Get started with Surface Command | Surface Command Documentation

The Command Platform is your centralized hub for managing Rapid7 solutions. To access it, you’ll need an account.

To create an account:

1. Check your corporate email inbox for an email from the Command Platform team.
2. Visit [https://insight.rapid7.com/login ]
3. Select Haven’t activated your account?
4. Enter your corporate email address to receive an activation email.
   1. Didn’t get it? Contact your Customer Adoption Manager (CAM) or Customer Success Advisor (CSA).
5. Follow the activation email instructions to complete setup.

Before you begin, review the core concepts and components that define Surface Command:

• Connector - A software component that enables Surface Command to collect data from an information source, such as vulnerability scanners, endpoint protection platforms, or cloud services. Each connector understands the API and data schema of its target source. Surface Command provides connectors for most major tools and supports custom connectors for enterprise-specific systems. Learn more about Connectors.
  • Orchestrator - A software component deployed in your environment when Surface Command cannot access an information source directly. Orchestrators collect data from internal or private cloud sources and can also execute actions. After deployment, orchestrators are paired to Surface Command, and one or more connectors are assigned to them.
  • Profile - A configuration that contains credentials and import feeds for a specific connector.
  • Import Feed - A scheduled task that runs a specific data ingestion job. A connector may have multiple associated import feeds.
• Attack Surface - Divided into internal and external components. The internal surface includes assets and identities. The external surface includes IPs, domains, certificates, and services exposed to the internet. Surface Command discovers external assets using domain and IP seeds. Learn more about your Surface Command attack surface.
  • Asset - Any network-connected device, such as a server, workstation, mobile device, or printer. Assets are created automatically when data is ingested from connectors.
  • Identity - A user-based entity like a username, service account, or shared mailbox. Identities can be human or non-human.
  • Seed - A discoverable domain, subdomain, CIDR, or IP used in external asset discovery to uncover certificates, services, and subdomains.
  • Type - * A schema that defines how data is structured for a specific kind of asset or identity. Each connector introduces its own types, which Surface Command maps into standardized unified types (for example, Server, Identity, or Vulnerability). These unified types allow for cross-source correlation and query filtering. Explore unified properties.
• Query - A request written in Cypher or built using the graphical interface to retrieve data ingested by connectors. Queries cannot modify data but can be customized to extract specific insights. Prebuilt queries are available, and you can also create your own. Learn more about Queries.
  • Reference list - External data imported using Excel or CSV files that augments connector data. Use reference lists to enrich queries (for example, to correlate network zones with business units).
• Dashboard - A customizable interface that displays key metrics and insights using widgets. Dashboards help you monitor your security posture visually. Learn more about Dashboards.
  • Widget - A visual component that displays filtered results from a query using charts or graphs. Widgets can be customized to show counts, trends, or metrics. The default widgets on the Surface Command home page provide asset counts by unified type and are not editable.
• Workflow - A repeatable software process that executes steps based on query results. Workflows can be triggered automatically or manually to drive consistent response actions. Learn more about Workflows.
  • Function - A reusable unit of code that interacts with remote systems to retrieve data or take action. Functions serve as the building blocks of workflows and are typically included with connector packages.

Surface Command uses unified types to normalize data across diverse sources like EDRs, vulnerability scanners, cloud APIs, CMDBs, and identity providers. Unified types represent generalized object classes—such as Asset, Network, Identity, and Vulnerability—and define standardized properties and relationships.

You can access the Unified Model Explorer from:

• Settings > Manage unified properties (or View unified properties, depending on your permissions)
• Workspace > Unified asset model

Click a type to see standard properties and source types. Types with an asterisk (*) can have a relationship with themselves. For example, Groups can be hierarchical. In the model, you can see that Asset relates to Vulnerability. An asset can have a list of vulnerabilities that were identified. Use these relationships to build queries that span sources and correlate data. For example, find assets with vulnerabilities above a certain CVSS score across Tenable, Qualys, NVD, and CISA feeds.

