Cloud adoption has fundamentally reshaped security operations, bringing flexibility and scalability, but also complexity. In this session from the Take Command 2025 Virtual Cybersecurity Summit, Rapid7’s product leaders discussed how today’s SOC and MDR capabilities must evolve to keep up. Hosted by Ellis Fincham, the panel featured Dan Martin and Tyler Terenzoni, who shared real-world insights on what cloud detection and response truly requires, what CNAPP can and can’t solve, and how to bridge the growing gap between alerts and actionable context.
The cloud has changed the rules
Traditional SOC tooling often struggles to keep up with cloud-native architectures. Dan Martin opened the discussion by highlighting a key shift:
“Detection doesn’t start at the endpoint anymore. It starts with understanding your architecture.”
The panel emphasized that while cloud offers flexibility and scale, it also introduces operational complexity. From short-lived containers to decentralized ownership, cloud environments require a different approach.
Visibility is the starting point
Tyler Terenzoni spoke to the importance of understanding what’s running and who owns it:
“There’s always a disconnect between what engineering thinks is in the environment and what security actually sees.”
He noted that cloud visibility isn’t just about logs, but also understanding user behavior, policy changes, and asset configuration in near real-time. Without this, SOC teams are often reacting to alerts without enough context.
This issue was reflected in the post-event survey, where 35% of respondents listed lack of visibility across the environment as a primary challenge in their threat detection efforts.
CNAPP isn’t the answer - but it helps
The panel clarified that Cloud-Native Application Protection Platforms (CNAPPs) are useful, but not a complete solution. According to Dan Martin:
“CNAPP is great for giving you coverage, but it doesn’t give you the operational context your SOC needs.”
Integrating CNAPP data into SIEM, XDR, and MDR platforms enables richer investigations and tighter correlation across sources.
The shift from alerts to contextual action
Rather than focusing on the volume of alerts, the speakers urged security leaders to ask: can we act on this alert quickly and with confidence?
Dan Martin shared:
“It’s not about reducing alerts, it’s about giving your analysts the context to know what matters and what to do about it.”
Tyler Terenzoni added that turning alerts into action requires better integrations and unified telemetry. Without that foundation, even advanced detections can lead to noise and inefficiency.
AI will play a role, but not alone
While the session didn’t center on AI, the panel acknowledged its growing role in detection workflows. Dan Martin noted:
“AI helps with triage and correlation, but your success still depends on how well your tools talk to each other.”
The emphasis was on automation that supports analysts, not replaces them, especially in cloud environments where missteps can be costly.
Watch the full session on demand
If your team is looking to strengthen cloud detection, improve response times, or better align MDR with cloud operations, this session offers real-world insights and practical guidance.
At Rapid7, we’re pushing the boundaries on what a cybersecurity company can be as we work to build a more secure digital future. In a field where the threat landscape continues to evolve, continuous learning and the development of our people becomes an engine for company success and innovation. With more than a dozen offices around the world, Rapid7’s culture provides a foundation where people can grow their skills and progress in their careers, while driving meaningful impact to the business.
We sat down with three Rapid7 team members from different departments, and across our global offices, and invited them to share more about their own career growth and development. Through the experiences of Vladislav Pavlovski, Manager, Website Development, Courtney Cronin, Account Executive, Commercial, and Daniel McGreevy, Senior Technical Support Engineer, we see a consistent emphasis on teamwork, support from managers, and recognition to fuel career trajectories for Rapid7 employees around the world.
How Rapid7 Managers Support Career Growth
A prominent aspect of Rapid7's culture is the accessibility of leaders and the strong mentorship opportunities available. When stepping into a leadership role to relaunch the company website, Vladislav Pavlovski highlighted how his director, Victoria Krichevsky, helped him balance development work with coordination responsibilities.
"Her feedback helped me realize that I didn’t have to do everything myself — that success meant enabling others as well,”
Vladislav said.
“Her support helped me connect the dots between day-to-day execution and long-term vision and made a big difference in how confident I felt navigating this new territory."
This exemplifies how leaders at Rapid7 provide guidance and support that go beyond task management, focusing on broader growth.
“When I eventually moved into the Website Development Manager role, it was not only the result of the work I put in, but also the outcome of having strong, intentional support from someone who believed in the direction we were heading. That experience really shaped how I think about leadership and mentorship today,”
he said.
For Courtney, her manager also played a direct role in helping her prepare for a promotion opportunity from Sales Development Representative to Account Executive.
“I had the opportunity to meet with each of the Commercial Sales Managers to sharpen my skills as a future AE. We focused on roleplays, reviewed enablement on our products and services, introduced negotiation strategies, and refined my presentation skills. That level of investment in my development from both my current manager and the team I was looking to grow into made a huge impact, and I’m grateful for how collaborative and encouraging the team was during that transition.”
Courtney also shared how she values learning from her manager’s career growth as a woman in sales.
“I take full advantage of having a manager who started in the same role, especially as a woman in sales,”
she said.
“She understands the challenges firsthand and has been a huge influence in building my confidence. I make the most of her experience by asking for advice, learning how she navigated similar situations, and applying those lessons to my growth. Her journey and success show me what’s possible to achieve here at Rapid7, and I’m grateful to have her as both a mentor and a role model!”
Vladislav also noted,
"Leaders are accessible, and there’s a real openness to ideas from any level. It’s not about titles — it’s about potential and contribution."
This approach makes employees feel valued and encourages them to take ownership of their development.
Collaboration as a Catalyst for Growth
In addition to support from leaders, Rapid7 works to create an environment where employees can seek encouragement and guidance from peers and cross-functional partners when faced with challenges.
Daniel McGreevy started at Rapid7 as an apprentice and leveraged the expertise of his colleagues to grow his own capabilities and progress through his career.
“Working with our Technical Support experts across multiple products, and getting feedback from Support Engineers helped improve enablement across Global Support and really impacted how I approach solving complex challenges,”
he said.
Additionally, he shared how collaboration with product management and engineering teams impacts product releases and ensures support is ready and equipped to assist customers effectively.
“By collaborating with different teams across the business, we’re able to improve how we service our customers while gaining additional context on the business, our products, and the goals and objectives of each of the teams we partner with and how it contributes to our bigger company initiatives.”
Incorporating this holistic view has played a role in Daniel’s progression into a Senior Technical Support Engineer.
For Vladislav, leading the launch of a new website was a significant career milestone, but what he says he’s even more proud of is the collaboration and partnership between various teams to get it over the finish line.
“The website launch was a huge project with high visibility and complex cross-functional alignment,”
he said.
“We created a space where everyone felt safe to contribute, ask for help, experiment, and make mistakes. We built trust between team members, and when people are not afraid to challenge ideas and share concerns, that openness drives better outcomes for everyone.”
Career Opportunities at Rapid7
The stories of Vladislav, Courtney, and Daniel paint a vivid picture of career growth and development at Rapid7. From accessible leadership and structured support to recognition and empowerment, Rapid7 fosters an environment where employees can thrive.
As India's economy rapidly digitizes, cybersecurity challenges are becoming increasingly complex. This May, Rapid7 launched our inaugural Global Security Day series across India, bringing together top security leaders in Mumbai, Delhi, and Bengaluru to address the most pressing cyber threats facing organizations in 2025.
Key insights that emerged
Across all three cities, several critical themes emerged that are shaping India's cybersecurity landscape:
AI is No Longer Optional: Organizations recognize that AI has become essential for threat detection, exposure management, and SOC operations. The question is no longer whether to adopt AI, but how to implement it effectively.
Attack Surface Explosion: Cloud misconfigurations, insecure APIs, and identity misuse are driving today's biggest risks. Organizations are struggling to maintain visibility and control across increasingly complex environments.
SOC Modernization is Urgent: Traditional Security Operations Centers need fundamental transformation, with automation and AI at their core to handle the volume of modern threats.
Talent Gap Challenges: Upskilling and reskilling initiatives are critical to closing the cybersecurity talent gap that's affecting organizations globally, but particularly acutely in India's booming tech sector.
Regulatory Evolution: India's evolving cybersecurity regulatory landscape is shaping how organizations approach their security investments and strategy development.
A journey across India's cyber capital cities
Our three-city roadshow, organized in collaboration with Information Security Media Group (ISMG), focused on the theme "2025 Cyber Threat Predictions: AI-Driven Attacks, Ransomware Evolution, and Expanding Attack Surface." The response from India's cybersecurity community was overwhelming, with 138 security leaders and delegates participating across all three cities.
Launching with impact in Mumbai (May 8)
Our Mumbai kickoff set the tone for the entire series, drawing 43 security leaders eager to dive into critical cybersecurity challenges. Rob Dooley, General Manager APJ, welcomed attendees before Regional CTO Robin Long delivered comprehensive insights on:
Global and Asia-Pacific threat landscape trends
The evolution of ransomware from double extortion to hybrid attacks
Expanding attack surfaces driven by cloud misconfigurations and insecure APIs
The highlight was our fireside chat featuring Starlin Ponpandy, CISO of Orion Systems and Rapid7 customer, discussing ‘Building a New-Age SOC: Practical Applications of AI’. The conversation explored choosing the right SOC model, building effective teams, and navigating the complexities of AI trust and explainability.
The main focus of the Q&A was the evolving cyber threat landscape and how organizations can prepare for 2025's AI-driven, increasingly complex attack environment.
The conversation was dominated by leaders sharing insights on the rise of AI-powered threats, the shift in ransomware tactics to double and hybrid extortion and the urgent need for proactive threat exposure management. Rapid7's emphasis on real-time, AI-enabled defenses and automated risk management strategies sparked strong engagement.
Strategic dialogue in Delhi (May 13)
Our Delhi event brought together 43 delegates for candid, strategic discussions about 2025's top cyber threats. Security leaders engaged in deep conversations about AI-powered detection and defense, proactive exposure management, and building resilient SOCs with automation.
The panel discussion on ‘Building a New-Age SOC’ addressed critical challenges including the cybersecurity talent gap and integrating security into DevOps workflows. It was a thought-provoking conversation that also examined identity-centric security models and the shift from traditional SOCs to Managed Detection and Response solutions.
Attendees posed incisive questions about upskilling teams in an AI-driven environment, managing tool sprawl, and operationalizing security by design - highlighting the sophisticated thinking of India's cybersecurity leadership.
Tactical discussions in India’s Silicon Valley - Bengaluru (May 15)
Our Bengaluru finale drew the largest crowd with 52 delegates, including CISOs and cybersecurity executives from across South India. The discussions were highly tactical, focusing on:
Modernizing SOCs through AI-led threat detection
Countering double and triple extortion ransomware
Risk automation and secure cloud transformation
Veteran industry speaker Satish Kumar Dwibhashi joined Robin Long for discussions that reinforced a clear theme: security strategy must evolve in lockstep with attacker innovation.
Building for the future
The success of our India Security Days reflects not just the hunger for cybersecurity knowledge in the region, but also Rapid7's commitment to supporting India's digital transformation journey. We're excited to announce that we're expanding our presence with a Global Capability Center (GCC) in Pune, which will serve as a hub for innovation and home to teams across engineering, business support, and our Security Operations Center (SOC).
This initiative represents more than just business expansion - it's about building cybersecurity capability and expertise right here in India that will shape a secure digital future for organizations around the world.
The road ahead
The conversations, connections, and insights from our India Security Days have reinforced our belief that India's cybersecurity community is among the most forward-thinking globally. The challenges are significant - from AI-powered attacks to evolving ransomware tactics - but so is the talent, innovation, and determination to address them.
As we look toward 2025 and beyond, events like these remind us that cybersecurity is ultimately about people: the security leaders making tough decisions, the practitioners implementing defenses, and the communities sharing knowledge and supporting each other.
Thank you to all the security leaders who joined us in Mumbai, Delhi, and Bengaluru. Your engagement, questions, and insights made these events truly impactful. We look forward to continuing these conversations and supporting India's cybersecurity community as we navigate the challenges and opportunities ahead.
In the ever-evolving landscape of cyber threat actors, the lines between ideologically driven hacktivism and financially motivated cybercriminals have become increasingly blurred. Originally fueled by political, social, or ethical causes, hacktivist groups have historically engaged in digital protest through website defacements, data leaks, and distributed denial of service (DDoS) attacks.
However, in recent years, a noticeable trend has emerged. Some hacktivist groups are evolving into ransomware operations and even becoming ransomware affiliates. This transformation is driven by a mix of ideological fatigue, opportunity for financial gain, access to sophisticated tools, and the growing profitability of extortion-based attacks. The result is a new hybrid threat actor—one that merges the disruptive zeal of hacktivism with the ruthless efficiency of cybercrime.
Understanding this shift is crucial for defenders, as it represents a convergence of motives that complicates attribution, response, and mitigation strategies. To this end, we have examined three prominent examples of relevant threat actors, namely FunkSec, KillSec, and GhostSec, identifying the drivers behind their transition to financially motivated campaigns and exploring the shift in their modus operandi.
Threat actor analysis
FunkSec
The FunkSec ransomware group emerged within the cybercrime ecosystem as a rising star in December 2024. The ransomware-as-a-service (RaaS) group has claimed at least 172 victims to date. The group proudly promotes itself as an AI-driven ransomware group, with their encryptor, FunkLocker, and some of the malware’s source code allegedly generated using generative AI tools.
The group targets organizations from various sectors and regions, such as government, education, automotive, energy, IT, and manufacturing, located in countries like the United States, Israel, France, Italy, Germany, India, and Australia.
FunkSec started as a politically motivated hacking (hacktivist) group, specifically interested in targeting the United States (Figure 1). The group was known to be aligned with the “Free Palestine” movement (Figure 2), and associated itself with other hacktivist groups, such as Ghost Algeria and Cyb3r Fl00d. Among its affiliates are Scorpion (AKA DesertStorm, a suspected Algeria-based hacker), El_farado, XTN, Blako, and Bjorka (an alleged Indonesian hacktivist). In its early days, the group offered tools commonly associated with hacktivist activities, including services for DDoS and defacement attacks.
Figure 1 - FunkSec’s activities as a hacktivist
Figure 2 - FunkSec’s statement against the USA and Israel
At some point, the group transitioned its focus from politically motivated attacks to a RaaS model, offering customizable tools to its affiliates. Its victimology also changed from government entities to organizations across various sectors, such as education, technology, telecommunications, and agriculture (Figure 3).
Figure 3 - FunkSec’s latest active DLS
FunkSec’s reliance on relatively simple malware development using AI-based tools also explains the group’s fast transition from targeted hacktivism campaigns to broader, financially motivated activities, with a large number of victims in a short period of time (Figure 4).
Figure 4 - FunkSec’s victims on their DLS
The group’s transition has also been referenced on a Russian-speaking dark web forum, where the author mentioned a cybersecurity vendor’s article on FunkSec (Figure 5).
Figure 5 - FunkSec’s transition being referenced on a Russian-speaking dark web forum
KillSec
The KillSec hacktivist group (AKA Kill Security) has been active since at least 2021. The Russia-aligned group targets organizations from various sectors, such as government, finance, transportation, electronics, manufacturing, travel and recreation, retail, and consumer services, located in countries like India, Bangladesh, Romania, Poland, and Brazil. The group considers itself a “prominent hacktivist group operating in the cyber realm, with a focus on both disruption and digital activism."
KillSec initially emerged as a hacktivist group aligned with the Anonymous collective, with its operations primarily including DDoS attacks and website defacements, before pivoting to ransomware operations in October 2023. KillSec’s ransomware variants, namely KillSecurity 2.0 and KillSecurity 3.0, are designed to encrypt files and demand ransom payments for decryption.
In June 2024, KillSec introduced a RaaS operation, advertising a locker for Windows environments written in C++ and a dashboard, enabling affiliates to observe detailed statistics, conduct chat communications, and customize ransomware configurations using a builder tool. In November 2024, the group launched an additional locker for ESXi environments, expanding the breadth of its operations (Figure 6).
Figure 6 - KillSec launches locker for ESXi environments
The group’s shift is aligned with the overall proliferation of RaaS programs, enabling less technically skilled individuals to conduct ransomware attacks with relative ease in exchange for a fee. The group has been advertising its RaaS offering in an attempt to attract cybercriminals and further broaden its affiliate network (Figure 7).
Figure 7 - KillSec looking for affiliates
Although in certain incidents KillSec relied solely on stolen data to extort victims, the group appears to adopt mainly double extortion tactics: exfiltrating data in addition to encrypting it, then demanding a ransom payment to prevent the data from being leaked. The group operates an active dedicated leak site (DLS) to which it uploads the data of victims who refuse to pay the ransom. The group also uses its DLS to advertise its services, which include penetration testing, data gathering, and its RaaS program (Figure 8).
Figure 8 - KillSec’s services
It should be noted that KillSec’s DLS also features a “For Sale” section, offering data allegedly exfiltrated from the targeted companies for sale, with the prices ranging between $5,000 and $350,000 (Figure 9). The group likely introduced this section in an attempt to further monetize the exfiltrated data. This offering of stolen data and additional services further suggests the financially motivated nature of the group’s activity.
Figure 9 - “For Sale” section on KillSec’s DLS
GhostSec
The GhostSec hacktivist group (AKA Ghost Security, GhostSecMafia, and GSM) has been active since at least 2015. The Anonymous-affiliated group gained prominence with the #OpIsis and #OpParis campaigns, in which various hacktivist groups took down thousands of ISIS websites and social media accounts using defacement and DDoS attacks. Since then, GhostSec has participated in campaigns, such as #OpLebanon, #OpNigeria, #OpMyanmar, #OpEcuador, and #OpColombia. The group has also continuously launched cyberattacks on Israel in response to alleged war crimes, primarily defacing their websites to spread “Free Palestine” messages.
GhostSec’s shift towards financially motivated operations overlaps with the group’s collaboration with cybercriminals. In July 2023, GhostSec announced that they formed a partnership with the Stormous ransomware group to target organizations in Cuba (Figure 10). Following this announcement, Stormous and GhostSec jointly claimed extortion attacks against three Cuban government ministries, and GhostSec also expressed the potential for future joint operations against other countries. In August 2023, GhostSec, together with ThreatSec, Stormous, Blackforums, and SiegedSec, collectively formed a unified collective, naming themselves “The Five Families” (Figure 11). This collective attempted to extort the presidential website of Cuba and the Brazilian organization Alfa Comercial.
Figure 10 - Announcement of the alliance between GhostSec and Stormous on their Telegram channel
Figure 11 - Announcement of the “Five Families” formation on their Telegram channel
GhostSec solidified its presence in the cybercriminal ecosystem with the launch of its RaaS program “GhostLocker” in October 2023, which was shortly followed by the release of its infostealer tool, GhostStealer (Figure 12). In January 2024, the updated “REWRITE” (aka GhostLocker 2.0) version of GhostLocker was released, with a fully featured management panel allowing affiliates to track campaigns and payouts. The threat actor promoted its malware-as-a-service (MaaS) tools heavily on its Telegram channels, demonstrating its intention to attract affiliates and, in turn, maximize its profits.
Figure 12 - GhostLocker’s release announcement
On May 15, 2024, GhostSec announced its retirement from cybercriminal activities and its return to hacktivism. The group stated that it reached this decision after having obtained enough funding to support its hacktivist operations. GhostSec further mentioned that Stormous would remain in charge of the management and operation of GhostLocker (Figure 13).
Figure 13 - GhostSec’s retirement from cybercriminal activities
It should be noted that Stormous seemingly had already incorporated GhostLocker into its operations, even before GhostSec’s retirement. As of May 2025, the group is still active and operates the Stormous RaaS program, which appears to be a continuation of GhostLocker. This development signifies the mutual assistance and influence among united threat groups, as collectives like the Five Families allow them to maximize the impact and breadth of their operations by sharing resources, audience, and knowledge.
Two sides of the same coin?
This analysis shows that the threat actors in scope, FunkSec, KillSec, and GhostSec, have followed a similar trajectory, pivoting from politically motivated, disruptive campaigns to financial extortion. This transition is likely facilitated by the public availability of leaked ransomware builders, such as LockBit 3.0, which threat actors can leverage to develop their payloads.
The groups specifically appear to have adopted double extortion tactics, exfiltrating data from their victims and then encrypting it, in an attempt to pressure them to comply with their ransom demands. However, despite their seeming ability to conduct ransomware operations, these groups appear to lack the level of sophistication and specialization that characterize top-tier cybercriminal groups, such as Cl0p and LockBit, which are mentioned in the Rapid7 Q1 2025 ransomware report.
Interestingly enough, all three groups embraced RaaS as their business model while pivoting towards cybercrime. This evolution is aligned with the overall current status of the ransomware ecosystem, as RaaS programs have become increasingly more common. Such programs, demonstrating the financial nature of their activities, enable threat actors to maximize their profits by allowing affiliates to use their ransomware kit for a fee and a percentage of the collected ransom.
This transition of FunkSec, KillSec, and GhostSec has also affected and amplified the victimology of their operations. While these groups once operated as hacktivists that primarily targeted government entities, their scope of activities broadened significantly as they shifted to ransomware attacks. Along this process, their attacks shifted from targeted to opportunistic, against organizations of different sizes, operating in diverse sectors and geographies, that could be relatively easily compromised.
While all of these groups follow the same pattern, shifting from hacktivism to cybercrime and specifically to financially motivated RaaS operations, the reason behind this transition remains unclear. GhostSec is the exception: according to its exit message, it appears to have embraced cybercrime in an attempt to gather funding for its hacktivist operations. It should be noted that other threat actors, such as CyberVolk, have also launched RaaS programs to fund their operations, but such efforts remain scarce.
Finally, other hacktivist groups, such as Ikaruz Red Team and their affiliates, also operate ransomware, but they do so to cause disruption and make political statements. Thus, the scope of their operations differs from financial gain and is not comparable to that of the groups included in this analysis.
Conclusion
The evolution of FunkSec, KillSec, and GhostSec from hacktivist collectives to RaaS operations highlights a recent shift in the motivations driving cybercriminal behavior. Initially, these groups were propelled by political and ideological aims, targeting governments and organizations in alignment with their perceived causes. Over time, however, their focus has clearly shifted towards financial gain, as evidenced by their adoption of RaaS models that prioritize profit over ideology. As cybercriminals adapt to “market demands,” it becomes clear that financial motivation has come to dominate their activities, leaving behind the ideological roots of their earlier campaigns.
IP addresses: 82[.]147[.]84[.]98, 77[.]91[.]77[.]187, 93[.]123[.]39[.]65
Rapid7 customers
InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to the FunkSec, KillSec, and GhostSec ransomware activity. We will also continue to iterate detections as new variants emerge, giving customers continuous detection without manual tuning:
Suspicious Process - Malicious Hash On Asset
While this specific detection directly covers malicious binaries linked to ransomware operations, customers also benefit from a comprehensive suite of detections that alert on post-exploitation behavior often observed prior to ransomware deployment. These include detections for lateral movement, privilege escalation, and suspicious persistence mechanisms, providing layered defense even when the specific ransomware payload is novel or obfuscated.
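As an added example, not part of the Rapid7 report or its detection library, the Python below refangs the three IP indicators listed above and scans constructed firewall log lines for connections to or from them, the kind of retrospective check a SOC would run alongside hash-based detections. The log format, hostname and private-network addresses are assumptions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# The three IP addresses quoted in the report above, in their defanged form.
# Bracketed dots stop chat clients and tooling from auto-linking or resolving them.
DEFANGED_IOCS = [
    "82[.]147[.]84[.]98",
    "77[.]91[.]77[.]187",
    "93[.]123[.]39[.]65",
]


def refang(indicator: str) -> str:
    """Return the literal form of a defanged indicator ("[.]" -> ".", "hxxp" -> "http")."""
    value = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def load_ip_iocs(indicators: Iterable[str]) -> Set[ipaddress._BaseAddress]:
    """Refang the indicators and keep only the ones that parse as IP addresses.

    Parsing with ipaddress (rather than comparing strings) means a stray
    leading zero or an IPv6 indicator cannot silently miss a match.
    """
    iocs: Set[ipaddress._BaseAddress] = set()
    for raw in indicators:
        try:
            iocs.add(ipaddress.ip_address(refang(raw)))
        except ValueError:
            # Not an IP address (e.g. a domain or hash); skip it here.
            continue
    return iocs


# Constructed sample firewall log lines (assumed key=value format, not taken
# from the report). 10.0.0.0/8 hosts stand in for internal assets and
# 198.51.100.7 is a documentation address used as benign traffic.
SAMPLE_LOGS = [
    "2025-05-20T10:01:12Z fw01 action=allow src=10.0.5.23 dst=77.91.77.187 dport=443 proto=tcp",
    "2025-05-20T10:01:13Z fw01 action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp",
    "2025-05-20T10:02:40Z fw01 action=deny src=93.123.39.65 dst=10.0.1.9 dport=3389 proto=tcp",
    "2025-05-20T10:03:01Z fw01 action=allow src=10.0.7.4 dst=82.147.84.98 dport=8080 proto=tcp",
    "2025-05-20T10:03:02Z fw01 heartbeat ok",  # malformed/irrelevant line, must be skipped
]

# Extract the fields we need; anything that does not match is ignored.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def find_ioc_hits(lines: Iterable[str], iocs: Set[ipaddress._BaseAddress]) -> List[Dict[str, object]]:
    """Return one record per log line whose src or dst address is a known indicator."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        for field in ("src", "dst"):
            try:
                addr = ipaddress.ip_address(match.group(field))
            except ValueError:
                continue
            if addr in iocs:
                hits.append({
                    "line": line,
                    "field": field,          # "dst" = outbound to the IoC, "src" = inbound from it
                    "ip": str(addr),
                    "dport": int(match.group("dport")),
                })
    return hits


if __name__ == "__main__":
    known = load_ip_iocs(DEFANGED_IOCS)
    for hit in find_ioc_hits(SAMPLE_LOGS, known):
        direction = "outbound to" if hit["field"] == "dst" else "inbound from"
        print(f"{direction} {hit['ip']} on port {hit['dport']}: {hit['line']}")
```

Feeding real firewall or proxy exports through `find_ioc_hits` gives the asset, direction and port for each contact with a listed indicator, which is the context an analyst needs before escalating.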
At the Take Command 2025 Virtual Cybersecurity Summit, a standout session titled Risk Revolution brought together Rapid7 product leaders and ESG analyst Tyler Shields to unpack the evolution of exposure management — and how organizations can build more context-driven, proactive risk strategies.
Hosted by Ryan Blanchard, Senior Manager, Product Marketing at Rapid7, the panel featured:
Jane Man, Senior Director of Product Management, Rapid7
Jamie Douglas, Specialist, Rapid7
Tyler Shields, Principal Analyst, Risk and Vulnerability Management, ESG
Here are the key takeaways from the discussion, along with supporting insights from the post-event attendee survey.
From vulnerability management to exposure management
“Exposure management is the maturation of vulnerability management… It's understanding risk, business context, and prioritizing accordingly.”
Rather than focusing solely on patching, exposure management is about knowing what to fix, why it matters, and who owns it, and doing so continuously.
Visibility gaps are slowing teams down
Visibility was a central theme throughout the session. Jane Man noted:
“A lot of the customers we talk to still struggle with just identifying what they have.”
This challenge was echoed in the post-event survey, where 53% of respondents cited identifying unknown assets as the top challenge in their exposure management programs.
Tyler added:
“You can’t protect what you don’t know about. And you certainly can’t prioritize it.”
Prioritization must be contextual
Prioritization remains a major hurdle for many organizations. Jamie Douglas stressed that severity alone isn’t enough:
“You can have a critical vulnerability on a printer, but if it’s segmented and not internet-facing, is it really a priority?”
The team emphasized the importance of integrating business impact, asset criticality, exploitability, and ownership into the prioritization process.
“If you don’t tie risk to business context, you’re just chasing numbers,” Tyler noted.
It’s time to break down silos
A powerful moment in the session came when the panel discussed collaboration across functions. Jane shared:
“Security doesn’t operate in a vacuum. You need buy-in from engineering, cloud, compliance - everyone has a role in risk reduction.”
Without shared language and unified dashboards, visibility doesn’t translate into action. The speakers urged teams to build bridges with IT and DevOps to ensure findings are actually resolved, not just reported.
Survey: risk prioritization is lagging behind
In the survey, only 18% of respondents said their organizations integrate threat intelligence into exposure management “very effectively”, highlighting a clear opportunity to improve how teams prioritize risk with real-time context.
This stat reinforces the panel’s broader message: that exposure management isn’t a point-in-time project — it’s a continuous, evolving practice.
Watch the full session on demand
For a deeper dive into the frameworks, real-world examples, and exposure strategies discussed in this session, watch Risk Revolution on demand.
One of the most actionable sessions at the Take Command 2025 Virtual Cybersecurity Summit came directly from the field. In a panel hosted by Aniket Menon, VP of Product Management at Rapid7, security leaders from Cross Financial Corp, Phibro Animal Health Corporation, and Miltenyi Biotec shared how they’re evolving vulnerability management into a proactive exposure management strategy.
With real-world examples, team metrics, and shared challenges, the panel offered practical advice for teams ready to modernize their approach and reduce risk with more focus and confidence.
From VM to EM: A shift in mindset
Panelists agreed: traditional vulnerability management practices can’t keep up with today’s dynamic, hybrid environments. To stay ahead, security teams must shift toward continuous exposure assessment - building context around vulnerabilities and aligning efforts with business priorities.
As one attendee later shared in our post-event survey:
“Moving from vulnerability management to exposure management isn’t just a process change - it’s a mindset shift. It forces us to be more proactive.”
This takeaway aligns with broader findings from the summit survey, where 64% of respondents identified exposure management as a top priority for improving their detection and response strategies.
Prioritization requires business context
Volume isn’t the issue - context is. The panel emphasized that real risk reduction happens when teams align remediation priorities with asset value, exploitability, and operational relevance. That means:
Building dashboards tailored for different stakeholders
Connecting security and IT teams through shared language
Using context to elevate urgency and drive action
You can’t fix what you can’t see
Despite tool investments, many organizations still struggle with asset discovery and visibility. In fact, 53% of survey respondents said identifying unknown assets is the most challenging part of exposure management.
As Edward Chang, Senior Manager of Cybersecurity and Compliance at Phibro Animal Health Corporation, explained during the panel:
“No one has 100% visibility. But if we can improve what we see and give that context to the right teams, we’re already ahead of where we were last year.”
The session encouraged using telemetry, automation, and unified data views to close gaps across environments.
Bridging the gap between security and operations
A recurring theme across the panel was the need for collaboration between security, infrastructure, and engineering teams. Effective exposure management doesn’t just rely on the right data — it depends on the right relationships.
Security teams must be integrated into how organizations build, deploy, and operate — not treated as a separate or downstream function. Building that alignment means treating security as an enabler, not a roadblock.
Ownership, accountability, and human risk
Beyond technology, the session also addressed ownership and accountability. Security leaders must not only flag risk — they must clearly assign and communicate responsibility. As attack surfaces expand and teams diversify, the ability to coordinate across functions becomes even more critical.
Watch the full panel on demand
If you're looking to strengthen your vulnerability management program or build a more proactive exposure management strategy, this session offers a roadmap shaped by real-world experience.
The Take Command 2025 Virtual Cybersecurity Summit wasn’t just about sharing insights, it was about listening. After the live sessions wrapped, we surveyed attendees to understand where their security programs stand today, what challenges they’re facing, and what they found most valuable during the event.
Now, we’re excited to share those insights in a new downloadable infographic - The Take Command: Pulse of the Industry Survey, capturing the state of exposure management, AI adoption, MDR maturity, and more.
Here are a few standout takeaways from the survey, and where to dive deeper in the sessions on demand.
Exposure management: confidence is growing — but challenges remain
80% of respondents said they have confidence in their ability to respond to cyber risks through their exposure management program, and 60% reported successful integration of EM into their broader security workflows.
But the day-of survey showed a more nuanced reality. More than half of respondents cited “identifying unknown assets” and “monitoring third-party risk” as the top challenges in their exposure programs.
MDR adoption is strong — but visibility still needs work
58% of respondents rated their detection and response capabilities at 4 or 5 out of 5, and most teams using MDR cited a need for 24/7 monitoring and support for under-resourced teams. But 21% rated their confidence at 3 or below, indicating that making the right choice in MDR partner is critical.
Generative AI was one of the most discussed topics across the day — and for good reason. 50% of respondents said they were “very” or “extremely concerned” about adversaries using AI to enhance cyber attacks. Yet 36% of respondents say they’re not currently using Generative AI in their own security operations, citing barriers like tool integration, cost, and lack of skilled personnel.
For those navigating this space, AI in Action and Rise of the Machines both delivered practical examples of how teams are using AI responsibly to improve triage, detection, and response — while setting the necessary guardrails for safe adoption.
What attendees found most valuable
Take Command 2025 drew more than 2,200 live attendees, with on-demand views continuing to grow — and the feedback was clear: the content delivered. 67% of survey respondents rated the speakers as “Excellent”, with similarly high marks for session content and delivery.
When asked about their biggest takeaways, attendees consistently highlighted:
Exposure management and risk visibility are key
SOC operations and real-world case studies
AI’s role in transforming security strategy
The importance of “thinking like a hacker” to improve defenses
Attendees also appreciated the balance of voices, with one noting:
“Good mix of internal and external resources that knew what they were talking about and how to deliver it to a wide audience.”
Another shared:
“I didn’t think Rapid7 could improve its ability to unify information — but the new Exposure Command solution has done just that.”
From the depth of expertise to the variety of session formats, the summit resonated with attendees across roles, regions, and industries.
Explore the full infographic
Want a deeper dive into the data? Download the full Take Command: Pulse of the Industry Survey infographic to explore:
Where teams are seeing success with exposure management
How GenAI is being used (or not) across security operations
What MDR teams are prioritizing — and what’s holding them back
The biggest technical and strategic challenges security leaders face in 2025
Whether you missed the live event or want to explore specific topics in more detail, every session from Take Command 2025 is now available to watch on demand.
Rapid7 has been tracking a malware campaign that uses fake software installers disguised as popular apps like VPN and QQBrowser—to deliver Winos v4.0, a hard-to-detect malware that runs entirely in memory and gives attackers remote access.
The campaign was first spotted during a February 2025 MDR investigation. Since then, we’ve seen more samples using the same infection method—a multi-layered setup we call the Catena loader. Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos v4.0 entirely in memory, evading traditional antivirus tools.
Once installed, it quietly connects to attacker-controlled servers—mostly hosted in Hong Kong—to receive follow-up instructions or additional malware. While we’ve seen no signs of widespread targeting, the operation appears focused on Chinese-speaking environments and shows signs of careful, long-term planning by a capable threat group.
Rapid7 has deployed detections for this activity and continues to monitor for new variants. Indicators and analysis related to this campaign are available in Rapid7 Intelligence Hub.
Introduction
This blog covers a malware campaign tracked by Rapid7 that uses trojanized NSIS installers to deploy Winos v4.0, a stealthy, memory-resident stager. The first sample was flagged during a February 2025 MDR investigation. Following that case, we identified additional related samples through threat hunting and malware analysis.
All observed samples relied on NSIS installers bundled with signed decoy apps, shellcode embedded in `.ini` files, and reflective DLL injection to quietly maintain persistence and avoid detection. We refer to this full infection chain as Catena, due to its modular, chain-like structure.
The campaign has so far been active throughout 2025, showing a consistent infection chain with some tactical adjustments—pointing to a capable and adaptive threat actor.
In this report, we start with a brief recap of the February 2025 MDR incident, which was also covered by other researchers. We then focus on newer samples found later in 2025 that follow the same core infection chain but introduce changes in delivery, tooling, and evasion—highlighting how the campaign continues to evolve.
How it started: QQBrowser Installer in MDR Case
In February 2025, Rapid7’s MDR team detected suspicious activity on a customer asset involving a trojanized NSIS installer masquerading as a QQBrowser installer, `QQBrowser_Setup_x64.exe`. While the file initially appeared legitimate, further analysis revealed it delivered malware via a multi-stage, memory-resident loader chain. Upon execution, the installer created an Axialis directory under %APPDATA% and dropped several files:
`Axialis.vbs` – a VBScript launcher
`Axialis.ps1` – a PowerShell-based loader
`Axialis.dll` – a malicious DLL
`Config.ini` and `Config2.ini` – binary configuration files containing shellcode and embedded payloads
A desktop shortcut and the original QQBrowser setup binary used for deception
Upon execution, the malware follows this chain shown below.
Figure 1: QQBrowser-Based Infection Flow Observed in MDR Case
During runtime analysis, the `Axialis.dll` loader creates the mutex `VJANCAVESU` via the `CreateMutexA` API. If the mutex exists, it loads `Config2.ini`; if not, it loads `Config.ini`.
This behavior has been described by other researchers, who observed similar configuration switching logic in the DeepSeek campaigns — where the selected payload depended on the infection state. Both `.ini` files contain shellcode and embedded payload DLLs, all loaded and executed reflectively in memory.
Rapid7 analysis confirmed that the shellcode in `Config.ini` was built using the open-source sRDI loader.
Figure 2: Side-by-side comparison of shellcode from GitHub (left) and shellcode found in Config.ini (right)
The malware communicates with hardcoded command-and-control (C2) infrastructure over TCP port 18856 and HTTPS port 443.
Persistence is achieved through a combination of process monitoring and scheduled task registration. The embedded DLL in `Config.ini` created and executed `Monitor.bat`, which continuously checked for malware processes and relaunched them if terminated. To ensure persistence, the malware dropped `updated.ps1` and `PolicyManagement.xml`, which are used to register a scheduled task that re-executes the VBS loader `Decision.vbs` via `wscript.exe`.
The scheduled task executed weeks after initial compromise, suggesting long-term persistence. Interestingly, the malware includes a language check that looks for Chinese language settings on the host system. But even if the system isn’t using Chinese, the malware still executes. This suggests the check isn’t actually enforced—it could be a placeholder, an unfinished feature, or something the attackers plan to use in future versions. Either way, its presence hints at an intent to focus on Chinese-language environments, even if that logic isn’t fully implemented yet.
While infrastructure details such as C2 IPs varied (our case involved 156.251.17.243[:]18852, while the reference blog cited 27.124.40.155[:]18852), both campaigns used the same communication ports (18852 and 443), suggesting that the activity belongs to the same threat actor.
Campaign evolution
Following the initial discovery, Rapid7 continued tracking the campaign throughout early 2025. During this period, multiple incidents were observed reusing the same infection chain—abusing trojanized NSIS installers, reflective DLL loading, shellcode-embedded INI files, and staged persistence mechanisms. These variants were often disguised as legitimate software such as LetsVPN, Telegram, or Chrome installers.
However, in April 2025, we observed a tactical shift. Threat actors began modifying their approach: for instance, staging scripts like `Axialis.ps1` were dropped entirely, DLLs were invoked directly using `regsvr32.exe`, and new samples showed more efforts to evade antivirus detection. These changes suggest an evolving playbook—one that retains core infrastructure and execution logic but adapts to detection pressure and operational constraints.
Evolving tactics: LetsVPN Installer leading to Winos v4.0
The diagram below illustrates the Catena execution chain as observed in the LetsVPN variant.
Figure 4: Catena Loader: From LetsVPN Installer to Winos v4.0
The following sections break down this chain, stage by stage—from the initial installer and script logic to in-memory payload delivery and infrastructure interaction.
Our analysis started with `Lets.15.0.exe` SHA-256: 1E57AC6AD9A20CFAB1FE8EDD03107E7B63AB45CA555BA6CE68F143568884B003, a trojanized NSIS installer masquerading as a VPN setup. The installer included a decoy executable `Iatsvpn-Latest.exe` and a license file to appear legitimate. However, its true purpose was to deploy multi-stage, memory-resident malware across several directories.
Upon execution, the installer stages components in:
%LOCALAPPDATA%: first-stage loader `insttect.exe` and shellcode blob `Single.ini`
%APPDATA%\TrustAsia: second-stage payloads `Config.ini`, `Config2.ini` and loader DLL `intel.dll`
Figure 5: The extracted file structure by Lets.15.0.exe
The following sections walk through each step of this chain, starting with the NSIS installer and leading to in-memory payload execution.
Installer setup: NSIS script behavior
The `NSIS.nsi` script embedded in `Lets.15.0.exe` sets up both the fake VPN installation and the deployment of malware. It acts as the first step in the execution chain. The script starts by running a PowerShell command that adds Defender exclusions for all drives (C:\ to Z:), reducing system defenses.
First-stage payloads
The NSIS script begins by dropping initial payloads to %LOCALAPPDATA%:
`Single.ini`: a binary blob combining sRDI shellcode and an embedded DLL
`insttect.exe`: loader that reads and executes `Single.ini` in memory
Second-stage payloads
Next, the script drops second-stage files to %APPDATA%\TrustAsia:
`Config.ini`, `Config2.ini`: alternate sRDI payloads loaded later based on mutex logic
`intel.dll`: a secondary loader invoked via regsvr32.exe
To trigger this second stage, the NSIS script executes:
As seen in the February 2025 MDR incident, the NSIS script completes the decoy setup by dropping `IatsvpnLatest.exe` (SHA-256: ba0fd15483437a036e7f9dc91a65caa6e9b9494ed3793710257c450a30b88b8a) and creating a desktop shortcut pointing to it. Despite the filename containing a typo, the binary is a legitimate LetsVPN executable, signed with a valid digital certificate.
Figure 6: Malicious NSIS script
The following sections outline the role of each dropped binary in the execution chain.
Stage 1: Execution of insttect.exe and Single.ini file
We analyzed `insttect.exe`, a trojanized loader masquerading as a legitimate Tencent PC Manager installer. The binary is titled 腾讯电脑管家在线安装程序 (machine translation: "Tencent PC Manager Online Installation Program") in both its metadata and resource strings.
The binary is signed with an expired certificate issued by VeriSign Class 3 Code Signing CA (2010) and allegedly belongs to Tencent Technology (Shenzhen), valid from 2018-10-11 to 2020-02-02.
The binary includes deceptive artifacts such as localized UI strings in Chinese, internal references to Tencent development paths, and hardcoded XML updater config pointing to `QQPCDownload.dll`
Figure 7: Hardcoded PDB path from `insttect.exe`
These elements reinforce the loader's appearance as legitimate software.
Upon execution, `insttect.exe` locates `%LOCALAPPDATA%\Single.ini`, allocates memory with PAGE_EXECUTE_READWRITE permissions, copies the file into that region, and transfers control to its start. As previously described, the payload uses the sRDI format—enabling the embedded shellcode to self-parse and reflectively load the DLL without separate extraction.
Windows API calls related to shellcode loading are resolved dynamically via hashed function names.
Figure 8: Hashed API Resolution Routine
The DLL embedded within `Single.ini` takes a snapshot of running processes and continuously checks for `360tray.exe` and `360safe.exe`. These are components of 360 Total Security, a popular antivirus product developed by Chinese vendor Qihoo 360.
However, when tested with a dummy `360tray.exe`, the malware showed no response—neither terminating the process nor altering its own behavior.
Stage 2: Execution of intel.dll and Config.ini files
The `.nsi` script drops `intel.dll`, `Config.ini`, and `Config2.ini` into %APPDATA%\TrustAsia, and uses `nsExec::Exec` to invoke `intel.dll` via a `regsvr32` call.
Both `Config.ini` and `Config2.ini` initially appeared benign due to their generic names. However, as with earlier payloads, both `.ini` are binary blobs containing shellcode formatted using the Shellcode Reflective DLL Injection (sRDI) technique described earlier.
As noted in the QQBrowser case, earlier variants loaded the shellcode from disk using PowerShell scripts. In this version, execution is handled entirely in memory via `regsvr32.exe`, which invokes `intel.dll`. As is typical for DLLs executed this way, `intel.dll` exports the `DllRegisterServer` function, which is automatically called.
While this shift avoids PowerShell, it is not necessarily more evasive: `regsvr32.exe` is a well-known LOLBin and is commonly monitored by modern EDR solutions. Upon execution, the `intel.dll` loader creates a hardcoded mutex `99907F23-25AB-22C5-057C-5C1D92466C65` using the `CreateMutexA` API and checks for two indicators: the mutex itself, and a file named `Temp.aps` in %APPDATA%\TrustAsia. If both are found, `Config2.ini` is loaded; otherwise the default `Config.ini` is used.
Figure 9: Handle to Config.ini being returned
Once the appropriate `.ini` file is chosen, the loader opens it using `CreateFileW` and loads its contents into memory. As seen in earlier stages, the `.ini` file contains a shellcode blob using the sRDI format, which self-parses and reflectively loads an embedded DLL.
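The `.ini` blobs described here, like `Config.ini` and `Config2.ini` in the QQBrowser case above, are not text at all, which gives defenders a cheap triage check. The following is an added example, not Rapid7's or the campaign's code: it flags `.ini` files that are mostly non-printable or that carry an embedded PE image (the reflectively loaded DLL); the 90% text threshold and the constructed sample bytes are assumptions made for this example.

```python
"""Triage helper for ".ini" files that are really shellcode blobs.

Added example, not Rapid7 tooling. Catena stores sRDI shellcode with an
embedded DLL in files named Config.ini, Config2.ini and Single.ini. A genuine
INI file is plain text; a blob carrying a DLL is mostly non-printable and
contains an MZ header whose e_lfanew field points at a "PE\\0\\0" signature.
The threshold and the constructed sample files below are assumptions.
"""
import os
import struct
from dataclasses import dataclass
from typing import List, Optional

_TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace.

    UTF-16 INI files (BOM FF FE / FE FF) are decoded first so that their NUL
    bytes do not produce a false positive."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        try:
            data = data.decode("utf-16").encode("utf-8")
        except UnicodeDecodeError:
            pass
    if not data:
        return 1.0
    return sum(1 for b in data if b in _TEXT) / len(data)


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Offset of the first MZ header followed by a valid PE signature at
    e_lfanew (DOS header field at +0x3C), or None if there is none."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


@dataclass
class IniVerdict:
    path: str
    size: int
    printable: float
    pe_offset: Optional[int]
    suspicious: bool


def triage_bytes(path: str, data: bytes, text_threshold: float = 0.9) -> IniVerdict:
    """Flag an .ini if it is mostly binary or carries an embedded PE image."""
    ratio = printable_ratio(data)
    pe = find_embedded_pe(data)
    return IniVerdict(path, len(data), round(ratio, 3), pe,
                      ratio < text_threshold or pe is not None)


def triage_directory(root: str) -> List[IniVerdict]:
    """Walk a directory (for example the expanded %APPDATA%) and triage every *.ini."""
    verdicts = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".ini"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    verdicts.append(triage_bytes(full, fh.read()))
    return verdicts


# --- constructed samples (not real Catena bytes) ---------------------------
BENIGN_INI = b"[Settings]\r\nLanguage=en-US\r\nTheme=dark\r\n"


def _fake_blob() -> bytes:
    """A few non-text bytes standing in for a shellcode stub, followed by a
    minimal DOS header plus PE signature so the scanner has something to find."""
    stub = bytes([0x48, 0x83, 0xEC, 0x28]) + b"\x90" * 60   # 64 bytes
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return stub + bytes(hdr)


FAKE_BLOB = _fake_blob()

if __name__ == "__main__":
    for name, data in (("benign.ini", BENIGN_INI), ("Config.ini", FAKE_BLOB)):
        print(triage_bytes(name, data))
```

The embedded-PE check is the stronger signal; the text ratio alone will also flag legitimately binary `.ini`-named files, so review both fields before acting on a hit.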
The in-memory DLL, extracted and executed entirely from within the shellcode blob, exports a single function named `VFPower`, a naming convention consistent across all observed samples. Debug symbols embedded in the DLL reference a Chinese development path E:\冲锋\进行中\Code_Shellcode - 裸体上线用作注入\Release\Code_Shellcode.pdb (machine translation: E:\Charge\In Progress\Code_Shellcode - Naked online for injection\Release\Code_Shellcode.pdb).
During runtime, this in-memory DLL creates a hardcoded mutex `zhuxianlu` (machine translation: main line) and verifies if it was launched from `UserAccountBroker.exe`. If true, it immediately initiates C2 communication, likely assuming it was started with elevated privileges. Otherwise, the malware continues execution by spawning five threads, each responsible for a specific task before ultimately reaching the same C2 routine.
Figure 10: Mutex Check and C2 Trigger Logic
The five threads carry out the following actions:
Thread 1 launches PowerShell via `ShellExecuteExA` to add a Microsoft Defender exclusion for the C:\ drive.
Thread 2 attempts to establish persistence via scheduled task registration as seen in the earlier QQBrowser incident described in the introduction. It generates two files:
`PolicyManagement.xml` — an XML file defining a scheduled task
`updated.ps1` — a PowerShell script that imports and registers the task
To ensure the script runs without restriction, the malware first sets PowerShell policies to `Unrestricted` (for the current user) and `Bypass` (for the specific script). The scheduled task is configured to invoke `regsvr32.exe` at logon, which in turn re-executes either the `intel.dll` or the `insttect.exe` loader.
Although this operation failed during our analysis even with the Chinese language pack installed, it was attempted twice—we believe to ensure redundancy or persistence across both loaders. Both files `PolicyManagement.xml` and `updated.ps1` are deleted immediately after execution.
Thread 3 takes a snapshot of all running processes and scans for any instance of `Telegram.exe`, `telegram.exe`, or `WhatsApp.exe`. If any of these are detected, it creates an empty marker file named `Temp.aps` in %APPDATA%\TrustAsia, and then executes:
This triggers the second-stage loader. The presence of `Temp.aps` alters the loader’s behavior, causing it to run `Config2.ini` instead of `Config.ini`.
Thread 4 checks for the existence of the file `TrustAsia\Exit.aps`. If found, the file is deleted and the malware terminates.
Thread 5 acts as a persistence watchdog for the second-stage loader. It creates two files: `target.pid`, which stores the process ID of the running `regsvr32.exe` instance executing the `intel.dll` loader, and `monitor.bat`, a batch script that checks whether this process is still running. If not, the script attempts to relaunch it. This check runs every 15 seconds to ensure `intel.dll` remains continuously active.
Figure 11: Content of monitor.bat watchdog
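The thread behavior above leaves a distinctive process tree: `regsvr32.exe` running a DLL out of %APPDATA%, then spawning PowerShell for the Defender exclusion and for the scheduled-task script, alongside `wscript.exe` launching a `.vbs` from %APPDATA% in the earlier QQBrowser variant. As an added example (not Rapid7's detection rules), the code below evaluates constructed process-creation events against those patterns; the cmdlet names `Add-MpPreference` and `-ExecutionPolicy Bypass` are assumptions about how the described behavior appears on the command line, since the post only describes its effect.

```python
"""Detection logic for the Catena process-tree behaviour described above.

Added example, not Rapid7's InsightIDR rules. Evaluates constructed
process-creation events (fields modelled on Sysmon Event ID 1: Image,
ParentImage, CommandLine) against five heuristics taken from the analysis:
  1. regsvr32 loading a DLL from AppData (intel.dll in %APPDATA%\\TrustAsia)
  2. regsvr32 spawning a shell (threads 1 and 5 run PowerShell / monitor.bat)
  3. PowerShell adding a Defender exclusion for a bare drive root (thread 1)
  4. PowerShell relaxing execution policy to run a script from AppData (thread 2)
  5. wscript launching a .vbs from AppData (Axialis.vbs / Decision.vbs)
The cmdlet names are an assumption about the command-line form; the analysis
only describes the effect. Sample events are constructed, not real telemetry.
"""
import re
from typing import Dict, List

APPDATA = re.compile(r"(\\AppData\\(Roaming|Local)\\|%(APP|LOCALAPP)DATA%)", re.I)
# A bare drive root such as C:\ followed by whitespace, a quote, a comma or end of line.
DRIVE_ROOT = re.compile(r"\b[A-Z]:\\(?=[\s,\"']|$)", re.I)
EXECPOLICY = re.compile(r"(Set-ExecutionPolicy\s+Unrestricted|-ExecutionPolicy\s+Bypass)", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(event: Dict[str, str], key: str) -> str:
    return event.get(key, "").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every heuristic the event matches (possibly none)."""
    hits: List[str] = []
    image = _basename(event, "Image")
    parent = _basename(event, "ParentImage")
    cmd = event.get("CommandLine", "")

    if image == "regsvr32.exe" and APPDATA.search(cmd) and re.search(r"\.dll\b", cmd, re.I):
        hits.append("regsvr32_dll_from_appdata")
    if parent == "regsvr32.exe" and image in SHELLS:
        hits.append("regsvr32_spawns_shell")
    if image in {"powershell.exe", "pwsh.exe"}:
        if (re.search(r"Add-MpPreference", cmd, re.I)
                and re.search(r"-ExclusionPath", cmd, re.I)
                and DRIVE_ROOT.search(cmd)):
            hits.append("defender_drive_root_exclusion")
        if EXECPOLICY.search(cmd) and APPDATA.search(cmd) and re.search(r"\.ps1\b", cmd, re.I):
            hits.append("execpolicy_relaxed_for_appdata_script")
    if image in {"wscript.exe", "cscript.exe"} and APPDATA.search(cmd) and re.search(r"\.vbs\b", cmd, re.I):
        hits.append("script_host_vbs_from_appdata")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count how often each heuristic fires across a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        for rule in evaluate(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# --- constructed sample events (paths and user name are made up) -----------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Users\jdoe\Downloads\Lets.15.0.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Roaming\TrustAsia\intel.dll"'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\"'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\jdoe\AppData\Roaming\TrustAsia\updated.ps1"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'wscript.exe "C:\Users\jdoe\AppData\Roaming\Axialis\Axialis.vbs"'},
    # Benign controls: a vendor DLL registered by an installer, and an exclusion
    # for a specific folder rather than a whole drive.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Builds\cache"'},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev))
    print(scan(SAMPLE_EVENTS))
```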
Following thread execution, the final function is responsible for C2 communication. Since the earliest observed sample from February 2024, the malware has used Windows sockets and the `getaddrinfo` API to resolve a hardcoded IP and port 18852, which also appears to be consistent across all analyzed samples of `Config.ini`.
Once the connection is established, the malware retrieves the next-stage payload from the C2 server, allocates a new memory region with PAGE_EXECUTE_READWRITE permissions, copies the downloaded content into it, and transfers execution to it. This is the delivery of the final stage, observed as Winos v4.0 in recent samples.
Figure 12: Jump to final payload
Final payload Winos4.0
The `intel.dll` loader selects either `Config.ini` or `Config2.ini` based on runtime conditions, namely the presence of the mutex `VJANCAVESU` and the `Temp.aps` marker file. Each of these `.ini` files contains sRDI shellcode that connects to a different C2 server to download the next-stage payload, which in our case was Winos4.0.
In recent samples, the payloads were downloaded from:
`Config.ini` → 134.122.204[.]11:18852
`Config2.ini` → 103.46.185[.]44:443
Although retrieved from different C2 servers, both payloads were nearly identical: 112 KB in size and structured as sRDI shellcode containing an embedded DLL. This DLL uses the same reflective loading technique seen in previous stages, exports a single function `VFPower`, and includes debug metadata referencing a Chinese development path:
Based on the available evidence, supported by the debug info, we assess this is the Winos4.0 stager `上线模块.dll` (machine translation: `Online Module.dll`).
Extracted configuration
The Winos v4.0 stager downloaded from 134.122.204[.]11:18852 contains an embedded configuration block. The data appears to control runtime behavior, C2 communication, and implant settings. A decoded sample is shown below:
Extracted Configuration from Payload (134.122.204[.]11:18852)

| Configuration | Data | Description |
|---|---|---|
| p1 | 134.122.204[.]11 | First C2 IP address |
| o1 | 6074 | First port |
| t1 | 1 | Protocol (TCP) |
| p2 | 134.122.204[.]11 | Second C2 IP address |
| o2 | 6075 | Second option port |
| t2 | 1 | Protocol (TCP) |
| p3 | 134.122.204[.]11 | Third C2 IP address |
| o3 | 6076 | Third option port |
| t3 | 1 | Protocol (TCP) |
| dd | 1 | Implant execution delay in seconds |
| cl | 1 | Beaconing interval in seconds |
| fz | 认默 (default) | Grouping |
| bb | 1.0 | Version |
| bz | 2025.4.24 | Generation date |
| jp | 0 | Keylogger |
| bh | 0 | End bluescreen |
| ll | 0 | Antitraffic monitoring |
| dl | 0 | Entry point |
| sh | 0 | Process daemon |
| kl | 0 | Process hollowing |
| bd | 0 | N/A |
In previous incidents, Winos 4.0 has been linked to the Silver Fox APT group, an operation known for distributing malware such as ValleyRAT via trojanized utilities and vulnerability exploitation. Notably, similar TTPs were observed in the CleverSoar campaign described by Rapid7 in November 2024, which also delivered Winos4.0 and checked system locale settings for Chinese or Vietnamese—suggesting targeting based on regional language.
Infrastructure
During our investigation, the hardcoded IP address 103.46.185[.]44 found in `Config.ini` was confirmed to host the final Winos 4.0 payload. Shodan scans showed it serving a binary blob that begins with recognizable sRDI shellcode and contains an embedded DLL identical to the Winos 4.0 stager ("Online Module") analyzed in this report.
Pivoting on this sample using Shodan hash -646083836, we identified eight additional IPs distributing the exact same payload: 112.213.101[.]161, 112.213.101[.]139, 103.46.185[.]73, 47.83.184[.]193, 202.79.173[.]50, 202.79.173[.]54, 202.79.173[.]98, and 103.46.185[.]44.
Each host returned identical byte sequences, indicating a shared and coordinated infrastructure distributing the same stage-one loader across multiple nodes, mostly hosted in Hong Kong.
Figure 13: Shared Hosting of Identical Winos v4.0 Payloads
To expand this infrastructure mapping, we extracted additional C2 addresses from historic MDR case data and active threat hunting leads. These included:
Pivoting on these nodes using Shodan hash correlations revealed additional infrastructure often resolving to the same ASNs or hosting providers, such as:
CTG Server Ltd. / MEGA-II IDC (AS152194)
OK COMMUNICATION / LANDUPS LIMITED (AS150452)
Alibaba Cloud (AS45102)
Tcloudnet, Inc. (AS399077)
Conclusion
This campaign shows a well-organized, regionally focused malware operation using trojanized NSIS installers to quietly drop the Winos v4.0 stager. It leans heavily on memory-resident payloads, reflective DLL loading, and decoy software signed with legit certificates to avoid raising alarms.
The malware’s logic—using mutexes to choose payloads, hiding shellcode in INI files, and layering persistence tricks like scheduled tasks and watchdog scripts—points to an actor that’s refining, not reinventing, their playbook. Infrastructure overlaps and language-based targeting hint at ties to Silver Fox APT, with activity likely aimed at Chinese-speaking environments. Rapid7 continues to track this threat and has detections in place to help protect customers.
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to Catena. We will also continue to iterate detections as new variants emerge, giving customers continuous protection without manual tuning:
In one of the most anticipated sessions of Take Command 2025, Raj Samani, Chief Scientist at Rapid7, sat down with Trent Teyema, former FBI Special Agent and President of CSG Strategies, for a candid conversation on how threat actors are evolving and what defenders must do to keep up.
Moderated by Brian Honan, CEO of BH Consulting, the panel pulled no punches. From the economics of ransomware to the risks of overrelying on static indicators of compromise, Inside the Mind of an Attacker: Navigating the Threat Horizon served as both a wake-up call and a roadmap for modern security strategy.
Cybercrime is thriving — and getting smarter
It’s no longer about lone hackers. As Raj put it, “Ransomware has become a business.” Today’s threat actors are highly organized, well-resourced, and increasingly leveraging professional tools and affiliate networks.
One striking takeaway: groups like RansomHub are reportedly earning tens of millions of dollars per quarter, reinvesting that revenue into toolkits, infrastructure, and even “customer service” operations for negotiating with victims.
Panelists discussed the trend toward secondary extortion tactics, where attackers threaten to notify regulators like the SEC if ransom demands aren’t met — a calculated move to increase pressure without deploying additional payloads.
From indicators to context: why threat intelligence must evolve
One of the biggest challenges facing defenders today is the lack of actionable, context-rich intelligence. While threat intel feeds are abundant, the signal-to-noise ratio is still too high.
“We don’t just need more data. We need better context,” Raj emphasized.
The panel discussed how defenders must move beyond static IOCs and invest in behavioral analysis, context-aware detection, and real-time telemetry to truly stay ahead of threats.
A recent stat from the post-event survey reflects this shift: only 18% of respondents said their organizations integrate threat intelligence into exposure management very effectively.
To beat an attacker, think like one
The message came through clearly: organizations that adopt a proactive, attacker-informed mindset are better equipped to defend against modern threats. That means:
Trent Teyema, drawing on his FBI experience, pointed out that too many organizations still rely on legacy thinking: “They treat cyber like IT, when they should be treating it like crime.”
Paying ransoms: a business risk, not a moral judgment
Both speakers addressed the uncomfortable reality: sometimes ransoms are paid. And while this remains a contentious topic, the panel framed it clearly - it’s a business decision, not a moral one.
Raj urged teams to have ransomware playbooks and decision frameworks defined in advance. This includes:
Knowing legal constraints (especially around sanctions and OFAC-listed entities)
Understanding the implications of payment
Engaging with experienced negotiation partners if needed
Visibility still reigns supreme
From attack surface awareness to SOC visibility gaps, the theme of visibility was woven throughout the session.
As Raj noted, "You can't protect what you don't know about."
The panel closed with a call to action: unify your data, reduce siloed tools, and build detection and response around context, not just coverage.
Watch the full session on demand
If you missed this conversation — or want to rewatch it with your team — the full session is now available.
We are thrilled to announce that two outstanding Rapid7 team members, Kelly Hiscoe and Heather DeMartini, have been recognized as CRN's 2025 Women of the Channel. This prestigious recognition honors innovative and strategic leaders who demonstrate commitment to advancing channel excellence and supporting the success of their partners and customers. We are extremely proud to see Kelly and Heather honored for their significant contributions.
Kelly Hiscoe: Building programs for our partner community
Kelly Hiscoe and her team lead the development and global implementation of Rapid7 partner programs, significantly enhancing the efficiency and growth of our global channel ecosystem. Their commitment to creating competitive programs and streamlined partner experiences ensures seamless execution across our partner network. Through ongoing engagement, Kelly's team delivers an experience to our partners that is simplified, scalable, and predictable.
Kelly's dedication to enhancing the partner experience is unwavering, noting: "At Rapid7, everything we develop is with deep intention and we will continue to build and refine our partner programs with our partners. We remain committed to building a competitive program while continuing to enhance the partner experience by developing efficient processes that significantly enhance the partner selling experience with Rapid7."
Her leadership and vision are integral to our ongoing success and the satisfaction of our partners.
Kelly Hiscoe - Senior Director, Global Partner Programs and Experience
Heather DeMartini: Building scalable partner training
Heather leads Global Partner Enablement at Rapid7 where she and the enablement team recently launched the company’s first role-based partner certification framework to drive partner empowerment, autonomy, and profitability. By recognizing partner capabilities, knowledge, and expertise, Rapid7’s Partner Academy ensures partner awareness and competency in all aspects of positioning, selling, and using Rapid7 solutions across the entire customer lifecycle from pre-sales to sales to post-sales.
Heather shared the overall mission of Rapid7’s Partner Academy: “We designed this training and certification framework to drive mutual success with partners in two ways: by enabling a partner ecosystem that is a self-sufficient revenue generating engine, and by enabling partner-led services across the full customer lifecycle that accelerate profitability with Rapid7.”
On the value and importance of partner services enablement, Heather elaborated: “We understand that partners offering services experience significantly higher profitability driven by margin on services being so much higher than on products alone. Our goal is to ensure our partners can more easily wrap their services around our products by enabling them to build, elevate, and expand their services capabilities with us. So, we are thrilled to launch the second part of our mission in the second half of this year.”
Heather looks forward to advancing this partner-first approach while improving the customer and partner experience with Partner Academy. This will ensure partners are successful in developing the knowledge and skills they need to expand their success with Rapid7.
Heather DeMartini - Global Partner Enablement Lead
Commitment to excellence
Kelly and Heather’s recognition as CRN’s 2025 Women of the Channel points to their unique ability to foster a supportive channel ecosystem that empowers partners and helps accelerate their businesses.
We are grateful for the outstanding contributions of these two women – their continued dedication to excellence in the channel community underscores Rapid7’s commitment to our partners in industries throughout the world. Please join us in celebrating the achievements of Kelly and Heather in service of their partner colleagues. Learn more about Rapid7 global partnerships here.
Led by Ted Harrington, Executive Partner at ISE, and hosted by Thom Langford, EMEA CTO at Rapid7, this session challenged security leaders to think beyond traditional defenses and imagine a future where cybersecurity is smarter, faster, and proactive by design.
Here’s a quick look at the key insights from the conversation.
Security needs a reset, not a retrofit
Ted kicked things off with a fundamental question: if we could rebuild cybersecurity from scratch, what would we do differently? Instead of layering on more tools or chasing compliance checklists, today’s most resilient organizations are rethinking their architectures, embedding security principles like Zero Trust from the ground up, and designing systems to stop threats before they strike.
Think like an attacker to build defenses that work
The best defenders don’t just react, they anticipate. Ted emphasized the importance of adopting a hacker mindset within security teams. Creativity, curiosity, and a willingness to question assumptions are critical to staying ahead of adversaries who constantly innovate. Security strategies must evolve to disrupt attacker workflows, not just patch known vulnerabilities.
Security is a business enabler, not a roadblock
One of the biggest missed opportunities in cybersecurity is the failure to connect security outcomes to business success. Ted encouraged security leaders to speak the language of the boardroom, framing security initiatives as drivers of trust, resilience, and competitive advantage — not just cost centers or necessary evils.
Burnout and broken structures hold security back
Ted didn’t shy away from real talk about the internal challenges many security teams face. Burnout, underfunded initiatives, and misaligned CISO roles are slowing progress across the industry. Organizations must empower security leadership with proper funding, executive visibility, and a seat at the table if they want to build truly resilient programs.
Ready to take command? Watch the full session
Ted’s message was clear: the future of cybersecurity won’t be built on incremental improvements. It will be shaped by organizations bold enough to rethink, reframe, and rebuild from a position of strength.
Want to dive deeper? Catch the full session on demand and explore how you can take command of your defenses today.
Cybersecurity has never stood still — but in 2025, it’s not just evolving. It’s transforming.
Cybersecurity has entered a pivotal new phase. According to Gartner®, Top Trends in Cybersecurity for 2025, “Security and risk management (SRM) leaders must enable business value and double down on embedding organizational, personal and team resilience to prove security program effectiveness in 2025.”*
That’s not just a shift in tactics — it’s a mandate to rethink how security supports transformation, agility, and sustainability in a world that’s constantly changing. At Rapid7, we’re offering complimentary access to this Gartner research to help you explore what’s next and how to prepare.
Here are three trends that stand out for leaders aiming to build a more resilient, AI-ready security program in 2025.
AI Is Here to Stay — and It’s Tactical Now
Security teams are moving beyond the fascination phase with GenAI. Now, it’s about real use cases with measurable benefits. Gartner states:
“SRM leaders are learning from AI transformation pilots and refining their processes based on initial success in taking a more tactical approach to AI integration.”*
Rather than chasing sweeping AI promises, forward-looking teams are prioritizing specific, achievable objectives. This approach is helping reduce risk and maintain credibility by “delivering more incremental security benefits than myopically striving for hype-driven seismic change.”*
From documentation assistance to incident triage and threat analysis, AI is no longer an experiment — it’s becoming a reliable tool for making overburdened teams more effective.
Resilience Is the New North Star
According to Gartner, we are seeing increasing recognition that a “zero-tolerance for failure” mindset has reached its peak in achieving sustainable risk buy-down and only increases the risk of security team burnout. At Rapid7, we see a rising focus on resilience taking its place — not just in infrastructure, but in people, processes, and culture. It’s a hard pivot for many security programs built on prevention and perimeter defense, but it’s overdue.
From board-level priorities to frontline operations, security is now recognized as a business enabler. And enabling business requires adaptability. That means investing in burnout prevention, embedding resilience in security culture, and measuring success not just by how few incidents occur, but how effectively teams recover and evolve from them.
Gartner predicts that by 2027, CISOs investing in cybersecurity-specific personal resilience programming will see 50% less burnout-related attrition than peers who don’t.
That’s not just a wellness metric. It’s a business continuity strategy.
Less Tool Sprawl, More Platform Power
Most security teams today are managing dozens of tools. But consolidation without strategy is risky. Gartner notes that “SRM leaders are shifting focus to tool optimization rather than vendor consolidation,” urging leaders to strike a balance between integration and effectiveness.
“Organizations are seeking to strike the right balance between consolidation of commodity capabilities and purchase of separate, differentiated products to address niche requirements,”* Gartner explains. The message is clear: platform thinking matters — but only when it enhances outcomes, not complexity.
That’s why at Rapid7, we’ve built the Command platform to deliver comprehensive visibility and control, integrating detection, response, and exposure management into a unified experience backed by expert services.
The Takeaway: Secure Transformation Starts With Trust
If there’s one unifying message in Top Trends in Cybersecurity for 2025, it’s this: transformation doesn’t have to come at the cost of control. AI doesn’t have to erode trust. Automation doesn’t have to sideline expertise. And resilience isn’t a soft goal — it’s the foundation of sustainable security.
By anchoring your program in clarity, resilience, and targeted innovation, you can move faster — and more confidently — than ever before.
Gartner, Top Trends in Cybersecurity for 2025, Richard Addiscott, et al., 12 December 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Security leaders today face a harsh reality: traditional vulnerability management isn’t enough. Threat actors are evolving, attack surfaces are expanding, and organizations need a more proactive approach to stay ahead of risk. Latest research from Gartner, How to Grow Vulnerability Management Into Exposure Management, highlights the need for security teams to move beyond simply tracking vulnerabilities and embrace a more comprehensive approach to exposure management.
At Rapid7, we are excited to offer complimentary access to this report and share our three key takeaways to help you modernize your security strategy.
Gartner states: "Creating prioritized lists of security vulnerabilities isn’t enough to cover all exposures or find actionable solutions. Security operations managers should go beyond vulnerability management and build a continuous threat exposure management program to more effectively scope and remediate exposures."
CTEM shifts the focus from merely identifying vulnerabilities to understanding the full picture of organizational risk. It integrates asset visibility, business impact analysis, attack surface monitoring, and validation of security controls to help organizations assess and reduce their true exposure to threats.
Takeaway 2: Exposure Management Requires Business Context
One of the biggest challenges in vulnerability management today is that many security teams focus too much on discovering issues without evaluating their impact on the business. Gartner highlights the importance of integrating business context into security operations, stating that "adding a business context, such as asset value and impact of compromise, to exposure management activities can improve senior leadership engagement."
By aligning security initiatives with business priorities, organizations can:
Focus on the vulnerabilities that pose the greatest risk to critical operations
Improve communication with senior leadership and stakeholders
Justify security investments with real business impact
Takeaway 3: Attack Surface Visibility Must Keep Up With Digital Evolution
Modern attack surfaces extend far beyond on-premises IT. The rise of cloud applications, IoT, supply chain dependencies, and remote work environments has dramatically increased the number of potential entry points for attackers. Gartner emphasizes that "current approaches to attack surface visibility are not keeping up with the rapid pace of digital evolution. Organizations must quickly reduce exposure to make their public-facing assets less visible and accessible."
This means security teams need to enhance their discovery processes to:
Continuously monitor both their internal and external attack surface
Implement proactive security measures to reduce overall exposure
How Rapid7 Aligns with Gartner Exposure Management Vision
At Rapid7, we believe in empowering security teams with the tools and insights they need to shift from reactive vulnerability management to proactive exposure management. Our Exposure Management solution helps organizations:
Gain real-time visibility into evolving attack surfaces
Prioritize threats based on business impact and exploitability
Continuously validate security controls through adversarial exposure testing
As threats continue to evolve, organizations must rethink how they approach vulnerability management. Gartner research provides a roadmap for security leaders looking to implement a comprehensive exposure management strategy.
Gartner, How to Grow Vulnerability Management Into Exposure Management, Mitchell Schneider, Jeremy D’Hoinne, Jonathan Nunez, Craig Lawson, 8 November 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Co-authored by Peter Whibley, Ed Montgomery, and Joel Alcon
Technology innovation combined with the highly fragmented nature of today's IT landscape means that vulnerabilities are being exploited faster and at greater scale than ever. Security teams contend with a daily surge of new threat actors and attack vectors. Without a unified view of assets, business context, and compensating controls, they waste weeks identifying which risks are truly critical.
Many organizations try to tackle this challenge by implementing exposure management and risk-based vulnerability management (RBVM) approaches, where vulnerability data from various tools is consolidated into one dashboard. But many of these tools present risk scores without demonstrating a holistic view of the business impact of vulnerabilities, mitigating controls for endpoints, patch management status, and remediation steps.
Without that end-to-end context, security teams are struggling to keep up with the volume of new vulnerabilities. In fact, once the National Vulnerability Database (NVD) announced in February 2024 that it would no longer provide vulnerability scores for all CVEs, the shortcomings of traditional vulnerability management, including RBVM, became more evident.
From chasing vulnerabilities, to proactively mitigating risk
Rapid7’s Remediation Hub enables security teams to go beyond simply identifying vulnerabilities and focus more on remediating risk. By augmenting vulnerability findings with business context, threat intelligence, and compensating controls, organizations gain a continuous, all-in-one view of how to detect and respond to risks across their enterprise. These new capabilities empower security teams to:
Assess the impact of remediation steps. Reimagine your attack surface by viewing the number of vulnerabilities addressed by each remediation action.
Prioritize remediation with confidence. Leverage dynamic, threat-aware risk scores to assess the criticality of issues and quickly go from vulnerability to action.
Optimize risk mitigation. Accelerate risk response through streamlined remediation workflows.
Security teams leverage multiple vulnerability scanning tools for different parts of their infrastructure, including cloud environments, containers, web applications, and endpoints. Each tool reports findings in its own format and utilizes different scoring methods, making it difficult to get a clear, unified picture of an organization’s risk exposure.
By unifying this data into a centralized platform, security teams reduce unnecessary noise caused by redundant vulnerability findings, streamlining triage efforts, reducing silos, and driving faster, more informed remediation efforts.
Rapid7 Remediation Hub delivers this normalized view of third-party vulnerabilities, enabling teams to stop wasting time chasing low-impact issues or overlooking high-severity threats. The solution takes this unified lens further via risk scores that combine these vulnerability findings with business context to help security teams quickly identify the most critical vulnerabilities, allocate resources efficiently, and communicate risk more effectively to stakeholders. These capabilities not only boost operational efficiency, but also strengthen an organization's security posture.
Context-based visibility into endpoint protection and patch management
Context is an essential component of managing risk in today’s increasingly complex technology landscape. By solely relying on vulnerability scores without also understanding business impact or breach likelihood, security teams are left with a hazy, incomplete view of their attack surface.
Rapid7 Exposure Command empowers security teams to prioritize vulnerabilities based on attacker behavior, exploitability, and potential impact – all without the need to export data into separate security tools. Rapid7 delivers deep, multi-layered risk scores calculated from Rapid7 Labs' threat intelligence, first-party scans, third-party vulnerability findings, and an organization’s unique mitigating controls. Furthermore, Remediation Hub is seamlessly integrated with Rapid7 Surface Command, arming security teams with a continuous view of the key mitigating controls in place on assets across the enterprise, including endpoint protection and patch management.
Endpoint protection - Remediation Hub displays which assets have active endpoint protection, as well as the protection type on the asset. Users can use intuitive filters to home in on critical findings, such as the assets that lack endpoint protection, and prioritize remediation via a risk-based approach that gives those unprotected assets higher priority.
Patch management - Remediation Hub shows the patch management availability status of each asset, arming security teams with a view of assets that are available for patching by a patch management system. Users can filter on assets with vulnerabilities where no patching is active.
Faster risk response, fewer security silos
Security teams often operate in silos, with a team handling risk identification and another focused on remediation. CISA recommends that critical vulnerabilities be remediated within 15 calendar days of initial detection, but to achieve this, organizations require tight collaboration between these disparate teams.
Unfortunately, because these groups operate with poorly integrated security tools, going from vulnerability finding to risk remediation can take months, with some vulnerabilities going unpatched for years. For instance, the 2024 Verizon Data Breach Investigations Report finds that it takes an estimated 55 days to remediate 50% of critical vulnerabilities once their patches are available.
Remediation Hub tackles this challenge with purpose-built SOAR integrations that help improve collaboration and drive down MTTR (mean time to remediate). The new capabilities automatically trigger remediation workflows, with notifications auto-generated and sent to adjacent teams responsible for implementing the recommended remediations.
For example, users can leverage Remediation Hub to automatically trigger a workflow in Jira or create an incident report in ServiceNow based on the severity or business impact of a vulnerability. Each workflow is fully customizable based on unique security thresholds.
Embracing faster, continuous exposure management
Organizations are rapidly transitioning from traditional vulnerability management to more continuous, exposure management approaches. Rapid7’s Remediation Hub – an integral component of the Exposure Command platform – empowers security teams to embrace the shift.
With a remediation-based approach to vulnerability management and risk reduction, organizations are taking command of their attack surface and discovering a simpler, more effective approach to managing and truly mitigating risk.
If you are interested in learning more about Remediation Hub and our Exposure Command platform, check out our Exposure Command product tour.
When it comes to defending your organization, every second counts. The time to detect, respond, and remediate is critical, but speed alone isn't enough. Fragmentation across security tools, siloed teams, and manual workflows leaves organizations constantly reactive, overwhelmed by alerts, and at risk of breaches. Rapid7 is here to change that.
Organizations need solutions that unify their approach, streamline processes, and accelerate response times. Rapid7 delivers the industry's broadest, most unified view of the attack and detection surface. Today, we're thrilled to announce a series of strategic launches that further this integrated approach and deliver unified remediation across the full breach timeline, integrating proactive exposure management with intelligent detection and automated response. This comprehensive approach provides security teams with the precise tools and deep insights needed to effectively secure their organization and shift from proactively reducing vulnerabilities to swiftly resolving active threats.
Left of Boom: Proactive Exposure Remediation
The most effective security strategy begins before a breach ever happens. Rapid7’s Exposure Command directly addresses this gap, combining advanced risk-based vulnerability management (RBVM) with environmental context, threat intelligence, and native workflow automation.
Launching this week at RSA, we’re excited to announce a trio of updates to Remediation Hub aimed at helping organizations unify and modernize their vulnerability management programs:
Enhanced Automated Remediation Workflows: We've significantly expanded our workflow automation capabilities to streamline exposure remediation. Users can now easily launch both pre-built and fully customizable remediation workflows—including notifications, ticketing, and patch deployment—directly from the intuitive Remediation Hub interface. This seamless integration simplifies the remediation process, allowing teams to swiftly address vulnerabilities and maintain robust security hygiene.
Advanced Compensating Controls Assessment: Remediation Hub now provides comprehensive insights into existing compensating controls, empowering teams to strategically deprioritize vulnerabilities that present minimal or no practical risk due to limited accessibility or exploitability—such as a compromised asset running antivirus or behavior prevention. This enhanced visibility is particularly vital for managing unpatchable workloads or addressing vulnerabilities where patches or permanent fixes are currently unavailable.
Expanded Third-Party Vulnerability Integration: Exposure Command has always integrated valuable telemetry from third-party vulnerability scanners such as Tenable, Qualys, and Wiz. Now, we've enhanced this capability by incorporating vulnerability findings and detailed risk scoring directly into the Remediation Hub. This allows vulnerabilities identified from any 3rd-party integration to be effectively prioritized using Active Risk assessments and effortlessly embedded into your team's existing remediation and patch management workflows, streamlining vulnerability management across diverse scanning solutions.
With these new enhancements to Remediation Hub, security teams are empowered with a real-time, validated understanding of exposures enriched with business context, adversary intelligence, and insight into existing compensating controls, not just a list of CVEs. And because the Exposure Command platform brings together native scanning from Rapid7 and vulnerability findings from third-party tools, teams can prioritize vulnerabilities based on attacker behavior, exploitability, and potential impact without spending valuable time porting data into separate tools.
Instead of just alerting your team to a vulnerability, Exposure Command helps you own the risk conversation with the business by aligning on what matters most to the business, the risks already addressed, and outlining a path to closing any remaining gaps. Security teams no longer have to guess which vulnerabilities pose the most risk; instead, they can proactively remediate with certainty, preventing vulnerabilities from escalating into incidents.
Right of Boom: Intelligent Detection, Confident Response, and Financial Assurance
Despite best efforts, security incidents and breaches are ever-present. To reduce their impact and the cost of remediation, security teams need rapid, intelligent responses to evolving incidents: help prioritizing and triaging, automation that reduces the volume of potential investigations, and the ability to scale to meet remediation tasks. This is why Rapid7 is focusing its efforts on building post-event support, marking a significant shift in our capabilities to remediate malicious attacker behavior:
AI Triage and Transparency within InsightIDR: Rapid7 was a pioneer in AI development for security use cases, starting in our earliest days with our VM Expert System in the early 2000s. Since then, Rapid7 has integrated Generative AI into the Command Platform to supercharge SecOps and augment MDR services. This has culminated in Rapid7’s AI-Assisted Triage delivering industry-leading precision, accurately distinguishing critical threats from benign alerts with a 99.89% accuracy rate. Without access to the Rapid7 AI Alert Triage capability, SOC teams waste significant time manually evaluating and correctly classifying malicious alerts, increasing their threat exposure and contributing to SOC inefficiency. With AI Alert Triage, SOC analysts can automatically and accurately focus limited security resources on legitimate threats and improve SOC performance.
Active Remediation with Velociraptor: The response capabilities of the Rapid7 SOC have expanded to include the swift and precise removal of malware and breach artifacts from impacted endpoints. This progression beyond remote containment and guided remediation represents a significant deepening of the MDR partnership between Rapid7 and customers. It relieves security teams not only from the burden of coordinating remediation actions with IT teams, but also helps preserve endpoint integrity, reduce downtime, and avoid unnecessary endpoint rebuilds. With real-time remediation capabilities, the Command Platform links actions directly back to known vulnerabilities, providing valuable context for future prevention and significantly shortening incident response cycles.
Breach Protection Warranty: Investing in security solutions is about more than technology and expert service delivery. It’s about guaranteed results and peace of mind. The Rapid7 SOC analyzes trillions of events each year, and 99.6% of MDR customers remain unaffected by ransomware. Recognizing this, and reinforcing our commitment to ensuring cybersecurity resilience, customers in our premium tier, Managed Threat Complete Ultimate, will now receive up to $1 million in breach-related financial coverage through our Breach Protection Warranty. This represents a tangible demonstration of our confidence in our solutions and our commitment to protecting your organization's critical assets while also assuring you that, in the unlikely event of a compromise, we are right there by your side.
As our detection and response capabilities continue to expand, we’re pushing to deliver smarter, faster, and more complete security outcomes for our customers. With alert fatigue diminished through precise AI-Assisted Alert Triage, security analysts can spend more time on validated threats and strategic initiatives to enhance organizational posture. The expansion of Rapid7’s response workflow to include remediation redefines effective response while ensuring customer visibility and control. And now, our Breach Protection Warranty offers up to $1 million in breach-related financial coverage: we’re not just preventing and helping you recover from threats, we’re standing behind our ability to do so. Together, these capabilities mark a meaningful shift in how Rapid7 supports customers post-incident: with intelligence, speed, and confidence that extends all the way through recovery.
One Connected Journey, End-to-End
Cybersecurity incidents are complex, evolving threats requiring seamless integration of proactive and reactive security measures. Rapid7’s Command Platform bridges the traditional divides between proactive vulnerability management, intelligent threat detection, and automated incident remediation. With a unified, continuous security lifecycle, your organization can remain agile, informed, and resilient against emerging threats.
Take your cybersecurity posture to the next level. Discover how Rapid7’s unified remediation strategy delivers measurable results and helps secure your organization effectively against breaches. Interested in learning more about how Rapid7’s unified remediation strategy can transform your organization's security posture? Learn more here.
Cybersecurity threats are evolving at an unprecedented pace, making it imperative for organizations to stay ahead of attackers with proactive security measures. To help organizations navigate this rapidly changing threat landscape, we are excited to introduce the Exposure Assessment Platform (EAP) Buyer’s Guide. This comprehensive guide is designed to help security professionals understand the critical role of EAPs in modern security programs, evaluate potential solutions, and implement the right tool for their organization.
Why you need an EAP
Exposure Assessment Platforms (EAPs) continuously identify and prioritize exposures, such as vulnerabilities and misconfigurations, across a broad range of asset classes. EAPs go beyond traditional vulnerability management by offering real-time visibility into an organization’s entire IT environment, enabling security teams to proactively mitigate risks and prioritize remediation efforts effectively.
Automated security testing and validation to assess real-world exploitability.
Seamless integration with existing security tools to enhance threat intelligence and remediation workflows.
How Rapid7’s EAP can help strengthen your security
For organizations looking to gain complete control over their attack surface, Rapid7’s Exposure Command offers unparalleled visibility and risk assessment capabilities. By aggregating insights from native exposure detection and third-party sources, Exposure Command enables security teams to:
Identify and prioritize vulnerabilities based on real-world threat intelligence to reduce blind spots and misconfigurations.
Integrate with existing security ecosystems, reducing operational overhead.
Increase ROI by tracking the impact of reducing risk exposure across the business in real time.
With Rapid7 Exposure Command, organizations can reduce manual efforts, optimize security workflows, and proactively mitigate risks before they escalate into breaches. And by leveraging the insights and best practices outlined in this guide, organizations can make informed decisions to enhance their security posture, mitigate risk, and stay ahead of emerging threats.
In traditional conflicts, intelligence is both integral and beneficial to decision-making at every level. Unfortunately, in cybersecurity, the impact of threat intelligence as an asset for organizations—and in particular their security operations team—has been less significant.
Why has this been the case? While threat intelligence should be intrinsic to the detection and response process, the reality is that security teams are overwhelmed with far too much noise to efficiently gather what they need from it. Not responding in a timely fashion ultimately means that by the time any response can be mustered, it will be too late. This is particularly the case given threat actors’ dwell times have in some instances decreased to a matter of hours.
The threat landscape is not static—defenders need a continuous view of what is occurring, right now.
We are delighted to announce the availability of Intelligence Hub, an evolution in threat intelligence delivery that is designed to provide meaningful context and actionable insights integrated with the Rapid7 Command Platform.
High-fidelity data: curated intelligence
Intelligence is not a commodity. Simply gathering every feed is why many organizations are overwhelmed and unable to respond in a timely manner to disrupt the kill chain before attackers move to the final stage. Consider many of the recent significant breaches; invariably, alerts are missed and data is exfiltrated. With this in mind, the focus of Rapid7 Labs has been to increase the fidelity of data, leveraging our own approach to curated intelligence.
Data that can be trusted
The objective of curated intelligence is to extract the low-prevalence indicators and verify the malicious nature of the artifact, thus enabling a timely response while reducing the risk of false positives. Introducing high-fidelity data also provides the opportunity to automate the response. Such an approach goes beyond the analyst and considers what an appropriate response should be.
The curated intelligence within Intelligence Hub is derived from ingestion sources that are unique to Rapid7, such as our honeypot data and proprietary research, as well as insights from our open source and research communities. These include Metasploit, AttackerKB, and other global communities that make our reach into understanding the threatscape both broader and deeper. Expertly crafted machine learning (ML) models combined with manual verification from our Rapid7 Labs team create additional layers of validation.
What matters to me? Quickly understand the prevalence of the campaigns that are targeting your business sector or geography.
Decay modeling maintains relevance
Even curated intelligence can quickly get very stale. If we consider an IP address used within a given campaign, this artifact will soon cease to be relevant since threat actors will migrate once it has been identified as known bad. For this reason, Intelligence Hub shows the decay score, which will reduce over time as the artifact migrates from known bad to unknown (or another state).
A view of campaign activities being conducted by the Mustang Panda APT group (correct at the time of writing). Intelligence Hub covers all major threat activities from organized crime and APT groups.
Contextualized information
Intelligence Hub’s higher fidelity data remains continuously updated, allowing us to move away from the problem of traditional Threat Intelligence Platforms (TIPs) that have provided the firehose of false positives and noisy alerts. The opportunity is to now use prevalence to allocate resources to only the areas which are necessary. In other words, if a threat campaign is targeting a specific sector and/or geography and exploiting specific vulnerabilities, then surely these will require remediation first. In addition, if the campaign is being carried out by a ransomware group whose dwell time continues to drop, then almost certainly prioritizing remediation should include automation.
Automation does, of course, demand high-fidelity data, which is why curated intelligence remains the foundation of the solution.
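As an added illustration (not Rapid7’s own scoring logic, which this post does not describe), the following Python sketch models two ideas from the text: an indicator’s decay score falling over time as the artifact drifts from known bad toward unknown, and prevalence-based prioritization that weights indicators tied to campaigns hitting your sector, your geography, or a CVE you are actually exposed to. The half-lives, state thresholds, weights and sample indicators are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # constructed reference time, reproducible offline

@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                  # "ip" or "domain"
    last_confirmed: datetime   # last time the artifact was verified malicious
    half_life_days: float      # assumption: how fast this kind of artifact goes stale
    sectors: frozenset = frozenset()
    geographies: frozenset = frozenset()
    cves: frozenset = frozenset()

def decay_score(ind: Indicator, now: datetime = NOW, initial: float = 100.0) -> float:
    """Exponential decay: the score halves every half_life_days since last confirmation."""
    age_days = max((now - ind.last_confirmed).total_seconds() / 86400.0, 0.0)
    return initial * 0.5 ** (age_days / ind.half_life_days)

def state(score: float) -> str:
    """Map a decay score onto the known-bad -> unknown transition (thresholds assumed)."""
    if score >= 70.0:
        return "known bad"
    if score >= 30.0:
        return "suspect"
    return "unknown"

def priority(ind: Indicator, sector: str, geo: str, exposed_cves: frozenset,
             now: datetime = NOW) -> float:
    """Prevalence weighting: fresh indicators tied to our sector, geography or exposed CVEs rank higher."""
    relevance = 1.0
    relevance += 1.0 if sector in ind.sectors else 0.0
    relevance += 1.0 if geo in ind.geographies else 0.0
    relevance += 1.0 if ind.cves & exposed_cves else 0.0
    return decay_score(ind, now) * relevance

def rank(indicators, sector, geo, exposed_cves, now=NOW):
    """Return (value, state, priority) tuples, highest priority first."""
    rows = [(i.value, state(decay_score(i, now)), priority(i, sector, geo, exposed_cves, now))
            for i in indicators]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample indicators (documentation address ranges and a reserved TLD, not real IoCs).
SAMPLE = [
    Indicator("203.0.113.7", "ip", NOW - timedelta(days=7), 7.0,
              frozenset({"finance"}), frozenset({"EU"}), frozenset({"CVE-2024-55591"})),
    Indicator("c2.invalid", "domain", NOW, 30.0, frozenset({"retail"}), frozenset({"US"})),
    Indicator("198.51.100.9", "ip", NOW - timedelta(days=60), 7.0, frozenset({"finance"})),
]

if __name__ == "__main__":
    for value, st, pri in rank(SAMPLE, "finance", "EU", frozenset({"CVE-2024-55591"})):
        print(f"{value:15} {st:10} priority={pri:7.2f}")
```

The 60-day-old IP has decayed to "unknown" and sinks to the bottom even though its campaign targeted our sector, while the week-old IP that also matches our geography and an exposed CVE outranks the fresher but irrelevant domain.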
Actionable insights
What all of this means is that security teams can get true, actionable insights — understanding which indicators within their environment are confirmed as malicious, as well as the threat actors’ motivations. Using these insights to take the appropriate action to mitigate the threat in a timely fashion now becomes a reality with Intelligence Hub.
Learn more about the active threat groups conducting operations in the world today.
Intelligence is great, but what does this mean for your organization?
Above all else, the integration of Intelligence Hub with the Rapid7 Command Platform provides the ability to go beyond the analyst and deliver true security outcomes. Firstly, with our next-gen SIEM, Rapid7 InsightIDR, the security analyst can prioritize triaging security alerts that demand attention. For example, if there are reliable indicators regarding the possibility of a ransomware group inside the environment, this clearly demands prioritization with the intention of disrupting the kill chain before the final stage payload is delivered. Such an approach reinforces why context matters, and perhaps controversially, why attribution becomes operationally relevant.
Migrate away from the dependency of manual tools to integrate intelligence into operations and surface the alerts that truly matter.
Threat-informed remediation: beyond the security analyst
Intelligence Hub therefore goes beyond the security analyst and supports integration with the remediation actions of any organization. An upcoming integration with Remediation Hub will give security analysts the added insight to justify security updates being rolled out outside of the normal change control cycle. An example of this could be CVE-2024-55591, an authentication bypass in Fortinet firewalls, which was exploited as a zero-day in January 2025 and reported to be used by ransomware groups on March 18, 2025. Such a case warrants immediate remediation to mitigate the risk of exploitation. This answers the question many security practitioners are often asked: Are we vulnerable? And, with the investigation option within Intelligence Hub, the opportunity exists to answer the question: Have we been compromised?
With actionable (and relevant) intelligence being incorporated into the allocation of resources for remediation, Intelligence Hub provides the critical data necessary for effective security operations.
Intelligence Hub is the integrated threat intelligence solution that delivers proactive context and prioritization, rapidly accelerating time to remediation.
The evolution of threat intelligence
In summary, Intelligence Hub represents a significant leap forward in threat intelligence delivery. By providing curated, high-fidelity data with relevant context and actionable insights, it empowers security teams to move beyond the noise of traditional threat intelligence solutions. The integration with the Rapid7 Command Platform and Remediation Hub further offers threat-informed remediation, allowing organizations to prioritize and automate responses effectively. Ultimately, Intelligence Hub is designed to help organizations achieve true security outcomes by focusing on what truly matters and disrupting the kill chain quicker, and with greater confidence. Learn more about Intelligence Hub here.
The live sessions may be over, but with every talk now available on demand, it’s the perfect time to reflect on the biggest takeaways from this year’s summit—and how they can help security teams move faster, act smarter, and take control of their attack surface.
From red teaming tactics to regulatory readiness, here are some of the standout lessons and ideas shared by speakers across the day.
1. Red Teaming Isn’t Just About Getting In—It’s About What Happens Next
In Outpacing the Adversary, Aaron Herndon, Senior Director, Sales Engineering at Rapid7 and Will Hunt, Co-Founder of In.security, reminded us that red teaming isn’t just about proving a breach is possible. It’s about helping teams understand how attackers think, where they’re likely to go, and whether detection and response controls actually work in practice.
From creative simulations to critical discussions on ethical boundaries and scope, the message was clear: red teaming is most valuable when it drives real organizational learning.
2. You Can’t Prioritize What You Can’t See
In Risk Revolution: Proactive Strategies for Exposure Management, panelists from Rapid7 and ESG made it clear that visibility remains the top challenge for most teams. Fragmented data, sprawling assets, and misaligned priorities are slowing teams down.
The solution? A unified, risk-aware approach to exposure management—one that considers cloud, identity, data, and application risk in context. Prioritization must reflect business reality, not just vulnerability severity.
3. Cloud Security Requires Context
In Demystifying Cloud Detection & Response, panelists shared how traditional tools aren’t built for dynamic, cloud-native environments. Logs are short-lived, workloads are ephemeral, and identity is often the weakest link.
To respond effectively, SOC teams need visibility, automation, and integrations that bring context across systems. The modern attack surface starts well before the endpoint.
4. Compliance Is Evolving. It's Not a Checkbox Exercise
From Chaos to Compliant brought practical guidance for navigating frameworks like NIS2, DORA, and SEC cyber rules, among others. The takeaway? Compliance and security are strongest when they work together.
With the right tools, processes, and internal alignment, compliance can become a strategic advantage—not just a box to tick.
5. AI Is Here. Use It Thoughtfully
AI was a recurring theme throughout the day, especially in AI in Action. Rapid7’s engineering and product teams showcased how they’re applying AI across triage, prioritization, and detection, while keeping responsible deployment top of mind.
The takeaway: AI can boost speed and scale, but human oversight and thoughtful governance are still essential.
6. Visibility Gaps Are Where Attackers Thrive
In Inside the SOC, Rapid7 threat hunters shared stories of real-world breaches where attackers operated undetected due to logging gaps, missing coverage, or misconfigured systems.
Whether it’s credential theft through Microsoft Teams impersonation attacks or ransomware in unmanaged environments, the message was clear: you need full visibility to stay ahead.
7. Security Is a Team Sport
Across sessions—from exposure management to cloud strategy to customer-led discussions—one thing was clear: effective security requires collaboration.
Security teams, IT, engineering, and compliance all need shared context and coordinated goals to defend today’s growing attack surface.
Catch Up or Rewatch: All Sessions On Demand
Every session from Take Command 2025 is now available to watch. Whether you missed one or want to revisit a discussion with your team, you can dive back in anytime.
On April 16, CISA extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. This was in response to a letter sent by MITRE on April 15 to CVE board members warning of a potential issue with MITRE's support for the CVE program. MITRE administers the global CVE program, which provides the human and technological infrastructure to reserve, publish, modify, and dispute CVEs.
Rapid7 continues to monitor both public and private discussions closely in its capacity as a CVE Numbering Authority (CNA) and as a longtime leader and participant in the CVE ecosystem.
How this could impact Rapid7 and our customers
Since funding has been extended for the next 11 months, there is no current impact. Rapid7 will continue to monitor the situation to ensure there is no future impact to our customers' ability to use our platform to accurately assess their environment for vulnerabilities.
Rapid7’s multi-layered approach to vulnerability detection, creation, and risk scoring means that our products are not completely reliant on any single source of information. This was something we pointed to last year, when we assured customers of our continued vulnerability coverage in the face of NIST’s National Vulnerability Database delays.
The importance of MITRE and the CVE Program
The CVE program is critical infrastructure for modern vulnerability identification, tracking, management, and resolution. CVEs are used for risk identification, commercial and open-source tooling, vulnerability management workflows, security and academic research, threat intel production, incident response, and many other applications worldwide.
Rapid7 thanks and supports the MITRE organization as well as the extended ecosystem of industry collaborators who have worked diligently for the past 25 years to ensure the CVE program's utility and integrity for the broader community.
We will continue to monitor the situation and will update this blog with any relevant developments. If you have any questions, please reach out.
Take Command 2025 is officially in the books. From the opening sessions to the final takeaways, the summit delivered a full day of high-impact discussions, fresh research, and powerful stories from across the cybersecurity spectrum.
This year’s event brought together cybersecurity leaders, researchers, red teamers, and policy experts for an honest look at the challenges we’re facing—and the tools, tactics, and mindsets helping us take command in a complex threat landscape.
We’re grateful to everyone who joined us and proud of the conversations that unfolded throughout the day. If you missed any sessions or want to rewatch key moments, every session is now available on demand.
A Day of Firsts: New Research, New Tools, Real Stories
One of the standout moments came during the Inside the Mind of an Attacker: Navigating the Threat Horizon session, where Raj Samani and Trent Teyema previewed findings from Rapid7’s latest ransomware intelligence. Based on data from Q1 2025, the discussion touched on shifting attacker tactics, the growing professionalism of ransomware groups, and the need for visibility and response readiness at every level.
Another highlight was Ted Harrington’s keynote, From Zero to Hero: Building the Perfect Defense, which challenged us to reimagine security architecture from the ground up. Ted emphasized bold thinking, Zero Trust foundations, and security’s role as a business enabler—not a roadblock.
In Risk Revolution: Proactive Strategies for Exposure Management, speakers laid out practical frameworks for prioritizing risk across cloud, identity, data, and application layers. And in Demystifying Cloud Detection & Response, panelists explored how SOC teams can bridge traditional and cloud-native security gaps using the right integrations and context-rich telemetry.
We also heard from customer leaders during Expert Tips to Future-Proof Your VM Program, where panelists from Cross Financial, Miltenyi Biotec, and Phibro Animal Health discussed the shift from vulnerability management to exposure-led strategies.
Compliance, Resilience, and Looking Ahead
With global regulations evolving fast, the From Chaos to Compliant session offered clear, actionable guidance for navigating global compliance legislation, such as SEC, NIS2, and DORA amongst many others—without compromising operational efficiency. Sabeen Malik and Lara Sunday reminded us that compliance, done right, can be a catalyst for organizational resilience.
And in one of the most engaging sessions of the day, The Tempest Two shared stories of adventure and mindset that resonated with security teams striving to adapt, overcome, and lead with purpose in high-pressure environments.
Now Streaming: All Sessions On Demand
Couldn’t attend live—or want to revisit a key session? Every session from Take Command 2025 is now available to watch on demand. Whether you’re catching up or sharing with your team, this is your chance to revisit the insights and strategies shaping the future of cybersecurity.