Configure Exposure Command

The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud offerings, modules, and services. To log in to the platform, you need a Rapid7 Command Platform account.

To create an account:

1. Check your corporate email inbox for an email from the Rapid7 Command Platform team.
2. Visit insight.rapid7.com/login.
3. Select Haven’t activated your account?.
4. Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Advisor (CSA).
5. Refer to the activation email and follow the instructions to create and activate your Command Platform account.

After your Command Platform account is set up, assign roles based on the modules you plan to configure. At a minimum, ensure you have administrative access for any module you’ll enable.

For details, refer to Assign roles in RBAC.

If you don’t plan to use a module yet, you can skip assigning its role and return later.

Some firewalls block inbound traffic and prevent Attack Surface Management from collecting attack surface data. If this applies to your environment, allowlist the IP addresses for your data storage region.

To confirm your region, check the Data Storage region in Command Platform Organization Settings.

Configure single sign-on (SSO) to centralize authentication through your identity provider (IdP).

To configure single sign-on:

1. Go to Platform Administration > Single Sign-On (SSO).

2. Select your SSO protocol (typically SAML 2.0).

3. In your identity provider (IdP), create or configure the Rapid7 application and collect the required values (for example, Sign-In URL, Entity ID/Issuer, and X.509 certificate).

4. Enter the IdP configuration details into the Rapid7 SSO settings and configure the required attribute mappings (such as email address), ensuring that the mapped email attribute matches each user’s Rapid7 account.

5. Assign access to multiple users by adding them to the appropriate group in your IdP and assigning that group to the Rapid7 application.

6. Test SSO login with a subset of users to confirm successful authentication, correct role assignment, and expected product access.

7. After confirming successful authentication for all required users, return to the SSO settings and enable the option to require SSO authentication.

8. Disable or restrict local password-based Security Console login to eliminate direct backdoor access.

9. Verify that all designated users can authenticate through SSO and that direct console login is no longer permitted.

The Rapid7 Agent enables Exposure Command to provide continuous endpoint security monitoring and powers File Integrity Monitoring (FIM). The Rapid7 Agent collects live system information–including basic asset identification information, running processes, and logs–from your assets and sends it to the Command Platform for analysis. Combined with network and user data, this helps you identify stealthy attacks for both your critical and remote assets.

You can deploy the Rapid7 Agent on your target assets using either a token-based installer or certificate package installer. The token-based installer uses a token to download configuration files, whereas the certificate package installer provides a .zip file with the configuration files.

To deploy the Rapid7 Agent:

1. Decide which installer is best suited for your environment.

2. Read the steps to download the installer and follow the instructions.

A Connector is a software component that enables Attack Surface Management to collect data from an information source, such as vulnerability scanners, endpoint protection platforms, or cloud services. Connectors provide the context required for accurate asset correlation and risk prioritization.

Core connectors include:

• Active Directory (AD)

• EDR

• Cloud providers

• CMDB

• ITSM

• Identity platforms

To install and schedule a connector:

1. In the Command Platform, go to Data Connectors > Attack Surface Management > Connectors.
2. Click + Connector to open the Rapid7 Extension Library.

3. Search for the connector you want to install.

4. Click Install.
5. Follow the prompts to create a connector profile, configure the required settings, and schedule the connector, if applicable.
6. Click Save to save your configuration.

Repeat these steps for each connector required for your environment.

Seeds help discover domains, subdomains, IP ranges, certificates, and exposed services associated with your organization.

To add seeds:

1. Log in to Attack Surface Management.
2. Go to Discovery Seeds.
3. Click Add Seeds.
   A window containing a free text field opens.
4. Enter seeds (separated by spaces, commas, or line breaks) into the text field.
5. Click Add Seeds.
   Rapid7’s External Asset Engine begins scanning your seeds immediately.

Pairing connects your Vulnerability Management Security Console to the platform so it can synchronize data and support platform authentication.

Pairing your console takes place in two parts: first, you must obtain a pairing key from the Command Platform. Then, you'll paste the key into the Vulnerability Management Security Console.

Before you begin:

• Ensure the Vulnerability Management Security Console is set up. For deployment instructions, visit Deploy the InsightVM Security Console.
• Ensure outbound HTTPS (TCP 443) access so the Console can communicate with the Command Platform.
• A Console can be paired with only one organization at a time. If it’s already paired, unpair it before connecting to a different organization.

To activate your Console:

Refer to Activate your console on the Command Platform, then return to this document to proceed with your setup.