To learn more about using the unified model explorer, see Explore unified properties.

To discover your external attack surface, start by adding discovery seeds:

1. Log in to Surface Command.
2. Go to Discovery Seeds.
3. Click Add Seeds.
4. Enter seeds (separated by spaces, commas, or line breaks) into the text field.
5. Click Add Seeds. Rapid7’s External Asset Engine begins scanning your seeds immediately and results populate the External Attack Surface pages.

Install the following connectors in order to begin enriching your attack surface data:

1. CISA KEV Catalog
2. First EPSS
3. MITRE ATT&CK
4. MITRE CWE
5. MITRE D3FEND
6. NIST NVD
7. Combined Vulnerability Enrichment

After installation, create a recurring import feed schedule (based on your local time):

MITRE ATT&CK, MITRE CWE, and MITRE D3FEND do not require scheduling.

Installation steps for each connector follow a consistent process. Use the + Connector button to browse the Rapid7 Extension Library, install the connector, create a profile, and schedule it (where applicable).

Surface Command includes default dashboards to help confirm that asset data and connector integrations are working:

• Data Overview - Displays asset counts and correlation summaries.
• External Attack Surface Overview - Tracks trends and counts for network services, risky exposures, and TLS certificates.
• Controls Overview - Highlights gaps in EDR coverage, vulnerability scanning, and MFA configurations.

Use these dashboards to confirm that external assets data is available and that the Command Platform connector is actively collecting Rapid7 asset data.

To confirm Command Platform connector data collection:

1. Open Surface Command.
2. Go to Dashboards.
3. Select Data Overview from the dashboard name drop-down menu.
4. Confirm that widgets are populated with data.

This is an example of a working dashboard:

To verify external asset data availability:

1. Go to Dashboards.
2. Select External Attack Surface Overview from the dashboard name drop-down menu.
3. Confirm that widgets are populated with data.

This is an example of a working dashboard:

To map your attack surface more effectively, we recommend installing multiple SaaS-based connectors from the categories in the following table. You should consider the various questions and use cases you want to address and identify the sources which contain the relevant information needed to address them.:

To strengthen your attack surface mapping, install SaaS-based connectors from the recommended categories included in this section. Choose connectors based on your organization’s use cases and data sources.

We recommend starting with SaaS connectors due to their ease of configuration and management. These connectors typically require only credentials and minimal setup.

Rapid7 recommends starting with SaaS-based connectors because they’re easier to configure, manage, and test as they simply rely on credentials.

To install a connector:

1. Go to Connectors.
2. Click + Connector to open the Extension Library.
3. Search for a connector.
4. Click the connector name. The Overview page for the connector opens.
5. Click Documentation to view setup instructions.

The most common issue during connector setup is incorrect credentials. You can validate connector health using test connection functionality or import feed logs.

To test a connection:

1. Go to Connectors.
2. Click a connector.
3. Click Settings.
4. Next to a profile, click Test connection. Surface Command reports any errors found using the credentials.

To view import feed logs:

1. Go to Import Feeds.
2. Search for a connector.
3. Click an import feed.
4. Click History.
5. Expand a completed job date. The log loads.

As introduced on Day 1, your attack surface consists of internal and external components. In Surface Command, the internal surface includes assets and identities. The external surface includes IP addresses, domains, network services, and certificates. Discovery of the external surface is driven by domain and IP seeds.

All views for these components function similarly (except for the Discovery Seeds page), so the instructions in this section apply generally. For more context on asset types and their properties, revisit Day 1.

When you open a view in Surface Command, you’ll see a table displaying common properties for each asset type. Use these key features to explore your data:

• Click Manage table columns (the last column header in the table) to add or remove properties.
• Click Edit in Workspace to move the current view to the Workspace (see Day 4 for details).
• Click Menu > View graph to view a relationship graph for the selected asset (sometimes referred to as a blast radius).
• Click Filter views to see saved filters.

