Exposure Command Overview

Exposure Command extends the power of Surface Command, combining the power of complete attack surface visibility with high-fidelity risk context and insight into your organization’s security posture, aggregating findings from both our native exposure detection capabilities as well as third-party exposure and enrichment sources you’ve already got in place. This situational awareness enables teams to focus on the exposures and vulnerabilities that attackers have in their sights with the threat-aware risk context needed to prioritize more efficiently and effectively. For more details on Surface Command, visit the Surface Command Overview.

Exposure Command goes beyond monitoring and asset inventory mapping, enriching telemetry with compliance and risk findings from Rapid7’s entire set of exposure management capabilities. Combined, on-prem vulnerability management, cloud security, and application testing enable security and risk management teams to shift from reactive to proactive, continuously assessing your attack surface, validating exposures and providing actionable remediation guidance that takes into account existing downstream controls and the blast radius of a potential compromise. Native, no-code automation ensures teams operationalize their exposure management programs efficiently, with more than 450+ out-of-the-box integrations with popular security and ITOps tools.

Exposure Command features

Rapid7 currently offers the following product options for Surface Command and by extension, Exposure Command:

  • Surface Command is for teams looking to consolidate their attack surface into a unified, single-pane-of-glass view.
  • Exposure Command is for teams looking for a holistic view of their attack surface (Surface Command) as well as some cloud and on-premise monitoring, including attack path analysis, risk prioritization, and vulnerability management.
  • Exposure Command Advanced is for teams looking for a holistic view of their attack surface (Surface Command) as well as extensive cloud and on-premise monitoring, compliance alignment, infrastructure as code (IaC) scanning, automation capabilities, least privileged access management, and threat detection.

Feature comparison

The following table lists key differences between the products at a feature-level.

Attack Surface management

Included CapabilitySurface CommandExposure CommandExposure Command Advanced
Asset Discovery and Unified Inventory
Attack Surface Visibility, including Identities, Software, and Controls
Asset Enrichment with Security Context
Blast Radius Mapping with Asset Graph
Built-In Automation and Policy Enforcement
External Attack Surface Discovery
Continuous Assessment Service (Coming Soon)Add-OnAdd-OnAdd-On

Exposure management

Included CapabilitySurface CommandExposure CommandExposure Command Advanced
Multi-cloud Visibility Across AWS, Azure, GCP, and Kubernetes (limited to CIS Compliance-related resources)¹-
Extended Cloud Visibility Across AWS, Azure, GCP, Kubernetes, Oracle Cloud Infrastructure, and Alibaba Cloud (all resource types)--
Cloud and Container Vulnerability Assessment-
Best Practices Configuration Assessment, including CIS-
Contextual Risk Prioritization (Layered Context)-
Attack Path Analysis-
Notifications and Integrations-
100s of Out-of-the-Box Compliance Policies and Industry Standards--
Infrastructure as Code (IaC) Scanning--
Effective and Least Privileged Access (LPA) Management--
Cloud Threat Detection--
Automated Cloud Remediation--
Discovery, Vulnerability, and Policy Scanning-
Agent-based Vulnerability and Policy Assessment-
Dynamic Asset Tagging with Criticality Rating-
Threat Aware Active Risk Score-
Customizable Live Dashboards and Reporting-
Remediation Workflows-
Goals & SLAs-
Dynamic Application Security Testing (DAST)--
Executive Risk View-
Remediation Hub (Coming Soon)-
Bulk Data Export API (Coming Soon)-
450+ Out-of-the-Box Integrations with Security and ITOps Tools-
Security, Orchestration, Automation, and Response (SOAR)-
¹ Exposure Command Product Resource Limitations

The Exposure Command product is limited to monitoring only the resources that are related to CIS and AWS Foundations compliance. The resource types in the following table come directly from the InsightCloudSec inventory view.

