and share assets that need follow-up action.

Remediate Faster with Targeted Filtering in Remediation Hub

Remediation Hub now includes enhanced filtering with resource type and categorized filters. Categorized filters help you distinguish between those that apply to all assets and those specific to Vulnerability Management (InsightVM) or Cloud Security (InsightCloudSec), making it easier to find and apply the right filters.

With this capability in Risk > Remediation Hub, you can:

  • Prioritize newly disclosed vulnerabilities using CVE publish date filters.
  • Quickly identify relevant filters with category-based organization.
  • Focus on the most relevant assets by filtering by resource type.
  • Navigate filters more efficiently with improved structure.

Threat

A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from malicious actors, compromised identities, or misconfigurations.

You can now move directly from Threat Intelligence (Intelligence Hub) to Log Search without manually building queries. From Campaign and Threat Actor profiles, SIEM (InsightIDR) automatically generates and opens pre-filled queries with the relevant indicators of compromise (IOCs), mapped log sources, and time ranges.

With this capability in Command Platform > Intelligence > Campaigns and Command Platform > Intelligence > Threat Actors, you can:

  • Launch ready-to-run log searches with automatically generated queries based on selected IOCs.
  • Improve hunt accuracy using standardized queries grouped by IOC type, such as IP addresses, domains, and file hashes.
  • Reduce manual effort and errors by eliminating the need to copy, map, and format indicators across log sources.
  • Move from intelligence to investigation in seconds, improving analyst efficiency and response time.

Prioritize CVEs Faster with Rapid7 Labs Technical Assessments

Rapid7 Labs technical assessments are now embedded directly in CVE Library, giving your team clear, analyst-backed insight into how vulnerabilities are exploited and why they matter. Instead of piecing together external research, you can now evaluate exploitability, attacker value, and real-world risk in one place.

With this capability in Command Platform > Intelligence > CVE Library, you can:

  • Access Rapid7 Labs technical assessments for notable CVEs directly within each CVE record.
  • Understand why a vulnerability matters using structured signals like exploitability, attacker value, and exposure conditions.
  • Prioritize remediation faster with analyst narrative, affected product details, and real-world risk context.

Eliminate Context Switching with Native IOC Management

IOC Sources are now integrated directly into the Command Platform, providing a centralized interface to manage public, private, and custom Threat Intelligence (Intelligence Hub) feeds. This enhancement streamlines workflows by reducing the need to switch between tools and improves performance when working with large volumes of IOCs.

With this update in Command Platform > Data Connectors > Sources, you can:

  • Manage all indicators and IOC sources directly within the core platform.
  • Experience drastically improved load times and a modernized UI for searching millions of IOCs.

Improve Data Reliability with Platform-Native Vulnerability Management (InsightVM) Integration

Vulnerability Management (InsightVM) data now flows into SIEM (InsightIDR) through a platform-native integration powered by the Rapid7 data mesh. This update removes the need for manual configuration, improves reliability, and ensures consistent vulnerability context across SIEM (InsightIDR), MDR/MTC, and Incident Command without impacting existing functionality.

With this capability, you can:

  • Automatically access Vulnerability Management (InsightVM) data in SIEM (InsightIDR) without additional setup.
  • Reduce configuration issues and ongoing maintenance.
  • Ensure vulnerability context in SIEM (InsightIDR) aligns with Vulnerability Management (InsightVM) data.
  • Continue using existing features and customizations without changes.

Improve Triage for Multi-Vector and Thresholded Detections with Full Alert Context

SIEM (InsightIDR) now preserves and displays additional contributing payloads for multi-vector and thresholded detections, instead of showing only the final triggering event. This gives SOC analysts full visibility into the activity behind complex detections.

With this update in Alert Details > View in Log Search, you can:

  • See additional evidence that contributed to a multi-vector or thresholded detection.
  • Triage complex alerts faster with clearer context.
  • Reduce ambiguity, false positives, and investigation time.

This enhancement improves analyst confidence and trust by ensuring detection context is complete from detection through response.

Create and Deploy Detections as Code in SIEM (InsightIDR)

You can now create, validate, and deploy detections as code in SIEM (InsightIDR) using Terraform. This capability enables security teams to define detection logic in a version-controlled workflow, validate detections before deployment, and promote them across environments. By treating detections as software, you can improve consistency across tenants, reduce configuration drift, and accelerate time to detection.

