Glossary

    A
  • Access control model
    A conceptual approach for granting and enforcing access (e.g., RBAC, ABAC, MAC, DAC).
  • Administration
    The area within the Command Platform where an administrator can configure and manage Rapid7-specific settings (e.g., managing users, roles, permissions, and authentication methods).
  • Alert
    Alerts may originate from detection and response activities (e.g., suspicious login attempts) or from exposure management (e.g., a critical CVE or cloud misconfiguration). An alert can contain one or more findings.
  • Allowlist
    A list of approved and trusted entities, such as applications, IP addresses, or email senders, that are granted access to a system or network. Anything not on this list is automatically denied, making it a highly effective security strategy that prevents threats by default. See also, Deny List.
  • API credential
    A scoped, time-limited key or token used to authenticate and authorize applications interacting with APIs, often replacing traditional username-password pairs.
  • Asset
    Any hardware, software, service, data, or identity that has value to an organization and must be protected. Assets are the targets adversaries seek to exploit and the components defenders must monitor and secure.
  • Attack path
    The route an attacker can take to exploit vulnerabilities.
  • Attack surface
    The total of all exploitable entry points (assets, identities, services) within an organization’s digital environment.
  • Attribute-Based Access Control (ABAC)
    An access control model that makes decisions based on user and system attributes.
  • Authentication
    The process of verifying the identity of a user, device, or service before granting access.
  • Authorization
    The process of determining what an authenticated user, device, or service is allowed to do.
  • Automation
    Any workflow that streamlines repetitive or manual tasks across the security lifecycle, including traditional SOAR use cases. Automation improves efficiency, reduces human error, and frees up analyst time for higher-value work.
    • B
  • Blue team
    A defensive security team that responds to attacks.
  • Breach
    Unauthorized access to a system or disclosure of data.
    • C
  • Campaign
    A coordinated series of malicious activities carried out by a threat actor over a defined period. Campaigns are typically designed to achieve strategic objectives and can involve multiple attack vectors, tools, or infrastructure components.
  • Case
    A project where one or more individuals coordinate incident response or exposure remediation. Cases serve as collaborative spaces where stakeholders can track evidence, assign tasks, and document progress. They may be created from detection and response workflows or exposure management workflows. Cases can contain one or more alerts or findings.
  • Certificate
    A digital document used to establish trust, verify identity, and enable encrypted communications using TLS/SSL.
  • Cloud Detection and Response (CDR)
    A capability that detects and mitigates cloud-based attacks in real time.
  • Cloud security
    The set of practices, processes, and tools for protecting data, applications, and workloads that run on cloud platforms.
  • Cloud Security Posture Management (CSPM)
    A solution that continuously detects, monitors, reports, and remediates threats and miscconfigurations in cloud environments.
  • Cloud workload
    The applications, services, or processes running in cloud environments (e.g., virtual machines, containers, serverless functions).
  • Cloud Workload Protection Platform (CWPP)
    Monitors and protects workloads across cloud environments.
  • Command Platform
    The unified command center that enables organizations to manage their entire security program. It encompasses all packages, tiers, modules, features, and services offered within the Rapid7 ecosystem.
  • Common Vulnerability and Exposure (CVE)
    Standardized identifiers for publicly disclosed cybersecurity vulnerabilities, which are maintained by the MITRE Corporation. CVEs provide a common reference that allows security teams to track, prioritize, and remediate known weaknesses across systems and applications. CVEs also help correlate threat intelligence with actively exploited vulnerabilities.
  • Compliance
    The practice of ensuring operations meet regulatory and standards-based requirements across environments.
  • Compliance Hub (Prove)
    The Rapid7 hub that enables governance, regulatory alignment, and reporting.
  • Compute
    Physical or virtual resources that perform processing tasks but do not fit into other asset categories. This includes flexible, short-lived cloud resources like containers, virtual machines, and serverless functions.
  • Container
    A lightweight, standalone, and executable package of software that includes everything needed to run an application (e.g., code, runtime, system tools, libraries, settings). Containers are often ephemeral.
  • Containerization
    A software packaging approach that bundles code and dependencies into isolated units (containers) for consistent execution.
  • Continuous Threat Exposure Management (CTEM)
    A programmatic approach to automate continuous monitoring of an attack surface to detect and reduce exposures in real time.
  • Control
    A policy, processes, or technical measure that governs how a security program operates and ensure compliance with internal, regulatory, or industry standards. Controls may include team-specific SLAs, security best practices, or adherence to frameworks such as NIST CSF, HIPAA, or GDPR.
  • Cybersecurity
    The discipline of protecting systems, networks, programs, and data from digital attacks, unauthorized access, and damage.