Resource TypeAWS TypeAzure TypeGCP TypeKubernetes Type
Access ListNACL/Security GroupNetwork Security GroupNetwork Firewall
Access List Flow LogNSG Flow Logs
Access List RuleNACL/Security Group RulesSecurity RulesFirewall Rules
API Access KeyIAM User Access KeyApplication CredentialsService Account Key
API Accounting ConfigCloudTrailLogs Storage
App ConfigurationApp Configuration
Automation AccountAutomation Account
Autoscaling GroupAutoscaling GroupVirtual Machine Scale SetsAutoscalers
Batch EnvironmentBatch Compute EnvironmentBatch Account
Big Data InstanceRedshift
Big Data WorkspaceSynapse
Bot ServiceBot Service
Cache InstanceElastiCacheRedis CacheMemorystore
Cloud AccountCloud AccountSubscriptionProject
Cloud Access PointS3 Access Point
Cloud AppApp Registration
Cloud CredentialsAPI Keys
Cloud DatasetBig Query Dataset
Cloud GroupIAM GroupAzure Active Directory GroupGroup
Cloud PolicyIAM Policy (Customer Managed)Role DefinitionRole Permission Set
Cloud RegionRegionRegionRegion
Cloud RoleIAM RoleAzure Active Directory Service PrincipalService Account
Cloud UserIAM UserAzure Active Directory UserUser
ClustersEKS/ECS/Fargate ClusterKubernetes ServiceGKE
Cognitive SearchCognitive Search
Cold StorageGlacier
Container RegistryContainer Registry (ECR)Container RegistryContainer Registry
Content Delivery NetworkCloudFrontCDN Profile, Front Door (Standard/Premium)Cloud CDN
Control PlaneControl Plane
DatabaseSQL Database/Dedicated SQL PoolCloud SQL Database
Database ClusterRDS Aurora, Neptune, DocumentDB
Database InstanceRDS Database, Neptune, DocumentDBSQL Server, Azure Database for PostgreSQL/MySQL/MariaDBCloud SQL
Databricks WorkspaceDatabricks Workspace
Data FactoryData FactoryData Fusion
Data StreamKinesisEvent Hub Namespace
Dataflow JobDataflow Job
Delivery StreamFirehose
Directory ServiceDirectory Service
Distributed TableDynamoDBAzure Cosmos DB
Distributed Table ClusterDynamoDB Accelerator (DAX)Bigtable
DLP JobDLP Inspection Job
DNS ZoneRoute53 DNS ZoneDNS ZoneDNS Zone
Elasticsearch InstanceOpenSearch
Encryption KeyKMSKey Vault KeyCloud KMS CryptoKey
Encryption Key VaultKey VaultCloud KMS Keyring
Event Grid TopicEvent Grid Topic
Global Load BalancerGlobal AcceleratorFront Door (Classic)
GraphQL APIAppSync API
 InstanceEC2 InstanceVirtual MachineCompute Engine
Load BalancerLoad Balancer (ELB/ALB/NLB/Gateway)Load Balancer/Application GatewayLoad Balancer
Log GroupCloudWatch Log Group
Logic AppLogic App
Machine Learning InstanceSagemaker NotebookAI Platform Notebook
MapReduce ClusterElastic MapReduce (EMR)HDInsightClusterDataproc
Message QueueSimple Queue Service (SQS)Service Bus Queue
NetworkVPCVirtual NetworkVPC
Network PeerVPC PeerPeeringsNetwork Peer
PodsPod
Private SubnetVPC SubnetSubnetSubnetwork
SecretSecretSecretSecretSecret
Serverless FunctionLambdaFunctionCloud Function
Shared File SystemEFS/FSxFile ShareCloud Filestore
SSL CertificateIAM/ACM SSL CertificateSSL CertificateSSL Certificate
Storage AccountStorage Account
Storage ContainerS3 BucketBlog Storage ContainerCloud Storage
Stream InstanceMSK Instance
Task DefinitionsTask Definition (ECS)
VolumeEBS VolumeDiskPersistent Disk
Web AppElastic Beanstalk EnvironmentApp Service
Web Application FirewallWeb Application FirewallWeb Application Firewall PoliciesCloud Armor
WorkspaceWorkspace Instances

Onboarding experiences

The following table lists the different experiences and onboarding timelines for each of the CRC offerings.

Implementation Success PackageSurface CommandExposure CommandExposure Command Advanced
Attack Surface Management---
Cloud Security-2 half-day sessions2 days
On-Prem Vulnerability Management-Workshops & Technical Assistance2 days