Remediate Risk Across Cloud and On-Prem Environments

Remediation Hub provides a central location for recommended remediation actions on risks and vulnerabilities across your hybrid environment, so you can focus and prioritize your efforts on the most impactful changes and improve your overall security posture.

Requirements

To access Remediation Hub, you must have at least one of the following role combinations:

  • Vulnerability Management (InsightVM) - any role
  • Cloud Security (InsightCloudSec) - Domain Admin or Domain Viewer
  • Command Platform Administrator and Attack Surface Management (Surface Command) - Attack Surface Management (Surface Command) Admin
ℹ️

Remediations are scoped to your permissions

Remediation Hub shows remediations for the modules you can access. For example, if you only have the Cloud Security - Domain Admin role, you will only see Cloud Security remediations.

To populate Remediation Hub with data, you must have already set up at least one of the following modules:

Review emergent threats

Rapid7’s security research team actively monitors and researches emergent threats. Rapid7’s Emergent Threat Response delivers fast expert analysis and first-rate security content for the highest priority security threats to help you understand your exposures and act quickly to protect your assets from exploitation. When an emergent threat is active, Remediation Hub displays a banner at the top of the page.

This banner:

  • Indicates that Rapid7 teams are actively responding to the threat
  • Links to a Rapid7 blog post with ongoing updates
  • Provides visibility into associated CVEs and impacted assets as more data becomes available

Emergent threats are displayed for 14 days. If no emergent threat is active, the banner is not shown.

Review remediations

You can monitor the potential impact of the top 25 remediations using the key metrics, including:

  • Vulnerability Findings Remediated: The number of vulnerability findings expected to be remediated if the top 25 remediations are implemented.
  • Assets Update: The number of assets that would be updated if the top 25 remediations are implemented.

Remediation Hub mainly consists of remediations for risks and vulnerabilities found in your environment. Each remediation in the table includes the following:

  • Type (on-prem or cloud)
  • A short description of the remediation
  • A risk score calculated from the active risk score on the vulnerabilities and total number of assets impacted
  • The number of assets, images, CVEs, and findings that are associated with the risk
    • Note that due to the time it takes to sync data for Remediation Hub, the count of assets affected by a given remediation may vary between Remediation Hub, Cloud Security (InsightCloudSec), and InsightVM.
  • The source of the remediation. Learn more about third-party vulnerabilities and remediations.

To get started with implementing remediations:

  • Apply filters to reduce the scope of remediations and assets returned in the Remediation Hub.
ℹ️

Special filters

  • Click Export to export the top 25 remediations in the current view as a CSV file. To create a scheduled HTML report, go to Top remediations report for details.

Details

Click a remediation from the table to open a panel containing an AI overview of the remediation, details on the total number of impacted assets and vulnerabilities, and a description of the remediation.

Depending on the type of asset, available details may differ but can include:

If the asset is available in Vulnerability Management (InsightVM) or Attack Surface Management (Surface Command), you can click Actions (…) > View Asset or Actions (…) > View Attack Surface to view the asset in Vulnerability Management (InsightVM) or Attack Surface Management (Surface Command), respectively.

AI Overview

ℹ️

Concerns about AI?

Rapid7 does not use any customer data for training or fine-tuning our large language models (LLMs), nor do we share your data with any third-party LLMs for their training purposes. If you would prefer to opt out of AI usage, contact your CSA or Support.

Rapid7 offers AI-generated summaries of a remediation that help you understand the criticality, exploitability, and potential impact of the CVEs detected in the environment, highlighting the risks of not applying a remediation. Business context, such as asset tags and affected systems, is also included with the analysis to help your security teams understand the operational complexity involved. Additionally, the AI Overview enhances remediation insights with clear, actionable recommendations and next steps for effective implementation.

The summaries are generated from data already visible in Remediation Hub and Rapid7’s own vulnerability intelligence. The model is never trained on your data, never sends information outside Rapid7’s secure, access-restricted infrastructure, and outputs are isolated per organization.

You can use icons at the bottom of the AI Overview panel to send Rapid7 feedback about the feature. This helps Rapid7 monitor quality and improve the feature over time.