Scan engines perform network-based vulnerability scans against your assets. They discover systems, identify services, and assess exposures across your environment. Pairing connects each scan engine to your Security Console or Command Platform so scan data can be securely transmitted, processed, and correlated within Exposure Command

Before you begin:

1. Review system and network requirements.

2. Plan your scan engine deployment.

To deploy and pair scan engines:

1. Deploy your scan engine.

2. Select a scan engine for a site.

3. Pair a scan engine to the Security Console.

4. Refresh your Scan Engine status to confirm that the communication line is open and working.

A scan template is a predefined set of scan attributes, such as target assets, services, and vulnerabilities. Scan templates define how assets are assessed, including vulnerability checks, service detection, and performance options. Use different templates for discovery, full assessments, and targeted testing as needed.

To create custom scan templates:

1. Create a new scan template.

2. Select an existing scan template.

A site defines a group of assets to scan, the scan template used, and the scan engine assigned. You must create a site in order to run a scan of your environment and find vulnerabilities.

To create a site:

1. Create a new site in the Security Console.

2. Assign user access to the site.

3. Configure shared credentials.

4. Add target assets.

Shared scan credentials allow multiple sites to use the same authentication information, reducing the need for repetitive configurations. It is also helpful when credentials change frequently. For example, if your organization’s security policy requires credentials to change every 90 days, you can apply changes to a shared credential to apply across all sites.

To configure shared credentials:

• Create shared credentials.

• Test shared scan credentials.

• Assign credentials to sites.

You must have a Vulnerability Management Global Administrator role or a custom role with Manage Site permissions.

After sites and engines are configured, run an initial discovery scan to validate asset visibility.

Before you begin:

• Review Scan template best practices.

To run discovery and vulnerability scans:

1. After sites and engines are configured, run an initial discovery scan to validate asset visibility.

2. Review scan results to confirm assets are identified correctly.

3. Run a full vulnerability assessment using an appropriate scan template.

4. Confirm that vulnerability findings appear in the All Vulnerabilities view.

For detailed instructions, refer to Selecting a scan template.

Use User Management to control access to cloud data and administrative features.

Platform Administrators are able to see details about their Domain Admins, Users (at the Organization level), API Keys, Basic User Groups, Basic User Roles, and Authentication Servers.

To configure user roles and access:

1. In your Cloud Security (InsightCloudSec) installation, go to Settings > User Management.

2. Create or modify user roles and groups.

3. Assign users appropriate permissions.

For detailed instructions, refer to User Roles.

Cloud Security comes with many default harvesting strategies. Your accounts are harvested automatically without any additional configuration. If you want to add, manage, or explore the harvesting strategies available in your Cloud Security module, you can do so on the Harvesting Strategy page.

To get started with harvesting strategies:

1. Explore harvesting strategies.

2. Create a harvesting strategy.

You can integrate Cloud Security with third-party systems for notifications, ticketing, or data export.

To integrate with third party apps:

1. Go to Settings > Integrations.

2. Select Add for the specific integration you are interested in.

3. Each integration also includes a link to open the specific documentation page with instructions for that particular tool.

Application Security uses a cloud-based engine to test applications that have been deployed to the public domain and are accessible from the internet. If your applications are not publicly accessible, deploy an internal scan engine to assess them.

Refer to Setting up an on-premise scan engine to install and register the on-premises engine, then return to this document.

Targets are domains that you add to the allowlist so that you can include them in apps and scans. Ensure all domains you plan to scan are added before creating scan configurations.

For detailed instructions, refer to Discover Targets.

A scan configuration, or scan config, is a group of settings you use to scan an app. By creating scan configs, you can save specific settings and use them to scan that app with those options again and again.

Refer to Scan configuration to set up scan configs, then return to this document.

You can test your SOAP and REST web services by adding WSDL or Swagger files to Application Security. WSDL and Swagger files define a standard interface to APIs that is agnostic to programming languages. Application Security parses these documents to generate function calls to your API and create test values for the expected parameters. These function calls are then executed against your API and the interactions are checked for vulnerabilities.

When configuring API scanning, you’ll provide a URL to either a WSDL or Swagger file. If this URL is only available on your internal network, you will have to install a scan engine within the same network so that the engine is able to access the file.

To set up API scanning:  

• Scan SOAP APIs using WSDL files.

• Scan RESTful APIs using Swagger files.