Click any asset to open the Properties panel, which includes a General tab and tabs for each connector with data on that asset. Hover over the info icon next to a property to see its source details:

Expand the Correlation Information section at the bottom of each tab to view key properties used to correlate records into a unified view.

You can filter views by any property by using the + Filter button or the Filter icon in column headers. Note that the Sources property is special because you can filter by coverage gap (assets that do not have the selected sources) or by source (assets that do have the selected sources).

When filtering by a related asset type (for example, mitigations or vulnerabilities), you can further refine your view by selecting specific criteria, such as vulnerabilities with a critical severity. After filtering, you can save your view for future use. Use the Filter Views menu to access saved and default filters (marked with a lock icon).

You’ll create the following filters for Day 4:

• Assets without vulnerability scanning
• Assets that have vulnerabilities with a CVSS score of 9 or higher
• Active Windows servers without endpoint protection

To create the “Assets Without Vulnerability Scanning” filter:

1. Open Surface Command.
2. Go to Assets.
3. Click Manage table columns.
4. Under Additional properties, click Mitigations.
5. Click Apply.
6. Click + Filter, search for Mitigations, and select it.
7. Set the filter to Id is empty. The table loads to display assets without vulnerability scanning.
8. Click Save, provide a filter name and description, and confirm.

To create the “Assets With Vulnerabilities ≥ 9” filter:

1. Go to Assets.
2. Click Manage table columns.
3. Under Additional properties, click Vulnerabilities.
4. Click Apply.
5. Click + Filter, search for Vulnerabilities, and select it.
6. Set the filter to CVSS Score greater than or equal to 9. The table loads to display assets a CVSS score of 9 or higher.
7. Click Save, provide a filter name and description, and confirm.

To create the “Active Windows Servers Without Endpoint Protection” filter:

1. Go to Assets.
2. Click + Filter, search for OS Family, and select it.
3. Click Only next to Windows.
4. Click the Filter icon in the Sources column.
5. Search for Insight Agent (you could also select any other relevant endpoint protection). It is selected automatically.
6. Click the Filter icon in the Endpoint Last Seen column.
7. Select Timeframe and Last 90 days. The table loads to display assets without vulnerability scanning.
8. Click Save, provide a filter name and description, and confirm.

Widgets are created from saved queries and are the main content for dashboards. You’ll need to convert your saved asset filters into Workspace queries before building widgets.

To build a number widget for the “Active Windows Servers Without Endpoint Protection” saved filter:

1. Open Surface Command.
2. Go to Assets.
3. Click Filter views, then select the “Active Windows Servers Without Endpoint Protection” saved filter.
4. Click Edit in workspace to convert the filter to a Workspace query.
5. Click Execute query (play icon).
6. Click Save query, provide a name and description.
7. Toggle Create widgets to create a widget from the query now.
8. Click Save. The query is saved and the Saved Queries page for it loads.
9. Click the Widgets tab.
10. Click + Create a widget.
11. Name and describe the widget.
12. Click Number.
13. Under the Data tab, select Count as the measure.
14. Under the Format tab, choose Number.
15. Optionally, add conditional formatting or change the widget color.
16. Click Save.

To build a pie chart widget for the “Assets Without Vulnerability Scanning” saved filter:

1. Go to Assets.
2. Click Filter views, then select the “Assets Without Vulnerability Scanning” saved filter.
3. Click Edit in workspace to convert the filter to a Workspace query.
4. Click Execute query (play icon).
5. Click Save query, provide a name and description.
6. Toggle Create widgets to create a widget from the query now.
7. Click Save. The query is saved and the Saved Queries page for it loads.
8. Click the Widgets tab.
9. Click + Create a widget.
10. Name and describe the widget.
11. Click Pie.
12. Under the Data tab:
    1. Select Count as the measure.
    2. Toggle on Dimensions and select Sources.
13. Under the Format tab:
    1. Toggle on Legend.
    2. Optionally, change the widget starting color.
14. Click Save.

Dashboards organize widgets into sections. All widgets in Surface Command are shared, so you can use any of them in your dashboards.

