An Evaluation of Rapid7 NeXpose
I’ve been focusing a lot of my time lately on our PCI initiatives. One sub-topic that I’ve spent a particularly large amount of time on has been Requirement 11.2, which says that you need to have internal and external network vulnerability scans performed by a scan vendor qualified by PCI. We already employ one such tool, but I’ve been evaluating several other vulnerability scanning tools to see how our current tool compares. I’ll post my evaluations of each of these tools in time, but for now I’ll start with my evaluation of Rapid7 NeXpose.
First off, I had never heard of the company before, but they were among the cheaper options of what I evaluated and apparently are doing some good things. They got the SC Magazine recommendation for the month of August 2008 and they received a 5-star overall rating in said magazine. The problem came as soon as I started talking to their salesperson. From the start, the guy was coming off like a used car salesman asking questions like “What would it take to get you to buy by the end of this month?” This was before I even saw an evaluation of the product. From that point forward, I don’t think a week went by where I didn’t hear from the salesperson. “How’s the evaluation going? Do you think you’re going to buy?” It got annoying very quickly.
The evaluation of the product went fairly smoothly. My biggest gripe was that the company claimed that they did everything that Qualys does and more (they even forwarded me a press release on it), but ultimately failed to deliver on that promise when I found something rather large that Qualys finds and NeXpose does not. To their benefit, Rapid7 had engineers and developers calling me and asking about the issue trying to get it into their system for me. That was pretty cool, but ultimately they’re getting paid to find these vulnerabilities for us. You would think that they’d at least have all of the CVE items in their scanning tool.
My missing Qualys vulnerability aside, the NeXpose tool found plenty of issues. This was both a positive and a negative, since a lot of what it found was a single vulnerability being reported over and over through our site’s faceted navigation. It would have been nice if the scanner recognized that, since it made the results look a lot worse than they actually were. Also, when going through the results, I noticed quite a few false positives. Most of these seemed to be due to the scanner just looking at a version number in a header instead of actually trying to test the vulnerability. It found issues with Apache modules that we didn’t even have enabled.
My favorite thing about the Rapid7 NeXpose vulnerability scanning tool was the reporting. They provide some very good reports by default. I found the “Remediation Plan Report” to be particularly interesting, as it provided their suggested path to remediate our vulnerabilities most efficiently and effectively. Was it better than the reporting that I’ve seen in other products? Maybe, maybe not.
Anyway, my evaluation of Rapid7 NeXpose was coming to a close when I got a call from the salesperson last week. It went something like this…
Salesperson: “Did you hear we got a recommendation from SC Magazine? Yeah, things are busy here. Your evaluation is taking longer than normal and I know you’ve had several issues with the product, do you think you’re going to buy it?”
Me: “Nope, hadn’t heard about the SC Magazine thing. We’ve definitely worked through some issues. Overall, the evaluation went well and I like the product. Once I finish the other evaluations I’m working on, I’ll let you know our decision.”
Salesperson: “Well, with the amount of business we’re getting with the SC Magazine article, I don’t have time for you. Feel free to call me back if you decide to buy our product, otherwise, good luck.”
What do you say to that? I got dumped by a salesperson, to whom I kept dropping hints to leave me alone so I could do my evaluation, because I was taking up too much of his time? It’s a little difficult to do an unbiased review after that, but I tried my best.
September 9th, 2008 at 2:09 pm
Yeah, to add on to Josh’s review, we had a bad experience with our initial Rapid7 sales rep. I had to tell Josh to tell him to quit calling me. It was funny, you could tell when he was calling us because you’d hear one phone ring, it would stop, the next one would start ringing… Once you picked up you’d be treated to a half hour of “WHAT will it TAKE to get you to BUY TODAY!?!?!” A successful technical evaluation, how about that. It seemed tuned to “You just want something to check off that annoying PCI compliance line item, you don’t really care about your security.” Naturally that rubbed us the wrong way. For you sales guys out there, that degrades confidence in your solution from a technical team’s POV – we had several discussions about “What are they trying to hide, or are they selling vaporware or something, to come on hard like that?”
Anyway, we have a new sales rep from Rapid7 now and they’re much better. The previous rep left the company, and our new rep has been working with us and has apologized for our earlier glad-handing. We’re certainly not holding it against them in our supplier evaluation results.
And the product is decent, not vaporware, it does a good job of combining pretty good network vulnerability scanning and decent to average Web app vulnerability scanning into a single affordable package. Not everyone needs the Cadillac solution, and we’re learning that full Web app vulnerability scanning is expensive however you slice it. Rapid7 gets you about 90% coverage of the top names in network vulns and about 40% coverage of leaders in web app vulns, and is cost competitive with other network vuln services so you’re really getting that Web app coverage “for free.” Many sites’ security profiles are fine with that, not everyone’s a bank or the government despite what your local security consultancies will tell you.
January 8th, 2010 at 4:22 am
Are you kidding me? I WAS a sales rep for Rapid7. We were taught to be assholes to clients. It was supposed to make us more marketable. If you got a “NEW” rep who was polite, it was all “good Cop, bad Cop.” Trust me… the company is as bad as you think. I would never surrender 100K plus to them. Rapid7 is as bad as a “ShamWow” commercial.
January 8th, 2010 at 9:41 am
Sweet! Thanks for speaking out. When our rep escalated to his manager and we got the exact same used-car-salesman treatment from him I suspected we weren’t an isolated case.
Boy, I wish there was a good IT-oriented site where you could review suppliers’ sales (and support) teams. Quality does vary wildly. Our entire department decided to have nothing more to do with Quest Software, for example, after a number of hateful sales engagements.
January 8th, 2010 at 12:14 pm
Seriously, thank you for commenting. I intentionally refrained from naming any names because I was unsure whether this practice came from the salesperson or the company. I still can’t quite figure out how being an asshole to clients leads to more marketability, but apparently that tack is somehow working for them. Best of luck to you with wherever you’re working these days. There are no hard feelings on our end of things.
January 29th, 2010 at 11:41 am
Wow. This is one of those things where I try to be objective even in the face of obvious used car salesman tactics. Our company has also been evaluating NeXpose and we too have endured not only the aggressive sales pitch but also the “I’m really busy, so if you don’t have the money you need to tell me now so I can move on” BS. Rapid 7’s sales people are easily the WORST I have ever dealt with and they are in real jeopardy of losing a potential sale here. My co-workers listening in on the call (it was on speaker phone) couldn’t believe the audacity of the sales person either. A quick web check of the salesperson’s name let us know they have only been employed at Rapid 7 less than six months and they appear to have no real security product background. That is what led me to search the web for comments from others who may have experienced the same thing we have. At this point it is hard to see us going with Rapid 7. If anyone has any recommendations for a competing product, please post it here. Thanks.
January 29th, 2010 at 6:36 pm
We have been talking with them off and on for a few months and have had the exact same experience as above. I have a hard time buying something from a company who conducts itself in this way. I get the impression that their entire sales team is inside of a big room with 4 walls, a bunch of tables and a bunch of phones with some pointy haired guy in the back yelling ‘SELL SELL SELL’.
February 1st, 2010 at 6:06 pm
Heh, sounds like they don’t change their spots easily.
We ended up going with Qualys for network scanning and White Hat for application scanning. It’s a little sad we have to use two vendors – it’s also probably more expensive. But we were going for “cadillac” solution.
I’m not sure if there’s another good all-in-one that does network and app scanning. (Most network ones claim they do some app scanning, but it’s usually the most trivial possible.)
February 18th, 2010 at 9:20 am
haha this is all very true, I used to work there and they basically are trying to breed A-holes. It doesn’t matter how good their product is because they act like such douches it turns people off. As far as their employees, it’s a revolving door, nobody I started with was there a month later. I’m surprised I put up with it for 3 months
March 11th, 2010 at 12:23 pm
We bought nCircle because in a head to head eval it was a much better product. Add to it the terrible sales tactics of Rapid7 and it was obvious to us which company would be here to stand behind their product in years to come.
We are very pleased with our decision to let the Rapid7 phone calls go unanswered….and we all have more time to get to the task at hand…..
April 26th, 2010 at 1:02 pm
I am in the middle of this and can let you all know not much has changed – Rapid7/Nexpose is very aggressive, very hard selling – and Qualys is pretty mellow.
June 11th, 2010 at 3:41 am
It’s all true … the comments about Rapid 7 Sales, but at the same time their IP model is better than Qualys’. I can actually use the “number” of IPs purchased to scan different IP ranges per scan. With Qualys, once you’ve defined an asset it’s there for good (maybe their support can get it changed but they want you to buy more IPs). Also Qualys is more expensive in the long run, since you have to pay the license each year, while with Rapid 7 you have a larger upfront cost but renewal fees are not 100%.
So while I agree with the sales tactics being irritating, it does actually have some pluses that I have to consider. Personally, though, I’m leaning toward going back to (and expanding) a Nessus deployment. Their IP model is unlimited.
June 11th, 2010 at 9:54 am
Thanks for your feedback Jamie. From what I’ve heard from fairly reliable sources, Qualys is basically just Nessus with a pretty UI slapped on top of it. That said, I’ve been using it for years now and have grown very comfortable with it. When I did the Nexpose comparison, they claimed 100% coverage of what Qualys had, but I can guarantee that at least at the time this was not the case. As for the licensing, my understanding with Qualys is that you can change the IPs associated at any time. We don’t do this yet, but I’ve been working towards using their scheduled mapping processes to define the IP ranges for scanning. This should eliminate dark IP addresses so that you have more spare IPs to use for other things. Currently, I do as you said and use Nessus to fill in the gaps anyplace that I can’t scan with Qualys due to licensing restrictions.
July 8th, 2010 at 10:51 am
I am in the middle of a Rapid7/Qualys review right now. Both products find the obvious vulnerabilities, and both products have missed or conflicted with each other at times. Rapid7 found WAY more web application issues. I like the executive reports better in Rapid7, but the Qualys technical reports go much more in depth and you can see the output in detail which is nice for manual validation and testing. As for reporting, Rapid7 is better and comes with a greater number of canned reports to get you going. The Qualys interface “feels” more professional, but is a bit clunky IMHO. Right now for at least our organization both products will fit the bill with what we need to accomplish, so in the end it will probably come down to price and what reports the end users like better.
As far as the sales practices go, in the past I would not have done business with Rapid7 due to their belligerent and aggressive tactics. However, my recent experience with them has been professional and pleasant. The sales and technical teams at both companies have been very helpful and great to work with.
September 20th, 2010 at 4:04 pm
While there is much talk about R7 and Qualys, you would be doing an injustice by not evaluating the nCircle product. It doesn’t have any of the quirky IP licensing of Qualys and it has much better coverage than R7.
Also anyone who has some compliance task at hand will love the complementary configuration compliance auditing tool.
September 23rd, 2010 at 4:54 pm
Only reason I allowed that blatant sales comment for nCircle is so that I could comment back and say that we did an initial evaluation of nCircle and didn’t even make it out of the starting blocks. Granted, this was over two years ago, but at the time about the only thing nCircle could compete on was price. Based on the latest Forrester and Gartner evaluations, it looks like nCircle may be closing the gap, but it is still considered inferior to both Qualys and Rapid7.
February 3rd, 2011 at 5:38 pm
Just to join the chorus, did a demo of NeXpose about 4 months ago. Took me a couple weeks to crowbar them off my phone.
February 9th, 2011 at 4:10 pm
My brother worked at Rapid7 very briefly. Apparently new reps must stand while making phone calls! My understanding is they hire enthusiasm over experience. As a seasoned sales professional: if you are a buyer or reviewer it does help to be upfront if you go in another direction, have no budget, have other priorities etc.
Good companies and people get that immediately.
February 18th, 2011 at 12:51 pm
I believe there is some confusion; nCircle has never done an evaluation at National Instruments.
February 18th, 2011 at 2:18 pm
Jeff, my humblest apologies. Your comment made me dig back through my e-mails and it turns out that I was confusing nCircle with Critical Watch, whom I did do an evaluation of. As you said, I don’t believe that nCircle ever found its way into our evaluation for one reason or another. I sincerely apologize for the mistaken identity, and now that I think about it, I have heard several good things about nCircle.
February 18th, 2011 at 2:42 pm
No problem Josh, thank you for the note. Let us know if you’d like an eval! 🙂
September 15th, 2011 at 11:52 am
So….did anybody here really go into the intricacies of the RAPID7 solution? Having used open-source Wapiti and w3af, I was interested in their sponsorship of the wsaf project as well. Sure, the sales team is a bunch of fucking douchebags, I’ve heard this seven ways to Sunday since 2007….but what about the technology itself?
September 15th, 2011 at 1:57 pm
Destro, yes, I ran Rapid7 through the wringer back then. They told me before the eval that “NeXpose does 100% of what Qualys does and more.” I was extremely skeptical and, after testing, it was clear that this was not the case. They did a decent job finding vulnerabilities, and there was certainly overlap, but it was nowhere near 100%. That was Rapid7 several years ago. The old sales guy is gone and the new one who took his place is actually a decent guy. I found myself re-evaluating scanners this year due to what I consider to be very strict licensing restrictions on Qualys and ended up deciding to switch over to Rapid7 NeXpose. They were able to give us a pretty decent deal and I’ve been fairly happy so far. I did have one issue with being told by sales that you “can do discovery on an unlimited number of IP addresses” from outside the firewall. It turns out that they have some restrictions set on their hosted scanner that limits this, but I found the Rapid7 support personnel and management very willing to work with me to find an adequate solution to the problem. So I guess you can call me a Rapid7 convert for the time being. Let me know if you want to discuss in more detail and I’ll help you out.
January 17th, 2012 at 5:50 pm
RAPID7 SALES ARE THE WORST AT TAKING HINTS!!!! That aside, I am leaning towards Qualys for two reasons.
1) Awesome network mapping capabilities
2) They subscribe to exploit kits and actually run the exploit (within safe parameters). Found too many false positives with Nessus and Nexpose that I did not have with Qualys. There’s a reason why major players like Google choose Qualys.
January 18th, 2012 at 11:39 am
Adam,
I admit that the Qualys network maps are pretty sweet and being able to visualize how devices are laid out on your network is definitely valuable. So far I haven’t been able to find anything similar with Rapid7. That said, the out-of-the-box reporting available with NeXpose blows Qualys out of the water. I’d rather have the reports over the network maps, but that’s just me.
As for the exploit kits, did you know that NeXpose now integrates (if you can call it that) with Metasploit? Basically, your scan results will show a list of vulnerabilities and then tag any of them where a Metasploit module exists to exploit it. So while Qualys may be able to test the exploit for you, with Metasploit you can test/exploit it yourself. Not sure if that’s a good or a bad thing. 😉
Don’t get me wrong. I don’t buy all of the Rapid7 hype either, as I feel it’s mostly generated by them and not by customers, but I do think they have some decent products (NeXpose, Metasploit, w3af). At this point, this type of scanning has basically become a commodity where, with a few small exceptions, the various vendors are about equal. Because of that, IMHO licensing models (i.e. the flexibility to be able to do what you need to do) and price have become the major components of vulnerability scanning purchases these days.
September 8th, 2015 at 10:19 am
We had NeXpose for several years and I can tell you that the sales team is unmerciful while their tech support team is really laid back, as in out to lunch. My 2 biggest complaints about the tool were that the reports had awful formatting issues & often ran into thousands of pages (mostly unnecessary carriage returns & redundant info) and their reliance on banner grabs to identify vulnerabilities. We run WebSphere & NeXpose was always reporting dozens of missing Apache patches because WebSphere didn’t update the banner info. This is stupid.
We now use Tenable SecurityCenter and my major complaint is it does not do a good job of recognizing what Windows patches need to be installed. They can interface with the various windows patch management systems but our windows team so far has refused to let us connect so that is self-inflicted but I wish Tenable would do better there.
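Two complaints recur through the post and the comments: the scanner reporting one vulnerability once per faceted-navigation URL, and findings that rest only on a version string in a banner (Apache modules that were not enabled; WebSphere answering with a stale Apache banner). The script below is an added example, not code from the post, from any commenter, or from any of the vendors mentioned. It shows a post-processing step a scanning team can run over exported findings: collapse facet variants of one page into a single finding, then sort banner-only detections by whether the named component is actually present in a host inventory. The `Finding` fields, check identifiers, hostnames and the inventory are all constructed for the example and do not correspond to any vendor's output format.

```python
"""Triage of vulnerability-scanner findings (added example, constructed data).

Two defects the review describes are handled here:
  * one vulnerability reported once per facet URL  -> collapse by normalised URL
  * detections based only on a version banner      -> cross-check against an inventory
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Finding:
    host: str
    url: str          # URL at which the scanner reported the issue
    vuln_id: str      # scanner check identifier (constructed, not any vendor's IDs)
    component: str    # software the check is about, e.g. "mod_ssl"
    method: str       # "banner" = version string only; "active" = behaviour actually tested


def normalize_url(url: str) -> str:
    """Drop query string and fragment so facet variants of one page collapse together."""
    p = urlsplit(url)
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme, p.netloc, path, "", ""))


def dedupe(findings: List[Finding]) -> List[Tuple[Finding, int]]:
    """One representative per (host, vuln_id, normalised URL), plus the number of raw hits it absorbed."""
    groups: Dict[Tuple[str, str, str], List[Finding]] = defaultdict(list)
    for f in findings:
        groups[(f.host, f.vuln_id, normalize_url(f.url))].append(f)
    return [(hits[0], len(hits)) for hits in groups.values()]


def classify(f: Finding, inventory: Dict[str, Set[str]]) -> str:
    """How far to trust a finding, given what each host is known (from a CMDB or config audit) to run."""
    if f.method == "active":
        return "confirmed"                 # the scanner exercised the behaviour, not just a version string
    installed = inventory.get(f.host, set())
    if f.component not in installed:
        return "likely_false_positive"     # banner names software this host does not run or enable
    return "validate"                      # banner-only match on real software: patch may be backported


def triage(findings: List[Finding], inventory: Dict[str, Set[str]]) -> Dict[str, list]:
    """Bucketed, deduplicated report: bucket -> sorted list of (vuln_id, normalised url, raw hit count)."""
    report: Dict[str, list] = {"confirmed": [], "validate": [], "likely_false_positive": []}
    for rep, count in dedupe(findings):
        report[classify(rep, inventory)].append((rep.vuln_id, normalize_url(rep.url), count))
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample export: one reflected-XSS check firing on every facet combination of a
# product listing, plus three version-banner checks. Hostnames and IDs are placeholders.
SAMPLE_FINDINGS = [
    Finding("shop.example", "https://shop.example/products?color=red", "WEB-XSS-01", "catalog_app", "active"),
    Finding("shop.example", "https://shop.example/products?color=blue&size=m", "WEB-XSS-01", "catalog_app", "active"),
    Finding("shop.example", "https://shop.example/products/?size=l#top", "WEB-XSS-01", "catalog_app", "active"),
    Finding("shop.example", "https://shop.example/", "VER-MODSSL-01", "mod_ssl", "banner"),
    Finding("shop.example", "https://shop.example/", "VER-HTTPD-01", "apache_httpd", "banner"),
    Finding("app.example", "https://app.example/", "VER-HTTPD-01", "apache_httpd", "banner"),
]

# Constructed inventory: mod_ssl is not enabled on shop.example, and app.example is a WebSphere host
# whose Server header still looks like Apache (the situation the last comment describes).
SAMPLE_INVENTORY = {
    "shop.example": {"apache_httpd", "mod_rewrite", "catalog_app"},
    "app.example": {"websphere"},
}


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_FINDINGS, SAMPLE_INVENTORY).items():
        print(bucket)
        for vuln_id, url, count in rows:
            print(f"  {vuln_id:<14} {url:<35} raw hits: {count}")
```

Run stand-alone, the three XSS hits collapse into one confirmed finding carrying a hit count of 3, the mod_ssl and WebSphere banner matches land in `likely_false_positive`, and the Apache banner on the host that really runs Apache is queued for manual validation rather than accepted or discarded. The inventory check only demotes a finding to a review queue; it never deletes one, so a mistaken inventory entry costs analyst time rather than hiding a real exposure.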