How Rapid7 is bringing Cyber GRC closer to security operations

Sabeen Malik is VP, Global Government Affairs and Public Policy at Rapid7.

Security teams need a better way to connect what they detect, what they fix, and what they can prove.

The pace of modern security operations no longer works in defenders’ favor. IBM’s Cost of a Data Breach Report 2025 found that the mean time to identify and contain a breach is now 241 days, even as AI and automation help defenders move faster. At the same time, Rapid7’s 2026 Global Threat Landscape Report shows how quickly attacker behavior is compressing the response window: exploited high and critical severity vulnerabilities more than doubled year over year, increasing 105% from 71 in 2024 to 146 in 2025, while the median time from publication to CISA KEV inclusion fell from 8.5 days to 5.0 days. This is not a future risk. It is today’s operational reality.

It also exposes a governance problem most security programs were not built to solve. Security teams are expected to demonstrate, continuously, that controls are working, that risk is being reduced, and that security investments are delivering measurable outcomes. Point-in-time audit evidence, assembled quarterly, is structurally incompatible with an environment where the threat picture changes in minutes.

The underlying issue is not a lack of effort, but a disconnect. Security data lives in one place, remediation happens in another, and evidence for auditors is assembled somewhere else. When leadership asks what changed, what was fixed, and what risk remains, teams are left stitching the story together manually, producing reports that reflect where the organization was, not where it is.

Cyber GRC closes that gap by bringing governance, risk management, and compliance closer to the security data and workflows teams already rely on.

Why security operations and compliance need connected data

For years, security operations and GRC have run in parallel. One team manages threats, exposures, and remediation. Another manages policies, controls, audits, and evidence. Both aim to reduce risk, but typically without shared context or shared data.

That separation is no longer sustainable. Vulnerability exploitation rose 34% year-over-year and now accounts for 20% of all breaches, with a median of zero days between critical vulnerability publication and mass exploitation (Verizon DBIR 2025). Supply chain breaches doubled, now representing 30% of all incidents. Ransomware appeared in 44% of breaches – up 37% from the prior year.

Security leaders operating in this environment face an expectation that compliance teams were not designed to meet alone: continuous proof that controls are effective against adversaries who operate at machine speed. When AI agents can autonomously chain every phase of an attack with minimal human oversight, a quarterly audit cycle is not an assurance, but a historical record.

Why Cyber GRC matters now

Boards are no longer satisfied with compliance status reports. They want dollarized risk scenarios and evidence that remediation is actually reducing exposure – not just that it was attempted.

Two pressures are converging. First, environmental complexity: modern infrastructure spans cloud, SaaS, remote endpoints, OT systems, and third-party providers. The perimeter is everywhere, and so is the attack surface. Second, regulatory expectation: SEC, NIS2, DORA, and CMMC now require demonstrable control effectiveness, not just documented policies. Both pressures demand a model that brings security activity, compliance readiness, and accountability into the same view.

What Cyber GRC changes for security and compliance teams

Cyber GRC changes how organizations use security data. Instead of disconnected, point-in-time artifacts, it enables teams to build governance and compliance workflows directly on top of real security telemetry – so evidence reflects the current state of the environment, not a snapshot assembled weeks before an audit.

In practice, this means connecting findings, controls, remediation activity, and evidence so teams can see what issues exist, who owns the response, how remediation is progressing, and what that means for overall readiness. This also helps address the compliance-theater problem directly: many programs are designed to pass audits rather than reduce actual exposure, creating false confidence and misallocated resources. Grounding compliance evidence in live security telemetry – rather than manual documentation – means teams can tell the difference between controls that are configured and controls that are working.

How connected security data strengthens compliance

Compliance has historically been treated as a separate process that happens alongside security operations. In practice, it depends on the same data. The telemetry that surfaces a critical finding also determines whether a control is operating effectively.

When evidence is generated directly from operational systems, teams spend less time assembling reports and more time improving controls. Continuous monitoring for control drift allows organizations to move from reactive audit preparation toward a consistent assurance model. Third-party risk – now a source of 30% of all breaches – benefits particularly, since continuous TPRM monitoring surfaces supply chain exposure in real time rather than at the next assessment cycle.

How Rapid7 Cyber GRC builds on existing security workflows

This shift does not require rebuilding security programs from the ground up. With the launch of Rapid7 Cyber GRC, customers can use the security data and workflows already connected through the Command Platform to support audits, assessments, and ongoing control validation. Capabilities such as HITRUST E1 control coverage provide continuous monitoring and automated evidence collection, while features like audit-ready user access exports and unified policy data reduce manual effort across SOC 2, NIST CSF, PAI, and other common frameworks.

When NIST CSF 2.0, MITRE ATT&CK, and FAIR-based risk quantification inform the evidence model rather than just the policy library, compliance becomes a byproduct of strong security operations – not a parallel burden.

Rapid7 is launching Cyber GRC to connect security operations, risk, and compliance

Organizations do not need more disconnected processes for managing risk. They need a way to connect what they detect, what they fix, and what they can prove – in a way that stands up to regulatory scrutiny and board-level oversight, and keeps pace with adversaries who operate at AI speed.

That is why Rapid7 is launching Cyber GRC: to help customers bring security operations, governance, and compliance into a single, continuous view so teams can reduce risk, improve readiness, and demonstrate progress with confidence.

For current clients, reach out to your account team to get early access to Rapid7's Cyber GRC solution and help shape what comes next.

Sources: IBM Cost of a Data Breach Report 2025 | Rapid7’s 2026 Global Threat Landscape Report | Verizon DBIR 2025