
May 2025 Release Notes

The Command Platform release notes cover what’s new (updated monthly) and improvements and fixes (updated weekly).

Last updated: June 2, 2025

What’s new

Learn about new Rapid7 features released during May 2025:

Attack surface

Your attack surface comprises all of the potential entry points that attackers could exploit across your systems, applications, and networks. Developing knowledge of your attack surface is a key goal in improving your company’s security posture.

Protect your attack surface with Surface Command integrations

Surface Command now integrates with additional third-party tools to further enhance your visibility across the attack surface. The newest connectors—Baramundi, Cybereason, Dragos, Markmonitor, Microsoft Defender for IoT, and Zabbix Cloud—enable streamlined insights, automation, and contextual analysis across diverse asset types.

With this capability, you can:

  • Achieve full-spectrum visibility–understand your entire attack surface, including assets, networks, business applications, data storage, and user identities.
  • Gain multi-source context–correlate vulnerabilities and exposures from different security tools for deeper insights into risks and threats.
  • Automate security workflows–leverage integrated, action-oriented APIs to trigger remediation processes and streamline security operations.

Impacted Offerings:

  • Surface Command
  • Exposure Command

Where: Surface Command > Connectors

Explore and analyze your external and internal assets with a unified interface

Surface Command now offers complete visibility and control over your internal and external attack surfaces in a single, unified interface—eliminating context switching and streamlining attack surface management.

With this capability, you can:

  • Experience a consistent and unified interface for both internal and external attack surface discovery.
  • Access external attack surface seed management, exploration, and insight dashboards directly within Surface Command.
  • Eliminate UI context switching when managing external discovery seeds.

Impacted Offerings:

  • Surface Command
  • Exposure Command

Where: Surface Command > External Attack Surface

Manage Vector Command testing status in Surface Command

Vector Command testing status is now fully integrated into Surface Command, so you can further streamline external attack surface management.

With this capability, you can:

  • Mark specific subdomains, IP addresses, and network services as out-of-scope for Vector Command penetration testing.
  • Establish Vector Command testing for dedicated QA and test systems instead of production systems.

Impacted Offerings:

  • Surface Command
  • Exposure Command

Where: Surface Command > External Attack Surface

Improve your focus in Surface Command with dark mode

Personalize your workspace with light or dark mode in Surface Command—ensuring visual comfort and a consistent experience across the Command Platform.

With this capability, you can:

  • Toggle between light and dark mode to match your personal visual preference.
  • Maintain a consistent visual experience as you transition to other Command Platform experiences.
  • Improve readability in low-light environments by switching to dark mode.

Impacted Offerings:

  • Surface Command
  • Exposure Command

Where: Surface Command

Risk

Risk is the potential for loss or damage to your assets, operations, or reputation, due to vulnerabilities being exploited by a bad actor. Security teams must assess the risk level by evaluating the likelihood of a threat occurring and the impact that it would have if realized.

Prioritize what matters with mitigating controls in Remediation Hub

Prioritize what truly matters by highlighting assets that have mitigating controls—not just vulnerabilities. With full context on asset exposure and existing controls, Remediation Hub helps your teams cut through the noise, reduce backlog and friction with IT, and accelerate remediation where it counts most.

With this capability, you can:

  • Shift focus from what’s merely vulnerable to what’s truly at risk.
  • Accelerate workflows with all relevant data available in a single, streamlined view.
  • Cut through the noise with real asset context to save time and ensure remediation teams focus on what matters most.

Impacted Offerings:

  • Surface Command
  • Exposure Command
  • InsightCloudSec
  • InsightVM
  • InsightConnect

Where: Command Platform > Risk > Remediation Hub

Ingest cloud log data faster with expanded event sources

Cloud event data can now be ingested directly into Rapid7’s detection products without additional software.

With this capability, you can ingest data from the following event sources:

  • Claroty xDome
  • Imperva WAF

Accelerate cloud response with remediation recommendations for AWS and Azure

InsightIDR now provides expert-driven remediation guidance for AWS GuardDuty and Azure Defender for Cloud alerts, delivering faster, more consistent response through enriched cloud context.

With this capability, you can:

  • Respond faster–get clear, structured remediation steps per alert group.
  • Improve consistency–leverage expert insights and automation scripts.
  • Reduce time to containment–take immediate, informed action on cloud threats.

Impacted Offerings:

  • InsightCloudSec
  • InsightIDR
  • Managed Threat Complete
  • MDR

Where: Alerts > Alert Details

Threat

A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from various sources, including malicious actors, natural disasters, or unintentional human errors.

Enhance threat coverage with new and migrated detection rules

The InsightIDR Detection Library continues to evolve, delivering faster, broader threat detection. This month, two new rules have been added, and six legacy rules have been migrated—part of our ongoing effort to unify and strengthen your detection experience.

With these updates, you can:

  • Stay ahead of emerging threats – leverage newly released rules to detect high-risk activity like watched or admin-led password resets.
  • Streamline rule management – benefit from the migration of legacy User Behavior Analytics (UBA) rules into the Detection Library, offering a single, comprehensive view of your detection landscape.
  • Improve response efficiency – with consistent rule access and faster insight into potential threats.

New Detection Rules:

  • Account Password Reset – Is Watched
  • Account Password Reset – Is Admin

Migrated Legacy Rules:

  • Third Party Alert – Cyberark Vault
  • Third Party Alert – Cybereason
  • Third Party Alert – Netskope
  • Zone Policy Violation
  • Flagged Hash On Asset
  • Flagged Process On Asset

Impacted Offerings:

  • InsightIDR

Where: Detection Rules > Detection Rule Library

Expanded Emerging Threats (ET) detection coverage now live in Network Sensor

The Network Sensor now includes expanded ET rulesets that detect exploit attempts, scanning behavior, and post-compromise activity. With coverage for high-profile vulnerabilities in products from vendors such as JetBrains, Citrix, and Cisco, it identifies threats early in monitored network traffic and supports faster SOC response with alerts mapped to MITRE ATT&CK.

With this capability, you can:

  • Detect emerging threats earlier–leverage dozens of new Suricata rules across ET EXPLOIT, ET EXPLOIT_KIT, and ET SCAN to surface exploit attempts and attacker behaviors in real time.
  • Uncover attacker intent–gain context-rich insights into reconnaissance activity and malware staging to better understand pre-attack patterns.
  • Accelerate incident response–enable faster triage and validation of high-severity alerts with precise, actionable detection logic.

Impacted Offerings:

  • InsightIDR

Where: Detection Rules
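The ET rule families named above (ET EXPLOIT, ET EXPLOIT_KIT, ET SCAN) carry MITRE tactic and technique IDs in the rule metadata, which Suricata emits in each EVE alert record. The following script is an added example, not Rapid7 or Network Sensor code: it parses standard Suricata eve.json alert records, keeps only those ET families, and flags any source that scanned a target and then fired an exploit-attempt rule, the reconnaissance-then-exploitation sequence the "uncover attacker intent" bullet refers to. The five sample records are constructed for the example, with signature names and SIDs in the local 9,000,000 range that do not correspond to real ET rules.

```python
"""Triage Suricata EVE alerts by Emerging Threats (ET) family and MITRE mapping.

Added example, not Rapid7 code. Assumes the standard Suricata eve.json alert
record shape; the sample lines below are constructed (fake signatures, local SIDs).
"""
import json
from collections import defaultdict

# Constructed sample eve.json lines (one JSON object per line). Not real alerts.
SAMPLE_EVE_LINES = """
{"timestamp":"2025-05-20T10:01:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"ET SCAN Constructed Scanner User-Agent","category":"Attempted Information Leak","severity":2,"metadata":{"mitre_tactic_id":["TA0043"],"mitre_technique_id":["T1595"],"signature_severity":["Minor"]}}}
{"timestamp":"2025-05-20T10:03:45.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"ET EXPLOIT Constructed Path Traversal Attempt","category":"Web Application Attack","severity":1,"metadata":{"mitre_tactic_id":["TA0001"],"mitre_technique_id":["T1190"],"signature_severity":["Major"]}}}
{"timestamp":"2025-05-20T10:05:00.000000+0000","event_type":"alert","src_ip":"192.0.2.55","dest_ip":"198.51.100.20","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"ET EXPLOIT_KIT Constructed Landing Page","category":"A Network Trojan was detected","severity":1,"metadata":{"mitre_tactic_id":["TA0001"],"mitre_technique_id":["T1189"],"signature_severity":["Major"]}}}
{"timestamp":"2025-05-20T10:06:00.000000+0000","event_type":"flow","src_ip":"192.0.2.55","dest_ip":"198.51.100.20"}
{"timestamp":"2025-05-20T10:07:00.000000+0000","event_type":"alert","src_ip":"198.51.100.30","dest_ip":"198.51.100.31","alert":{"signature_id":9000004,"signature":"ET POLICY Constructed Cleartext Protocol","category":"Potential Corporate Privacy Violation","severity":3,"metadata":{}}}
""".strip()

# ET signature prefixes in scope for this triage, mapped to a kill-chain stage.
ET_STAGE = {
    "ET SCAN": "recon",
    "ET EXPLOIT_KIT": "exploit",
    "ET EXPLOIT": "exploit",
}


def et_stage(signature):
    """Return the stage for an ET signature name, or None if the family is out of scope.
    Longest prefix is tried first so 'ET EXPLOIT_KIT ...' is not matched as 'ET EXPLOIT'."""
    for prefix in sorted(ET_STAGE, key=len, reverse=True):
        if signature.startswith(prefix + " "):
            return ET_STAGE[prefix]
    return None


def parse_alerts(eve_text):
    """Yield normalized dicts for in-scope alert records.
    Non-alert event types, out-of-scope families and malformed lines are skipped."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        sig = alert.get("signature", "")
        stage = et_stage(sig)
        if stage is None:
            continue
        # Suricata emits rule metadata as a dict of key -> list of strings.
        techniques = alert.get("metadata", {}).get("mitre_technique_id", [])
        yield {
            "src_ip": rec.get("src_ip"),
            "dest_ip": rec.get("dest_ip"),
            "timestamp": rec.get("timestamp"),
            "stage": stage,
            "techniques": list(techniques),
            "signature": sig,
            "sid": alert.get("signature_id"),
        }


def triage(eve_text):
    """Group in-scope alerts by source IP and flag sources whose first recon alert
    precedes their last exploit alert. EVE timestamps share a fixed UTC offset here,
    so lexical order equals chronological order."""
    by_src = defaultdict(list)
    for a in parse_alerts(eve_text):
        by_src[a["src_ip"]].append(a)

    summary = {}
    for src, alerts in by_src.items():
        alerts.sort(key=lambda a: a["timestamp"])
        stages = [a["stage"] for a in alerts]
        first_recon = stages.index("recon") if "recon" in stages else None
        last_exploit = (len(stages) - 1 - stages[::-1].index("exploit")) if "exploit" in stages else None
        escalate = first_recon is not None and last_exploit is not None and first_recon < last_exploit
        summary[src] = {
            "alerts": len(alerts),
            "stages": stages,
            "techniques": sorted({t for a in alerts for t in a["techniques"]}),
            "recon_then_exploit": escalate,
            "targets": sorted({a["dest_ip"] for a in alerts}),
        }
    return summary


if __name__ == "__main__":
    for src, info in triage(SAMPLE_EVE_LINES).items():
        flag = "ESCALATE" if info["recon_then_exploit"] else "review"
        print(f"{flag:8} {src:15} stages={info['stages']} mitre={info['techniques']} targets={info['targets']}")
```

Run against a real eve.json by reading the file into `triage()`; the `flow` record and the ET POLICY alert in the sample are dropped on purpose to show that only the three named families reach the per-source summary, and the 203.0.113.7 source is the one that should be worked first.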

Accelerate investigations with Principal API Activity Timeline (Azure)

InsightIDR now features a graph-based timeline for Azure Principal API activity, giving SOC analysts a unified view of user, role, and resource actions across multiple audit log sources.

With this capability, you can:

  • Speed up investigations–quickly correlate API actions across time.
  • Improve incident response–faster threat identification and resolution.
  • Strengthen security posture–enhanced visibility supports proactive defense.

Impacted Offerings:

  • Managed Threat Complete
  • MDR
  • InsightCloudSec/Exposure Command Advanced

Where: Alerts > Alert Details

Administration

Administration focuses on refining platform controls, improving navigation, and enhancing user management. Updates streamline permissions, configurations, and logging, creating a more intuitive and efficient experience for administrators.

Enable programmatic access and improved automation capabilities with InsightCloudSec API Documentation

Empower your teams to automate with confidence using readily accessible InsightCloudSec API documentation—enabling faster integrations, streamlined workflows, and more scalable cloud security operations.

With this capability, you can:

  • Accelerate automation of common security and compliance tasks by using documented API endpoints.
  • Reduce manual effort by programmatically managing cloud resources and remediation actions.
  • Empower developers and engineers with self-service access to reliable, up-to-date API documentation.

Impacted Offerings:

  • InsightCloudSec

Where: InsightCloudSec > Profile, InsightCloudSec > Help menu

Accelerated Triage with AI Dispositioning

InsightIDR now extends the power of Rapid7’s SOC-grade machine learning to customers by automatically classifying alerts as likely benign or malicious in real time. A redesigned alert details interface provides visibility into the AI Engine’s decision-making process, offering greater transparency and control.

With this capability, you can:

  • Accelerate alert triage – Leverage AI-generated dispositions to quickly identify which alerts require action.
  • Understand AI decisions – View the specific data inputs used by the Rapid7 AI Engine, and get detailed explanations of its logic.
  • Filter and audit with ease – Use the new “AI Suggested Disposition” field to sort and review AI-triaged alerts directly from the Alert Triage table.

Impacted Offerings:

  • InsightIDR

Where: Alerts > Alert Details

Reduce data overages with InsightIDR fair use adjustment

Rapid7 understands how critical it is for you to capture endpoint data since the vast majority of attacks originate from these assets. InsightIDR allows you to capture Enhanced Endpoint Telemetry (EET) data, which, while critical to your SOC’s effectiveness, can be a large enough volume to jeopardize your monthly Fair Use data allowance.

To eliminate this possibility, Rapid7 has changed how your monthly Fair Use data allowance is calculated. Effective May 1, 2025, EET data is no longer included in your Fair Use monthly data allowance. You will still be able to ingest EET data; you will no longer be charged for it.

With this adjustment, you can:

  • Maintain complete coverage–preserve visibility across 100% of the endpoint attack surface.
  • Prioritize what matters–focus overage discussions on less critical data sources.

Impacted Offerings:

  • InsightIDR

Where: Search the endpoint activity log set, including Process Start Events, Local Service Creation, and the Sysmon log source

Enhance detection workflows with new disposition options

InsightIDR now includes False Positive and Security Test as selectable dispositions for alerts and investigations. These options help teams more accurately categorize outcomes and improve visibility into detection and response efforts.

With this enhancement, you can:

  • Close process gaps–capture more precise outcomes from triage and investigation.
  • Strengthen detection workflows–gain clearer insight into alert and investigation resolution.

Impacted Offerings:

  • InsightIDR
  • Managed Threat Complete
  • MDR

Where: Alerts and Investigations

Fast, Flexible Bulk Exclusion for Endpoint Capabilities

Manage exclusions across your Endpoint capabilities in one unified area, with improved efficiency for fine-tuning benign alerts and better visibility and control at both the group and the organization level.

With this enhancement, you can:

  • Create, edit and oversee all Endpoint exclusions from a centralized page.
  • Apply and edit exclusions for multiple groups.
  • Navigate a streamlined user experience to control exclusions from one place.

Impacted Offerings:

  • Managed Threat Complete
  • MDR

Where: For Endpoint Prevention licenses: Command Platform > Administration > Data Collection > Agents > Endpoint Prevention > Exclusions

For Endpoint Detection licenses: Command Platform > Administration > Data Collection > Agents > Endpoint Detection > Exclusions

Infrastructure updates

Keep track of improvements to core technology.

June 2, 2025

InsightCloudSec

  • Enhanced how InsightCloudSec identifies and evaluates public accessibility for AWS Instance resources. This update refines the detection logic for public access scenarios.
  • Expanded Attack Paths support for AWS Instance resources to include Network Firewall, Network Endpoint, and Web Application Firewall nodes. This results in changes to Attack Path IDs. To see how old IDs map to new ones, you can use the /v2/prototype/apa/path-mapping endpoint. See Using the InsightCloudSec API for details on getting started with the API.
  • Updated release notes URL.
  • Added tooling to monitor peak memory usage per job run.
  • Updated the required permissions list for Oracle users:
    • Allow group InsightCloudSec to read domain in tenancy
    • Allow group InsightCloudSec to read integration-instances in tenancy
    • Allow group InsightCloudSec to read logging-family in tenancy
  • Added support to harvest BigQuery Dataset Tables.
  • Removed query filter: Dataset Tables Not Leveraging Customer-Managed Encryption Key (CMEK).
  • Deregistered the GCP ContainerRegistryHarvester as the service was discontinued. This harvester is replaced by ArtifactRegistryHarvester.
    • Docker image artifacts are now treated as a child resource and can only be seen on the Related Resources tab for the parent resource or programmatically using the related resource API endpoint.
  • Added support for EDH actions TagResource and UntagResource for EFS.
  • Introduced support for Azure App Service Environments including a new harvester, resource, and query filter.
  • Added the CIS GCP 3.0 Compliance Pack.
  • Introduced in-transit encryption support for auto-provisioned EDH queues.
  • Implemented Databricks Workspace resource expansion with configuration fields and Private Network linkage. Also added Query Filters related to the new configuration fields.
  • Updated and renamed Insights for CIS GCP 3.0 Recommendations 2.4–2.11.
  • Added new Insight: Serverless Function With Enabled Cloud Secret Manager API.
  • Added new Insight: Subnet Without VPC Flow Logs Enabled.
  • Added new Insight: Cloud Accounts Without Sinks Configured for All Log Entries.
  • Added new Insight: Cloud Account Linked to Cloud Credential Without App Restrictions.
  • Added new Query Filter: Resource Encrypted With Cloud Managed Key.
  • Added new Query Filter: Database Migration Endpoint Is/Is Not Encrypted.
  • Added new Query Filter: Cloud Accounts Without Sinks Configured For All Log Entries.
  • Added new Query Filter: Cloud Credential Without App Restrictions.
  • Introduced new query filters for Subnet log config including metadata and sampling controls.
  • Added query filters for GCP Organization Service API and Serverless Functions with Secret Manager API.
  • Added tagging support for Azure Container Registry.
  • Added source document support for AWS instance resource agents.
  • Added new error messages for the Infrastructure as Code (IaC) scanner.

InsightIDR

  • Added new investigation disposition options: “False Positive” and “Security Test.”
  • Added a new “Command Platform Features” tab in Settings, consolidating InsightVM and Agent settings into a single page.
  • Grouped related fields in the event source creation form to improve readability and allow collapsible sections.
  • The product select page for adding new event sources now clearly indicates which event sources don’t require collectors and provides simpler access to configure collectors.

Fixed issues

Stay updated on fixes across platforms and products.

June 2, 2025

InsightCloudSec

  • Resolved an issue with instance count values in the Network resource that caused false positives in Azure for the Network With No Instances Insight.
  • Fixed incorrect results in the Layered Context Vuln Resources containing CVE IDs.
  • Fixed issue with Azure Private Endpoints causing NetworkEndpointHarvester to fail.
  • Resolved “Out of sort memory” issue in ResourceGroupInsightFindings job.
  • Fixed issue with missing keys during compact Redis cache writing for insights.
  • Addressed problem with Kubernetes Insights showing outdated scan data.
  • Resolved issue with vulnerabilities not returned when using Jinja templates in Bot Actions.
  • Resolved issue with the Compliance Report PDF download failing to render all content.
  • Fixed issue with ServiceCertificateAuthorityHarvester.
  • Fixed error in Vulnerabilities->Resources advanced filter for multiple CVE detection.
  • Corrected issue where IaC Scan Completion Notifications linked to invalid URLs.
  • Resolved bug where Kubernetes Compliance Scorecard results incorrectly showed “No results” page.
  • Corrected a bug where tags for Azure Container Registry were not supported.

InsightIDR

  • Removed attribution preference settings for Imperva event sources, since Imperva does not produce attributable documents.
  • All Login URLs from the Code42 API documentation are now available when configuring a new Code42 event source.
  • Credentials can be configured for new directory watcher or file tailing event sources.