Remediate Risk Across Cloud and On-Prem Environments
Remediation Hub offers a list of prioritized updates called remediations that are focused on reducing vulnerability risk. This list makes the Remediation Hub the first place you should check to drive risk reduction across your hybrid environments.
Access Remediation Hub
To access Remediation Hub, you must have Command Platform Administrator (Shared) permissions and at least one of the following:
- Vulnerability Management (InsightVM) - Global Administrator
- Cloud Security (InsightCloudSec) - Domain Admin, Domain Viewer, or Organization Admin
- Attack Surface Management (Surface Command) - Surface Command Admin
To open Remediation Hub:
- Log in to the Command Platform.
- Go to Response & Remediation > Remediation Hub.
Vulnerability data sources
Vulnerability data comes from Vulnerability Management (InsightVM), Cloud Security (InsightCloudSec), and relevant Surface Command Connectors. For setup instructions, see:
Explore Remediation Hub
Remediation Hub contains three main sections:
- Emergent Threats (if available)
- Key Metrics
- Remediations
Emergent threats
Rapid7’s security research team actively monitors and researches emergent threats. Emergent Threat Response delivers fast expert analysis and first-rate security content for the highest priority security threats to help you understand your exposures and act quickly to protect your assets from exploitation. When there is an active emergent threat, Remediation Hub notifies users with a callout banner at the top of the page that Rapid7 teams are responding. This callout initially provides a link to a blog post that is constantly being updated. As more becomes known about the vulnerability and content is created in various Rapid7 solutions, the Remediation Hub shows customers the CVE numbers and the impact on assets across their environment. Emergent threats are shown for 14 days. If there is no current emergent threat, the banner will not be displayed.
Projected Impact
The following metrics are displayed at the top of Remediation Hub to help you understand the projected impact of the top 25 remediations:
| Metric | Description |
|---|---|
| Vulnerability Findings Remediated | The number of vulnerability findings expected to be remediated if the top 25 remediations are implemented. |
| Assets Update | The number of assets that would be updated if the top 25 remediations are implemented. |
Remediations
Remediation Hub mainly consists of remediations for risks and vulnerabilities found in your environment. Each remediation in the table includes the following:
- Type (on-prem or cloud)
- A short description of the remediation
- A risk score calculated from the active risk score on the vulnerabilities and total number of assets impacted
  - For more information on how risk is calculated, visit How is Risk Calculated?
- The number of assets, images, CVEs, and findings that are associated with the risk
  - Note that due to the time it takes to sync data for Remediation Hub, the count of assets affected by a given remediation may vary between Remediation Hub, Cloud Security (InsightCloudSec), and InsightVM.
- The source of the remediation. Learn more about third-party vulnerabilities and remediations.
To get started with implementing remediations:
- Apply filters to reduce the scope of remediations and assets returned in the Remediation Hub.
Special filters
Some filters, such as Reboot Required or patch management status, are based on asset-level conditions. As a result, the Remediation Hub table may not visibly change, even when a filter is applied. To confirm how a filter affects results, open a remediation and review the Impacted Assets tab.
If you have endpoint protection or patch management software connected to Attack Surface Management (Surface Command), you can filter on either of these to quickly find remediations that rely on your existing mitigation controls. Review Assess endpoint protection and patch management coverage for more information.
- Click Export to export the top 25 remediations in the current view as a CSV file. To create a scheduled HTML report, go to Top remediations report for details.
Details
Click a remediation from the table to open a panel containing an AI overview of the remediation, details on the total number of impacted assets and vulnerabilities, and a description of the remediation.
Depending on the type of asset, available details may differ but can include:
- Asset Name
- Resource ID and type
- Physical site
- Cloud account
- Owner
- Vulnerability proof
- Vulnerability name, severity, and risk
- Number of Automation (InsightConnect) workflows run
If the asset is available in Vulnerability Management (InsightVM) or Attack Surface Management (Surface Command), you can click Actions (…) > View Asset or Actions (…) > View Attack Surface to view the asset in Vulnerability Management (InsightVM) or Attack Surface Management (Surface Command), respectively.
AI Overview
Concerns about AI?
Rapid7 does not use any customer data for training or fine-tuning our large language models (LLMs), nor do we share your data with any third-party LLMs for their training purposes. If you would prefer to opt out of AI usage, contact your CSA or Support.
Rapid7 offers AI-generated summaries of a remediation that help you understand the criticality, exploitability, and potential impact of the CVEs detected in the environment, highlighting the risks of not applying a remediation. Business context, such as asset tags and affected systems, is also included with the analysis to help your security teams understand the operational complexity involved. Additionally, the AI Overview enhances remediation insights with clear, actionable recommendations and next steps for effective implementation.
The summaries are generated from data already visible in Remediation Hub and Rapid7’s own vulnerability intelligence. The model is never trained on your data, never sends information outside Rapid7’s secure, access-restricted infrastructure, and outputs are isolated per organization.