    • D
  • Dashboard
    A collection of reports presented visually in charts, tables, and icons, which provides a real-time overview of key metrics, allowing security teams to analyze and monitor trends and make data-driven decisions.
  • Data connector
    The integration mechanism that brings an organization's environment data into the Command Platform. Data connectors aggregate and normalize information from endpoints, third-party services, and cloud or on-prem systems so security teams can monitor and manage their environment from a single location.
  • Data encryption
    Encoding data to prevent unauthorized access.
  • Data Loss Prevention (DLP)
    A strategy designed to prevent the exfiltration of data.
  • Denial of Service (DoS)
    An attack that overwhelms a system, making it unavailable.
  • Deny list
    A list of entities (e.g., IPs, domains, apps, senders) explicitly blocked from accessing a system, network, or service. See also, Allowlist.
  • Domain name
    A human-readable address that maps to an IP address, used to access websites or services on the internet (e.g., example.com). Domain names are registered to an organization and have an expiration date.
    • E
  • Encryption
    A method of protecting data by transforming it into unreadable ciphertext that can be reverted only with the correct key.
  • Endpoint
    A computing device that connects to a network (e.g., a laptop, server, workstation, or mobile device).
  • Endpoint Detection and Response (EDR)
    Detects, investigates, and mitigates endpoint threats.
  • Endpoint security
    Protects endpoints like laptops, servers, and mobile devices.
  • Exposure
    Any condition that increases the likelihood or impact of a successful attack.
  • Exposure Command
    A package of Rapid7 modules that provides an end-to-end solution for exposure management. The Exposure Management package includes Attack Surface Management, SOAR, and Threat Intelligence.
  • Exposure management
    The process of addressing access points (attack vectors) and digital or physical assets across an organization’s attack surface, reducing risk.
  • Extended Detection and Response (XDR)
    Integrates multiple security layers for centralized threat response.
    • F
  • Finding
    A piece of notable, security-relevant activity or evidence identified within an environment. A finding is curated information (not just raw event or log data) that may or may not indicate malicious behavior, but provides useful context for analysis.
  • Fully Qualified Domain Name (FQDN)
    A complete domain name that specifies the exact location of a resource within the Domain Name System (DNS) hierarchy.
    • G
  • General Data Protection Regulation (GDPR)
    The EU regulation that sets requirements for personal data protection, privacy rights, and organizational accountability.
  • Governance, Risk, and Compliance (GRC)
    A framework designed to align security with business risk and regulation.
  • Group
    A logical collection of assets, users, vulnerabilities, or alerts that share common characteristics. Groups allow security teams to organize and apply actions (like scans, policies, or investigations) to multiple entities at once.
    • H
  • Health Insurance Portability and Accountability Act (HIPAA)
    The U.S. regulation establishing security and privacy requirements for protected health information (PHI).
    • I
  • Identity
    A digital representation of a user, device, or process that interacts with systems and requires authentication and authorization.
  • Identity and Access Management (IAM)
    The discipline of defining and enforcing who and what can access digital resources across cloud, on-prem, and hybrid environments.
  • Incident
    A confirmed or suspected security event that compromises or poses a credible risk to confidentiality, integrity, or availability.
  • Incident Command
    A package of Rapid7 modules that provides an end-to-end solution for incident management. The Incident Command package includes Attack Surface Management, SOAR, and Threat Intelligence.
  • Incident response
    The process of managing and mitigating security incidents.
  • Indicator of Compromise (IOC)
    Data that suggests malicious activity within an environment. Suspicious IP addresses, domains, URLs, file hashes, and email addresses can all be Indicators of Compromise.
  • Indicator of Compromise (IOC) rule
    A detection rule based on known indicators of compromise (e.g., IP addresses, file hashes, domain names) that signify potential malicious activity. IOC rules help identify threats by matching these indicators against logs, endpoint data, or network traffic.
  • Individual
    The human associated with one or more user accounts. This identity is used to correlate activity across systems and assess risk at the person level.
  • Insider threat
    The security risk posed by employees or contractors within an organization.
  • Installed software
    Applications or services installed on a physical or virtual asset.
  • Integration
    A connection between Rapid7 products and external tools or platforms (e.g., Microsoft Azure, AWS, ServiceNow). Integrations allow seamless data sharing, event forwarding, enrichment, and automation, expanding the visibility and control within your security ecosystem.
  • Intelligence
    The security insights and contextual information that allow organizations to detect, investigate, and respond to threats. Intelligence comprises detection rules, attacker behavior analytics, and curated threat intelligence feeds that keep defenders aware of adversary Tactics, Techniques, and Procedures (TTPs).
  • IP address
    A unique numeric identifier assigned to each device or resource on a network, used for routing traffic.
