Quick Start Guide
Surface Command brings together attack surface visibility and exposure management so you can find, assess, and act on external threats. This Quick Start Guide outlines what to expect during, and how to approach, each phase of the Surface Command deployment process.
- Phase 1: Get up and running: You’ll install the recommended connectors, set up Attack Surface Management, and add and configure the connectors for your third-party Attack Surface Management data sources.
- Phase 2: Explore Surface Command: You’ll start to see data appear in Attack Surface Management and can begin observing and reviewing that data.
- Phase 3: Review and explore more: You’ll learn how to create queries, widgets, and dashboards to start curating your desired perspective of your attack surface, review Remediation Hub, and add automation where needed.
Prepare for deployment
To ensure you can get up and running with Surface Command as quickly as possible, it’s important to understand your new offering and the necessary deployment tasks as well as to create a plan for deployment.
Key Surface Command concepts and components
Before installing anything, it’s important to familiarize yourself with the various concepts and components that make up Surface Command:
- Connector - A software component that enables Attack Surface Management to collect data from an information source, such as vulnerability scanners, endpoint protection platforms, or cloud services. Each connector understands the API and data schema of its target source. Attack Surface Management provides connectors for most major tools and supports custom connectors for enterprise-specific systems. Learn more about connectors.
- Orchestrator - A software component deployed in your environment when Attack Surface Management cannot access an information source directly. Orchestrators collect data from internal or private cloud sources and can also execute actions. After deployment, orchestrators are paired to Attack Surface Management, and one or more connectors are assigned to them.
- Profile - A configuration that contains credentials and import feeds for a specific connector. A connector may have one or more profiles.
- Import Feed - A scheduled task that runs a specific data ingestion job. A connector may have multiple associated import feeds.
- Attack Surface - Divided into internal and external components. The internal surface includes assets and identities. The external surface includes IPs, domains, certificates, and services exposed to the internet. Attack Surface Management discovers external assets using domain and IP seeds. Learn more about your Attack Surface Management attack surface.
- Asset - Any network-connected device, such as a server, workstation, mobile device, or printer. Assets are created automatically when data is ingested from connectors.
- Identity - A user-based entity like a username, service account, or shared mailbox. Identities can be human or non-human.
- Seed - A public domain name or IP address associated with your organization that can be used to find subdomains, network services, and TLS certificates.
- Type - A schema that defines how data is structured for a specific kind of asset or identity. Each connector introduces its own types, which Attack Surface Management maps into standardized unified types (for example, Server, Identity, or Vulnerability). These unified types allow for cross-source correlation and query filtering. Explore unified properties.
- Filter Table - An interactive data table that lets you refine and analyze discovered assets. Each column in the table includes filter options, enabling you to quickly narrow results based on specific values or conditions.
- Query - A request written in Cypher or built using the graphical interface to retrieve data ingested by connectors. Queries cannot modify data but can be customized to extract specific insights. Prebuilt queries are available, and you can also create your own. Learn more about queries.
- Reference list - External data imported using Excel or CSV files that augments connector data. Use reference lists to enrich queries (for example, to correlate network zones with business units).
- Dashboard - A customizable interface that displays key metrics and insights using widgets. Dashboards help you monitor your security posture visually. Learn more about dashboards.
- Widget - A visual component that displays filtered results from a query using charts, such as trend charts, pie charts, and bar charts, or graphs. Widgets can be customized to show counts, trends, or metrics. The default widgets on the Attack Surface Management home page provide asset counts by unified type and are not editable.
Rapid7 capabilities overview
Several capabilities are packaged with the Surface Command offering. For more information, review the various capability-oriented documentation:
Log in to the Command Platform
The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud offerings, capabilities, and services. It provides a centralized location for administrative functions and makes navigating the platform simple. To log in to the platform, you need a Rapid7 Command Platform account.
Already have a Command Platform account?
If you already have a Command Platform account (formerly known as the Insight Platform) from a trial or existing subscription to another Rapid7 solution, you’re all set! Use your existing email address to log in to insight.rapid7.com/login.
To create an account:
- Check your corporate email inbox for an email from the Rapid7 Command Platform team.
- Visit insight.rapid7.com/login.
- Select Haven’t activated your account?.
- Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Advisor (CSA).
- Refer to the activation email and follow the instructions to create and activate your Command Platform account.
Phase 1: Get up and running
After you have familiarized yourself with Surface Command and logged in to the Command Platform to confirm your account is set up properly, you’re ready to get everything up and running.