Third-party vulnerabilities and remediations

Remediation Hub can report vulnerabilities and remediations from third-party sources if the matching Attack Surface Management (Surface Command) connector is installed. Remediation Hub supports this functionality for the following connectors:

  • Amazon Inspector
  • Claroty xDome
  • Dragos Vulnerability
  • ManageEngine Endpoint
  • Microsoft Defender
  • Orca
  • Qualys Vulnerability Management Detection & Response (VMDR)
  • Red Hat Insights
  • SentinelOne
  • Tenable (Tenable.io)
  • Tenable Security Center (SC)
  • Wiz

Assess endpoint protection and patch management coverage

On the Impacted Assets tab, the Endpoint Protection and Patch Management columns show the status of mitigating controls for each asset. These columns use the following statuses to indicate whether the control is detected for the asset:

  • Available: A supported Attack Surface Management (Surface Command) connector confirms the mitigating control for the asset.
    • Patch Management: A patch management connector is available for the asset.
    • Endpoint Protection: An endpoint protection connector reports MITRE ATT&CK mitigation M1040 or M1049 for the impacted asset. You can also hover over the status to see any available MITRE ATT&CK framework mitigation details.
  • None: The asset exists in Attack Surface Management (Surface Command) but no connector reports the mitigating control.
    • Patch Management: No patch management connector is associated with the asset.
    • Endpoint Protection: No connector reports MITRE ATT&CK mitigations M1040 or M1049 for the asset.
  • Unknown: The asset was not found in Attack Surface Management (Surface Command), so the Command Platform cannot determine whether patch management or endpoint protection controls are available. This may occur when Attack Surface Management (Surface Command) is not enabled or the asset exists in another source (for example, Vulnerability Management (InsightVM)) but has not been discovered by or synced into Attack Surface Management (Surface Command) yet.
  • Reboot Required: Patch Management only. The asset requires a reboot before the Command Platform can retrieve the latest control status.

Trigger workflows for assets

Automation (InsightConnect) workflows can assist with your remediation efforts, including creating Jira tickets, creating ServiceNow incidents, and much more. From the remediation detail panel, you can send a remediation to a workflow or view automation log, artifact, and output history for a remediation.

To send a remediation to a workflow:

  1. From Command Home, go to Response & Remediation > Remediation Hub.
  2. Find a remediation you want to send to a workflow.
  3. Click the Remediation name to open the details panel.
  4. Click Send to Workflow to open a panel containing Automation (InsightConnect) workflows. Automation (InsightConnect) workflows appear on the panel if they have the Remediation Hub trigger. Note: The Send to Remediation Hub workflow currently supports up to 10,000 assets. If the selected remediation contains more than 10,000 assets, you need to add filters.
ℹ️

Want more workflows?

You can download more workflows from the Extension Library (click Open Extension Library) or you can create them in Automation (InsightConnect). To learn more about creating and managing workflows, review the Automation (InsightConnect) documentation.

  5. Select a workflow to show workflow and remediation details.
  6. Click Run.

To view automation log, artifact, and output history:

  1. From Command Home, go to Response & Remediation > Remediation Hub.
  2. Find a remediation you want to send to a workflow.
  3. Click the Remediation name to open the details panel.
  4. Click the Automations value to open a list of automations that have run for this remediation.
  5. Find a workflow you want to review.
  6. Click View Details next to the workflow to review information, logs, artifacts, and outputs for that workflow.
ℹ️

Asset limit for workflow

The Send to Remediation Hub workflow currently supports up to 10,000 assets. If the selected remediation contains more than 10,000 assets, you need to add filters.

Top remediations report

You can create a report featuring the top 25 remediations directly from Remediation Hub, with all filters that are applied on Remediation Hub returned in the report. This report:

  • Enables security teams to share clear, actionable remediation guidance with asset owners
  • Eliminates the need to jump back to the Vulnerability Management (InsightVM) console to generate reports
  • Works across multi-product environments (Vulnerability Management (InsightVM), Cloud Security (InsightCloudSec), Attack Surface Management (Surface Command)), so one report can convey your full attack surface

To create a top 25 remediations report:

  1. From the Command Platform, go to Response & Remediation > Remediation Hub.
  2. Filter the Remediation Hub as needed.
  3. Select Create Report.
  4. Choose a report type and select Open:
    • Top Remediations Summary - See the top 25 remediation actions from your current filters that reduce the most risk. Use this report to prioritize fixes based on their overall impact.
    • Top Remediations Summary with Assets - See the top 25 remediation actions from your current filters that reduce the most risk, including the affected assets for each action. Use this report to identify where to apply each fix.
  5. Optionally, adjust the report name and description.
  6. Select at least one format: HTML, PDF, or CSV.
  7. Optionally, update the Scheduling:
    1. To generate a report now, turn on Trigger report on save.
    2. To generate the report on a recurring schedule, click + Add Schedule.
      1. Click the new schedule entry.
      2. Select a start date for the report.
      3. Enter a repeat timeframe. For example, repeat every 3 days.
      4. Enter a time to generate the report.
      5. Configure when the report should end (never or a selected date).
      6. Select users or email addresses that you want to share the reports with.
  8. Optionally, click Add Another Schedule to add a separate schedule.
  9. Click Create.
ℹ️

Want to review your report?

After creating a report, you can open it in the Command Platform by going to Reports & Dashboards > Reports. From this page, you can easily search for reports by report date or date generated, sort reports, manage tags and add favorites, and select different ways to filter. You can also view (HTML) or download (PDF) your reports.