Exposure Command Overview
Exposure Command extends the power of Surface Command, combining complete attack surface visibility with high-fidelity risk context and insight into your organization’s security posture, aggregating findings from both our native exposure detection capabilities as well as third-party exposure and enrichment sources you’ve already got in place. This situational awareness enables teams to focus on the exposures and vulnerabilities that attackers have in their sights with the threat-aware risk context needed to prioritize more efficiently and effectively. For more details on Surface Command, visit the Surface Command Overview.
Exposure Command goes beyond monitoring and asset inventory mapping, enriching telemetry with compliance and risk findings from Rapid7’s entire set of exposure management capabilities. Combined, on-prem vulnerability management, cloud security, and application testing enable security and risk management teams to shift from reactive to proactive, continuously assessing your attack surface, validating exposures and providing actionable remediation guidance that takes into account existing downstream controls and the blast radius of a potential compromise. Native, no-code automation ensures teams operationalize their exposure management programs efficiently, with more than 450+ out-of-the-box integrations with popular security and ITOps tools.
Exposure Command packages
Rapid7 currently offers the following package tiers:
- Exposure Command Essentials is for teams looking for a holistic view of their attack surface as well as on-premise monitoring, risk prioritization, and vulnerability management.
- Exposure Command Advanced is for teams looking for a holistic view of their attack surface as well as some cloud and on-premise monitoring, including attack path analysis, risk prioritization, and vulnerability management.
- Exposure Command Ultimate is for teams looking for a holistic view of their attack surface as well as extensive cloud and on-premise monitoring, compliance alignment, infrastructure as code (IaC) scanning, least privileged access management, and threat detection.
Surface Command is included with all Exposure Command package tiers.
Feature comparison
The following table lists key differences between the products at a feature-level.
| Capability | Surface Command | Exposure Command Essentials | Exposure Command Advanced | Exposure Command Ultimate |
|---|---|---|---|---|
| Asset discovery and unified inventory, including devices, software, identities, and controls | ✓ | ✓ | ✓ | ✓ |
| Asset enrichment with security context | ✓ | ✓ | ✓ | ✓ |
| Blast radius mapping with asset graph | ✓ | ✓ | ✓ | ✓ |
| Built-in automation and policy enforcement | ✓ | ✓ | ✓ | ✓ |
| External attack surface discovery | ✓ | ✓ | ✓ | ✓ |
| Vulnerability and policy scanning | - | ✓ | ✓ | ✓ |
| Dynamic asset tagging with criticality rating | - | ✓ | ✓ | ✓ |
| Threat-aware active risk score | ✓ | ✓ | ✓ | ✓ |
| Customizable live dashboards and reporting | - | ✓ | ✓ | ✓ |
| Remediation Hub | ✓ | ✓ | ✓ | ✓ |
| Bulk data export API | - | ✓ | ✓ | ✓ |
| Security orchestration, automation, and response (SOAR) | ✓ | ✓ | ✓ | ✓ |
| 100s of out-of-the-box compliance policies and industry standards | - | ✓ | ✓ | ✓ |
| Hosted and container vulnerability assessment | - | - | ✓ | ✓ |
| Best practices configuration assessment, including CIS | - | ✓ | ✓ | ✓ |
| Multi-cloud visibility across AWS, Azure, GCP, and Kubernetes | - | - | ✓¹ | ✓ |
| Cloud hosted and container vulnerability assessment | - | - | ✓ | ✓ |
| Best practices cloud configuration assessment, including CIS | - | - | ✓ | ✓ |
| Contextual risk prioritization | - | - | ✓ | ✓ |
| Attack path analysis | - | - | ✓ | ✓ |
| Notifications and integrations | - | - | ✓ | ✓ |
| Extended Cloud Visibility (Oracle Cloud Infrastructure and Alibaba Cloud) | - | - | - | ✓ |
| Infrastructure as Code (IaC) scanning | - | - | - | ✓ |
| Cloud threat detection | - | - | - | ✓ |
| Real-time cloud visibility with event-driven harvesting (EDH) | - | - | - | ✓ |
| Automated cloud remediation | - | - | - | ✓ |
| Dynamic Application Security Testing (DAST) | - | - | - | ✓ |
| 100s of out-of-the-box cloud compliance policies and industry standards | - | - | - | ✓ |
The Exposure Command Advanced package visibility
The Exposure Command Advanced package visibility is limited to resource types that are associated with supported Compliance Packs.