With this capability, you can:

  • Define and manage detections using Terraform in your existing CI/CD workflows.
  • Deploy and manage custom detections without relying on manual UI configuration.
  • Promote detections consistently across single- and multi-tenant environments.
  • Maintain auditability and version control for detection changes.
  • Create up to 200 custom detection rules, up from the previous default of 50.

Administration

Administration focuses on refining platform controls, improving integrations, and streamlining configuration to support efficient security operations.

Streamline User Management with Unified User Resources and Settings

Manage user preferences and access from a single, centralized location across the Command Platform. This update simplifies how users configure settings, access resources, and maintain their profile, providing a unified experience for managing user-level settings and resources while reducing friction and eliminating the need to navigate across multiple areas of the platform.

With this update in Command Platform > Profile > User Settings, you can:

  • Manage profile preferences, including theme, time zone, and default landing page.
  • View and update communication and notification preferences.
  • Configure access and security settings.
  • Access customer support and educational resources.

Reduce False Positives with AI-Enhanced Attack Modules

Use AI to deliver more accurate vulnerability results in your scan outputs. This feature helps your team focus on true web app vulnerabilities, streamlining remediation workflows and reducing manual triage efforts.

With this feature in Application Security > Settings > Scan Options, you can:

  • Automatically assess scan output using LLM-based vulnerability pre-triage.
  • Focus on real risk, with false positives removed from your environment.
  • Reduce manual review processes, helping prioritize remediation efforts with greater confidence in your findings.

Due to specific model infrastructure requirements, this feature is currently not available in APS2 and ME regions. The CA region may experience varied results due to these limitations.

Improvements and Fixes

Keep track of improvements and fixes to core technology.

Application Security (InsightAppSec) and AppSpider
Copy link

No updates released at this time.

Attack Surface Management (Surface Command)

Version 1.0.909

Software release date: May 6, 2026 | Release notes published: May 11, 2026

Improved:

  • “Data ingest is queued” message in Import Feeds now clarifies that the queue is cross-customer and not actionable by stopping feeds.

Connectors

The following connectors were updated in the Extension Library since the previous release. Connector updates are published independently and may have been available before this release date.

New Connectors

  • Airlock Digital: Airlock Digital is an application control and allowlisting platform that enforces a Deny by Default security posture on endpoints. It centrally manages application control across Windows, macOS, and Linux environments. This connector integrates asset data from Airlock Digital into the Rapid7 Platform, importing agents and groups.
  • Gophish: Gophish is an open-source phishing toolkit designed for businesses and security professionals to test and enhance their organization’s defenses against phishing attacks. This connector integrates phishing campaigns and target groups from Gophish with the Rapid7 Platform, providing visibility into phishing awareness testing activities.
  • Illumio: Illumio is a Zero Trust Segmentation platform that provides real-time visibility and microsegmentation across multi-cloud and data center environments. The platform is centered around the Policy Compute Engine (PCE), which collects telemetry from Virtual Enforcement Nodes (VENs) installed on workloads and Network Enforcement Nodes (NENs) to build a live application dependency map and enforce security policies. This connector imports workloads, labels, VENs, and network devices from the Illumio PCE into the Rapid7 Platform.

Updated Connectors

  • Crowdstrike Falcon: Vulnerability Statuses: Removed Closed and Expired options; existing configs with those values will log a warning and import only open/reopen findings.
  • Delinea Privilege Manager: Pinned dependencies.
  • Delinea Secret Server: Fixed schema validation error for DelineaSecretServerSecret type.
  • GitHub: Fixed authentication issues related to recent dependency updates.
  • KnowBe4: Fetched groups from KnowBe4 and linked to users.
  • Mimecast: Updated the MimecastUser and MimecastInternalDomain types to allow referencing between them, and added a virtual edge to materialize the ownership relationship between domains and users.
  • Recorded Future: Added RecordedFutureVuln and RecordedFutureEvidence types with risk list ingestion.
  • VMware vCenter: Fixed SSL Verify setting not being applied correctly.

