All posts by Michael Chroney

The End of the Road for Cisco Kenna: Take a Measured Path into Exposure Management

Post Syndicated from Michael Chroney original https://www.rapid7.com/blog/post/em-eol-cisco-kenna-new-measured-path-into-exposure-management

Cisco’s announcement that it will sunset Cisco Vulnerability Management (Kenna) marks a clear inflection point for many security teams. With end-of-sale and end-of-life timelines now defined, and no replacement offering on the roadmap, Kenna customers face an unavoidable decision window. 

Beyond the practical need to replace a tool, Kenna’s exit raises a bigger question for security leaders: what should vulnerability management look like moving forward? 

Not just a tool change

For many organizations, Kenna wasn’t “just another scanner.” Before its acquisition by Cisco in 2021, Kenna Security helped pioneer a shift away from chasing raw CVSS scores and toward prioritization based on real-world risk, influencing how many teams approach risk-based vulnerability management. Security teams invested years building workflows, reporting, and executive trust around that model. 

That’s why this moment feels different. Replacing Kenna isn’t about checking a feature box; it’s about protecting the integrity of the progress teams have already made while using this moment to elevate programs past traditional vulnerability management.

Security leaders are rightly cautious. No one wants to: 

  • Rush into a short-term replacement instead of a platform that suits current and future needs

  • Trade proven prioritization for untested promises 

  • Disrupt remediation workflows that engineering teams finally trust 

At the same time, few teams believe traditional vulnerability management – isolated scanners, static scoring, endless ticket queues – is sufficient on its own anymore. 

So where does that leave you? 

“Risk-based vulnerability management is dead” doesn’t tell the full story

In response to Kenna’s end-of-life, much of the market has rushed to frame this as the end of risk-based vulnerability management (RBVM) altogether. The message is often loud and binary: RBVM is outdated, jump straight to exposure management.

In practice, that framing doesn’t match how security programs actually evolve. 

Most organizations are not abandoning vulnerability management. They are expanding it:

  • From on-prem to hybrid and cloud

  • From isolated findings to broader attack surface context 

  • From vulnerability lists to exposure-driven decisions 

  • From static to continuous

The mistake is assuming this evolution requires a hard reset, or that exposure management is completely separate and not part of that evolution.  

For CISOs and hands-on leaders alike, the smarter question is: how do we preserve what works today, while building toward what we know we’ll need tomorrow?

What Kenna customers should prioritize next 

As you evaluate what comes after Kenna, the right decision comes down to which platform can consistently deliver security outcomes and measurable risk reduction: 

Continuity without disruption

Your team already understands risk-based prioritization. The next platform should strengthen that muscle, not force you back to severity-only thinking or one-dimensional scoring models that ignore business context and threat intelligence. 

See risk clearly across on-prem, cloud, and external environments

Risk doesn’t live exclusively on-prem or in the cloud. Vulnerability data needs to reflect the reality of modern environments – endpoints, cloud workloads, external-facing assets – without fragmenting visibility. It needs to build on what teams already have by supporting findings from a broad range of existing tools and services, so risk can be understood in one place instead of scattered across platforms. 

Customizable remediation workflows

Prioritization only matters if it leads to action. Look for platforms that help security and IT teams collaborate, track ownership, and measure progress without creating more friction. 

A credible path forward

Exposure management is valuable only when it’s grounded in accurate data, operational context, and day-to-day usability. Security teams are already drowning in findings across tools, and without context that explains what matters and why, exposure management adds more noise instead of helping teams make decisions and reduce risk. That noise shows up in familiar ways: duplicate findings that aren’t reconciled, conflicting risk scores between tools, unclear ownership for remediation, and long lists of issues with no clear path to action.

Why this moment favors steady platforms, not big bets

Kenna’s exit creates pressure, but pressure shouldn’t drive risky or forced decisions. Security leaders are accountable not just for vision, but for outcomes, such as: 

  • Are we reducing real risk this quarter? 

  • Can we explain prioritization decisions to the board? 

  • Will this platform still support us two or three years from now? 

This is where vendor stability, roadmap clarity, and operational proof start to matter more than bold claims. 

The strongest next steps are coming from platforms that already deliver visibility across hybrid environments, mature, threat-informed vulnerability prioritization, and integrated remediation workflows that teams actually use. From there, exposure management becomes an evolution, not a leap of faith. 

A measured path forward

Kenna’s EOL doesn’t signal the end of risk-based vulnerability management. It signals that security programs are ready to expect more from it. For security leaders this is an opportunity to reaffirm what has worked in your program, close real visibility and workflow gaps, and choose a platform that supports both near-term continuity and long-term growth.