    • L
  • Least Privilege Access (LPA)
    The principle of granting users or systems the minimum permissions necessary to perform their job or function.
    • M
  • Machine
    Any networked asset with a CPU that isn’t a server, network device, workstation, or mobile device. This might include devices like printers, IoT hardware, or VoIP phones.
  • Malware
    Malicious software designed to damage or exploit systems.
  • Managed Detection and Response (MDR)
    An outsourced cybersecurity service that provides continuous monitoring and response to threats.
  • Mention
    References to an oragnization's assets, keywords, or threats observed across the clear, deep, and dark web. Mentions provide operational intelligence that enables security teams to monitor risks, identify potential data exposure, and track threat actor activity.
  • Misconfiguration
    An incorrect or insecure configuration of cloud resources or services that can create an exploitable security risk.
  • MITRE ATT&CK framework
    A publicly available knowledge base of adversary Tactics, Techniques, and Procedures (TTPs) used to map, detect, and defend against attacks.
  • Mobile device
    A portable asset such as a smartphone or tablet that connects to a network and runs a mobile operating system.
  • Module
    A core functional component that makes up part of a package. Modules deliver specific security capabilities (e.g., vulnerability management, SIEM, cloud security).
    • N
  • Network device
    Hardware that enables or supports communication within or between networks, such as routers, switches, firewalls, and wireless access points.
  • Network service
    A service that runs on a network-connected host and listens for requests, such as HTTP, DNS, or SSH.
  • NIST Cybersecurity Framework (NIST CSF)
    A set of guidelines and best practices for managing cybersecurity risk across Identify, Protect, Detect, Respond, and Recover.
    • O
  • Operating system (OS)
    Software that manages hardware and runs applications on a device.
    • P
  • Package
    A purchasable bundle of capabilities that gives access to specific Rapid7 modules and the Command Platform. Each package delivers an end-to-end solution within a broad security domain (e.g., Exposure Management, Detection & Response).
  • Patch
    A software update that fixes vulnerabilities or bugs.
  • Patch management
    The process of applying updates to fix vulnerabilities.
  • Penetration test report
    Documentation summarizing the findings of a penetration test.
  • Penetration testing
    The authorized simulation of real-world attacks on processes, technology, and people to identify security weaknesses. Also known as pen testing.
  • Phishing
    A fraudulent attempt to obtain sensitive information using deception.
  • Privileged Access Management (PAM)
    A subset of IAM focused specifically on securing, monitoring, and controlling accounts with elevated or “privileged” permissions.
    • Q
  • Query
    A request for information or data using specific search criteria.
    • R
  • Ransomware
    Malware that encrypts data until a ransom is paid.
  • Rapid7 AI-SOC
    An AI-assisted triage, investigation, response, and threat hunting module.
  • Rapid7 Application Security
    An application security solution that performs black-box security testing to automate identification, triage vulnerabilities, prioritize actions, and remediate application risk. Previously known as InsightAppSec.
  • Rapid7 Attack Surface Management (ASM)
    Provides a real-time view of the attack surface by correlating security data from internal and external assets, including data from third-party tools, such as endpoint management, endpoint security, cloud security, and configuration management databases (CMDBs).
  • Rapid7 Cloud Security
    A cloud secuirty solution that proactively manages risk, accelerates DevSecOps, and enforces compliance across multi-cloud environments. Formerly known as InsightCloudSec.
  • Rapid7 Digital Risk Protection
    A Digital Risk Protection module that proactively scans the clear, deep, and dark web for potential threats, as well as providing contextual alerts on malicious practices (e.g., malware, TTPs, phishing scams). Formerly known as Threat Command.
  • Rapid7 Endpoint
    Includes the Rapid7 Agent, NGAV, Ransomware Prevention, and Velociraptor.
  • Rapid7 Network
    Includes Rapid7 Sensor, Network Detection and Response (NDR), and Intrusion Detection System (IDS).
  • Rapid7 SIEM
    A detection and response solution that centralizes telemetry, detections, investigations, and response actions. Formerly known as InsightIDR.
  • Rapid7 SOAR
    A SOAR (Security Orchestration, Automation, and Response) solution that streamlines threat and vulnerability management, incident response, and security operations automation. Formerly known as InsightConnect.
  • Rapid7 Threat Intelligence
    A threat intelligence solution that connects threat data, telemetry, and detections to uncover patterns, accelerate decision-making, and drive informed security responses. Threat Intelligence is included in both Exposure Command and Incident Command.
  • Rapid7 Vulnerability Management
    A vulnerability management module that identifies, assesses, prioritizes, and remediates vulnerabilities in systems and software. Formerly known as InsightVM.