Supported Compliance Packs:
- AWS Foundational Security Best Practices
- CIS - AWS
- CIS - Azure
- CIS - GCP
- CIS - Kubernetes
Supported resource types:
| Resource Type | AWS Type | Azure Type | GCP Type | Kubernetes Type |
|---|---|---|---|---|
| Access List | NACL/Security Group | Network Security Group | Network Firewall | |
| Access List Flow Log | NSG Flow Logs | |||
| Access List Rule | NACL/Security Group Rules | Security Rules | Firewall Rules | |
| API Access Key | IAM User Access Key | Application Credentials | Service Account Key | |
| API Accounting Config | CloudTrail | Logs Storage | ||
| App Configuration | App Configuration | |||
| Automation Account | Automation Account | |||
| Autoscaling Group | Autoscaling Group | Virtual Machine Scale Sets | Autoscalers | |
| Batch Environment | Batch Compute Environment | Batch Account | ||
| Big Data Instance | Redshift | |||
| Big Data Workspace | Synapse | |||
| Bot Service | Bot Service | |||
| Cache Instance | ElastiCache | Redis Cache | Memorystore | |
| Cloud Account | Cloud Account | Subscription | Project | |
| Cloud Access Point | S3 Access Point | |||
| Cloud App | App Registration | |||
| Cloud Credentials | API Keys | |||
| Cloud Dataset | Big Query Dataset | |||
| Cloud Group | IAM Group | Azure Active Directory Group | Group | |
| Cloud Policy | IAM Policy (Customer Managed) | Role Definition | Role Permission Set | |
| Cloud Region | Region | Region | Region | |
| Cloud Role | IAM Role | Azure Active Directory Service Principal | Service Account | |
| Cloud User | IAM User | Azure Active Directory User | User | |
| Clusters | EKS/ECS/Fargate Cluster | Kubernetes Service | GKE | |
| Cognitive Search | Cognitive Search | |||
| Cold Storage | Glacier | |||
| Container Registry | Container Registry (ECR) | Container Registry | Container Registry | |
| Content Delivery Network | CloudFront | CDN Profile, Front Door (Standard/Premium) | Cloud CDN | |
| Control Plane | Control Plane | |||
| Database | SQL Database/Dedicated SQL Pool | Cloud SQL Database | ||
| Database Cluster | RDS Aurora, Neptune, DocumentDB | |||
| Database Instance | RDS Database, Neptune, DocumentDB | SQL Server, Azure Database for PostgreSQL/MySQL/MariaDB | Cloud SQL | |
| Databricks Workspace | Databricks Workspace | |||
| Data Factory | Data Factory | Data Fusion | ||
| Data Stream | Kinesis | Event Hub Namespace | ||
| Dataflow Job | Dataflow Job | |||
| Delivery Stream | Firehose | |||
| Directory Service | Directory Service | |||
| Distributed Table | DynamoDB | Azure Cosmos DB | ||
| Distributed Table Cluster | DynamoDB Accelerator (DAX) | Bigtable | ||
| DLP Job | DLP Inspection Job | |||
| DNS Zone | Route53 DNS Zone | DNS Zone | DNS Zone | |
| Elasticsearch Instance | OpenSearch | |||
| Encryption Key | KMS | Key Vault Key | Cloud KMS CryptoKey | |
| Encryption Key Vault | Key Vault | Cloud KMS Keyring | ||
| Event Grid Topic | Event Grid Topic | |||
| Global Load Balancer | Global Accelerator | Front Door (Classic) | ||
| GraphQL API | AppSync API | |||
| Instance | EC2 Instance | Virtual Machine | Compute Engine | |
| Load Balancer | Load Balancer (ELB/ALB/NLB/Gateway) | Load Balancer/Application Gateway | Load Balancer | |
| Log Group | CloudWatch Log Group | |||
| Logic App | Logic App | |||
| Machine Learning Instance | Sagemaker Notebook | AI Platform Notebook | ||
| MapReduce Cluster | Elastic MapReduce (EMR) | HDInsightCluster | Dataproc | |
| Message Queue | Simple Queue Service (SQS) | Service Bus Queue | ||
| Network | VPC | Virtual Network | VPC | |
| Network Peer | VPC Peer | Peerings | Network Peer | |
| Pods | Pod | |||
| Private Subnet | VPC Subnet | Subnet | Subnetwork | |
| Secret | Secret | Secret | Secret | Secret |
| Serverless Function | Lambda | Function | Cloud Function | |
| Shared File System | EFS/FSx | File Share | Cloud Filestore | |
| SSL Certificate | IAM/ACM SSL Certificate | SSL Certificate | SSL Certificate | |
| Storage Account | Storage Account | |||
| Storage Container | S3 Bucket | Blog Storage Container | Cloud Storage | |
| Stream Instance | MSK Instance | |||
| Task Definitions | Task Definition (ECS) | |||
| Volume | EBS Volume | Disk | Persistent Disk | |
| Web App | Elastic Beanstalk Environment | App Service | ||
| Web Application Firewall | Web Application Firewall | Web Application Firewall Policies | Cloud Armor | |
| Workspace | Workspace Instances |