The goal isn’t to chase the next trend. It’s to make a confident, practical decision – one that protects today’s outcomes while positioning your team for what’s next. 

Looking ahead

If you’re navigating what comes after Cisco Kenna, the most important step is understanding your options early, before timelines force rushed decisions. Explore what a confident transition can look like and how teams are approaching continuity today while preparing for exposure management tomorrow. 

Introducing AI Attack Coverage in Exposure Command: Secure what traditional AppSec Tools miss

Post Syndicated from Michael Chroney original https://blog.rapid7.com/2025/06/03/introducing-ai-attack-coverage-in-exposure-command-secure-what-traditional-appsec-tools-miss/

The rise of GenAI-powered applications – from internal copilots to customer-facing chatbots – is changing how businesses operate. While these tools drive innovation, they also introduce a fast-moving, often invisible layer of risk.

Most traditional AppSec tools were never built to handle the unique threats of conversational AI interfaces. As attackers get savvier, security teams need the right kind of coverage.

That’s why we’re excited to introduce AI Attack Coverage in Exposure Command and InsightAppSec.

This release brings purpose-built protection for AI-driven applications into your existing AppSec workflows, so you can uncover vulnerabilities that legacy tools miss – and stop AI-specific threats before they become business problems.

A new class of risk requires a new kind of coverage

As organizations embrace GenAI, they’re also expanding their attack surface – often without realizing it. LLMs (large language models) and AI integrations create new opportunities for attackers to exploit vulnerabilities like:

  • Prompt injection: Tricking the model into revealing sensitive data or bypassing security controls.
  • Plugin abuse: Misusing connected tools through AI interfaces.
  • Data leakage: Inadvertent exposure of sensitive information in responses.

The problem? These aren’t issues most scanners can detect, and manual reviews don’t scale. AI Attack Coverage addresses this gap head-on with capabilities designed to tackle the evolving threat landscape.

Built to secure what matters most

AI Attack Coverage in Exposure Command introduces a suite of enhancements that work seamlessly within your existing DevSecOps pipelines:

  • Smarter scanning for smarter apps: Our enhanced R7Crawler interacts with LLMs and chatbots in real-world ways – uncovering vulnerabilities traditional scanners can’t see.
  • Purpose-built LLM testing: With 6 new attack modules, comprising 25+ new attack techniques that will target six of the OWASP Top 10 for LLMs, we help you find prompt injection, improper output handling, and more.
  • AI-aware validation: Reduce false positives with intelligent validation powered by AWS Nova Pro, so teams can focus on what’s real and actionable.
  • Developer-first remediation: Features like Attack Replay and CI/CD integrations help teams fix faster – without slowing down releases.

Complete visibility, from code to cloud

Exposure Command doesn’t stop at the app layer. With integrated telemetry from InsightCloudSec, you also get:

  • Full-stack visibility into where GenAI services live across your environment.
  • Automated enforcement of security best practices for AI/ML environments.
  • Unified context to prioritize what’s truly risky in your hybrid estate.

Get started with AI Attack Coverage

If you’re building with AI – or thinking about it – now’s the time to make sure your security strategy keeps up. AI Attack Coverage gives your team the visibility, context, and control to manage risk in a world where apps are getting smarter, and attackers are more adept at exploiting them.

Whether you’re an AppSec engineer, a risk leader, or a CISO trying to future-proof your security posture, Exposure Command brings it all together.

Vendor-Agnostic Security: The Key To Smarter Risk Management

Post Syndicated from Michael Chroney original https://blog.rapid7.com/2025/05/13/vendor-agnostic-security-the-key-to-smarter-risk-management/

Security teams are investing in more tools than ever – but visibility into real risk is still elusive. Why? Because too many tools are locked inside closed ecosystems that don’t share data or context.

A vendor-agnostic security strategy changes that. It gives you the flexibility to integrate best-in-class tools, eliminate blind spots, and build a stronger, more agile cybersecurity program. It’s also a core enabler of modern frameworks like continuous threat exposure management (CTEM).

In this post, we’ll explore how a vendor-agnostic approach, powered by exposure assessment platforms (EAPs), helps you manage risk smarter – by unifying your attack surface and helping your team focus on what matters most.

The risks of vendor lock-in in cybersecurity

Security teams rely on a mix of tools from different vendors. According to the 2023 Gartner® Technology Adoption Roadmap for Large Enterprises Survey, “cybersecurity leaders indicated that on average their organizations had 43 tools in their cybersecurity product portfolios, and 5% of the leaders indicated their organizations had over 100 tools”. When those tools don’t speak the same language, you’re left with siloed data and a fragmented security strategy. That’s how blind spots are born – and how critical vulnerabilities slip through the cracks.

