Surface Command Overview
Surface Command breaks down data silos by combining comprehensive attack surface visibility across hybrid environments to build a dynamic 360-degree view of your entire attack surface in one place. External scans provide an adversary’s perspective on the attack surface, detecting and validating exposures while highlighting areas attackers are most likely to target.
Surface Command combines these external scans with a detailed inventory of your internal assets, no matter the security or IT tool used to scan them. This process delivers complete visibility into your attack surface without the risk of blind spots, unprotected assets, and ungoverned access. Understanding how assets are configured assists in quickly identify and address misconfigurations, shadow IT, and compliance issues. This integrated approach gives you a holistic view of your digital landscape, enabling proactive risk mitigation, threat prevention, and rapid response.
Data flow
Surface Command pulls data from the various connectors to provide a complete picture of your environment. Surface Command also monitors the data for changes, and optionally, takes action using workflows. There are several parts to this process:
- Ingestion - Surface Command pulls data using Connectors. Connectors' ingestion can be scheduled to run at the time and frequency that is most appropriate for your environment (typically daily).
- Correlation - As data comes in from Connectors, Surface Command correlates the data that refers to the same object and provides a unified view of that object. Each unified view of an object is represented as an asset in the system. Each of the records that are determined to be referring to the same object are linked to that unified asset. Correlation also tracks relationships between data. If an information source indicates a relationship between two objects (for example, a Machine has a specific IP address or owner), those relationships are inherited by the unified object they are correlated with.
- Unified property fulfillment - Each unified asset has a list of properties that are common for that type of asset. The most appropriate value for each of those properties is determined by evaluating the related properties of the correlated information source records and choosing the best value to include in the property of the unified asset. When you run queries for unified assets and look at their details, you are presented with these fulfilled unified properties, but you can also display all of the information source properties that were considered.
Surface Command features
Rapid7 currently offers the following product options containing Surface Command:
- Surface Command is for teams looking to consolidate their attack surface into a unified, single-pane-of-glass view.
- Exposure Command is for teams looking for a holistic view of their attack surface (Surface Command) as well as some cloud and on-premise monitoring, including attack path analysis, risk prioritization, and vulnerability management.
- Exposure Command Advanced is for teams looking for a holistic view of their attack surface (Surface Command) as well as extensive cloud and on-premise monitoring, compliance alignment, infrastructure as code (IaC) scanning, automation capabilities, least privileged access management, and threat detection.
Feature comparison
The following table lists key differences between the products at a feature-level.
Attack Surface management
| Included Capability | Surface Command | Exposure Command | Exposure Command Advanced |
|---|---|---|---|
| Asset Discovery and Unified Inventory | ✓ | ✓ | ✓ |
| Attack Surface Visibility, including Identities, Software, and Controls | ✓ | ✓ | ✓ |
| Asset Enrichment with Security Context | ✓ | ✓ | ✓ |
| Blast Radius Mapping with Asset Graph | ✓ | ✓ | ✓ |
| Built-In Automation and Policy Enforcement | ✓ | ✓ | ✓ |
| External Attack Surface Discovery | ✓ | ✓ | ✓ |
| Continuous Assessment Service (Coming Soon) | Add-On | Add-On | Add-On |
Exposure management
| Included Capability | Surface Command | Exposure Command | Exposure Command Advanced |
|---|---|---|---|
| Multi-cloud Visibility Across AWS, Azure, GCP, and Kubernetes (limited to CIS Compliance-related resources)¹ | - | ✓ | ✓ |
| Extended Cloud Visibility Across AWS, Azure, GCP, Kubernetes, Oracle Cloud Infrastructure, and Alibaba Cloud (all resource types) | - | - | ✓ |
| Cloud and Container Vulnerability Assessment | - | ✓ | ✓ |
| Best Practices Configuration Assessment, including CIS | - | ✓ | ✓ |
| Contextual Risk Prioritization (Layered Context) | - | ✓ | ✓ |
| Attack Path Analysis | - | ✓ | ✓ |
| Notifications and Integrations | - | ✓ | ✓ |
| 100s of Out-of-the-Box Compliance Policies and Industry Standards | - | - | ✓ |
| Infrastructure as Code (IaC) Scanning | - | - | ✓ |
| Effective and Least Privileged Access (LPA) Management | - | - | ✓ |
| Cloud Threat Detection | - | - | ✓ |
| Automated Cloud Remediation | - | - | ✓ |
| Discovery, Vulnerability, and Policy Scanning | - | ✓ | ✓ |
| Agent-based Vulnerability and Policy Assessment | - | ✓ | ✓ |
| Dynamic Asset Tagging with Criticality Rating | - | ✓ | ✓ |
| Threat Aware Active Risk Score | - | ✓ | ✓ |
| Customizable Live Dashboards and Reporting | - | ✓ | ✓ |
| Remediation Workflows | - | ✓ | ✓ |
| Goals & SLAs | - | ✓ | ✓ |
| Dynamic Application Security Testing (DAST) | - | - | ✓ |
| Executive Risk View | - | ✓ | ✓ |
| Remediation Hub (Coming Soon) | - | ✓ | ✓ |
| Bulk Data Export API (Coming Soon) | - | ✓ | ✓ |
| 450+ Out-of-the-Box Integrations with Security and ITOps Tools | - | ✓ | ✓ |
| Security, Orchestration, Automation, and Response (SOAR) | - | ✓ | ✓ |
¹ Exposure Command Product Resource Limitations
The Exposure Command product is limited to monitoring only the resources that are related to CIS and AWS Foundations compliance. The resource types in the following table come directly from the InsightCloudSec inventory view.