  • Red team
    An internal team simulating a full-scope attack exercise that tests detection and defense.
  • Remediation
    Actions taken to reduce or eliminate risk from a vulnerability, misconfiguration, or incident (e.g., patch, reconfigure, isolate).
  • Report
    A list of records displayed in a table, based on defined criteria. Reports help analyze and organize security data by applying filters, sorting, and summarizing key fields.
  • Risk assessment
    Identifying and evaluating potential threats and their impacts.
  • Role-Based Access Control (RBAC)
    Assigns permissions based on predefined roles rather than individual users.
    • S
  • Security awareness training
    Educating users on safe cybersecurity practices.
  • Security Information and Event Management (SIEM)
    Aggregates and analyzes security event data in real time.
  • Security Operations Center (SOC)
    A centralized security team responsible for monitoring and defending systems.
  • Security Orchestration, Automation, and Response (SOAR)
    A class of security capabilities that automate and coordinate workflows, tools, and teams to investigate and respond to threats.
  • Security posture
    The overall state of an organization’s security strength.
  • Security program basics
    The foundational practices organizations use to build a cybersecurity program (e.g., MFA, security awareness training, policy, process).
  • Security validation testing
    The process of verifying that controls and configurations work as intended.
  • Server
    A physical or virtual machine that provides services, applications, or resources to other computers or users on a network.
  • Service account
    A persistent, non-human identity used by applications or automated processes to access systems or perform functions, typically with set permissions.
  • Shared mailbox
    An email account used by multiple individuals to access a common mailbox without personal login credentials.
  • Shared Responsibility Model
    The cloud-security model where a cloud service provider takes responsibility for securing the infrastructure while the customer is responsible for securing the workloads, configurations, data, and access.
  • Software as a Service (SaaS) application
    Cloud-hosted software delivered by a third-party provider over the internet.
  • Source / Feed
    External or internal data streams. Sources include event logs from systems like Active Directory or firewalls, while feeds often refer to threat intelligence inputs, such as known bad IPs or malicious file hashes, used to enrich detections and investigations.
  • Source code
    Human-readable code that defines software behavior.
  • Storage
    A system or location, on-prem or cloud-based, used to store digital data, such as databases, file systems, or object stores.
  • Surface Command
    A package of Rapid7 modules that provides an end-to-end solution for attack surface management and grants basic access to the Command Platform, including SOAR capabilities.
    • T
  • Tactics, Techniques, and Procedures (TTPs)
    Describes the behavioral patterns of threat actors during an attack. Tactics represent what the adversary aims to achieve (for example, initial access or persistence); techniques explain how they achieve those goals (for example, phishing or credential dumping); and procedures are the specific implementations or tools used to execute a technique. TTPs are often mapped to the MITRE ATT&CK Framework to support detection, analysis, and threat hunting.
  • Tag
    A metadata label applied to entities such as assets, users, alerts, or vulnerabilities. Tags are used to allow categoriziation, filtering of data for reporting, search, automation, or policy application.
  • Threat actor
    An individual, group, or organization that carries out malicious activity targeting digital systems. Threat actors use specific Tactics, Techniques, and Procedures (TTPs) to achieve objectives such as financial gain, espionage, ideological expression (hacktivism), or operational disruption.
  • Threat detection
    The capabilities and processes that identify potentially malicious or policy-violating activity across environments.
  • Threat hunting
    The proactive search for undetected threats in the environment.
  • Threat Intelligence
    Available data and insights on current and emerging cybersecurity threats.
  • Threat intelligence feed
    A stream of curated indicators and context (e.g., IPs, hashes, domains, TTPs) used to enrich detections and investigations.
  • Tier
    A level within a Rapid7 package that determines feature access and capability breadth. The Essentials tier provides standard functionality, the Advanced tier includes standard and expanded capabilities, and the Ultimate tier contains the most robust capabilities available.
  • Tokenization
    Replacing sensitive data with non-sensitive equivalents.
    • U
  • User account
    A single account assigned to an individual person, used to authenticate and access systems and data.
    • V
  • Vulnerability assessment
    The process of identifying and evaluating vulnerabilities in systems and software to inform risk prioritization.
  • Vulnerability scanner
    A tool that automatically assesses systems and software for known vulnerabilities.
    • W
  • Web application
    The server-hosted applications accessed through a browser and managed by an organization.
  • Website
    A collection of web pages and related content hosted on a domain and served over HTTP/HTTPS, typically accessible through a browser.
  • Workstation
    A user endpoint, typically a desktop or laptop, used for business operations and connected to the corporate network.
    • Z
  • Zero Trust
    A security model assuming no implicit trust and requiring verification at every step.