On top of that, being locked into a single vendor makes it costly and complicated to switch solutions, often forcing organizations to stick with suboptimal tools. Instead of driving innovation, you have limited options that lead to unnecessary spending on add-ons that may not fully meet your needs.

How a vendor-agnostic approach powers CTEM

CTEM is designed to be proactive, contextual, and continuous. It’s about knowing what exposures exist, which ones to prioritize, and how to remediate them – before attackers take advantage. To get the most out of CTEM, your security framework needs to be as flexible as the threats you’re defending against.

That means looking beyond a single vendor’s lens. A vendor-agnostic approach helps you:

  • Ingest data from anywhere across endpoints, cloud, identities, networks, threat intel, and more.
  • Correlate and prioritize with context – so your team can focus on what’s urgent and actionable.
  • Act faster across teams with remediation workflows that plug into existing tools and processes.

Unlocking CTEM with exposure assessment platforms

This is where EAPs make a real difference. These platforms unify and enrich data from across your hybrid environment, continuously identifying and prioritizing exposures – like vulnerabilities and misconfigurations – across a wide range of asset types. This gives security teams the context they need to act with clarity and confidence.

With a vendor-agnostic EAP, security teams can:

  • Continuously discover exposures across hybrid environments
  • Prioritize based on actual risk, not just raw severity scores
  • Correlate findings across sources to surface exploitable attack paths
  • Enable confident, fast decisions using context like business criticality and threat intel

It’s a centralized command center for everything that puts your organization at risk – and helps provide insight into what you can do about it.

Real-world example: Why risk context matters

Let’s say your team spots a misconfiguration in a firewall. On its own, that might trigger a red flag. But without deeper context, it’s hard to know if it’s actually a risk – or just noise.

Now imagine you can instantly cross-reference that misconfiguration with endpoint telemetry. If those endpoints aren’t exposed or already have compensating controls in place, you can safely deprioritize the issue. But if it opens the door to vulnerable assets? You’ve got the clarity (and urgency) to act.

That level of insight is only possible with a centralized, vendor-agnostic platform that brings together telemetry from across your environment. It filters out the noise and empowers your team to make informed, high-impact decisions.

Key takeaways

Strengthen your organization’s overall security posture by adopting a vendor-agnostic strategy that helps your team:

  • Break free from vendor lock-in for more flexibility and control
  • Unify security tools to drive a more effective CTEM program
  • Enhance decision-making with EAPs
  • Extract more value from the tools and telemetry you already have

Build a future-ready cybersecurity strategy

Rapid7’s Exposure Command embraces a vendor-agnostic approach to provide a unified, transparent view of your security landscape. It aggregates telemetry and risk signals from across your existing tools – endpoint, cloud, identity, vulnerability management, and more – so you can:

  • Uncover blind spots hidden in fragmented vendor ecosystems
  • Correlate and contextualize risk with a unified, real-time view
  • Streamline decisions and accelerate remediation with automated workflows and prioritization

By moving to a vendor-agnostic approach with Rapid7, you’re not just reducing risk — you’re building a security program that’s resilient, scalable, and built for what’s next.


1. Gartner, Infrastructure Security Primer for 2025, John Watts, Franz Hinner, 29 January 2025 (For Gartner subscribers only)

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Seeing The Whole Picture: A Better Way To Manage Your Attack Surface

Post Syndicated from Michael Chroney original https://blog.rapid7.com/2025/03/10/seeing-the-whole-picture-a-better-way-to-manage-your-attack-surface/

Do you trust your view of your organization’s risk?

With cloud adoption, remote work, shadow IT, and AI, security teams face an overwhelming challenge: scoping their attack surface and continuously discovering all assets and exposures before threats emerge. This aligns with the critical first steps of a Continuous Threat Exposure Management Program (CTEM), which emphasizes the importance of scoping and discovery.

This visibility gap has significant consequences. In 2024, 14% of breaches happened because attackers exploited vulnerabilities to gain initial access — that’s almost triple the amount from 2023 (Verizon DBIR 2024). This isn’t surprising when you consider that only 17% of organizations feel confident that they can find and list at least 95% of their assets, according to Gartner Innovation Insight: Attack Surface Management 2024 research. Without a clear plan for scoping and discovery, organizations can’t effectively secure their assets because they don’t know what they’re trying to protect.