You can use icons at the bottom of the AI Overview panel to send Rapid7 feedback about the feature. This helps Rapid7 monitor quality and improve the feature over time.
Third-party vulnerabilities and remediations
Remediation Hub can report vulnerabilities and remediations from third-party sources if the matching Attack Surface Management (Surface Command) connector is installed. Remediation Hub supports this functionality for the following connectors:
- Amazon Inspector
- Claroty xDome
- Dragos Vulnerability
- ManageEngine Endpoint
- Microsoft Defender
- Orca
- Qualys Vulnerability Management Detection & Response (VMDR)
- Red Hat Insights
- SentinelOne
- Tenable (Tenable.io)
- Tenable Security Center (SC)
- Wiz
Assess endpoint protection and patch management coverage
On the Impacted Assets tab, the Endpoint Protection and Patch Management columns show the status of mitigating controls for each asset. These columns use the following statuses to indicate whether the control is detected for the asset:
| Status | Description |
|---|---|
| Available | A supported Attack Surface Management (Surface Command) connector confirms the mitigating control for the asset. |
| None | The asset exists in Attack Surface Management (Surface Command) but no connector reports the mitigating control. |
| Unknown | The asset was not found in Attack Surface Management (Surface Command), so the Command Platform cannot determine whether patch management or endpoint protection controls are available. This may occur when Attack Surface Management (Surface Command) is not enabled or the asset exists in another source (for example, Vulnerability Management (InsightVM)) but has not been discovered by or synced into Attack Surface Management (Surface Command) yet. |
| Reboot Required | Patch Management only. The asset requires a reboot before the Command Platform can retrieve the latest control status. |
Trigger workflows for assets
Automation (InsightConnect) workflows can assist with your remediation efforts, including creating Jira tickets, creating ServiceNow incidents, and much more. From the remediation detail panel, you can send a remediation to a workflow or view automation log, artifact, and output history for a remediation.
To send a remediation to a Workflow:
- From Command Home, go to Response & Remediation > Remediation Hub.
- Find a remediation you want to send to a workflow.
- Click the Remediation name to open the details panel.
- Click Send to Workflow to open a panel containing Automation (InsightConnect) workflows. Automation (InsightConnect) workflows appear on the panel if they have the Remediation Hub trigger. Note: The Send to Remediation Hub workflow currently supports up to 10,000 assets. If the selected remediation contains more than 10,000 assets, you need to add filters.
Want more workflows?
You can download more workflows from the Extension Library (click Open Extension Library) or you can create them in Automation (InsightConnect). To learn more about creating and managing workflows, review the Automation (InsightConnect) documentation.
- Select a workflow to show workflow and remediation details.
- Click Run.
To view automation log, artifact, and output history:
- From Command Home, go to Response & Remediation > Remediation Hub.
- Find a remediation you want to send to a workflow.
- Click the Remediation name to open the details panel.
- Click the Automations value to open a list of automations that have run for this remediation.
- Find a workflow you want to review.
- Click View Details next to the workflow to review information, logs, artifacts, and outputs for that workflow.
Top remediations report
You can create a report featuring the top 25 remediations directly from Remediation Hub, with all filters that are applied on Remediation Hub returned in the report. This report:
- Enables security teams to share clear, actionable remediation guidance with asset owners
- Eliminates the need to jump back to the Vulnerability Management (InsightVM) console to generate reports
- Works across multi-product environments (Vulnerability Management (InsightVM), Cloud Security (InsightCloudSec), Attack Surface Management (Surface Command)), so one report can convey your full attack surface
To create a top 25 remediations report:
- From the Command Platform, go to Response & Remediation > Remediation Hub.
- Filter the Remediation Hub as needed.
- Select Create Report.
- Choose a report type and select Open:
  - Top Remediations Summary - See the top 25 remediation actions from your current filters that reduce the most risk. Use this report to prioritize fixes based on their overall impact.
  - Top Remediations Summary with Assets - See the top 25 remediation actions from your current filters that reduce the most risk, including the affected assets for each action. Use this report to identify where to apply each fix.
- Optionally, adjust the report name and description.
- Select at least one format: HTML, PDF, or CSV.
- Optionally, update the Scheduling:
  - To generate a report now, turn on Trigger report on save.
  - To generate the report on a recurring schedule, click + Add Schedule.
    - Click the new schedule entry.
    - Select a start date for the report.
    - Enter a repeat timeframe. For example, repeat every 3 days.
    - Enter a time to generate the report.
    - Configure when the report should end (never or a selected date).
    - Select users or email addresses that you want to share the reports with.
  - Optionally, click Add Another Schedule to add a separate schedule.
- Click Create.
Want to review your report?
After creating a report, you can open it in the Command Platform by going to Reports & Dashboards > Reports. From this page, you can easily search for reports by report date or date generated, sort reports, manage tags and add favorites, and select different ways to filter. You can also view (HTML) or download (PDF) your reports.