Remediate an Alert

With the Threat Command module, you can perform the following forms of external alert remediation:

  • Takedown - Request that Rapid7 contact the content provider and act on your behalf to remove the threat from the web. Remediated alerts can be closed automatically; by default, they remain open.
  • Report - For URLs and domains, request that Rapid7 send threat information to Google Web Risk or PhishTank. This can warn others of the potential danger of those indicators of compromise (IOCs).

Internal remediation is accomplished by sharing IOCs with internal security devices, in the following way:

  • Blocklist - Rapid7 adds IOCs related to a threat to an internal blocklist which can be fed to internal security devices with the Threat Command Automation module.
  • A blocklist remediation can be performed immediately, so it can be used as a temporary remediation effort until a takedown request is complete. Similarly, if takedown evidence is not available, a blocklist remediation can mitigate the issue. For a quick guide, see Blocklist Remediation.


Before initiating a remediation request

Before initiating a remediation request, the following issues must be addressed:

  • Admin users must complete the following:

    • Upload company trademarks, power of attorney, and letter of authorization to the Threat Command > Configurations > Remediation tab.
    • Purchase takedown credits. You can see the balance of credits in the Remediation panel or in the Settings > Subscription page (for admin users only).
  • Ensure that the alert is a candidate for remediation. If the remediation options are present in the alert, it can be remediated. For the full list, see the Remediation matrix.
    To remediate alerts that are not in Threat Command, contact Customer Support.

  • Some remediation requests must be accompanied by indisputable evidence before the registrar proceeds with them. Evidence can be uploaded in TXT, MSG, EML, or MBOX formats. For example, to request a takedown for a suspicious domain, the user must supply the original phishing email, sent from the suspicious domain, complete with the email headers (not simply a screenshot).

    For full information, see the Evidence Best Practice Guidelines.
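
As an added illustration (not Rapid7 code and not part of Threat Command), this Python sketch pre-checks an evidence file before upload: it confirms that the transport headers survived and lists which headers tie the message to the suspicious domain. The sample messages, the `login-acme.test` domain, the `REQUIRED` header set, and the function names are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): an .eml saved with its transport headers intact.
FULL_EML = b"""\
Return-Path: <billing@login-acme.test>
Received: from mail.login-acme.test (mail.login-acme.test [203.0.113.25])
    by mx.acme.example with ESMTP id 4Xy1; Tue, 02 Jan 2024 09:14:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=login-acme.test; s=s1; bh=AAAA; b=BBBB
From: "Acme Billing" <billing@login-acme.test>
Subject: Invoice overdue
Date: Tue, 02 Jan 2024 09:14:01 +0000
Message-ID: <1234@login-acme.test>

Please sign in to review your invoice.
"""

# Constructed counter-example: text pasted out of a mail client, transport headers lost.
PASTED_COPY = b"""\
From: "Acme Billing" <billing@login-acme.test>
Subject: Invoice overdue

Please sign in to review your invoice.
"""

# Assumption of this sketch: the minimum header set it treats as "full headers".
REQUIRED = ("From", "Date", "Message-ID", "Received")
PATTERNS = {"DKIM-Signature": r"(?:^|;)\s*d=([^;\s]+)",  # signing domain tag
            "Received": r"^\s*from\s+([^\s;()]+)"}       # host named by the relay

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain, not a lookalike."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_evidence(raw, suspicious_domain):
    """Report missing headers and which headers tie the message to the domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    missing = [h for h in REQUIRED if not msg.get_all(h)]
    found = []  # (header name, host or domain named in that header)
    for name in ("From", "Return-Path", "Reply-To"):
        for value in msg.get_all(name, []):
            addr = parseaddr(str(value))[1]
            if "@" in addr:
                found.append((name, addr.rsplit("@", 1)[1]))
    for name, pattern in PATTERNS.items():
        for value in msg.get_all(name, []):
            m = re.search(pattern, str(value), re.I)
            if m:
                found.append((name, m.group(1)))
    linked = sorted({n for n, host in found if in_domain(host, suspicious_domain)})
    return {"missing": missing, "linked_headers": linked,
            "usable": not missing and bool(linked)}

if __name__ == "__main__":
    for label, raw in (("full .eml", FULL_EML), ("pasted copy", PASTED_COPY)):
        print(label, check_evidence(raw, "login-acme.test"))
```

The same check works on a headers-only TXT export, because only the header block is parsed; MSG and MBOX files need converting or splitting into single messages first.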

If indisputable evidence is not available, see what other mitigation options are available at Additional Monitoring and Protection Steps.

To perform remediations, see takedown remediation, report remediation, or blocklist remediation.

You can view all remediation requests and remediable alerts in the Remediations page.

Remediation matrix

The following tables describe the available forms of remediation.

The supported table also details each form of alert and its remediation options and requirements:

Supported remediation scenarios

| Source | Scenarios | Required to prove abuse (at least one); otherwise they will not respond to the remediation request | Prerequisites (source policy may change, and other documents may be asked for as the request progresses) |
|---|---|---|---|
| Apple App Store | - Fake application<br>- Malicious application | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Application stores | - Fake application<br>- Malicious application | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Confidential documents | - Per case and vendor | | |
| Domain | See Phishing - domain | | |
| eBay | - Product for sale | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Etsy | - Profile<br>- Product for sale | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Facebook | - Group<br>- Job scam<br>- Profile<br>- Post<br>- Company page | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Facebook | - VIP profile | The source requires that at least one of the following must have been abused:<br>- VIP name<br>- VIP photo<br>- Company registered logo<br>- Company name | VIP ID is required, either of these options:<br>1. One Government ID (driver's license, national identity card, passport, or birth certificate) that includes the VIP name and date of birth or VIP name and photo.<br>2. Two non-government IDs (student card, library card, refugee card, employment verification, diploma, or loyalty card) that both include the VIP name. At least one of the IDs must also include the VIP date of birth or photo.<br><br>In addition to the ID documents, a signed letter of authorization (LOA) must be present in the Configurations page. |
| Facebook | - Community page | Facebook does not support takedowns of community pages | |
| Fake job offer | - Per case and vendor | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Flickr | - Page<br>- Photo | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| GitHub | Repository or file that contains:<br>- Copyrighted code<br>- Leaked credentials<br>- Malicious code | The source requires that at least one of the following must have been abused:<br>1. Access credentials, such as user name, together with a password, or other credentials that can grant access to your organization's server, network, or domain.<br>2. AWS tokens and other similar access credentials that grant access to a third party on your behalf. You must be able to show that the token belongs to you.<br>3. Documentation (such as network diagrams or architecture) that poses a specific security risk for your company.<br>4. Information related to, and posing a security risk to, you as an individual (such as Social Security Number or other government ID numbers).<br><br>Include as much detail as possible, including specific lines and URLs. When reporting a repository, include the URL of the lowest level (such as a file URL, not a repository URL). | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Google Play | - Fake application<br>- Malicious application | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation.<br><br>The LOA must not have an expiration date. |
| Google Plus | - Profile | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Instagram | - Profile<br>- Post | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Instagram | - VIP profile | The source requires that at least one of the following must have been abused:<br>- VIP's name<br>- VIP's photo<br>- Company registered logo<br>- Company name | VIP ID is required, either of these options:<br>1. One Government ID (driver's license, national identity card, passport, or birth certificate) that includes the VIP name and date of birth or VIP name and photo.<br>2. Two non-government IDs (student card, library card, refugee card, employment verification, diploma, or loyalty card) that both include the VIP name. At least one of the IDs must also include the VIP date of birth or photo.<br><br>In addition to the ID documents, a signed letter of authorization (LOA) must be present in the Configurations page. |
| LinkedIn | - Employee<br>- Company page<br>- VIP Profile | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name<br><br>The source requires that at least one of the following must have been abused:<br>- VIP's name<br>- VIP's photo<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Pastebin | - Copyrighted work<br>- Leaked credentials<br>- Confidential documents | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name<br>- Sensitive company information (access credentials - passwords, emails, BIN number, etc.)<br>- Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Paste sites | - Per case and vendor | | |
| Phishing domain | - Phishing domain | Registrar policy requires one of the following:<br>1. The original phishing email that was sent by the suspicious domain, together with the full email headers. To create that in a way that meets their strict requirements, follow the description in Evidence Best Practice Guidelines. This is the best evidence.<br>2. A malware scan that shows this domain's association with malicious activity. This may be accepted.<br>3. Smishing SMS. This is supported by some registrars.<br><br>The registrar may require the original phishing email in some cases; malware analysis or smishing SMS is not always sufficient. | The original phishing email, together with the full email headers, is a code snippet that contains details that are essential to authenticate an email message.<br><br>The original email in EML, MSG, or MBOX format OR the email headers in TXT format indicate that the email was sent from this domain.<br><br>Screenshots and PDF files can be altered, which is why the registrar does not accept those formats. |
| Phishing website | - Phishing website | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name<br>- Company information (addresses, contact details)<br>- Similarity to the company website | Each vendor has different requirements.<br><br>Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Pinterest | - Account | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Reddit | - User | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Scribd | - Account | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Scribd | - Post | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name<br>- Sensitive company information (access credentials - passwords, emails, BIN number, etc.)<br>- Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Studylib | - Copyrighted work<br>- Leaked credentials<br>- Confidential documents | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name<br>- Sensitive company information (access credentials - passwords, emails, BIN number, etc.)<br>- Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Suspicious email address (Gmail, Outlook, etc.) | - Phishing email | Email vendors require this information before they will consider taking down an email address:<br><br>The original spam email that was sent, together with the full email headers. To create that in a way that meets their strict requirements, follow the description in Evidence Best Practice Guidelines. | The original phishing email, together with the full email headers, is a code snippet that contains details that are essential to authenticate an email message.<br><br>The original email in EML, MSG, or MBOX format OR the email headers in TXT format indicate that the email was sent from this domain.<br><br>Screenshots and PDF files can be altered, which is why the registrar does not accept those formats. |
| Telegram | - Channel<br>- Group<br>- User<br>- Bot | Telegram requires the proof of abuse of both the company registered trademark AND company name (one is not adequate).<br><br>**Telegram policy protects the content of messages inside a group or channel, so those are not sufficient proof of abuse.** | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Telegram | - Private channel<br>- Private group<br>- Specific message | Telegram does not support takedowns. | |
| TikTok | - Page | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Tumblr | - Page<br>- Profile | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Twitter | - Profile (company page) | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Twitter | - VIP Profile | The source requires that at least one of the following must have been abused:<br>- VIP's name<br>- VIP's photo<br>- Company registered logo<br>- Company name | VIP passport or driver's license must be submitted, and a signed letter of authorization (LOA) must be present in the Configurations page before initiating the remediation. |
| Twitter | - Tweet | Twitter does not support takedowns of tweets. | |
| Veoh | - Video<br>- Account | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Vimeo | - Video<br>- Account | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| VirusTotal | - Copyrighted work<br>- Leaked credentials<br>- Confidential documents | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name<br>- Sensitive company information (access credentials - passwords, emails, BIN number, etc.)<br>- Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| VK | - Profile<br>- Page | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| Website | See Phishing - website | | |
| Weibo | - Profile<br>- Page | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| YouTube | - Channel<br>- Video | The source requires that at least one of the following must have been abused:<br>- Company registered logo<br>- Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |

Non-supported remediation scenarios

These scenarios are not supported:

| Platform | Unsupported specific scenario |
|---|---|
| Brand reputation | Rapid7 does not handle takedown requests related to brand reputation if they are not related to phishing activities and do not violate our terms of service.<br>Examples of non-supported scenarios: Reviews, Adult content, Illegal content |
| Reseller websites | Rapid7 does not handle takedown requests related to websites where our customers' products are being resold legally or legitimately if there is no evidence provided of a security risk (e.g., phishing, etc.). |
| Dark web | All threats |
| S3 bucket Amazon | All bucket types |
| Line platform | All types |
| Dark web | All types |
| Douyin | All types |
| Kumu platform | All types |
| Pccid.io | All types |
| xdocs.p | All types |
| Pastehub | All types |