Install and schedule connectors
Install the following recommended connectors to begin enriching your attack surface data:
- MITRE CWE
- MITRE D3FEND
Some connectors are installed, turned on, and scheduled by default. When you first visit the Connectors page, you’ll notice several pre-installed connectors that run by default. These include: Rapid7 Command Platform, Attack Surface Management Built-ins, Dashboards, and Machine Learning services. These provide essential platform functionality and don’t require management.
Installation steps for each connector follow a consistent pattern. Use the + Connector button to browse the Rapid7 Extension Library, install the connector, create a profile, and schedule it (where applicable).
Set up Attack Surface Management
To start unifying asset data across hybrid environments to break down silos and deliver a comprehensive, real-time view of your attack surface, you’ll need to set up Attack Surface Management. Follow the instructions in Get Started with Attack Surface Management (Surface Command) and then return to the Surface Command Quick Start Guide.
Add and configure additional connectors
Add and configure additional connectors for your third-party Attack Surface Management data sources to further enrich your attack surface data (for example, Entra ID, MS Defender, or CrowdStrike). To use connectors such as Active Directory to gather on-prem data, you’ll need to install and configure the Automation (InsightConnect) Orchestrator.
Phase 2: Explore Surface Command
Now that you’re set up properly, you’ll need to use the default dashboards to verify that your asset data is available and that connectors are functioning correctly. You’ll then spend time exploring and querying your data and using dashboards and widgets.
Validate configuration
To verify external and internal asset data availability and installed connectors, follow the Get Started with Attack Surface Management instructions and then return to the Surface Command Quick Start Guide.
Explore data
Now that data is flowing regularly, you can focus on exploring your attack surface. You’ll learn how to navigate and filter your assets and identities and save custom views for later use. Follow Explore your data and then return to the Surface Command Quick Start Guide.
Phase 3: Review and explore more
Now that you’re comfortable with Attack Surface Management, have high attack surface visibility, and have explored your assets in depth, you’re ready to learn about widgets and dashboards, explore Remediation Hub, and add automation.
Customize and query
Now you’re ready to build widgets and dashboards. If filters aren’t flexible enough for your needs, you can get started with the Query Builder inside the Workspace. Follow Customize and query and then return to the Surface Command Quick Start Guide.
Explore Remediation Hub
To start prioritizing and consolidating related vulnerabilities into high-impact remediation tasks, you can start exploring Remediation Hub. Refer to Remediate Risk and then return to the Surface Command Quick Start Guide.
Set up Automation (InsightConnect)
To start building automated workflows to handle security operations tasks, you’ll need to set up Automation (InsightConnect). Refer to Get Started with Automation (InsightConnect) and then return to the Surface Command Quick Start Guide.
Connect with Rapid7
Support
If you run into any problems with Surface Command, search the documentation for solutions or contact Rapid7 Support through the customer portal.
Rapid7 Academy
The Rapid7 Academy holds training, webcasts, workshops, and more, all led by our Rapid7 experts.
- On-demand training helps you get started with Rapid7 products, answers frequently asked questions, and recommends best practices.
- Rapid7 Webcasts are hosted by Rapid7’s teams and provide a forum where you can learn about best practices as well as what’s new in your Rapid7 products.
- Virtual Instructor-Led Training Courses are live training sessions broken down by product and available for enrollment.
- Certification Exams are product-specific exams to help you demonstrate your knowledge of using Rapid7’s solutions as a cybersecurity professional.
- Product Workshops are Rapid7’s free training on all things, all products, and are on average about an hour long.
Communications
To make sure you receive the Rapid7 communications that best suit your needs, set your communication preferences.
- Whether it’s an emergent cybersecurity threat, a product update, or a notice of service degradation for maintenance, we’ll alert you with an in-product message to ensure you’re aware of all that affects your environment.
- Rapid7’s research provides information on a variety of topics, such as cloud misconfigurations, vulnerability management, detection and response, application security, and more.
- Rapid7’s blog offers conversational guidance and information from our security experts.
Communities
Rapid7 supports a range of open-source projects. Consider joining one of our Open-Source communities!
- Surface Command is a place for topics surrounding Surface Command, including connectors, queries, dashboards, and even use cases to get started with.
- AttackerKB captures, highlights, and expands on security researcher knowledge to shed light on the specific conditions and characteristics that make a vulnerability exploitable and useful to attackers.
- Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.
- Metasploit empowers and arms defenders to stay one step ahead of the game by verifying vulnerabilities, managing security assessments, and improving security awareness.
- Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
- Our customer advocacy program, Rapid7 Voice, provides you with a network of customers, offers the chance to deepen your security expertise, and provides the opportunity to share input on future product developments.