| Resource Type | AWS Type | Azure Type | GCP Type | Kubernetes Type |
|---|---|---|---|---|
| Access List | NACL/Security Group | Network Security Group | Network Firewall | |
| Access List Flow Log | NSG Flow Logs | |||
| Access List Rule | NACL/Security Group Rules | Security Rules | Firewall Rules | |
| API Access Key | IAM User Access Key | Application Credentials | Service Account Key | |
| API Accounting Config | CloudTrail | Logs Storage | ||
| App Configuration | App Configuration | |||
| Automation Account | Automation Account | |||
| Autoscaling Group | Autoscaling Group | Virtual Machine Scale Sets | Autoscalers | |
| Batch Environment | Batch Compute Environment | Batch Account | ||
| Big Data Instance | Redshift | |||
| Big Data Workspace | Synapse | |||
| Bot Service | Bot Service | |||
| Cache Instance | ElastiCache | Redis Cache | Memorystore | |
| Cloud Account | Cloud Account | Subscription | Project | |
| Cloud Access Point | S3 Access Point | |||
| Cloud App | App Registration | |||
| Cloud Credentials | API Keys | |||
| Cloud Dataset | Big Query Dataset | |||
| Cloud Group | IAM Group | Azure Active Directory Group | Group | |
| Cloud Policy | IAM Policy (Customer Managed) | Role Definition | Role Permission Set | |
| Cloud Region | Region | Region | Region | |
| Cloud Role | IAM Role | Azure Active Directory Service Principal | Service Account | |
| Cloud User | IAM User | Azure Active Directory User | User | |
| Clusters | EKS/ECS/Fargate Cluster | Kubernetes Service | GKE | |
| Cognitive Search | Cognitive Search | |||
| Cold Storage | Glacier | |||
| Container Registry | Container Registry (ECR) | Container Registry | Container Registry | |
| Content Delivery Network | CloudFront | CDN Profile, Front Door (Standard/Premium) | Cloud CDN | |
| Control Plane | Control Plane | |||
| Database | SQL Database/Dedicated SQL Pool | Cloud SQL Database | ||
| Database Cluster | RDS Aurora, Neptune, DocumentDB | |||
| Database Instance | RDS Database, Neptune, DocumentDB | SQL Server, Azure Database for PostgreSQL/MySQL/MariaDB | Cloud SQL | |
| Databricks Workspace | Databricks Workspace | |||
| Data Factory | Data Factory | Data Fusion | ||
| Data Stream | Kinesis | Event Hub Namespace | ||
| Dataflow Job | Dataflow Job | |||
| Delivery Stream | Firehose | |||
| Directory Service | Directory Service | |||
| Distributed Table | DynamoDB | Azure Cosmos DB | ||
| Distributed Table Cluster | DynamoDB Accelerator (DAX) | Bigtable | ||
| DLP Job | DLP Inspection Job | |||
| DNS Zone | Route53 DNS Zone | DNS Zone | DNS Zone | |
| Elasticsearch Instance | OpenSearch | |||
| Encryption Key | KMS | Key Vault Key | Cloud KMS CryptoKey | |
| Encryption Key Vault | Key Vault | Cloud KMS Keyring | ||
| Event Grid Topic | Event Grid Topic | |||
| Global Load Balancer | Global Accelerator | Front Door (Classic) | ||
| GraphQL API | AppSync API | |||
| Instance | EC2 Instance | Virtual Machine | Compute Engine | |
| Load Balancer | Load Balancer (ELB/ALB/NLB/Gateway) | Load Balancer/Application Gateway | Load Balancer | |
| Log Group | CloudWatch Log Group | |||
| Logic App | Logic App | |||
| Machine Learning Instance | Sagemaker Notebook | AI Platform Notebook | ||
| MapReduce Cluster | Elastic MapReduce (EMR) | HDInsightCluster | Dataproc | |
| Message Queue | Simple Queue Service (SQS) | Service Bus Queue | ||
| Network | VPC | Virtual Network | VPC | |
| Network Peer | VPC Peer | Peerings | Network Peer | |
| Pods | Pod | |||
| Private Subnet | VPC Subnet | Subnet | Subnetwork | |
| Secret | Secret | Secret | Secret | Secret |
| Serverless Function | Lambda | Function | Cloud Function | |
| Shared File System | EFS/FSx | File Share | Cloud Filestore | |
| SSL Certificate | IAM/ACM SSL Certificate | SSL Certificate | SSL Certificate | |
| Storage Account | Storage Account | |||
| Storage Container | S3 Bucket | Blog Storage Container | Cloud Storage | |
| Stream Instance | MSK Instance | |||
| Task Definitions | Task Definition (ECS) | |||
| Volume | EBS Volume | Disk | Persistent Disk | |
| Web App | Elastic Beanstalk Environment | App Service | ||
| Web Application Firewall | Web Application Firewall | Web Application Firewall Policies | Cloud Armor | |
| Workspace | Workspace Instances |
Onboarding experiences
The following table lists the different experiences and onboarding timelines for each of the CRC offerings.
| Implementation Success Package | Surface Command | Exposure Command | Exposure Command Advanced |
|---|---|---|---|
| Attack Surface Management | - | - | - |
| Cloud Security | - | 2 half-day sessions | 2 days |
| On-Prem Vulnerability Management | - | Workshops & Technical Assistance | 2 days |
Did this page help you?