
Threats don’t wait, neither should you: Mastering Emergent Threat Response Validation

23 May 2025 at 09:00

Cybersecurity is a team sport


In cybersecurity, no one fights alone. Defending against modern threats requires seamless collaboration, real-time intelligence, and precision execution—just like a well-coordinated sports team. That’s why Rapid7 Labs and our Vector Command team work together to stay ahead of adversaries, ensuring security teams have the insights and capabilities needed to respond effectively. While Rapid7 Labs uncovers emerging threats and delivers cutting-edge research, Vector Command puts that intelligence to work—validating response strategies, optimizing defenses, and ensuring organizations are ready when it matters most. Because in cybersecurity, the best defense is a well-prepared team.

What is an Emergent Threat Response?

Rapid7 Labs’ Emergent Threat Response (ETR) program delivers fast, expert analysis and first-rate security content for the highest-priority security threats, helping both Rapid7 customers and the wider security community understand their exposure and act quickly to defend their networks against rising threats.

The Rapid7 Command Platform displays any emergent threats on our homepage, at the top of the screen, easily visible once you have logged in. Our expert researchers include a blog post to accompany each emergent threat.

We also notify all Managed Service customers after discovering new Common Vulnerabilities and Exposures (CVEs). This notification includes known information about the CVE, steps to protect your environment and updates on Rapid7’s response.

Figure 1: An example of how the Emergent Threat message is displayed on our Command Platform home page.

Figure 2: A close-up view of the actual Emergent Threat message with supporting blog post.

Why is ETR critical?

Emergent threat response validation is critical because cyber threats evolve at a relentless pace, often outpacing traditional security measures. Without continuous testing and refinement, even the most advanced security tools can fall short when faced with real-world attacks. By proactively validating threat response strategies, organizations can identify gaps, fine-tune automation, and ensure that security teams are ready to act with speed and precision. This not only minimizes downtime and damage but also strengthens overall resilience, enabling businesses to stay ahead of adversaries rather than scrambling to react after an incident has already occurred. In today’s threat landscape, preparedness isn’t optional—it’s the difference between containment and catastrophe.

Figure 3: Emergent Threat Alert message.

How can Vector Command help?

This is the value of an always-on, managed red team service. We continuously test your defenses against the latest ETRs, to see if we can breach your network before threat actors do. If we’re successful, we’ll show you how—and provide actionable remediation guidance.

We’d love to highlight the many organizations that have benefited from this capability with Vector Command, but we respect their privacy.

One example we can share: a global professional services firm adopted Vector Command for this exact use case. As a frequent target of advanced persistent threats, their security team recognized the value of proactive testing of their resilience.

DORA compliance was also a key driver for this client, given their customer footprint in the EU and the associated reporting requirements. DORA compliance reports demonstrate how financial entities meet regulatory expectations around ICT risk management, incident handling, and third-party oversight, ensuring operational resilience.

With Vector Command, we deliver ongoing external network penetration testing. For some customers, this alone is enough to demonstrate to auditors that they are actively validating their defenses in alignment with DORA.

CTEM and Validation

The leading industry analyst, Gartner®, has said, “security operations managers should go beyond vulnerability management and build a continuous threat exposure management program to more effectively scope and remediate exposures”.

Threat exposure management involves identifying, assessing, and mitigating exposures within an organization's digital environment. CTEM has emerged as a dynamic program designed to help teams manage their expanding attack surface and maintain a consistent, actionable security posture.

The fourth phase of CTEM is validation, and this is where always-on red teaming, such as Vector Command, becomes essential.

Rapid7 also supports the second, third and fifth phases of CTEM through our Exposure Command and Exposure Command Advanced, both launched in August 2024.

Figure 4: Continuous Threat Exposure Management | Source: Gartner 796532_C

Take command of your attack surface

This is the fourth post in our deep dive blog series exploring key capabilities of Vector Command. We hope you’ve found it valuable—and if you have feedback or questions, we’d love to hear from you.

Rapid7 brings together world-class expertise, from our Labs researchers and red teamers to the superstars who work across our multiple SOCs.

If you missed our most recent virtual Take Command 2025 summit, the session “Outpacing the adversary: Red teaming in a complex threat landscape” is still available on demand. You’ll hear firsthand from industry expert Will Hunt and Rapid7 principal security consultant Aaron Herndon.

We’ve also created a self-guided product tour for Vector Command—available anytime for a hands-on look at the platform.

Vector Command: Request Demo ▶︎

Ready to see how continuous red team managed services can ensure your potential attack pathways are remediated before they can ever be exploited?


GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner, “How to Grow Vulnerability Management Into Exposure Management”, November 2024 (For Gartner subscribers only)

Pentales: Red Team vs. N-Day (and How We Won)

4 April 2025 at 09:00

During a recent Vector Command operation, I had the chance to sit down with one of our red teamers to hear firsthand how they identified and exploited an N-Day vulnerability in a customer’s environment. It’s a clear example of how continuous red teaming can uncover and validate real-world risks before attackers do.

While the organization involved remains anonymous, the events described are real. This story reflects how our always-on testing approach closely mirrors the creativity and persistence of actual threat actors.

Initial Recon: Spotting an N-Day in the Wild

Vector Command engagements begin with one core question: If someone wanted to break in, where would they start? That’s the mindset our red team brings to every operation.

A red team is a group of security professionals who simulate real-world adversaries. Their goal isn't to check boxes or run automated scans, but to think and act like attackers—uncovering weaknesses that traditional assessments often miss. They combine technical skill with creativity, adapting to the environment they’re targeting and exploring how far a real compromise could go.

In this case, as part of Vector Command’s continuous reconnaissance, the red team identified a subdomain hosting a vulnerable web application. Because the vulnerability had already been publicly disclosed, the exposure was classified as an N-Day: the issue was known in the broader security community, but it hadn’t yet been patched in this environment.

Using a publicly available proof-of-concept exploit, the team compromised the application and underlying host. From there, they found credentials stored in the file system, granting access to services deeper within the internal network.

From Exploit to Expansion: Breaching the Perimeter and Moving Laterally

As part of our recon, we zeroed in on a subdomain running a web app that was just begging to be poked. It was tied to a recently disclosed N-Day vulnerability—publicly known, actively discussed, and in this case, still unpatched.

We ran a proof-of-concept exploit and landed a shell. From there, we had access to the underlying host, and it didn’t take long to find something useful: credentials stashed away on the file system. Those creds gave us our next step into the internal network.

With the perimeter breached, we started exploring. There was little in the way of segmentation, which made internal discovery a breeze. We quickly found an internal SMTP server and realized we could send emails that appeared completely legit—from the inside, to the inside.

We used that to spin up a phishing campaign. The bait? A cloned version of the company’s actual login portal, hosted on the compromised subdomain. From the user’s perspective, everything looked familiar. The URL checked out. The branding was perfect. And people clicked.

We captured multiple sets of credentials, including an admin account. From there, we confirmed a misconfiguration on a critical internal system. That allowed us to escalate privileges and prepare for full domain takeover.

Classic attack chain: exploit, phish, pivot, escalate. All real. All tested safely under Vector Command.

From Attack Chain to Action Plan

You may be forgiven for thinking an organization would not be happy with this. However, the opposite was true: our Vector Command customer was delighted that we found and exploited this vulnerability. We proved the value of our continuous red teaming, mimicking what a real external threat actor would do to breach a network.

The subdomain we compromised was prioritized for remediation and now has security controls in place. We then re-tested the customer’s environment to ensure their patches actually worked and this particular security gap was closed.

From PoCs to Happy SOCs

In our previous blogs, we’ve explored the human side of continuous red teaming—through opportunistic phishing stories, external network assessments, and a deep dive into the TTPs behind post-compromise simulations.

Security Operations Centers (SOCs) are often relieved—not rattled—when we uncover these risks. It gives them proof, insight, and time to act.

As part of Vector Command, this engagement was fully documented—summarized for executive stakeholders and detailed for security practitioners. Reports live in the Vector Command portal, accessible whenever teams need to revisit findings or track remediation progress.

Customers also have the opportunity to debrief directly with the red teamer behind the operation. Whether it's to dig deeper into the attack chain or walk through lessons learned, we’re here to help strengthen defenses—because at the end of the day, we’re all working toward the same goal.

If you or your security team want to explore how continuous red teaming can support your program, let’s talk.

Ready for Your Own Red Team Reality Check?

If you're curious what an attacker might find in your environment, Vector Command can help you find out before someone else does.

Learn More about Rapid7's Vector Command Service ▶︎


Unpacking a post-compromise breach simulation with Vector Command

27 March 2025 at 09:31

The reality of modern cyber threats


In today’s evolving cyber landscape, breaches are not a matter of if, but when. Attackers continue to refine their techniques, using stealthy post-compromise tactics to maintain persistence, escalate privileges, and move laterally across networks. The key to staying ahead is not just preventing attacks, but building resilience to withstand and respond to them effectively.

This concept of resilience aligns with Continuous Threat Exposure Management (CTEM), a proactive approach to security validation. According to Gartner, CTEM consists of five pillars:

  1. Scope your organization’s attack surface;
  2. Discover your attack surface;
  3. Prioritize your vulnerabilities;
  4. Validate security controls; and finally
  5. Mobilize people and processes to operationalize the CTEM findings.

Vector Command plays a critical role in the fourth pillar, continuously testing security defenses through post-compromise breach simulations that replicate real-world adversary tactics.

How Vector Command tests resilience

This blog is the third in our Vector Command series, where we explore the tactics, techniques, and procedures (TTPs) leveraged by Rapid7’s expert red team. Today, we’re focusing on post-compromise breach simulations—a critical capability in assessing an organization’s ability to detect and respond to a persistent adversary.

Figure 1: Post Compromise Breach Simulation Attack

TTP mapping to the MITRE ATT&CK framework

Once an attacker gains access, whether through phishing or external exploitation, the real damage begins. As part of our post-compromise breach simulation, Vector Command emulates the tactics and techniques adversaries use once they’re inside, using the MITRE ATT&CK® framework as a guide.

Our red team stages command and control payloads and executes a series of proven attacker behaviors to test your resilience across the most common post-compromise scenarios:

  • Configure host persistence - Attackers work to maintain their foothold across reboots and user sessions by modifying startup tasks, hijacking processes, or introducing malicious code. We simulate these tactics to test your defenses against long-term compromise.
  • Attempt host privilege escalation - Gaining initial access is just the beginning. Adversaries often exploit misconfigurations or unpatched vulnerabilities to escalate privileges from standard user accounts to full admin control—enabling deeper access into your environment.
  • Query Active Directory for hosts accessible with compromised credentials - With valid credentials in hand—often obtained through phishing—we test whether an attacker could identify and access other systems or sensitive services using tools that mimic common enumeration techniques.
  • Attempt lateral movement on the network - We simulate how attackers move through your environment by pivoting between systems using native tools and compromised credentials. This reveals how far a real threat actor could go—and how quickly they’d reach your most critical assets.
  • Attempt domain privilege escalation using common misconfigurations - During breach simulations, our red team frequently tests for domain privilege escalation using misconfigurations that are surprisingly common in real-world environments. These include:
      • Local administrator accounts
      • Users with admin-like access
      • Standard users with elevated access to specific systems or sensitive functions

These misconfigurations often intersect with persistence techniques, as attackers take advantage of elevated contexts to maintain long-term access.

Want to see how exposed your organization might be? Surface Command can help identify admin users without multi-factor authentication (MFA), offering a quick view into high-risk accounts and helping fulfill the “Discover” step of Exposure Management. (See our Surface Command “Admin users without MFA” use case.)

  • Initial access payloads and internal breach playbooks - Every simulation is guided by detailed internal breach playbooks. These help test your incident response readiness and ensure alignment with known attacker workflows, including phishing payload delivery and post-access exploitation.

Each of these steps represents a real-world risk. By simulating them in a controlled environment, Vector Command helps organizations identify blind spots, validate security controls, and improve detection and response capabilities.
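As an added illustration of the defender's side of the misconfiguration list above (local administrator accounts, users with admin-like access, standard users with elevated access to specific systems) together with the "admin users without MFA" check, here is a small audit over a constructed identity inventory. This is example code written for this page, not Rapid7 or Vector Command tooling; the group names treated as admin-like and all account data are assumptions.

```python
"""Audit a constructed identity inventory for the misconfiguration classes
named on this page, plus admin users lacking MFA. Example code, not Rapid7
tooling; group names and account records are assumptions, not real data."""
from dataclasses import dataclass, field

# Assumption: a typical set of Active Directory groups that confer admin-like rights.
ADMIN_LIKE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Server Operators", "Backup Operators"}


@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)
    local_admin_on: set = field(default_factory=set)  # hosts where the account is a local admin
    mfa: bool = False
    is_builtin_local_admin: bool = False  # an enabled built-in local 'Administrator' account


# Constructed sample inventory (not real data).
INVENTORY = [
    Account("Administrator", local_admin_on={"FS01"}, is_builtin_local_admin=True),
    Account("alice", groups={"Domain Admins"}, mfa=True),
    Account("bob", groups={"Backup Operators"}, mfa=False),
    Account("carol", groups={"Domain Users"}, local_admin_on={"WS-FIN-07", "SQL02"}),
    Account("dave", groups={"Domain Users"}),
]


def is_admin_like(acct):
    """True when the account belongs to any group from ADMIN_LIKE_GROUPS."""
    return bool(acct.groups & ADMIN_LIKE_GROUPS)


def audit(accounts):
    """Return (account, finding) tuples; one account can produce several findings."""
    findings = []
    for a in accounts:
        if a.is_builtin_local_admin:
            findings.append((a.name, "local administrator account enabled on: " + ", ".join(sorted(a.local_admin_on))))
        elif is_admin_like(a):
            findings.append((a.name, "admin-like access via: " + ", ".join(sorted(a.groups & ADMIN_LIKE_GROUPS))))
        elif a.local_admin_on:
            # A standard user that is nonetheless a local admin on specific systems.
            findings.append((a.name, "standard user with elevated access on: " + ", ".join(sorted(a.local_admin_on))))
        if is_admin_like(a) and not a.mfa:
            findings.append((a.name, "admin without MFA"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```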

Beyond simulation: Actionable reporting & remediation with Vector Command

Security testing is only as valuable as the insights it delivers. With Vector Command, organizations receive tailored reports designed for both executive leadership and security practitioners:

  • Executive-Level Report: A high-level summary of key findings, business risks, and prioritized remediation steps, written in plain language for strategic decision-making.
  • Technical Report: A detailed breakdown of attack simulations, including timestamps, screenshots, and step-by-step execution logs for the security team to analyze and act on.

These insights are not just reports—they are action plans to help teams fortify their defenses against real adversary behaviors.

Take command of your attack surface

Cyber resilience is about understanding your adversary’s tactics before they use them against you. Vector Command delivers an always-on red teaming service that helps organizations stay ahead of attackers by continuously validating defenses and improving response strategies.

Want to learn more? Join us at our upcoming Take Command virtual summit, where we’ll explore how red teaming is evolving to outpace modern threats.

Register here.