Version 1.0.908

Software release date: April 28, 2026 | Release notes published: May 4, 2026

Improved:

  • Expand correlation exclusion rules for serial numbers to ignore additional placeholder values, including “n/a,” “n.a.,” “-,” “1234,” and “not specified.” These values are now excluded from correlation while the property remains on the asset.
  • Filter View widgets now support drill-in operations, enabling interactive exploration.
  • Graphical Query Builder filters now display selectable enum values in a dropdown, matching Data Insights filter behavior for improved usability.

Connectors

The following connectors were updated in the Extension Library since the previous release. Connector updates are published independently and may have been available before this release date.

New Connectors

  • JFrog Artifactory: JFrog Artifactory is a universal artifact repository manager that stores, manages, and distributes software packages and binaries across the development pipeline. This connector synchronizes user, group, project, and repository data from JFrog Artifactory into the Rapid7 Platform.

Updated Connectors

  • Dragos: Fixed data validation for x and y labels in DragosAsset.
  • Freshservice: Added unmatched asset counts logging.
  • Microsoft Graph Security: Added connector settings for minimum severity and lookback days for alerts and incidents.
  • Microsoft Intune: Fixed a date parsing error when devices have never synced and the Last Sync filter is enabled.
  • NetBox: Improved name-based correlation for NetBoxDevice.
  • SentinelOne Singularity:
    • Filtered vulnerabilities by status to exclude resolved and suppressed findings.
    • Improved paging log to show running totals across pages.
  • SolarWinds Orion: Increased timeout and decreased limit for Node SWQL queries.
  • VMware vCenter:
    • Fixed tag retrieval by switching to the REST API.
    • Added vCenterTagAssociation type to link objects to tags.
    • Added vCenterAssociatedTag type to host REST-sourced tag data.

Cloud Security (InsightCloudSec)

Release availability for self-hosted users

Self-hosted users can download the latest version from the following locations, usually 4 business days after SaaS users are upgraded:

  • Terraform deployments: Public S3 bucket. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) deployments: You can obtain the ECR build images for this version from the InsightCloudSec ECR Gallery.

Version 26.5.12
Copy link

Software release date: May 12, 2026 | Release notes published: May 11, 2026

Important

  • Oracle Cloud Vault and Secret Resource Identification: Changed the Oracle Cloud backend format for Vaults and Secrets. The new format uses: {vault_display_name}.{vault_id} for Vaults and {secret_name}{vault_id} for Secrets. This change ensures global uniqueness and correct parent-child relationships.
    • Impact: All existing Vaults and Secrets will be considered new resources after the initial harvest once this version has been deployed. Bots, alerts, or integrations may be triggered if configured to act on newly discovered resources.

Improved

  • Improved database connection pool recycling for harvesting operations to enhance overall system stability and efficiency.
  • Updated Azure, GCP, OCI, and AliCloud onboarding scripts to provide standalone permission update support. AWS support was already available.
  • Updated the Display by: Resource view on the Misconfigurations page to allow for selecting whether to show only Insights within a specific Insight Pack or all insights a resource is flagged with. A new toggle allows switching between the two views, with the default being to show only insights belonging to the pack you are scoped to.
  • Added “Cloud Vendor Managed” column (true/false) to Kubernetes namespace scoped resources for better visibility and filtering.
  • Added a filter in the Vulnerabilities -> Resources tab to filter only resources that have vulnerabilities.

New Query Filters

  • Kubernetes Resources Managed by Cloud Vendor: Identifies Kubernetes Resources managed by cloud vendors with a not_in option to filter out or include cloud vendor managed Kubernetes resources.

Fixed

  • Fixed an issue where creating a vulnerability email subscription would fail with a session error, preventing the subscription from being saved.
  • Fixed an error during exemption rule processing that could cause resource harvesting to fail with a database session error.
  • Fixed an IaC v3 scanner bug where Database Instance Not Encrypted was being incorrectly flagged when a Cluster Instance is attached to an encrypted cluster.
  • Fixed performance issues with Attack Path Analysis job execution that caused timeouts and extended processing times. Optimized database queries and internal data processing to reduce job runtime by approximately 75% in large environments.
  • Fixed delete button on IaC Managed Run tasks UI, added descriptive text, and moved the pop-out confirmation to a modal dialog.
  • Fixed false positive bug by adding origin information on AWS::CloudFront::Distribution resources for Content Delivery Network Without Origin Access Control insight.