You may encounter applications that are difficult to scan, such as dynamic web applications or systems that require authentication or scripted interaction. In these cases, use advanced configuration options such as macros, traffic recording, or Selenium scripts to ensure scans can authenticate properly and reach all relevant functionality.

If applicable, refer to Macro Traffic and Selenium for instructions and then return to this document to complete your setup.

The Rapid7 AppSec plugin for Chrome adds useful capabilities like recording your login activities and replaying attacks from your Application Security console. Use the plugin to understand how traffic is moving between your server, apps, and authentication layer.

To get the most out of the Rapid7 AppSec plugin, explore the following use cases:

• Validate vulnerabilities by replaying the vulnerability attack. Replaying attacks allows you to watch the attack traffic to determine whether a vulnerability is valid.
• Record macro authentication with the plugin and play the authentication sequences back to track user actions during authentication.
• Record traffic authentication to track and send the requests the front end application and the back end server in a Traffic file. You can then import the file so it can be used and referenced within an app.

To install the plugin:

1. Ensure you are using the latest version of Chrome.
2. On the Rapid7 AppSec Plugin for Chrome page, click Add to Chrome.
3. In the extension dialog, click Add extension.
   A notification appears when the plugin is successfully installed.

If your application requires a login, configure authentication so scans can access restricted areas.

Refer to Authentication and then return to this document to complete your setup.

To perform a test scan:

1. After configuration, run a full scan to establish a baseline.

2. Use incremental or validation scans as needed.

3. Configure schedules and blackout periods to minimize production impact.

Refer to Scan Your App and then return to this document to complete your setup.

Scheduling scans and blackouts allows you to run scans when there is less traffic on your site. To ensure that the performance and stability of your site is maintained, you can schedule a blackout to pause scans when site traffic is heavy. If a scan is scheduled to begin during a blackout period, the scan will be queued to start after the blackout period ends.

• Schedule a scan.

• Schedule a blackout.

Attack templates are pre-configured sets of attacks and performance options. Application Security comes with a set of pre-built templates based on common requirements. You can also use custom templates to further refine your scan configuration.

To configure attack templates, refer to Attack templates, then return to this document.

Before analyzing risk, confirm that scanning components are operating as expected.

To validate network vulnerability scanning:

1. Confirm scan engines are online and paired.

2. Verify that at least one discovery or vulnerability scan has completed successfully.

3. Review scan logs for errors or authentication failures.

4. Confirm that newly scanned assets appear in the asset inventory.

5. Validate that vulnerability findings are visible in the All Vulnerabilities view.

If expected assets are missing:

• Review site scope and included IP ranges.

• Confirm scan credentials are configured and tested.

• Ensure firewalls allow required scanning traffic.

1. Confirm Rapid7 Agents are online and reporting.

2. Verify that agent-based assets appear in your inventory.

3. Ensure vulnerability findings and endpoint telemetry are visible in dashboards.

If agents are not reporting:

• Confirm outbound connectivity to the Command Platform.

• Validate token or certificate configuration.

If you configured Cloud Security:

1. Confirm cloud accounts are connected and in a healthy state.

2. Verify harvesting jobs have completed.

3. Confirm misconfiguration findings and cloud assets appear in dashboards.

If data is missing:

• Review account permissions.

• Check harvesting strategy schedules.

If you configured Application Security:

1. Confirm scan engines (cloud or on-premises) are online.

2. Run an initial full scan.

3. Verify that scan results populate in the application findings view.

If scans fail:

• Review authentication configuration.

• Validate allowed targets.

• Confirm scan scope and attack template settings.

After confirming scanning components are functioning, verify that data is properly correlated in Exposure Command.

Confirm that:

• Asset inventory reflects internal, cloud, and external assets.

• Vulnerability and misconfiguration findings appear from all connected sources.

• Risk scores reflect asset context and exposure pathways.

• Remediation recommendations are available in Remediation Hub.

If dashboards appear empty or incomplete:

1. Confirm connectors are installed and scheduled.

2. Verify permissions for third-party integrations.

3. Review connector status and ingestion health indicators.

Resolve ingestion issues before proceeding.

Once validation is complete, begin reviewing exposure and prioritizing remediation.

Start with:

• The Risk Dashboard to understand how risk is calculated and prioritized.

• The All Vulnerabilities view to analyze findings across modules.

• The Remediation Hub to identify high-impact remediation actions.

Use filters and saved views to focus on business units, asset groups, or high-risk exposures.