Rapid7 Active Response

Rapid7 Active Response is an optional add-on to our Managed Detection and Response (MDR) service that enables our expert SOC analysts to respond directly to validated threats in your environment.

With Active Response, our analysts can isolate endpoints and disable compromised user accounts within minutes, limiting attacker dwell time and accelerating time to respond.

How it works

Here’s how Rapid7 Active Response works:

  • During setup, you will install the required on demand response actions, set up connections and add a list of users and assets (such as critical servers, users, or devices) that you want excluded from quarantine actions, to global artifacts. This way, we don’t treat your Domain Controller the same as a typical asset.
  • Active Response then uses the Rapid7 Insight Agent or supported Third Party EDR (Carbon Black Cloud, SentinelOne, Crowdstrike Falcon, and Microsoft Windows Defender ATP) to isolate threats by quarantining users or endpoints as early in the kill chain as possible, preventing malware propagation across your systems, lateral movement, or data exfiltration.
  • Outcomes of the actions will be available to view on InsightIDR investigations.

Active Response Deployment Overview

Active Response Deployment Milestones are listed below:

The following sections contain installation and configuration instructions to guide you through the deployment process.

StepContent
Active Response 2.0 RequirementsCovers eligibility requirements for Active Response 2.0 and requirements for the Insight Agent.
On demand response actionsA walk-through for setting up on demand response actions.