Version 26.5.5

Software release date: May 5, 2026 | Release notes published: May 4, 2026

Upcoming changes in the release version 26.5.12

OCI Vault and Secret Resource Identification: We will update the resource_id generation for the Vault and Secret resource types in Oracle Cloud Infrastructure (OCI) environments. This change will ensure global uniqueness and correct parent-child relationships by incorporating the Vault OCID into the ID format.

  • Impact:
    • Existing Vaults and Secrets will be re-identified as new resources on the first harvest after this update.
    • Bots, alerts, or integrations may be triggered if configured to act on newly discovered resource types.

Current Release 26.5.5

Improved

  • Updated the Threat Findings experience to align with an industry-standard Detection Findings view. This update introduces an improved layout, enhanced organization, and additional functionality to help you investigate and prioritize findings more efficiently.
    • Improved
      • Mapped all findings to the MITRE ATT&CK framework.
      • Added remediation guidance for findings generated by cloud service providers.
      • Improved visualization of severity and event source counts.
    • Impact
      • Detection Findings is now the default experience for all users.
      • The underlying findings data remains unchanged. However, the interface has been redesigned to provide improved functionality and navigation.
      • This experience is not available for self-hosted customers.
      • Saved filters are scoped to each experience. Detection Findings does not include filters previously saved in Threat Findings.
      • You can continue to access the previous Threat Findings experience and switch between views using a toggle.
  • Added the ability to create bots directly from JSON configuration. Users can now select “Create Bot From JSON” from the bot creation dropdown menu, eliminating the previous requirement to first create a template from JSON before creating a bot. This streamlines the bot creation workflow for users who prefer working with JSON configurations.
  • Extended the existing container SBOM download feature to support downloading vulnerability assessment data for individual host instances, enabling users to export detailed software package inventories for compliance and security analysis.

New Resources

  • Added support for Lustre File System resource type with new harvester LustreFileSystemHarvester:
    • New permissions required: Microsoft.StorageCache/amlFilesystems/read

New Insights

  • Lustre File System Without CMK Encryption: Identifies Lustre File Systems that are not encrypted with a customer-managed key (CMK).

New Query Filters

  • Container Instance is Kubernetes Node: Identifies Container Instances that are Kubernetes Nodes.
  • Lustre File System Without CMK Encryption: Identifies Lustre File Systems that are not encrypted with a customer-managed key (CMK).

Fixed

  • Fixed an issue where AlloyDB Cluster Snapshots would not link correctly to the parent cluster if stored in a different region than the cluster.
  • Fixed handling of missing locationType for GCE rapid storage class buckets in StorageContainerHarvester.

Mimics Infrastructure as Code (IaC) Scanning Tool

No updates released at this time.

SIEM (InsightIDR)

Improved:

  • Custom parser editing no longer requires a 10-log minimum.
  • S3 Bucket field validation in event source creation form updated for consistency.

Fixed:

  • Descriptions restored for authentication services table and error states within User page.
  • Special character parsing within Investigation Details timeline refined.
  • Global search results visibility corrected to prevent layering behind other page elements.

Vulnerability Management (InsightVM)

Version 8.45.0

Software release date: May 18, 2026 | Release notes published: May 15, 2026

Improved:

  • Upgraded the bundled Spring Boot and Metasploit frameworks to enhance the overall stability and security posture of the console.
  • Enhanced scanning capabilities by improving SSH remote execution support for JunOS assets.
  • Policy Coverage added for the following:
    • CIS VMWare ESXI 7.0 v1.5.0
    • CIS Fortigate 7.4.X V1.0.1
    • CIS SUSE Linux Enterprise 16 Benchmark 1.0.0
    • CIS Apache HTTP Server 2.4 Benchmark v2.3.0
    • CIS Microsoft Intune for Windows 11 Benchmark v4.0.0
    • CIS Oracle MySQL Enterprise Edition 8.4 Benchmark 1.1.0
    • CIS Red Hat Enterprise Linux 8 Benchmark v4.0.0
    • CIS PostgreSQL 14 v1.3.0
    • CIS F5 Networks v1.0.1
    • DISA STIG F5 Big-IP TMOS DNS STIG V1R1
    • DISA STIG F5 Big-IP TMOS NDM STIG V1R2
    • DISA STIG F5 Big-IP TMOS ALG STIG V1R2
    • DISA STIG F5 Big-IP TMOS Firewall STIG V1R1
    • DISA SUSE Linux Enterprise Server (SLES) 12 STIG V3R4