If you don’t have a complete picture of your entire IT estate — inclusive of internal and external facing assets — you’re going to miss vulnerabilities and leave openings that attackers can exploit. That’s why it’s so important to continuously scan and discover your assets so that you always have an accurate, up-to-date view of your attack surface. This is where tools like external attack surface management (EASM) and cyber asset attack surface management (CAASM) come into play because they give you a single view of everything you have and can highlight what’s exposed. Gaining this visibility will help your security teams proactively detect, prioritize, and remediate threats before they are exploited.

Why you need a complete view of your attack surface

Let’s face it, as organizations grow, their potential vulnerabilities grow right along with them. This creates complexity for security teams who are already struggling to keep up. They’ve tried to solve this by adding more and more security tools, but this often backfires and creates a fragmented view that makes it harder to see the whole picture.

To truly reduce risk and strengthen your defenses, you need a unified approach that combines EASM and CAASM.

Even organizations that embrace EASM or CAASM may end up with a disjointed security toolset. Many organizations try to manage their attack surface with either an EASM, a CAASM, or other separate tools, but this often results in an incomplete view of the attack surface, creating blind spots and leading to missed vulnerabilities. This fragmented approach also fails to identify critical control gaps. For example, if an asset is not visible, the fact that it lacks an endpoint agent or is not protected by a firewall might be overlooked.

Why EASM or CAASM alone fall short

EASM solutions are highly effective for monitoring internet-facing assets, including web applications, cloud services, and third-party integrations. However, they cannot provide visibility into internal environments that are not publicly accessible. This includes non-internet-facing components of on-prem infrastructure, privileged systems, and certain shadow IT assets.

CAASM solutions provide internal visibility, aggregating data from security tools, asset inventories, and IT management systems. They’re great at identifying misconfigurations, vulnerabilities, and security gaps within an organization’s controlled environment. However, CAASM tools can’t account for external exposures, leaving an incomplete picture of how attackers could gain initial access. Additionally, CAASM solutions are completely reliant on third-party tools and integrations, meaning that you are adding yet another tool to your tech stack that you have to pay for and manage.

Disparate tools, disjointed defense

To secure growing attack surfaces, many organizations rely on a mix of vulnerability management, cloud security posture management (CSPM), and application scanners. However, these tools often operate independently, leading to fragmented visibility and inefficiencies. Without a single source of truth, security teams struggle to correlate risks, resulting in missed threats, duplicate efforts, and slower response times. Managing multiple tools also increases alert fatigue and operational overhead, while leaving critical gaps in attack surface coverage.

Are you sensing a trend here?

The power of a unified view

A truly effective risk management strategy needs more than a bunch of different tools — it needs those tools to work together seamlessly, giving you a complete picture of all your assets and potential exposures. Security teams need one single source of truth that brings together data from all of their vulnerability management solutions. This will ensure that teams can:

  • Strengthen Security Through Visibility

You have to know and trust what assets you have, where they are, and how they might be exposed. This is key to enforcing proper access controls, patching vulnerabilities, and applying the right security measures to your assets. With a full inventory, teams can be sure that no device, application, or cloud instance is left unprotected.

  • Manage Risk Across Your Entire Attack Surface

A unified approach lets security teams prioritize the most critical risks across all digital environments, greatly reducing blind spots. With a unified view, organizations can detect patterns, understand attack paths, and proactively close security gaps before attackers can exploit them.

By integrating all of your exposure management capabilities into a single, centralized system, your organization can move from reactive security measures to a proactive and holistic approach — giving you the confidence to effectively defend against modern threats.

Take command of your attack surface

The threat landscape is constantly shifting, and it’s more important than ever to have a complete and accurate view of your attack surface. It’s time for security teams to ask some tough questions: Do we really have the insight we need to protect our organization? Are there blind spots that attackers could take advantage of? These questions are at the heart of the scoping and discovery phases within a CTEM program, prompting organizations to continuously evaluate and improve their attack surface visibility.

To get ahead of threats, organizations should simplify their security approach by reducing the number of tools they’re using and find a solution that seamlessly combines EASM and CAASM. A unified view helps security teams find, prioritize, and reduce risks more effectively.

How Rapid7 can help

Rapid7 recently announced Exposure Command and Surface Command, the first two solutions launched on the new Command Platform. Surface Command provides complete visibility across internal and external environments by combining EASM and CAASM in a single solution, allowing security teams to view and prioritize high-risk assets across their entire environment. Exposure Command builds on Surface Command’s attack surface visibility, offering proactive exposure mitigation and remediation prioritization across your hybrid environment.