
What’s New in Rapid7 Products and Services: Q1 2026 in Review

9 April 2026 at 08:46

If product releases had a runway moment, Q1 at Rapid7 would’ve walked out in Cloud Dancer; crisp, confident, and quietly powerful, before breaking into a full gallop in the Year of the Horse. At Rapid7, our first-quarter launches combined velocity with refinement: meaningful enhancements designed to move security teams faster without adding complexity. Let’s cover the key launches, one by one.

Detection and response

MDR for Microsoft

Getting more value from the tools you already have is an objective shared by all of us. For many of you, that translates to achieving greater security operations outcomes and resilience from your Microsoft technology. With MDR for Microsoft, organizations correlate their Microsoft, Rapid7, and third-party telemetry with prioritized risk context so the service can anticipate attacks before they start. 

AI-powered triage and investigations – backed by unlimited incident response that ensures threats are fully eradicated – delivers certainty in an uncertain attack environment. Dedicated advisory provides strategic recommendations and program hardening guidance that drives long-term security resilience. Customers ultimately experience security operations excellence and achieve stronger outcomes from their existing Microsoft foundation.

Read the blog to learn more.

[Image: MDR for Microsoft explained]

Rapid7 acquires Kenzo Security

The acquisition of Kenzo Security marks another step forward for the Rapid7 Command Platform and Rapid7’s vision for preemptive, AI-powered security operations. In an environment where most security teams are forced to leave large volumes of alerts uninvestigated, Kenzo’s agentic AI capabilities are expected to help accelerate Rapid7 from AI-assisted workflows toward AI-driven, machine-speed operations. Designed around specialized AI agents that work together across security operations tasks, this technology has the potential to reduce manual strain, broaden investigative coverage, and deliver more consistent, precise outcomes.

On average, Kenzo customers reported a 94% reduction in investigation time, and their alert coverage increased from 12% to 100%. As these capabilities are brought into MDR, Managed Threat Complete, InsightIDR, and Incident Command, customers will benefit from a stronger, more scalable approach to cyber defense.

Incident Command

User to Identity mapping

Connecting user activity to full identity context is critical for faster, more confident investigations. With User to Identity mapping in Incident Command, analysts can seamlessly link SIEM users to their corresponding identity profiles, gaining instant visibility into MFA status, account posture, and group memberships. By unifying detection and exposure data, teams eliminate manual reconciliation and close visibility gaps across the identity attack surface. This enables faster triage, deeper insight into user risk, and a complete, connected view of identity-driven threats.

[Image: User to Identity mapping within Incident Command]

AI-Powered Log Entry Summary

AI-powered Log Entry Summary brings instant clarity to even the most complex log data. By translating raw log lines into a simple “who, what, when, where, and why” framework, analysts can quickly uncover insights without needing to interpret vendor-specific syntax or business logic. This removes the cognitive burden from investigations and hunts, allowing teams to spot threats faster across all data sources. Teams benefit from accelerated triage, more efficient investigations, and smarter decisions driven by clear, actionable context.

[Image: Instant context with AI Log Entry Summary]

Exposure management

Cloud Runtime Security (application detection and response)

Earlier this year we announced that Rapid7 had partnered with ARMO to add AI-powered cloud application detection and response (CADR), also called cloud runtime security, to our cloud security portfolio. We are thrilled to announce that these capabilities are now integrated with Rapid7 Exposure Command Ultimate. For our customers, this milestone represents our ability to deliver on the promise of a complete cloud-native application protection platform (CNAPP) that helps security teams preemptively identify and proactively thwart attacks. If you’re interested in learning more about this latest addition to our cloud security portfolio, reach out to one of our account executives.

[Image: Runtime security delivering real-time visibility across cloud-native and containerized workloads]

Top Remediations Report in Remediation Hub

Understanding which remediations to prioritize is only part of the process; teams also need asset-level detail to act. The Top Remediations Report adds that context in Remediation Hub, with customizable filters, shared visibility across teams, and automated scheduling for recurring delivery to key stakeholders in CSV, HTML, or PDF. The result is faster coordination, clearer ownership, and quicker remediation progress.

Remediation Bulk Export API

We understand that organizations need to customize reporting for various stakeholders and levels across their business to drive effective vulnerability remediation and communicate security posture. One of the ways that organizations address this need is through our powerful cloud-based API, which enables teams to extract and export large amounts of security data into external tools like Tableau or PowerBI. Customers can export security data at scale, including assets, vulnerabilities, remediations and agent-based policy data, resulting in more flexible reporting and querying.

Data Security Posture Management (DSPM)

Understanding which exposures threaten sensitive data is difficult when data security and exposure insights live in separate tools. A partnership between Rapid7 and Symmetry Systems brings those perspectives together in Exposure Command, aligning sensitive data intelligence with real attacker reachability. DSPM capabilities discover sensitive data and map identity access, helping teams prioritize remediation based on breach impact.

Read the blog to learn how aligning data and exposure reduces breach risk.

[Image: Automated Sensitive Data Discovery, showing how PII, PHI and financial data is flagged]

Attack surface management

Dynamic External Attack Surface Discovery

Your attack surface doesn’t stand still, and point-in-time visibility can leave teams chasing what’s already changed. Dynamic EASM Discovery helps Surface Command automatically identify and track changes across the external attack surface by ingesting domain and IP data from across the environment. The result is more current visibility, fewer blind spots, and stronger confidence that teams are prioritizing and validating the exposures that matter most.

Read the blog to see how Dynamic EASM Discovery helps teams keep pace with a changing attack surface.

[Image: The Rapid7 Command Platform displaying your EASM seed data]

Platform and Labs

Rapid7 Command Platform

We’re excited to introduce a centralized way to programmatically access data across all managed tenants with new multi-tenant API keys. For organizations managing multiple environments, tenants, or customers, integrating with each one individually has traditionally required significant manual effort: creating, maintaining, and rotating a separate API key for every tenant. This slows down development, increases operational overhead, and invites inconsistency.

With this new capability, you can build a single integration that “loops” through tenants automatically, enabling consistent data access and streamlined workflows at scale. Whether you’re aggregating data for reporting, powering automation, or integrating with third-party tools, multi-tenant API keys simplify the process and reduce complexity, freeing your teams to focus on higher-value tasks instead of repetitive configuration. Because a single key now reaches every tenant, treat it as a high-value credential: keep it in a secrets manager, limit where it can be used from, and rotate it on a schedule. Read all about it in our blog.

Rapid7 Labs

The latest threat research reports from Rapid7 Labs

This quarter Rapid7 Labs continued to deliver critical insights into the evolving threat landscape, uncovering how attackers are adapting their tactics – from stealthy, long-term intrusions to increasingly targeted and data-driven attacks. Our latest research reports highlight the growing complexity of modern threats and the real-world risks facing organizations today. Explore the findings below to better understand what’s changing and what it means for your security strategy.

  • BPFdoor in Telecom Networks: Sleeper Cells in the Backbone: Rapid7 uncovered a long-running espionage campaign in which a China-nexus threat actor, Red Menshen, embedded stealthy “sleeper cells” inside global telecommunications networks using the BPFdoor backdoor. The implant attaches a Berkeley Packet Filter to a raw socket so it can receive attacker-crafted “magic” packets without opening a listening port, giving persistent, hard-to-detect access with few of the usual network signals and allowing attackers to monitor communications, subscriber data, and critical infrastructure over time. The research highlights a shift from opportunistic attacks to deliberate, long-term pre-positioning inside core systems that underpin global connectivity, raising national-level risk.

  • 2026 Global Threat Landscape Report: The latest report from Rapid7 Labs delivers an in-depth analysis of global adversary behavior, drawing on telemetry from Rapid7 MDR investigations, vulnerability intelligence, and frontline incident response. This year’s findings highlight a rapidly evolving threat environment, marked by the collapse of the window between vulnerability disclosure and exploitation, the continued industrialization of ransomware operations, and the acceleration of modern attacks through the use of AI.

  • Executives’ Digital Footprints Threat Report: Today, 60% of an executive’s digital risk exposure is retrievable through surface web searches, including public records, professional history, and social media activity, all of which can be weaponized for highly targeted attacks. The Executives’ Digital Footprints Threat Report from Rapid7 Labs details how these digital footprints are an often overlooked threat vector that can be exploited, posing risks to the executive, their families, and their organizations.

Exposing the Chrysalis Backdoor

Last month, Rapid7 uncovered the Chrysalis backdoor, a sophisticated supply chain attack that leveraged the Notepad++ update mechanism to selectively target organizations with a stealthy, persistent backdoor. This discovery highlights the growing risk of trusted software being weaponized and the real-world impact of advanced, targeted campaigns that can evade traditional defenses, reinforcing the importance of continuous monitoring and validating third-party software behavior in today’s threat landscape. Learn more about the Chrysalis backdoor here, and see more details on its impact and what you can do next here.

Cyber threat activity related to the Iran conflict

Rapid7 is actively monitoring cyber threat activity related to the Iran conflict, providing support for our customers and the cybersecurity community. Review observed activity, official advisories, and recommended defensive actions here.

Announcing Metasploit Pro 5.0.0

We’re excited to announce the launch of Metasploit Pro 5.0.0, a major evolution in red-team and penetration testing. Built to address today’s dynamic threat landscape, this release delivers a redesigned UI along with usability, validation, and workflow improvements that help security teams validate vulnerabilities faster and more effectively. Learn more in our blog post here.

[Image: Newly designed interface of Metasploit Pro]

We’re just getting started

The innovation doesn’t stop here. We have a strong pipeline of product enhancements and new capabilities rolling out all year long. Be sure to follow our blog and release notes to see how Rapid7 continues to advance our platform and deliver greater value.

You Don’t Have a Security Problem, You Have a Visibility Problem

3 April 2026 at 09:46

What you’ll learn in this article

This article explains why many breaches are driven by gaps in visibility rather than advanced exploits, how attackers move through modern environments, and what changes when organizations start connecting assets, identities, and attack paths into a single view.

What is a visibility problem in cybersecurity?

A visibility problem exists when security teams cannot clearly answer three basic questions: what assets exist, who or what can access them, and how those elements connect. When those answers are incomplete, decisions are made based on assumptions – and that creates conditions where risk can grow, unnoticed.

As environments expand across cloud, SaaS, and hybrid infrastructure, the number of systems and identities grows quickly. What often falls behind is a clear understanding of how they relate to each other, and that gap is where attackers tend to operate.

How visibility gaps turn into breaches

A large medical technology organization experienced a breach driven by a series of compounding gaps rather than a single exploit. Internet-exposed assets created the initial entry point, while inconsistencies in device posture and identity enforcement, including gaps in platforms like Intune, weakened the security boundary. Attackers leveraged exposed or reused credentials and over-permissioned access to move laterally across systems. Without unified visibility across assets, identities, and managed devices, the attack path remained invisible until critical systems were reached.

Each of these conditions is common on its own, but what makes them dangerous is how they connect.

Why most attacks are not about flashy exploits

This breach did not rely on a zero-day vulnerability or an advanced technique. It depended on an exposed asset, valid credentials, and inconsistent enforcement across identity and devices. Those elements exist in most environments, but without visibility into how they overlap, they can be combined into a viable attack path.

Security teams often evaluate vulnerabilities individually, while attackers focus on how those weaknesses can be chained together. The risk is not just in what is vulnerable, but in how exposure allows movement.

What a visibility-first approach looks like

Improving outcomes depends on understanding how exposure exists across the environment and how different elements relate to each other.

Asset visibility is the starting point. Many organizations cannot confidently identify everything that is externally accessible, and attackers often find assets that were never intended to be exposed. Continuously mapping assets across cloud and on-prem environments reduces that uncertainty and limits entry points.

Identity is just as critical. Once access is established, movement depends on credentials and permissions. Stolen credentials, over-permissioned accounts, and weak authentication paths allow attackers to move beyond initial entry. Treating identity exposure as part of the attack surface helps identify these risks earlier, especially when leaked credentials can be tied to active accounts and privileges.

Attack path visibility connects these elements. Instead of evaluating findings in isolation, it shows how exposures can be combined into realistic attack scenarios. Through adversarial simulation, organizations can observe how an attacker could move from an exposed system to internal resources, which shifts focus toward removing viable paths rather than addressing isolated issues.

External signals, such as credential leaks, only become meaningful when tied back to internal systems. Monitoring for exposed credentials is useful, but correlating those credentials with active accounts and access levels is what turns that signal into something actionable.

Controls such as least privilege and multi-factor authentication remain essential, but they are only effective when applied consistently. Without visibility into where access exists, enforcement gaps are difficult to detect.
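The chaining described in this section, and the credential-leak correlation just above, as an added example that is not from the article or any Rapid7 product: a small Python attack-path finder over a constructed inventory. Every host, account, group, edge and leaked credential in it is invented sample data and the relation names are assumptions; what it shows is the method an attack-path tool applies at scale: a breadth-first search from the internet to critical systems, the choke points common to every path, and leaked credentials kept only when they map to an active account with reachable access.

```python
"""Find chained attack paths over an asset/identity graph.

Added example, not from the article or any Rapid7 product. Hosts, accounts,
groups, edges and leaked credentials below are constructed sample data and the
relation names are assumptions; the method is what matters."""

from collections import deque

# Constructed inventory as (source, relation, target) edges:
#   INTERNET -exposes-> host            host is reachable from the internet
#   host -credential_on-> account       account's credential is cached/reused on host
#   account -has_access-> host          account can log in to / administer host
#   account -member_of-> group          group -has_access-> host
EDGES = [
    ("INTERNET", "exposes", "vpn-gw01"),
    ("INTERNET", "exposes", "web01"),
    ("vpn-gw01", "has_access", "intranet01"),  # dead end: nothing useful cached there
    ("vpn-gw01", "credential_on", "jdoe"),     # jdoe's VPN password is reused internally
    ("web01", "credential_on", "svc_web"),     # service account in a web config file
    ("svc_web", "has_access", "app01"),
    ("app01", "credential_on", "jdoe"),
    ("jdoe", "member_of", "Helpdesk"),
    ("Helpdesk", "has_access", "file01"),      # over-permissioned group
    ("file01", "credential_on", "admin_it"),   # domain admin logs on to the file server
    ("admin_it", "has_access", "dc01"),
]
CRITICAL = {"dc01"}
ACTIVE_ACCOUNTS = {"svc_web", "jdoe", "admin_it", "old_contractor"}
MFA_ENFORCED = {"admin_it"}
# External signal: (username, where the credential was seen), constructed.
LEAKED = [("jdoe", "paste-2026-03"), ("old_contractor", "combo-list"), ("nobody", "combo-list")]


def build_adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def find_attack_paths(edges, start="INTERNET", targets=CRITICAL, max_paths=10):
    """Breadth-first search; each path alternates node, relation, node, ... so the
    shortest chains come out first. Paths are kept simple (no repeated node)."""
    adj = build_adjacency(edges)
    paths, queue = [], deque([[start]])
    while queue and len(paths) < max_paths:
        path = queue.popleft()
        node = path[-1]
        if node in targets:
            paths.append(path)
            continue
        for rel, nxt in adj.get(node, []):
            if nxt not in path[0::2]:
                queue.append(path + [rel, nxt])
    return paths


def choke_points(paths):
    """Nodes present on every path: fixing one of them removes all the paths."""
    if not paths:
        return set()
    common = set.intersection(*(set(p[0::2]) for p in paths))
    return common - {"INTERNET"} - CRITICAL


def reachable_from(account, adj):
    """Hosts an account can reach directly or through group membership."""
    hosts = {dst for rel, dst in adj.get(account, []) if rel == "has_access"}
    for rel, group in adj.get(account, []):
        if rel == "member_of":
            hosts |= {dst for r, dst in adj.get(group, []) if r == "has_access"}
    return sorted(hosts)


def triage_leaked_credentials(leaked, active, mfa, edges):
    """Keep leaks that map to an active account and rate them by what that account reaches.
    Unknown or disabled usernames are dropped; MFA-enforced accounts are downgraded."""
    adj, findings = build_adjacency(edges), []
    for user, source in leaked:
        if user not in active:
            continue
        reach = reachable_from(user, adj)
        severity = "medium" if user in mfa else ("high" if reach else "low")
        findings.append({"user": user, "source": source, "reach": reach, "severity": severity})
    return findings


def describe(path):
    return " ".join(f"-[{p}]->" if i % 2 else p for i, p in enumerate(path))


if __name__ == "__main__":
    found = find_attack_paths(EDGES)
    for p in found:
        print(describe(p))
    print("choke points:", sorted(choke_points(found)))
    for f in triage_leaked_credentials(LEAKED, ACTIVE_ACCOUNTS, MFA_ENFORCED, EDGES):
        print(f"{f['severity']:6} {f['user']} ({f['source']}) reaches {f['reach']}")
```

Run as a script, it prints two paths to dc01 (one through the VPN gateway, one through the web server) and the four nodes they share. The choke-point set is the practical output: breaking the Helpdesk group's access to file01, or stopping admin_it from logging on there, removes both paths at once, whereas patching web01 in isolation leaves the VPN route intact. The leak triage drops the username that matches no account and rates the contractor's leak low because the account, although still enabled, reaches nothing.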

Why visibility changes the security outcome

The difference in a scenario like this is not simply better tooling. It is a shift in how exposure is understood and prioritized.

Attackers look for the easiest path through an environment. A visibility-first approach identifies those paths earlier, reduces them, and then examines why they existed. That changes how teams prioritize work, moving from reacting to individual findings toward removing viable attack paths.

How this works in practice

This is where platforms like Rapid7 support a more complete view of exposure. Surface Command aggregates telemetry from over 190 sources, helping organizations unify fragmented views of assets and identities. InsightCloudSec extends that visibility into cloud environments by enforcing best practices and least privilege without relying on manual processes. Vector Command focuses on how attackers move, using continuous testing and simulation to show how attacks would unfold across an environment.

On the intelligence side, integrating threat data with identity systems allows external signals, such as credential leaks, to be mapped to active accounts and validated in real time. That makes it possible to act before those credentials are used.

Together, these capabilities provide a clearer understanding of how exposure translates into risk.

Putting visibility at the center of security

Zero trust depends on more than policy. It requires visibility, identity, validation, and enforcement to work together continuously.

Without visibility, zero trust becomes difficult to apply in practice. With it, security decisions can be based on how systems actually behave rather than how they are expected to behave, which shifts organizations away from reacting to incidents and toward preventing them from forming.

Accelerate Attack Surface Discovery with new AI-Powered Connectors

9 March 2026 at 12:28

Discovery: The foundation of exposure management

To understand your attack surface and all related exposures, Rapid7's Command Platform provides Attack Surface Management (included in Surface Command, Exposure Command and Incident Command). It provides a 360° view of all assets in the organization, their associated risks, and how they relate to one another, giving teams attack surface visibility they can trust to detect security issues from endpoint to cloud.

This blog will cover how to use connectors to bring security data from your cloud, IT, AI and cybersecurity systems into Surface Command and make it actionable for the Discovery phase of Continuous Threat Exposure Management (CTEM), as well as some best practices on data management. Read on to the end of the blog to learn more about the latest connectors for most mainstream AI platforms.

What are connectors in Rapid7 Surface Command?

Connectors are lightweight, API-based integrations for common security data sources that allow Surface Command to ingest data about assets, identities, vulnerabilities, cloud environments, and more. By ingesting data from multiple different data sources, Surface Command can discover your entire attack surface, providing important context on exposure severity, business criticality, and exploitability.

Surface Command uses a Unified Data Model, mapping data from different sources into common asset types such as identities, networks, vulnerabilities, and findings. When new connectors are developed, they are aligned with these existing models for consistency and correlation.

Common data sources include vulnerability scanning tools, endpoint protection technologies, and cloud infrastructure such as AWS, Azure, and GCP. Each connector is designed to work with the specific APIs and data formats of its target system. Surface Command provides connectors for most major security and IT management tools, and more are being developed every month. Custom connectors can also be created for enterprise-specific systems, provided there is an API to work with.

Each connector captures asset properties and relationships, storing a complete record of what is known in the original system. To keep data current, connectors periodically pull updates from their source. This can be scheduled per connector, depending on how dynamic the data is (e.g., cloud environments).

Surface Command then manages the data ingestion, correlating and mapping incoming data across systems to maintain accuracy and unify the view across assets.

The Rapid7 Extensions Library

Figure 1: The Attack Surface Management view within the Rapid7 Extensions library.

The Extensions Library is your home for exploring and installing Rapid7 product extensions and integrations. You can access it at extensions.rapid7.com or by clicking on the Extensions icon (three squares and a plus) in the top right of the screen.

Surface Command currently supports 189 Extensions (also known as connectors), with new ones added weekly. You can easily filter by category, or search directly for the application you require.

Connecting the dots, one API at a time

Before you begin, have the API key and URL ready for each application you will connect to Surface Command. Surface Command requires only read-only access to each application, so create a dedicated key with read-only scope rather than reusing an administrative one, and rotate it as you would any other service credential.

Enter the relevant information (masked in the screenshot below), test the API connection, and begin the data ingestion process. Repeat this for every application you want connected. Surface Command will automatically correlate the incoming data and enrich each asset or identity with relevant business context.

Figure 2: How to enter the API information for each connector.

Pro tip: Connectors & scheduling

With connectors added to Surface Command to pull in information about the attack surface, the next step is to schedule when each one runs.

Surface Command makes this easy. Connectors can run hourly, daily, or weekly, and we recommend scheduling them outside regular business hours.

To do this, click Configurations / Import Feeds, find the connector you wish to schedule, and use the edit button to open its configuration menu, where you can set the frequency. If you have multiple connectors, stagger their start times slightly rather than running them all at once.

Figure 3: Editing the data import schedule for each connector.

Asset detail and associated connectors

Once your connectors are running, you can view any asset in Surface Command and immediately see which security tools are reporting on it. This makes it easy to identify gaps in protection, for example, an asset without endpoint detection or vulnerability coverage.

Figure 4: Showing all of the connectors associated with this asset.

New beta connectors for OpenAI and Anthropic

We’re excited to introduce two new beta connectors in Surface Command that expand our visibility into how organizations provision and use modern AI platforms: OpenAI and Anthropic. Learn more about Rapid7's approach to AI in a new blog, here.

OpenAI connector

The OpenAI integration focuses on helping teams understand who is using OpenAI services and how they're using them. We now ingest:

  • OpenAI Platform Users: users who create or work with API keys

  • ChatGPT Users: identified via audit log analysis due to limited API support

Because ChatGPT Enterprise provides no native API for listing users, we built a workaround that parses audit logs to derive a unique user list, conversation counts, and last-active timestamps. It’s lightweight, but it’s the most accurate method available given current API constraints.
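The audit-log workaround described above, as an added example in Python that is not Rapid7's connector code: it derives a unique user list, per-user conversation counts, and first/last activity from audit-log events, then uses that inventory for two checks a practitioner wants, users idle past a threshold and users absent from the identity directory. The event shape (`type`, `effective_at`, `actor.session.user.email`) and the event type counted as a conversation are assumptions for illustration, and the log lines are constructed; check both against your platform's audit-log schema before relying on the counts.

```python
"""Derive a ChatGPT user inventory from audit-log events.

Added example, not Rapid7's connector code. The event shape
(type, effective_at, actor.session.user.email) and the event type counted as a
conversation are ASSUMPTIONS for illustration; verify them against the real
audit-log schema. Timestamps are unix seconds (UTC)."""

import json
from datetime import datetime, timezone

# Constructed sample: three users, one API-key actor with no user, one malformed line.
SAMPLE_AUDIT_LOG = """
{"id": "audit_1", "type": "login.succeeded", "effective_at": 1772000000, "actor": {"type": "session", "session": {"user": {"email": "alice@example.com"}}}}
{"id": "audit_2", "type": "conversation.created", "effective_at": 1772003600, "actor": {"type": "session", "session": {"user": {"email": "alice@example.com"}}}}
{"id": "audit_3", "type": "conversation.created", "effective_at": 1772090000, "actor": {"type": "session", "session": {"user": {"email": "Alice@example.com"}}}}
{"id": "audit_4", "type": "conversation.created", "effective_at": 1771000000, "actor": {"type": "session", "session": {"user": {"email": "bob@example.com"}}}}
{"id": "audit_5", "type": "api_key.created", "effective_at": 1772100000, "actor": {"type": "api_key", "api_key": {"id": "key_123"}}}
{"id": "audit_6", "type": "login.succeeded", "effective_at": 1760000000, "actor": {"type": "session", "session": {"user": {"email": "carol@example.com"}}}}
not json at all
""".strip()

CONVERSATION_EVENT = "conversation.created"  # assumed event type, see docstring
DAY = 86400


def parse_events(text):
    """Parse JSON-lines audit output; skip malformed lines but count them."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def actor_email(event):
    """Email of the acting user, lower-cased; None for API-key or system actors."""
    actor = event.get("actor") or {}
    if actor.get("type") != "session":
        return None
    email = ((actor.get("session") or {}).get("user") or {}).get("email")
    return email.lower() if email else None


def derive_users(events):
    """Per-user record: conversation count, total events, first/last seen (unix seconds)."""
    users = {}
    for ev in events:
        email, ts = actor_email(ev), ev.get("effective_at")
        if email is None or not isinstance(ts, int):
            continue  # no user behind this event, or no usable timestamp
        rec = users.setdefault(email, {"conversations": 0, "events": 0,
                                       "first_seen": ts, "last_seen": ts})
        rec["events"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        if ev.get("type") == CONVERSATION_EVENT:
            rec["conversations"] += 1
    return users


def stale_users(users, now_ts, max_idle_days=90):
    """Users with no activity in the last max_idle_days: deprovisioning candidates."""
    cutoff = now_ts - max_idle_days * DAY
    return sorted(email for email, rec in users.items() if rec["last_seen"] < cutoff)


def unknown_users(users, directory_emails):
    """Users active in ChatGPT but absent from the identity directory (shadow accounts)."""
    known = {e.lower() for e in directory_emails}
    return sorted(set(users) - known)


def iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_AUDIT_LOG)
    users = derive_users(events)
    now = 1773014400  # 2026-03-09T00:00:00Z, constructed "now" for the report
    for email, rec in sorted(users.items()):
        print(f"{email:22} conversations={rec['conversations']} "
              f"events={rec['events']} last_seen={iso(rec['last_seen'])}")
    print("skipped malformed lines:", skipped)
    print("stale (>90 days):", stale_users(users, now))
    print("not in directory:", unknown_users(users, ["alice@example.com", "bob@example.com"]))
```

Two details matter when you run this against real audit data: email addresses are normalized to lower case before aggregation so that one person does not appear as two users, and events whose actor is an API key or the system rather than a session are counted nowhere, since they say nothing about who is using ChatGPT. A user who shows up in the audit log but not in your directory export is the finding that deserves a follow-up.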

Anthropic connector

The Anthropic integration provides deeper insights and includes:

  • Anthropic Console Users

  • Claude Code Users

  • Anthropic Workspaces

Claude Code offers especially rich analytics, including:

  • Lines of code generated

  • Tool actions

  • Estimated costs

  • Model usage patterns

This enables increasingly powerful AI posture and usage monitoring across engineering teams.

Inside the identities view

With these connectors enabled, you can now open any user in Surface Command and see:

  • Their Anthropic user profile and workspace membership

  • Their OpenAI usage, including ChatGPT conversation activity

  • Their Claude Code analytics and estimated spend

Extending exposure management to AI usage

By adding these two AI connectors to Surface Command, Rapid7 extends the platform’s ability to ingest and correlate emerging AI usage data alongside existing asset and identity signals. This allows customers to gain visibility into who is using AI services, understand potential exposure, and apply the same governance and risk workflows they already rely on—without introducing new tools or silos. As new connectors are added, customers can continue expanding their exposure coverage as their environments evolve.

What’s coming next?

We’re already working on additional AI platform coverage:

  • Gemini usage insights through the Google Workspace connector

  • Microsoft Azure Copilot user visibility

These additions will round out our support for AI user posture across the major platforms.

Take Command of your attack surface

▶︎ Attack Surface Management: Free Trial

Access this hands-on experience of Surface Command to see how your team can accelerate high-risk asset identification, prioritization, and remediation.