Fixed:

  • Resolved an issue causing mismatched risk score values between the Asset page and Search page. Values are now consistent across the security console.
  • Fixed an issue causing a false positive for obsolete versions of Apache Log4j.
  • Addressed a fingerprinting inconsistency observed for IBM WebSphere Application Server on Windows systems.
  • Resolved an issue causing a false positive for the WebDAV Disabled rule in CIS Microsoft IIS 10 Benchmark v1.1.1.
  • Addressed issues impacting rules in the following policies - CIS Microsoft Windows 11 Enterprise Benchmark 4.0.0, CIS PostgreSQL 14 v1.3.0, CIS Apache HTTP Server 2.4 Benchmark v2.3.0.

Version 8.44.0

Software release date: May 11, 2026 | Release notes published: May 7, 2026

Content-only release

  • This release includes the latest vulnerability content updates to ensure your scans continue to detect and assess the most recent threats. No product feature changes or updates are included in this version.

Nexpose

Nexpose version 8.45.0

Software release date: May 18, 2026 | Release notes published: May 15, 2026

Improved:

  • Upgraded the bundled Spring Boot and Metasploit frameworks to enhance the overall stability and security posture of the console.
  • Enhanced scanning capabilities by improving SSH remote execution support for JunOS assets.
  • Policy Coverage added for the following:
    • CIS VMWare ESXI 7.0 v1.5.0
    • CIS Fortigate 7.4.X V1.0.1
    • CIS SUSE Linux Enterprise 16 Benchmark 1.0.0
    • CIS Apache HTTP Server 2.4 Benchmark v2.3.0
    • CIS Microsoft Intune for Windows 11 Benchmark v4.0.0
    • CIS Oracle MySQL Enterprise Edition 8.4 Benchmark 1.1.0
    • CIS Red Hat Enterprise Linux 8 Benchmark v4.0.0
    • CIS PostgreSQL 14 v1.3.0
    • CIS F5 Networks v1.0.1
    • DISA STIG F5 Big-IP TMOS DNS STIG V1R1
    • DISA STIG F5 Big-IP TMOS NDM STIG V1R2
    • DISA STIG F5 Big-IP TMOS ALG STIG V1R2
    • DISA STIG F5 Big-IP TMOS Firewall STIG V1R1
    • DISA SUSE Linux Enterprise Server (SLES) 12 STIG V3R4

Fixed:

  • Resolved an issue causing mismatched risk score values between the Asset page and Search page. Values are now consistent across the security console.
  • Fixed an issue causing a false positive for obsolete versions of Apache Log4j.
  • Addressed a fingerprinting inconsistency observed for IBM WebSphere Application Server on Windows systems.
  • Resolved an issue causing a false positive for the WebDAV Disabled rule in CIS Microsoft IIS 10 Benchmark v1.1.1.
  • Addressed issues impacting rules in the following policies - CIS Microsoft Windows 11 Enterprise Benchmark 4.0.0, CIS PostgreSQL 14 v1.3.0, CIS Apache HTTP Server 2.4 Benchmark v2.3.0.

Nexpose Version 8.44.0

Software release date: May 11, 2026 | Release notes published: May 7, 2026

Content-only release

  • This release includes the latest vulnerability content updates to ensure your scans continue to detect and assess the most recent threats. No product feature changes or updates are included in this version.

Digital Risk Protection (Threat Command)

No updates released at this time.

Remediation Hub

  • 2.21.0

    • Resource Type filter: We’ve introduced a new Resource Type filter in the Remediation Hub main table. This allows customers to filter remediation data by categories such as Instance, Container, and Host. This filter applies to Cloud Security (InsightCloudSec) assets.
    • Improved loading experience for the Emergent Threats section.
    • Improved performance and reliability.

Rapid7 Agent (Insight Agent)

No updates released at this time.

Next-Generation Antivirus

No updates released at this time.

Ransomware Prevention

No updates released at this time.

Velociraptor

No updates released at this time.