To create a dashboard:

1. Go to Dashboards.
2. Click + Dashboard, then name and describe it.
3. Click + Widgets.
4. Search for the “Assets Without Vulnerability Scanning” and “Active Windows Servers Without Endpoint Protection” widgets and click +.
5. Close the Add widgets panel.
6. Use the arrow icons on the widgets to arrange them.
7. Click Save.

The Query Builder is a powerful tool in the Workspace for identifying relationships between asset types, which makes it easier to identify risks associated with shadow IT, vulnerabilities, and misconfigurations. For example, querying to find unencrypted Windows compute devices (Assets) that have a known Business Owner (Identity).

By default, you can only select unified asset model types, but you can reveal connector source types by clicking Show source types. Click a type to get started.

• Types are located on the left side of the Query Builder.
  • Click Add relationship to add a type relationship to the query. For example, an asset might have several relationships to a user, such as Business Owners and Technical Owners.
  • Click Filter result to narrow asset types. For example, matching active Windows-based assets to admin users.
  • Click Edit return properties to customize output. You can provide a human-readable alias for any property name.
• Returned properties are located on the right side of the Query Builder.
  • Toggle Distinct to de-duplicate results. For example, if you’re querying for assets with high CVSS score vulnerabilities and a particular asset has three vulnerabilities that meet that criteria, the results will contain three rows, regardless of the properties selected to return. If you toggle Distinct, the results will only contain unique, or distinct, Assets so it will only return a single row for that Asset.
  • Click Edit (pencil icon) to alias fields or modify properties.
  • Click Set order to change the order of the results.

To build a query to find unencrypted Windows compute devices that have a known Business Owner:

1. Go to Workspace.
2. Click + Query.
3. Click Asset.
4. Click Filter result and select Active? is true.
5. Click + to add another property and select OS Family is equal to Windows.
6. Click Add relationship, select Identity, then select the Asset -> Identity relationship path.
7. Change any to Business Owner(s).
8. Click Edit return properties, select and optionally alias owners.
9. Click Apply, then toggle Distinct.
10. Click Execute query (play icon). The query loads.
11. Click Save query, then name and describe the query.
12. Click Save. The query is saved and the Saved Queries page for it loads.

If you run into any problems with Surface Command, search the documentation  for solutions or contact Rapid7 Support through the customer portal .

The Rapid7 Academy  holds training, webcasts, workshops, and more, all led by our Rapid7 experts.

• On-demand training  helps you get started with Rapid7 products, answer frequently-asked questions, and recommend best practices.
• Rapid7 Webcasts  are hosted by Rapid7’s teams and provide a forum where customers can learn about best practices as well as what’s new in their Rapid7 products.
• Virtual Instructor-Led Training Courses  are live training sessions broken down by product and available for enrollment.
• Certification Exams  are product-specific exams to help you demonstrate your knowledge of using Rapid7’s solutions as a cybersecurity professional.
• Product Workshops  are Rapid7’s free training on all things, all products, and are on average about an hour long.

To make sure you receive the Rapid7 communications that best suit your needs, set your communication preferences .

• Whether it’s an emergent cybersecurity threat, a product update, or a notice of service degradation for maintenance, we’ll alert you with an in-product message to ensure you’re aware of all that affects your environment.\
• Rapid7’s research  provides information on a variety of topics, such as, cloud misconfigurations, vulnerability management, detection and response, application security, and more.
• Rapid7’s blog  offers conversational guidance and information from our security experts.

Rapid7 supports a range of open-source projects. Consider joining one of our Open-Source communities!

• AttackerKB captures, highlights, and expands on security researcher knowledge to shed light on the specific conditions and characteristics that make a vulnerability exploitable and useful to attackers.
• Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.
• Metasploit empowers and arms defenders to stay one step ahead of the game by verifying vulnerabilities, managing security assessments, and improving security awareness.
• Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
• Our customer advocacy program, Rapid7 Voice, provides you with a network of customers, offers the chance to deepen your security expertise, and provides the opportunity to share input on future product developments.