Attackers accelerate, adapt, and automate: Rapid7’s Q3 2025 Threat Landscape Report

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/tr-rapid7-q3-2025-threat-landscape-report

The Q3 2025 Threat Landscape Report, authored by the Rapid7 Labs team, paints a clear picture of an environment where attackers are moving faster, working smarter, and using artificial intelligence to stay ahead of defenders. The findings reveal a threat landscape defined by speed, coordination, and innovation.

The quarter showed how quickly exploitation now follows disclosure: Rapid7 observed newly reported vulnerabilities weaponized within days, if not hours, leaving organizations little time to patch before attackers struck. Critical business platforms and third-party integrations were frequent targets, as adversaries sought direct paths to disruption. Ransomware remained the most visible threat, but the nature of these operations continued to evolve.

Groups such as Qilin, Akira, and INC Ransom drove much of the activity, while others went quiet, rebranded, or merged into larger collectives. The overall number of active groups increased compared to the previous quarter, signaling renewed energy across the ransomware economy. Business services, manufacturing, and healthcare organizations were the most affected, with the majority of incidents occurring in North America.

Many newer actors favored stealth, limiting public exposure by leaking fewer victim details and posting “information-lite” screenshots in an effort to thwart law enforcement. Some established groups built alliances and shared infrastructure to expand their reach, such as Qilin extending its influence through partnerships with DragonForce and LockBit. Meanwhile, SafePay gained ground by running a fully in-house, hands-on model, avoiding both inter-party duelling and law enforcement attention. These trends show how ransomware has matured into a complex, service-based ecosystem.

Nation-state operations in Q3 favored persistence and stealth over disruption. Russian, Chinese, Iranian, and North Korean-linked groups maintained long-running campaigns. Many targeted identity systems, telecom networks, and supply chains. Rapid7’s telemetry showed these actors shrinking the window between disclosure and exploitation and relying on legitimate synchronization processes to remain hidden for months. The result: attacks that are harder to spot and even harder to contain.

Threat actors are fully operationalizing AI to enhance deception, automate intrusions, and evade detection. Generative tools now power realistic phishing, deepfake vishing, influence operations, and adaptive malware like LAMEHUG. The theoretical risk of AI has become an operational reality: defenders must now assume attackers are using these tools and techniques against them, rather than merely supposing they might.

This is but a taste of the valuable threat information the report has to offer. In addition to deeper dives on the subjects above, the threat report includes analysis of some of the most common compromise vectors, new vulnerabilities and existing ones still favored by attackers, and, of course, our recommendations to safeguard against compromises across your entire attack surface. 

Want to learn more? Click here to download the report

Protecting What Powers Business: Rapid7 and Microsoft Partner to Simplify Security

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/pt-rapid7-partner-mdr-for-microsoft

Across industries, Microsoft is everywhere. It powers productivity, collaboration, and security through Defender, Sentinel, Entra, and the broader Microsoft ecosystem that underpins how modern organizations operate.

As organizations deepen their Microsoft investments, there’s an even greater opportunity to strengthen and simplify threat detection and response. Microsoft delivers powerful visibility and security insights across user identities, endpoints, and cloud workloads, but security teams often need help bringing those capabilities together with the rest of their environment so that the data, detections, and decisions driving their threat detection and response program align seamlessly.

That’s where Rapid7 comes in.

A shared vision for simplified, unified security

We’re excited to announce the launch of an expanded partnership between Rapid7 and Microsoft, focused on helping organizations fully realize the potential of their Microsoft security investments. Together, we’re building a unified approach to threat detection and response that combines Microsoft’s ecosystem and scale with Rapid7’s AI-native security operations platform and decades of SOC expertise.

Our shared goal: help customers protect their businesses with clarity, speed, and confidence.

For many organizations, Microsoft is the backbone of their IT and security programs. But it’s only one part of a larger, interconnected environment. Security leaders need a way to bring Microsoft Defender, Sentinel, and Entra data into context with the rest of their infrastructure, cloud, and SaaS investments. Rapid7 helps make that possible by connecting Microsoft’s advanced telemetry and analytics with broader visibility and context into all security data, automation, and 24/7 expert-led managed operations.

We’ve long incorporated deep Microsoft visibility across the Command Platform, integrating with tools across different use cases, such as attack surface management, exposure management, cloud security, and application security. This foundation already allows us to correlate insights across on-premises and cloud environments, including Active Directory, Azure, and Microsoft 365 – providing outcomes across endpoints, workloads, and applications. These capabilities unify context from more than a dozen different Microsoft and Azure tools, giving customers a complete picture of risk across their environment. 

This partnership combines Microsoft Defender’s signal depth with Rapid7’s threat intelligence, automation, and human-led operations to deliver complete visibility and coordinated response across your environment – from Microsoft to everything it touches.

This means:

  • Unified security operations managed for you: Rapid7 delivers 24/7 monitoring, investigation, and response across Microsoft and non-Microsoft environments, combining Defender insights with our own detection and response workflows to act quickly on what matters most.

  • Faster, smarter response: AI-driven correlation and human-led expertise reduce alert noise and accelerate containment when threats arise.

  • Simplified, predictable operations: Our managed detection and response (MDR) service removes ingestion complexity so you can focus on security outcomes.

  • Transparency and trust: Built in through seamless integration with the Microsoft consoles security teams already use.

A foundation for what’s next

Over the coming months, we’ll introduce new capabilities that make it easier for customers to operationalize Microsoft security within the Rapid7 ecosystem, including unified MDR coverage across the Defender products that protect the key vectors of endpoint, identity, cloud, and email.

These enhancements will enable organizations to not only respond to Microsoft-based threats faster but also proactively reduce risk across their entire environment through unified detection, investigation, and response.

We’re excited for this next step in advancing our MDR services to meet Microsoft customers where they are and maximize their investments with comprehensive visibility, faster response, and measurable security outcomes.

We’ll be releasing more information soon. In the meantime, learn more about Rapid7’s leading MDR service here.

MDR ROI, Proven Outcomes, and What Security Leaders Need to Ask For

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/it-mdr-roi-what-security-leaders-need-to-ask-for

Cybersecurity ROI is notoriously difficult to define, but not impossible.

In this Experts on Experts: Commanding Perspectives episode, Craig Adams chats with Steve Edwards, Director of Threat Intelligence & Detection Engineering, about what customers really get from Rapid7 MDR and how to think more clearly about value.

They cut through buzzwords and talk real-world outcomes: visibility, consolidation, faster response, and trust.

What ROI really looks like

As Steve explains, the ROI conversation starts with confidence. Once customers know they can trust the MDR team to cut through noise and take action, the benefits snowball: from reduced false positives to better visibility and smarter spend.

The IDC study highlighted a 422% ROI over three years. But the real signal is what teams can do with the time and clarity they gain.

To bring these numbers into your own context, you can use the Rapid7 MDR ROI Calculator – simply plug in your own parameters and apply IDC’s methodology to estimate your unique return. Try the ROI Calculator!

Telemetry without tradeoffs

Craig and Steve also dig into one of the biggest detection challenges today: partial visibility. Many orgs still pay by the log, creating disincentives for full data ingestion. MDR’s all-in access model helps customers detect threats earlier and act faster, without needing to triage upstream data decisions.

MITRE mapping makes it click

One of the most actionable insights? MITRE mapping. Steve talks about how customers are using visual coverage data to pinpoint gaps and prioritize onboarding new tech, or building compensating controls.

No-cap incident response

They also walk through what happens during the first 24–48 hours of an incident, and why having no cap on IR hours means Rapid7 can stay involved from containment to eradication.

Ready to dive in?

Watch the full episode here
Explore Rapid7’s full ROI analysis

Missed our earlier episodes?
Catch up on Episode 1 with Laura Ellis on agentic AI and system governance, Episode 2 with Jon Hencinski on MDR strategy and SOC readiness, and Episode 3 with Raj Samani on cybercrime-as-a-service.

2025 Cybersecurity Predictions: How did we do?

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/it-2025-cybersecurity-predictions-how-did-rapid7-do

Every industry has its it’s-that-time-of-year-again rituals, and the cybersecurity industry is no different. The spring ushers in RSA, August is Hacker Summer Camp, October brings with it Cybersecurity Awareness Month — and, before we know it, it’s the end of the year and we’re once again making our “predictions” of what lies ahead.

A wise young man once said, “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” In our space, a whole lot is moving fast. To see clearly, it’s certainly important to take a moment to step away from the noise and look outward.

Many experts offer their predictions for the coming year, but how many stop to look back at how their vision for the current year fared? With that in mind, let’s take a look at the predictions Rapid7 experts made for 2025. 

A look back

Prediction: “Greater visibility will act as a life preserver for security teams treading water across an increasingly complex attack surface.”

The importance of unified visibility, attack surface management, and exposure insight has become a leading theme in industry trends reports in 2025. The exposure management market is growing strongly, projected to hit ~$10.9 billion by 2030, which is up from ~$3.3 billion in 2024. Managed Detection and Response (MDR) adoption is also surging; the MDR market reached USD 4.19 billion in 2025 and is forecasted to keep growing fast. 

Rapid7 customer New Zealand Automobile Association (NZAA) offers a real-world example of this trend. Before working with Rapid7, NZAA’s cybersecurity tools were fragmented and disjointed. This lack of a unified approach reduced visibility and slowed down threat responses. Now, with Rapid7’s MDR service, NZAA has a partner that can provide 24/7 support, centralized visibility, and predictable data usage — all with transparency and scalability.

This is just one example of the evidence we’ve seen that security teams are acting to consolidate disparate tooling and connect proactive exposure risk management with reactive detection and response capabilities. As a result, these teams and their organizations are shifting holistically into a confident, resilient security posture.

Prediction: “To thrive in a world where regulatory change is an ongoing concern, SecOps should prepare for both the predictable and the unpredictable.”

Regulatory change is indeed accelerating. For example, the EU’s Cyber Resilience Act was passed in 2024, with application phases extending toward 2027.

The UK announced the Cyber Security and Resilience Bill in 2024 to extend cyber obligations on organizations. Security operations teams have had to deal with both “expected” regulatory shifts (like NIS2, SEC rules) and unexpected mandates or cross-jurisdictional tensions.

Many organizations are now incorporating compliance readiness, threat modelling for future rules, and flexible architectures. Moving forward, SecOps should expect even more scrutiny over how operations are designed and architected, as well as how insights are shared and with whom.

Prediction: “Cybercriminals will increasingly exploit zero-day vulnerabilities, expanding potential entry points and bypassing traditional security measures to deliver more ransomware attacks.”

Zero days have continued to rise in prominence. Since 2023, Rapid7 has observed many notable zero-day-enabled ransomware and supply-chain attacks (e.g. MOVEit exploit, Cleo File Transfer, GoAnywhere MFT, Scattered Spider). 

Attackers are investing in zero-day toolchains, and zero-day brokers are emerging in dark markets (i.e., “exploit-as-a-service” trends). See our Initial Access Brokers Report for more detail.

Rapid7’s Q2 2025 Ransomware Trends Analysis research highlights that threat actors are using zero days more often, especially in critical or targeted operations within sectors like services (21.2%), manufacturing (16.8%), retail (14.1%), healthcare (10.3%), and communications and media (10%).

In Q3 there were several instances of cybercriminals continuing to leverage zero-day exploits as initial access vectors during their ransomware campaigns. For example, CVE-2025-61882 affecting Oracle E-Business Suite was exploited in the wild by CL0p. The trend of cybercriminals exploiting zero-day vulnerabilities continues, as does the recurrence of not only the same cybercriminal groups, but also the same products being targeted over time (e.g., the file transfer product GoAnywhere MFT). 

A look ahead

2025 has certainly pushed security teams to their limits with an increasingly complex attack surface, accelerating regulatory changes, and a persistent rise in zero-day exploits and ransomware attacks. The ongoing talent gap and the struggle to bridge the divide between technical and business leadership have further compounded these challenges, making it crucial for organizations to prioritize visibility, proactive exposure management, and actionable threat intelligence.

What will 2026 bring? Take a look ahead with our experts: Register now for Rapid7’s Top Cybersecurity Predictions webinar.

The End Of Legacy SIEM: Why It’s Time To Take Command

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/dr-the-end-of-legacy-siem-time-to-take-command

Security teams have long depended on SIEM tools as the backbone of threat detection and response. But the threat landscape, and the technology required to defend against it, has changed dramatically.

Rapid7’s new whitepaper, The End of Legacy SIEM and the Rise of Incident Command, examines why legacy SIEM models can no longer keep up with the scale and complexity of modern attacks, and why next-gen SIEMs (like the one offered by Rapid7), combined with exposure management capabilities, are the better choice for combating modern adversaries.

A turning point for the SOC

When SIEM first emerged, it was a breakthrough. For the first time, organizations could centralize log data, generate compliance reports, and detect threats from a single pane of glass. But two decades later, that approach is showing its age.

Today, data is distributed across cloud, on-prem, and hybrid environments. Adversaries are using artificial intelligence to automate and accelerate increasingly complex attacks that are escaping detection. Analysts are overwhelmed by alert fatigue and unpredictable costs that hamper visibility.

Legacy SIEM tools were built to collect data. They rely on rigid pricing models, static correlation rules, and constant manual upkeep. These systems slow down investigations and prevent analysts from focusing on the alerts that truly matter. Modern attackers exploit exposures faster than human teams can respond. Without automation, context, and clear prioritization, organizations remain in a reactive state. 

What comes after SIEM?

The whitepaper outlines how the security industry is shifting toward a unified approach that combines SIEM, Security Orchestration and Automation (SOAR), Attack Surface Management (ASM), and threat intelligence in one platform, augmented by artificial intelligence.

This new model emphasizes automation, machine learning, and contextual awareness while collecting data from a wider variety of sources than SIEMs were originally designed for. It gives security teams the ability to identify and act on high-impact threats quickly. It also changes how organizations think about risk, focusing less on collecting alerts and more on understanding exposure across assets, identities, and vulnerabilities.

Introducing Rapid7 Incident Command

At the center of this shift is Rapid7 Incident Command, a unified platform that redefines modern detection and response. Trained on trillions of real-world alerts from Rapid7’s 24/7 Managed Detection and Response (MDR) service, Incident Command can accurately classify benign activity 99.93 percent of the time. This precision saves hundreds of analyst hours each week and drastically reduces noise.

Incident Command connects exposure data directly to detection logic, helping analysts see which threats are most likely to impact their organization. Built-in automation enables teams to isolate hosts, revoke credentials, or run response playbooks, while keeping humans in control of every action.

With asset-based pricing and a fast, cloud-based deployment model, organizations can scale visibility and response without the fear of surprise costs or drawn-out implementations.

A new chapter for defenders

Legacy SIEM served its purpose, but it was built for a different era. The modern SOC requires a platform that is unified, intelligent, and focused on outcomes.

The End of Legacy SIEM and the Rise of Incident Command explores how this transformation is reshaping detection and response for security teams everywhere.

Read the full whitepaper to learn why the future of SIEM is already here and how you can take command of what comes next.

Key Takeaways from the Take Command Summit 2025: Demystifying Cloud Detection & Response – The Future of SOC and MDR

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/06/10/key-takeaways-from-the-take-command-summit-2025-demystifying-cloud-detection-response-the-future-of-soc-and-mdr/

Cloud adoption has fundamentally reshaped security operations, bringing flexibility and scalability, but also complexity. In this session from the Take Command 2025 Virtual Cybersecurity Summit, Rapid7’s product leaders discussed how today’s SOC and MDR capabilities must evolve to keep up. Hosted by Ellis Fincham, the panel featured Dan Martin and Tyler Terenzoni, who shared real-world insights on what cloud detection and response truly requires, what CNAPP can and can’t solve, and how to bridge the growing gap between alerts and actionable context.

The cloud has changed the rules

Traditional SOC tooling often struggles to keep up with cloud-native architectures. Dan Martin opened the discussion by highlighting a key shift:

“Detection doesn’t start at the endpoint anymore. It starts with understanding your architecture.”

The panel emphasized that while cloud offers flexibility and scale, it also introduces operational complexity. From short-lived containers to decentralized ownership, cloud environments require a different approach.

Visibility is the starting point

Tyler Terenzoni spoke to the importance of understanding what’s running and who owns it:

“There’s always a disconnect between what engineering thinks is in the environment and what security actually sees.”

He noted that cloud visibility isn’t just about logs, but also understanding user behavior, policy changes, and asset configuration in near real-time. Without this, SOC teams are often reacting to alerts without enough context.

This issue was reflected in the post-event survey, where 35% of respondents listed lack of visibility across the environment as a primary challenge in their threat detection efforts.

CNAPP isn’t the answer – but it helps

The panel clarified that Cloud-Native Application Protection Platforms (CNAPPs) are useful, but not a complete solution. According to Dan Martin:

“CNAPP is great for giving you coverage, but it doesn’t give you the operational context your SOC needs.”

Integrating CNAPP data into SIEM, XDR, and MDR platforms enables richer investigations and tighter correlation across sources.

The shift from alerts to contextual action

Rather than focusing on the volume of alerts, the speakers urged security leaders to ask: can we act on this alert quickly and with confidence?

Dan Martin shared:

“It’s not about reducing alerts, it’s about giving your analysts the context to know what matters and what to do about it.”

Tyler Terenzoni added that turning alerts into action requires better integrations and unified telemetry. Without that foundation, even advanced detections can lead to noise and inefficiency.

AI will play a role, but not alone

While the session didn’t center on AI, the panel acknowledged its growing role in detection workflows. Dan Martin noted:

“AI helps with triage and correlation, but your success still depends on how well your tools talk to each other.”

The emphasis was on automation that supports analysts, not replaces them, especially in cloud environments where missteps can be costly.

Watch the full session on demand

If your team is looking to strengthen cloud detection, improve response times, or better align MDR with cloud operations, this session offers real-world insights and practical guidance.

Watch the Full Session

Cultivating Growth and Development at Rapid7

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/06/06/cultivating-growth-and-development-at-rapid7/

At Rapid7, we’re pushing the boundaries on what a cybersecurity company can be as we work to build a more secure digital future. In a field where the threat landscape continues to evolve, continuous learning and the development of our people become an engine for company success and innovation. With more than a dozen offices around the world, Rapid7’s culture provides a foundation where people can grow their skills and progress in their careers, while driving meaningful impact for the business.

We sat down with three Rapid7 team members from different departments, and across our global offices, and invited them to share more about their own career growth and development. Through the experiences of Vladislav Pavlovski (Manager, Website Development); Courtney Cronin (Account Executive, Commercial); and Daniel McGreevy (Senior Technical Support Engineer), we see a consistent emphasis on teamwork, support from managers, and recognition to fuel career trajectories for Rapid7 employees around the world.

How Rapid7 Managers Support Career Growth

A prominent aspect of Rapid7’s culture is the accessibility of leaders and the strong mentorship opportunities available. When stepping into a leadership role to relaunch the company website, Vladislav Pavlovski highlighted how his director, Victoria Krichevsky, helped him balance development work with coordination responsibilities.

“Her feedback helped me realize that I didn’t have to do everything myself — that success meant enabling others as well,”

Vladislav said.

“Her support helped me connect the dots between day-to-day execution and long-term vision and made a big difference in how confident I felt navigating this new territory.”

This exemplifies how leaders at Rapid7 provide guidance and support that go beyond task management, focusing on broader growth.

“When I eventually moved into the Website Development Manager role, it was not only the result of the work I put in, but also the outcome of having strong, intentional support from someone who believed in the direction we were heading. That experience really shaped how I think about leadership and mentorship today,”

he said.

For Courtney, her manager also played a direct role in helping her prepare for a promotion opportunity from Sales Development Representative to Account Executive.

“I had the opportunity to meet with each of the Commercial Sales Managers to sharpen my skills as a future AE. We focused on roleplays, reviewed enablement on our products and services, introduced negotiation strategies, and refined my presentation skills. That level of investment in my development from both my current manager and the team I was looking to grow into made a huge impact, and I’m grateful for how collaborative and encouraging the team was during that transition.”

Courtney also shared how she values learning from her manager’s career growth as a woman in sales.

“I take full advantage of having a manager who started in the same role, especially as a woman in sales,”

she said.

“She understands the challenges firsthand and has been a huge influence in building my confidence. I make the most of her experience by asking for advice, learning how she navigated similar situations, and applying those lessons to my growth. Her journey and success show me what’s possible to achieve here at Rapid7, and I’m grateful to have her as both a mentor and a role model!”

Vladislav also noted,

“Leaders are accessible, and there’s a real openness to ideas from any level. It’s not about titles — it’s about potential and contribution.”

This approach makes employees feel valued and encourages them to take ownership of their development.

Collaboration as a Catalyst for Growth

In addition to support from leaders, Rapid7 works to create an environment where employees can seek encouragement and guidance from peers and cross-functional partners when faced with challenges.

Daniel McGreevy started at Rapid7 as an apprentice and leveraged the expertise of his colleagues to grow his own capabilities and progress through his career.

“Working with our Technical Support experts across multiple products, and getting feedback from Support Engineers helped improve enablement across Global Support and really impacted how I approach solving complex challenges,”

he said.

Additionally, he shared how collaboration with product management and engineering teams shapes product releases and ensures support is ready and equipped to assist customers effectively.

“By collaborating with different teams across the business, we’re able to improve how we service our customers while gaining additional context on the business, our products, and the goals and objectives of each of the teams we partner with and how it contributes to our bigger company initiatives.”

Incorporating this holistic view has played a role in Daniel’s progression into a Senior Technical Support Engineer.

For Vladislav, leading the launch of a new website was a significant career milestone, but what he says he’s even more proud of was the collaboration and partnership between various teams to get it over the finish line.

“The website launch was a huge project with high visibility and complex cross-functional alignment,”

he said.

“We created a space where everyone felt safe to contribute, ask for help, experiment, and make mistakes. We built trust between team members, and when people are not afraid to challenge ideas and share concerns, that openness drives better outcomes for everyone.”

Career Opportunities at Rapid7

The stories of Vladislav, Courtney, and Daniel paint a vivid picture of career growth and development at Rapid7. From accessible leadership and structured support to recognition and empowerment, Rapid7 fosters an environment where employees can thrive.

To learn more about working at Rapid7, visit our careers site: careers.rapid7.com
To view all open jobs, visit careers.rapid7.com/jobs/search

India’s cyber leaders prepare for AI-driven threats

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/06/06/indias-cyber-leaders-prepare-for-ai-driven-threats/

As India’s economy rapidly digitizes, cybersecurity challenges are becoming increasingly complex. This May, Rapid7 launched our inaugural Global Security Day series across India, bringing together top security leaders in Mumbai, Delhi, and Bengaluru to address the most pressing cyber threats facing organizations in 2025.

Key insights that emerged

Across all three cities, several critical themes emerged that are shaping India’s cybersecurity landscape:

AI is No Longer Optional: Organizations recognize that AI has become essential for threat detection, exposure management, and SOC operations. The question is no longer whether to adopt AI, but how to implement it effectively.

Attack Surface Explosion: Cloud misconfigurations, insecure APIs, and identity misuse are driving today’s biggest risks. Organizations are struggling to maintain visibility and control across increasingly complex environments.

SOC Modernization is Urgent: Traditional Security Operations Centers need fundamental transformation, with automation and AI at their core to handle the volume of modern threats.

Talent Gap Challenges: Upskilling and reskilling initiatives are critical to closing the cybersecurity talent gap that’s affecting organizations globally, but particularly acutely in India’s booming tech sector.

Regulatory Evolution: India’s evolving cybersecurity regulatory landscape is shaping how organizations approach their security investments and strategy development.

A journey across India’s cyber capital cities

Our three-city roadshow, organized in collaboration with Information Security Media Group (ISMG), focused on the theme “2025 Cyber Threat Predictions: AI-Driven Attacks, Ransomware Evolution, and Expanding Attack Surface.” The response from India’s cybersecurity community was overwhelming, with 138 security leaders and delegates participating across all three cities.

Launching with impact in Mumbai (May 8)

Our Mumbai kickoff set the tone for the entire series, drawing 43 security leaders eager to dive into critical cybersecurity challenges. Rob Dooley, General Manager APJ, welcomed attendees before Regional CTO Robin Long delivered comprehensive insights on:

  • Global and Asia-Pacific threat landscape trends
  • The evolution of ransomware from double extortion to hybrid attacks
  • Expanding attack surfaces driven by cloud misconfigurations and insecure APIs
  • Next-generation defense strategies leveraging AI and continuous threat exposure management (CTEM)

The highlight was our fireside chat featuring Starlin Ponpandy, CISO of Orion Systems and Rapid7 customer, discussing ‘Building a New-Age SOC: Practical Applications of AI’. The conversation explored choosing the right SOC model, building effective teams, and navigating the complexities of AI trust and explainability.

The main focus of the Q&A was the evolving cyber threat landscape and how organizations can prepare for 2025’s AI-driven, increasingly complex attack environment.

The conversation was dominated by leaders sharing insights on the rise of AI-powered threats, the shift in ransomware tactics to double and hybrid extortion, and the urgent need for proactive threat exposure management. Rapid7’s emphasis on real-time, AI-enabled defenses and automated risk management strategies sparked strong engagement.

Strategic dialogue in Delhi (May 13)

Our Delhi event brought together 43 delegates for candid, strategic discussions about 2025’s top cyber threats. Security leaders engaged in deep conversations about AI-powered detection and defense, proactive exposure management, and building resilient SOCs with automation.

The panel discussion on ‘Building a New-Age SOC’ addressed critical challenges including the cybersecurity talent gap and integrating security into DevOps workflows. It also examined identity-centric security models and the shift from traditional SOCs to Managed Detection and Response solutions.

Attendees posed incisive questions about upskilling teams in an AI-driven environment, managing tool sprawl, and operationalizing security by design – highlighting the sophisticated thinking of India’s cybersecurity leadership.

Tactical discussions in India’s Silicon Valley – Bengaluru (May 15)

Our Bengaluru finale drew the largest crowd with 52 delegates, including CISOs and cybersecurity executives from across South India. The discussions were highly tactical, focusing on:

  • Modernizing SOCs through AI-led threat detection
  • Countering double and triple extortion ransomware
  • Risk automation and secure cloud transformation

Veteran industry speaker Satish Kumar Dwibhashi joined Robin Long for discussions that reinforced a clear theme: security strategy must evolve in lockstep with attacker innovation.

Building for the future

The success of our India Security Days reflects not just the hunger for cybersecurity knowledge in the region, but also Rapid7’s commitment to supporting India’s digital transformation journey. We’re excited to announce that we’re expanding our presence with a Global Capability Center (GCC) in Pune, which will serve as a hub for innovation and home to teams across engineering, business support, and our Security Operations Center (SOC).

This initiative represents more than just business expansion – it’s about building cybersecurity capability and expertise right here in India that will shape a secure digital future for organizations around the world.

The road ahead

The conversations, connections, and insights from our India Security Days have reinforced our belief that India’s cybersecurity community is among the most forward-thinking globally. The challenges are significant – from AI-powered attacks to evolving ransomware tactics – but so is the talent, innovation, and determination to address them.

As we look toward 2025 and beyond, events like these remind us that cybersecurity is ultimately about people: the security leaders making tough decisions, the practitioners implementing defenses, and the communities sharing knowledge and supporting each other.

Thank you to all the security leaders who joined us in Mumbai, Delhi, and Bengaluru. Your engagement, questions, and insights made these events truly impactful. We look forward to continuing these conversations and supporting India’s cybersecurity community as we navigate the challenges and opportunities ahead.

Interested in joining our growing team in India? Learn more about career opportunities at our new GCC in Pune.

From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/06/03/from-ideology-to-financial-gain-exploring-the-convergence-from-hacktivism-to-cybercrime/

Co-authored by Yaniv Allender and Alexandra Blia

Introduction

In the ever-evolving landscape of cyber threat actors, the lines between ideologically driven hacktivism and financially motivated cybercriminals have become increasingly blurred. Originally fueled by political, social, or ethical causes, hacktivist groups have historically engaged in digital protest through website defacements, data leaks, and distributed denial of service (DDoS) attacks.

However, in recent years, a noticeable trend has emerged. Some hacktivist groups are evolving into ransomware operations and even becoming ransomware affiliates. This transformation is driven by a mix of ideological fatigue, opportunity for financial gain, access to sophisticated tools, and the growing profitability of extortion-based attacks. The result is a new hybrid threat actor—one that merges the disruptive zeal of hacktivism with the ruthless efficiency of cybercrime.

Understanding this shift is crucial for defenders, as it represents a convergence of motives that complicates attribution, response, and mitigation strategies. To this end, we have examined three prominent examples of relevant threat actors, namely FunkSec, KillSec, and GhostSec, identifying the drivers behind their transition to financially motivated campaigns and exploring the shift in their modus operandi.

Threat actor analysis

FunkSec

The FunkSec ransomware group emerged within the cybercrime ecosystem as a rising star in December 2024. The ransomware-as-a-service (RaaS) group has claimed at least 172 victims to date. The group proudly promotes itself as an AI-driven ransomware group, with their encryptor, FunkLocker, and some of the malware’s source code allegedly generated using generative AI tools.

The group targets organizations from various sectors and regions, such as government, education, automotive, energy, IT, and manufacturing, located in countries like the United States, Israel, France, Italy, Germany, India, and Australia.

FunkSec started as a politically motivated hacking (hacktivist) group, specifically interested in targeting the United States (Figure 1). The group was known to be aligned with the “Free Palestine” movement (Figure 2), and associated itself with other hacktivist groups, such as Ghost Algeria and Cyb3r Fl00d. Among its affiliates are Scorpion (AKA DesertStorm, a suspected Algeria-based hacker), El_farado, XTN, Blako, and Bjorka (an alleged Indonesian hacktivist). In its early days, the group offered tools commonly associated with hacktivist activities, including services for DDoS and defacement attacks.

Figure 1 – FunkSec’s activities as a hacktivist

Figure 2 – FunkSec’s statement against the USA and Israel

At some point, the group transitioned its focus from politically motivated attacks to a RaaS model, offering customizable tools to its affiliates. Its victimology also changed from government entities to organizations across various sectors, such as education, technology, telecommunications, and agriculture (Figure 3).

Figure 3 – FunkSec’s latest active DLS

FunkSec’s reliance on relatively simple malware development using AI-based tools also explains the fast transition of the group from targeted hacktivism campaigns to broader, financially-motivated activities, with a large number of victims in a short period of time (Figure 4).

Figure 4 – FunkSec’s victims on their DLS

The group’s transition has also been referenced on a Russian-speaking dark web forum, where the author mentioned a cybersecurity vendor’s article on FunkSec (Figure 5).

Figure 5 – FunkSec’s transition being referenced on a Russian-speaking dark web forum

KillSec

The KillSec hacktivist group (AKA Kill Security) has been active since at least 2021. The Russia-aligned group targets organizations from various sectors, such as government, finance, transportation, electronics, manufacturing, travel and recreation, retail, and consumer services, located in countries like India, Bangladesh, Romania, Poland, and Brazil. The group considers itself a “prominent hacktivist group operating in the cyber realm, with a focus on both disruption and digital activism.”

KillSec initially emerged as a hacktivist group aligned with the Anonymous collective, with its operations primarily including DDoS attacks and website defacements, before pivoting to ransomware operations in October 2023. KillSec’s ransomware variants, namely KillSecurity 2.0 and KillSecurity 3.0, are designed to encrypt files and demand ransom payments for decryption.

In June 2024, KillSec introduced a RaaS operation, advertising a locker for Windows environments written in C++ and a dashboard, enabling affiliates to observe detailed statistics, conduct chat communications, and customize ransomware configurations using a builder tool. In November 2024, the group launched an additional locker for ESXi environments, expanding the breadth of its operations (Figure 6).

Figure 6 – KillSec launches locker for ESXi environments

The group’s shift is aligned with the overall proliferation of RaaS programs, enabling less technically skilled individuals to conduct ransomware attacks with relative ease in exchange for a fee. The group has been advertising its RaaS offering in an attempt to attract cybercriminals and further broaden its affiliate network (Figure 7).

Figure 7 – KillSec looking for affiliates

Although in certain incidents KillSec relied solely on stolen data to extort victims, the group mainly adopts double extortion tactics, exfiltrating data in addition to encrypting it and demanding a ransom payment to prevent the data from being leaked. The group operates an active dedicated leak site (DLS) to which it uploads the data of victims who refuse to pay the ransom. The group also uses its DLS to advertise its services, which include penetration testing, data gathering, and its RaaS program (Figure 8).

Figure 8 – KillSec’s services

It should be noted that KillSec’s DLS also features a “For Sale” section, offering data allegedly exfiltrated from the targeted companies for sale, with the prices ranging between $5,000 and $350,000 (Figure 9). The group likely introduced this section in an attempt to further monetize the exfiltrated data. This offering of stolen data and additional services further suggests the financially motivated nature of the group’s activity.

Figure 9 – “For Sale” section on KillSec’s DLS

GhostSec

The GhostSec hacktivist group (AKA Ghost Security, GhostSecMafia, and GSM) has been active since at least 2015. The Anonymous-affiliated group gained prominence with the #OpIsis and #OpParis campaigns, in which various hacktivist groups took down thousands of ISIS websites and social media accounts using defacement and DDoS attacks. Since then, GhostSec has participated in campaigns such as #OpLebanon, #OpNigeria, #OpMyanmar, #OpEcuador, and #OpColombia. The group has also continuously launched cyberattacks on Israel in response to alleged war crimes, primarily defacing Israeli websites to spread “Free Palestine” messages.

GhostSec’s shift towards financially motivated operations overlaps with the group’s collaboration with cybercriminals. In July 2023, GhostSec announced that they formed a partnership with the Stormous ransomware group to target organizations in Cuba (Figure 10). Following this announcement, Stormous and GhostSec jointly claimed extortion attacks against three Cuban government ministries, and GhostSec also expressed the potential for future joint operations against other countries. In August 2023, GhostSec, together with ThreatSec, Stormous, Blackforums, and SiegedSec, collectively formed a unified collective, naming themselves “The Five Families” (Figure 11). This collective attempted to extort the presidential website of Cuba and the Brazilian organization Alfa Comercial.

Figure 10 – Announcement of the alliance between GhostSec and Stormous on their Telegram channel

Figure 11 – Announcement of the “Five Families” formation on their Telegram channel

GhostSec solidified its presence in the cybercriminal ecosystem with the launch of its RaaS program “GhostLocker” in October 2023, which was shortly followed by the release of its infostealer tool, GhostStealer (Figure 12). In January 2024, the updated “REWRITE” (aka GhostLocker 2.0) version of GhostLocker was released, with a fully featured management panel allowing affiliates to track campaigns and payouts. The threat actor promoted its malware-as-a-service (MaaS) tools heavily on its Telegram channels, demonstrating its intention to attract affiliates and, in turn, maximize its profits.

Figure 12 – GhostLocker’s release announcement

On May 15, 2024, GhostSec announced its retirement from cybercriminal activities and its return to hacktivism. The group stated that it reached this decision after having obtained enough funding to support its hacktivist operations. GhostSec further mentioned that Stormous would remain in charge of the management and operation of GhostLocker (Figure 13).

Figure 13 – GhostSec’s retirement from cybercriminal activities

It should be noted that Stormous seemingly had already incorporated GhostLocker into its operations, even before GhostSec’s retirement. As of May 2025, the group is still active and operates the Stormous RaaS program, which appears to be a continuation of GhostLocker. This development signifies the mutual assistance and influence among united threat groups, as collectives like the Five Families allow them to maximize the impact and breadth of their operations by sharing resources, audience, and knowledge.

Two sides of the same coin?

This analysis shows that the threat actors in scope, FunkSec, KillSec, and GhostSec, have followed a similar trajectory, pivoting from politically motivated, disruptive campaigns to financial extortion. This transition is likely facilitated by the public availability of leaked ransomware builders, such as LockBit 3.0, which threat actors can leverage to develop their payloads.

The groups specifically appear to have adopted double extortion tactics, exfiltrating data from their victims and then encrypting it, in an attempt to pressure them to comply with their ransom demands. However, despite their seeming ability to conduct ransomware operations, these groups appear to lack the level of sophistication and specialization that characterize top-tier cybercriminal groups, such as Cl0p and LockBit, which are mentioned in the Rapid7 Q1 2025 ransomware report.

Interestingly, all three groups embraced RaaS as their business model while pivoting towards cybercrime. This evolution is aligned with the current state of the ransomware ecosystem, in which RaaS programs have become increasingly common. Such programs, which demonstrate the financial nature of these groups’ activities, enable threat actors to maximize their profits by allowing affiliates to use their ransomware kit for a fee and a percentage of the collected ransom.

This transition has also broadened the victimology of FunkSec, KillSec, and GhostSec. While these groups once operated as hacktivists that primarily targeted government entities, their scope of activities expanded significantly as they shifted to ransomware attacks. Along the way, their attacks shifted from targeted to opportunistic, hitting organizations of different sizes, operating in diverse sectors and geographies, that could be compromised with relatively little effort.

While all of these groups follow the pattern, shifting from hacktivism to cybercrime, and specifically financially motivated RaaS operations, the reason behind this transition remains unclear. As an exception, GhostSec appears to have embraced cybercrime in an attempt to gather funding for its hacktivist operations, according to its exit message. It should be noted that other threat actors, such as CyberVolk, have also launched RaaS programs to fund their operations, but these efforts remain scarce.

Finally, other hacktivist groups, such as Ikaruz Red Team and their affiliates, also operate ransomware, but they do so to cause disruption and make political statements. Thus, the scope of their operations differs from financial gain and is not comparable to that of the groups included in this analysis.

Conclusion

The evolution of FunkSec, KillSec, and GhostSec from hacktivist collectives to RaaS operations highlights a recent shift in the motivations driving cybercriminal behavior. Initially, these groups were propelled by political and ideological aims, targeting governments and organizations in alignment with their perceived causes. Over time, however, their focus has clearly shifted towards financial gain, as evidenced by their adoption of RaaS models that prioritize profit over ideology. As cybercriminals adapt to “market demands,” it becomes clear that financial motivation has come to dominate their activities, leaving behind the ideological roots of their earlier campaigns.

Indicators of compromise (IoCs)

FunkSec

  • Dark web DLS:
    • funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion
    • funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad[.]onion
    • funksecsekgasgjqlzzkmcnutrrrafavpszijoilbd6z3dkbzvqu43id[.]onion
  • Clearweb DLS: http://funksec[.]top
  • Funkforum: http://funk4ph7igelwpgadmus4n4moyhh22cib723hllneen7g2qkklml4sqd[.]onion
  • Session ID: 0538d726ae3cc264c1bd8e66c6c6fa366a3dfc589567944170001e6fdbea9efb3d

GhostSec

8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9

c9f71fc4f385a4469438ef053e208065431b123e676c17b65d84b6c69ef6748a

a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f

3ecf05857d65f7bc58b547d023bde7cc521a82712b947c04ddf9d7d1645c0ce0

Stormous

KillSec

  • DLS: http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onion
  • Telegram channel: https://t.me/killsecc
  • TOX ID: 9453686EAB63923D1C35C92DDE5E61A6534DD067B5448C1C8D996A460B92CA5055C1AB0FCD22
  • Session ID: 05cb94c52170c8119f7ebc2d8afc94b9746bc7c361d91c49e7d18e96e266582a07
  • SHA256: 8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d
  • IP addresses: 82[.]147[.]84[.]98, 77[.]91[.]77[.]187, 93[.]123[.]39[.]65
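The indicators above are published defanged (`[.]` in place of `.`), so they have to be refanged before they can be matched against telemetry, and a hash-on-asset style check only pays off if the comparison is exact (lower-cased hashes, whole IP addresses rather than substrings, a host that equals or is a subdomain of a listed domain rather than merely containing it). The following Python script is an added example and is not part of the original post or of Rapid7’s detection content: it takes the SHA-256, IP and domain indicators listed above for the three groups, refangs them, and sweeps constructed newline-delimited JSON events. The event shape and field names (`sha256`, `dst_ip`, `dst_host`) are assumptions made for the example, and the sample log lines are constructed, not real telemetry.

```python
"""Match the published FunkSec/KillSec/GhostSec indicators against log events.

Added example. The indicator values are copied from the IoC list in this post,
still in their defanged form; the log format, field names and sample events
below are assumptions constructed for the example.
"""
import ipaddress
import json

# Defanged network indicators from the post, keyed to the group that published them.
DEFANGED_NETWORK_IOCS = {
    "funksec[.]top": "FunkSec",
    "funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion": "FunkSec",
    "ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onion": "KillSec",
    "82[.]147[.]84[.]98": "KillSec",
    "77[.]91[.]77[.]187": "KillSec",
    "93[.]123[.]39[.]65": "KillSec",
}

# SHA-256 file hashes from the post, lower-cased so comparison is case-insensitive.
HASH_IOCS = {
    "8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d": "KillSec",
    "8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9": "GhostSec",
    "c9f71fc4f385a4469438ef053e208065431b123e676c17b65d84b6c69ef6748a": "GhostSec",
    "a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f": "GhostSec",
    "3ecf05857d65f7bc58b547d023bde7cc521a82712b947c04ddf9d7d1645c0ce0": "GhostSec",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions ([.] and hxxp) so the value can be compared."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def build_indicator_sets():
    """Split the refanged network indicators into an IP table and a host table."""
    ips, hosts = {}, {}
    for defanged, group in DEFANGED_NETWORK_IOCS.items():
        value = refang(defanged).lower()
        try:
            ipaddress.ip_address(value)  # raises ValueError for domain names
            ips[value] = group
        except ValueError:
            hosts[value] = group
    return ips, hosts


IP_IOCS, HOST_IOCS = build_indicator_sets()


def host_matches(host: str, hosts: dict):
    """Exact match or a subdomain of a listed host; never a bare substring match."""
    host = host.lower().rstrip(".")
    for known, group in hosts.items():
        if host == known or host.endswith("." + known):
            return known, group
    return None


def scan_event(event: dict):
    """Return (indicator_type, indicator, group) hits for one parsed event."""
    hits = []
    sha = (event.get("sha256") or "").lower()
    if sha in HASH_IOCS:
        hits.append(("sha256", sha, HASH_IOCS[sha]))
    dst_ip = event.get("dst_ip")
    if dst_ip in IP_IOCS:  # whole-value match: 82.147.84.981 must not hit 82.147.84.98
        hits.append(("ip", dst_ip, IP_IOCS[dst_ip]))
    host = event.get("dst_host")
    if host:
        match = host_matches(host, HOST_IOCS)
        if match:
            hits.append(("host", match[0], match[1]))
    return hits


def scan_log(lines):
    """Scan newline-delimited JSON events; return (line_number, type, value, group) tuples."""
    results = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole sweep
        for hit in scan_event(event):
            results.append((number, *hit))
    return results


# Constructed sample telemetry (not real data): one process event with a file hash,
# then proxy/firewall events, including near-misses that must not match.
SAMPLE_LOG = """
{"ts": "2025-06-01T10:02:11Z", "host": "ws-042", "proc": "svchost.exe", "sha256": "8CEE3EC87A5728BE17F838F526D7EF3A842CE8956FE101ED247A5EB1494C579D"}
{"ts": "2025-06-01T10:02:14Z", "host": "ws-042", "dst_ip": "82.147.84.98", "dst_port": 443}
{"ts": "2025-06-01T10:02:15Z", "host": "ws-017", "dst_ip": "82.147.84.981", "dst_port": 443}
{"ts": "2025-06-01T10:02:20Z", "host": "ws-017", "dst_host": "cdn.funksec.top", "dst_port": 80}
{"ts": "2025-06-01T10:02:21Z", "host": "ws-017", "dst_host": "notfunksec.top", "dst_port": 80}
not json at all
"""


if __name__ == "__main__":
    for line_no, kind, value, group in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(f"line {line_no}: {kind} {value} -> {group}")
```

Run as a script it reports three hits (the KillSec hash, the KillSec IP, and the FunkSec domain via its subdomain) and stays silent on the malformed IP, the look-alike domain and the unparsable line. Network indicators from a leak site age quickly, so treat an IP or domain hit as a lead to pivot on, while a hash hit on an endpoint is a stronger signal that the payload itself was present.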

Rapid7 customers

InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7’s expansive library of detection rules. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to the FunkSec, KillSec, and GhostSec ransomware activity. We will also continue to iterate detections as new variants emerge, giving customers continuous detection without manual tuning:

Suspicious Process – Malicious Hash On Asset

While this specific detection directly covers malicious binaries linked to ransomware operations, customers also benefit from a comprehensive suite of detections that alert on post-exploitation behavior often observed prior to ransomware deployment. These include detections for lateral movement, privilege escalation, and suspicious persistence mechanisms, providing layered defense even when the specific ransomware payload is novel or obfuscated.

Key Takeaways from the Take Command Summit 2025: Risk Revolution – Proactive Strategies for Exposure Management

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/06/02/key-takeaways-from-the-take-command-summit-2025-risk-revolution-proactive-strategies-for-exposure-management/

At the Take Command 2025 Virtual Cybersecurity Summit, a standout session titled Risk Revolution brought together Rapid7 product leaders and ESG analyst Tyler Shields to unpack the evolution of exposure management — and how organizations can build more context-driven, proactive risk strategies.

Hosted by Ryan Blanchard, Senior Manager, Product Marketing at Rapid7, the panel featured:

  • Jane Man, Senior Director of Product Management, Rapid7
  • Jamie Douglas, Specialist, Rapid7
  • Tyler Shields, Principal Analyst, Risk and Vulnerability Management, ESG

Here are the key takeaways from the discussion, along with supporting insights from the post-event attendee survey.

From vulnerability management to exposure management

The session opened by distinguishing exposure management from traditional vulnerability management. Tyler Shields explained:

“Exposure management is the maturation of vulnerability management… It’s understanding risk, business context, and prioritizing accordingly.”

Rather than focusing solely on patching, exposure management is about knowing what to fix, why it matters, and who owns it, and doing so continuously.

Visibility gaps are slowing teams down

Visibility was a central theme throughout the session. Jane Man noted:

“A lot of the customers we talk to still struggle with just identifying what they have.”

This challenge was echoed in the post-event survey, where 53% of respondents cited identifying unknown assets as the top challenge in their exposure management programs.

Tyler added:

“You can’t protect what you don’t know about. And you certainly can’t prioritize it.”

Prioritization must be contextual

Prioritization remains a major hurdle for many organizations. Jamie Douglas stressed that severity alone isn’t enough:

“You can have a critical vulnerability on a printer, but if it’s segmented and not internet-facing, is it really a priority?”

The team emphasized the importance of integrating business impact, asset criticality, exploitability, and ownership into the prioritization process.

“If you don’t tie risk to business context, you’re just chasing numbers,” Tyler noted.

It’s time to break down silos

A powerful moment in the session came when the panel discussed collaboration across functions. Jane shared:

“Security doesn’t operate in a vacuum. You need buy-in from engineering, cloud, compliance – everyone has a role in risk reduction.”

Without shared language and unified dashboards, visibility doesn’t translate into action. The speakers urged teams to build bridges with IT and DevOps to ensure findings are actually resolved, not just reported.

Survey: risk prioritization is lagging behind

In the survey, only 18% of respondents said their organizations integrate threat intelligence into exposure management “very effectively”, highlighting a clear opportunity to improve how teams prioritize risk with real-time context.

This stat reinforces the panel’s broader message: that exposure management isn’t a point-in-time project — it’s a continuous, evolving practice.

Watch the full session on demand

For a deeper dive into the frameworks, real-world examples, and exposure strategies discussed in this session, watch Risk Revolution on demand.

Watch the Full Session

Key Takeaways from the Take Command Summit 2025: Customer Panel on Future-Proofing VM Programs

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/05/28/key-takeaways-from-the-take-command-summit-2025-customer-panel-on-future-proofing-vm-programs/

One of the most actionable sessions at the Take Command 2025 Virtual Cybersecurity Summit came directly from the field. In a panel hosted by Aniket Menon, VP of Product Management at Rapid7, security leaders from Cross Financial Corp, Phibro Animal Health Corporation, and Miltenyi Biotec shared how they’re evolving vulnerability management into a proactive exposure management strategy.

With real-world examples, team metrics, and shared challenges, the panel offered practical advice for teams ready to modernize their approach and reduce risk with more focus and confidence.

From VM to EM: A shift in mindset

Panelists agreed: traditional vulnerability management practices can’t keep up with today’s dynamic, hybrid environments. To stay ahead, security teams must shift toward continuous exposure assessment – building context around vulnerabilities and aligning efforts with business priorities.

As one attendee later shared in our post-event survey:

“Moving from vulnerability management to exposure management isn’t just a process change – it’s a mindset shift. It forces us to be more proactive.”

This takeaway aligns with broader findings from the summit survey, where 64% of respondents identified exposure management as a top priority for improving their detection and response strategies.

Prioritization requires business context

Volume isn’t the issue – context is. The panel emphasized that real risk reduction happens when teams align remediation priorities with asset value, exploitability, and operational relevance. That means:

  • Building dashboards tailored for different stakeholders
  • Connecting security and IT teams through shared language
  • Using context to elevate urgency and drive action

You can’t fix what you can’t see

Despite tool investments, many organizations still struggle with asset discovery and visibility. In fact, 53% of survey respondents said identifying unknown assets is the most challenging part of exposure management.

As Edward Chang, Senior Manager of Cybersecurity and Compliance at Phibro Animal Health Corporation, explained during the panel:

“No one has 100% visibility. But if we can improve what we see and give that context to the right teams, we’re already ahead of where we were last year.”

The session encouraged using telemetry, automation, and unified data views to close gaps across environments.

Bridging the gap between security and operations

A recurring theme across the panel was the need for collaboration between security, infrastructure, and engineering teams. Effective exposure management doesn’t just rely on the right data — it depends on the right relationships.

Security teams must be integrated into how organizations build, deploy, and operate — not treated as a separate or downstream function. Building that alignment means treating security as an enabler, not a roadblock.

Ownership, accountability, and human risk

Beyond technology, the session also addressed ownership and accountability. Security leaders must not only flag risk — they must clearly assign and communicate responsibility. As attack surfaces expand and teams diversify, the ability to coordinate across functions becomes even more critical.

Watch the full panel on demand

If you’re looking to strengthen your vulnerability management program or build a more proactive exposure management strategy, this session offers a roadmap shaped by real-world experience.

Watch the Customer Panel On Demand

What the Take Command 2025 Survey Tells Us About the State of Security

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/05/22/what-the-take-command-2025-survey-tells-us-about-the-state-of-security/

The Take Command 2025 Virtual Cybersecurity Summit wasn’t just about sharing insights, it was about listening. After the live sessions wrapped, we surveyed attendees to understand where their security programs stand today, what challenges they’re facing, and what they found most valuable during the event.

Now, we’re excited to share those insights in a new downloadable infographic – The Take Command: Pulse of the Industry Survey, capturing the state of exposure management, AI adoption, MDR maturity, and more.

Here are a few standout takeaways from the survey, and where to dive deeper in the sessions on demand.

Exposure management: confidence is growing — but challenges remain

80% of respondents said they have confidence in their ability to respond to cyber risks through their exposure management program, and 60% reported successful integration of EM into their broader security workflows.

But the day-of survey showed a more nuanced reality. More than half of respondents cited identifying unknown assets and monitoring third-party risk as the top challenges in their exposure programs.

To explore solutions and strategies, check out Risk Revolution: Proactive Strategies for Exposure Management.

MDR adoption is strong — but visibility still needs work

58% of respondents rated their detection and response capabilities at 4 or 5 out of 5, and most teams using MDR cited a need for 24/7 monitoring and support for under-resourced teams. But 21% rated their confidence at 3 or below, indicating that making the right choice in MDR partner is critical.

In sessions like Inside the SOC and Demystifying Cloud Detection & Response, Rapid7’s teams shared real-world threat hunting stories and cloud-centric detection tactics to help close the gap.

Generative AI is a double-edged sword

Generative AI was one of the most discussed topics across the day — and for good reason. 50% of respondents said they were “very” or “extremely concerned” about adversaries using AI to enhance cyber attacks. Yet 36% of respondents say they’re not currently using Generative AI in their own security operations, citing barriers like tool integration, cost, and lack of skilled personnel.

For those navigating this space, AI in Action and Rise of the Machines both delivered practical examples of how teams are using AI responsibly to improve triage, detection, and response — while setting the necessary guardrails for safe adoption.

What attendees found most valuable

Take Command 2025 drew more than 2,200 live attendees, with on-demand views continuing to grow — and the feedback was clear: the content delivered. 67% of survey respondents rated the speakers as “Excellent”, with similarly high marks for session content and delivery.

When asked about their biggest takeaways, attendees consistently highlighted:

  • Exposure management and risk visibility are key
  • SOC operations and real-world case studies
  • AI’s role in transforming security strategy
  • The importance of “thinking like a hacker” to improve defenses

Attendees also appreciated the balance of voices, with one noting:

“Good mix of internal and external resources that knew what they were talking about and how to deliver it to a wide audience.”

Another shared:

“I didn’t think Rapid7 could improve its ability to unify information — but the new Exposure Command solution has done just that.”

From the depth of expertise to the variety of session formats, the summit resonated with attendees across roles, regions, and industries.

Explore the full infographic

Want a deeper dive into the data? Download the full Take Command: Pulse of the Industry Survey infographic to explore:

  • Where teams are seeing success with exposure management
  • How GenAI is being used (or not) across security operations
  • What MDR teams are prioritizing — and what’s holding them back
  • The biggest technical and strategic challenges security leaders face in 2025

[Download the infographic]

Catch up or rewatch: all sessions on demand

Whether you missed the live event or want to explore specific topics in more detail, every session from Take Command 2025 is now available to watch on demand.

Key Takeaways from the Take Command Summit 2025: Inside the Mind of an Attacker

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/05/21/key-takeaways-from-the-take-command-summit-2025-inside-the-mind-of-an-attacker/


In one of the most anticipated sessions of Take Command 2025, Raj Samani, Chief Scientist at Rapid7, sat down with Trent Teyema, former FBI Special Agent and President of CSG Strategies, for a candid conversation on how threat actors are evolving and what defenders must do to keep up.

Moderated by Brian Honan, CEO of BH Consulting, the panel pulled no punches. From the economics of ransomware to the risks of overrelying on static indicators of compromise, Inside the Mind of an Attacker: Navigating the Threat Horizon served as both a wake-up call and a roadmap for modern security strategy.

Cybercrime is thriving — and getting smarter

It’s no longer about lone hackers. As Raj put it, “Ransomware has become a business.” Today’s threat actors are highly organized, well-resourced, and increasingly leveraging professional tools and affiliate networks.

One striking takeaway: groups like RansomHub are reportedly earning tens of millions of dollars per quarter, reinvesting that revenue into toolkits, infrastructure, and even “customer service” operations for negotiating with victims.

Panelists discussed the trend toward secondary extortion tactics, where attackers threaten to notify regulators like the SEC if ransom demands aren’t met — a calculated move to increase pressure without deploying additional payloads.

From indicators to context: why threat intelligence must evolve

One of the biggest challenges facing defenders today is the lack of actionable, context-rich intelligence. Threat intel feeds are abundant, but the signal-to-noise ratio is still too low: most indicators arrive without the context needed to act on them.

“We don’t just need more data. We need better context,” Raj emphasized.

The panel discussed how defenders must move beyond static IOCs and invest in behavioral analysis, context-aware detection, and real-time telemetry to truly stay ahead of threats.

A recent stat from the post-event survey reflects this shift: only 18% of respondents said their organizations integrate threat intelligence into exposure management very effectively.

To beat an attacker, think like one

The message came through clearly: organizations that adopt a proactive, attacker-informed mindset are better equipped to defend against modern threats. That means:

  • Red teaming with real-world attacker playbooks
  • Understanding how ransomware operators stage and execute campaigns
  • Practicing lateral-movement detection before an incident, not during one
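The contrast the panel draws, static IOCs versus behavioral detection, is easier to see in code. The following is an added example, not from the Rapid7 session or any Rapid7 product: it runs a hash-based IOC match and a lateral-movement fan-out rule over a handful of constructed events. The hostnames, account names, hashes and the IOC list are made up for the illustration, and the threshold (four distinct hosts reached over the network within ten minutes) is an assumed tuning value, not a recommendation from the session.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (made up, not real data).
# Each record is (ISO timestamp, event kind, fields). Logon type 3 is a
# network logon, the kind that admin-share and remote-exec tools generate.
EVENTS = [
    ("2025-05-20T09:00:10", "process", {"host": "ws-014", "user": "jdoe",
                                        "image": "psexesvc.exe", "sha256": "11" * 32}),
    # The same tool, repacked: new file name, new hash, unknown to the feed.
    ("2025-05-20T09:04:55", "process", {"host": "ws-021", "user": "svc-backup",
                                        "image": "updater.exe", "sha256": "22" * 32}),
    ("2025-05-20T09:05:01", "logon", {"user": "svc-backup", "src": "ws-021", "dst": "srv-01", "type": 3}),
    ("2025-05-20T09:05:40", "logon", {"user": "svc-backup", "src": "ws-021", "dst": "srv-02", "type": 3}),
    ("2025-05-20T09:06:15", "logon", {"user": "svc-backup", "src": "ws-021", "dst": "srv-03", "type": 3}),
    ("2025-05-20T09:07:02", "logon", {"user": "svc-backup", "src": "ws-021", "dst": "srv-04", "type": 3}),
    ("2025-05-20T09:08:30", "logon", {"user": "svc-backup", "src": "ws-021", "dst": "srv-05", "type": 3}),
    # An ordinary user reaching one file server: no alert expected.
    ("2025-05-20T09:10:00", "logon", {"user": "jdoe", "src": "ws-014", "dst": "fs-01", "type": 3}),
    # Same service account hours later, one host: outside any ten-minute window.
    ("2025-05-20T13:00:00", "logon", {"user": "svc-backup", "src": "ws-021", "dst": "srv-06", "type": 3}),
]

# Hypothetical IOC feed: it only knows the first hash.
IOC_SHA256 = {"11" * 32}


def ioc_matches(events, iocs=IOC_SHA256):
    """Static matching: a process is flagged only if its hash is already on the feed."""
    return [(f["host"], f["image"], f["sha256"])
            for _, kind, f in events
            if kind == "process" and f["sha256"] in iocs]


def lateral_fanout(events, min_targets=4, window=timedelta(minutes=10)):
    """Behavioral rule: one account, from one source host, reaching at least
    min_targets distinct hosts over the network inside a sliding window.
    It never looks at which binary drove the logons."""
    per_actor = defaultdict(list)
    for ts, kind, f in events:
        if kind == "logon" and f["type"] == 3:
            per_actor[(f["user"], f["src"])].append((datetime.fromisoformat(ts), f["dst"]))

    alerts = []
    for (user, src), logons in per_actor.items():
        logons.sort()
        lo = 0
        for hi in range(len(logons)):
            # Slide the window start forward until the span fits the time bound.
            while logons[hi][0] - logons[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in logons[lo:hi + 1]}
            if len(targets) >= min_targets:
                alerts.append({"user": user, "src": src, "targets": sorted(targets),
                               "first": logons[lo][0].isoformat(),
                               "last": logons[hi][0].isoformat()})
                break  # one alert per actor is enough to open a triage case
    return alerts


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS))
    for a in lateral_fanout(EVENTS):
        print("Fan-out:", a)
```

The repacked copy of the tool on ws-021 carries a hash the feed has never seen and passes the IOC check untouched; the fan-out rule flags the same actor from the logon pattern alone, and the single logon at 13:00 falls outside the window and contributes nothing. The threshold and window have to be tuned against the environment's own baseline (backup and vulnerability-scanning accounts fan out legitimately), which is exactly the "practice before it happens" work the panel is asking for.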

Trent Teyema, drawing on his FBI experience, pointed out that too many organizations still rely on legacy thinking: “They treat cyber like IT, when they should be treating it like crime.”

Paying ransoms: a business risk, not a moral judgment

Both speakers addressed the uncomfortable reality: sometimes ransoms are paid. And while this remains a contentious topic, the panel framed it clearly – it’s a business decision, not a moral one.

Raj urged teams to have ransomware playbooks and decision frameworks defined in advance. This includes:

  • Knowing legal constraints (especially around sanctions: a payment to an OFAC-listed entity can itself be a sanctions violation, so attribution has to be assessed before any payment decision)
  • Understanding the implications of payment
  • Engaging with experienced negotiation partners if needed

Visibility still reigns supreme

From attack surface awareness to SOC visibility gaps, the theme of visibility was woven throughout the session.

As Raj noted, “You can’t protect what you don’t know about.”

The panel closed with a call to action: unify your data, reduce siloed tools, and build detection and response around context, not just coverage.

Watch the full session on demand

If you missed this conversation — or want to rewatch it with your team — the full session is now available.

[Watch Inside the Mind of an Attacker On Demand]

Recognizing Excellence: Rapid7’s Kelly Hiscoe and Heather DeMartini Honored as CRN’s 2025 Women of the Channel

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/05/12/recognizing-excellence-rapid7s-kelly-hiscoe-and-heather-demartini-honored-as-crns-2025-women-of-the-channel/


We are thrilled to announce that two outstanding Rapid7 team members, Kelly Hiscoe and Heather DeMartini, have been recognized as CRN’s 2025 Women of the Channel. This prestigious recognition honors innovative and strategic leaders that demonstrate commitment to advancing channel excellence and supporting the success of their partners and customers. We are extremely proud to see Kelly and Heather honored for their significant contributions.

Kelly Hiscoe: Building programs for our partner community

Kelly Hiscoe and her team lead the development and global implementation of Rapid7 partner programs, significantly enhancing the efficiency and growth of our global channel ecosystem. Their commitment to creating competitive programs and streamlined partner experiences ensures seamless execution across our partner network. Through ongoing engagement, Kelly’s team delivers an experience to our partners that is simplified, scalable, and predictable.

Kelly’s dedication to enhancing the partner experience is unwavering, noting: “At Rapid7, everything we develop is with deep intention and we will continue to build and refine our partner programs with our partners. We remain committed to building a competitive program while continuing to enhance the partner experience by developing efficient processes that significantly enhance the partner selling experience with Rapid7.”

Her leadership and vision are integral to our ongoing success and the satisfaction of our partners.

Kelly Hiscoe – Senior Director, Global Partner Programs and Experience

Heather DeMartini: Building scalable partner training

Heather leads Global Partner Enablement at Rapid7 where she and the enablement team recently launched the company’s first role-based partner certification framework to drive partner empowerment, autonomy, and profitability. By recognizing partner capabilities, knowledge, and expertise, Rapid7’s Partner Academy ensures partner awareness and competency in all aspects of positioning, selling, and using Rapid7 solutions across the entire customer lifecycle from pre-sales to sales to post-sales.

Heather shared the overall mission of Rapid7’s Partner Academy: “We designed this training and certification framework to drive mutual success with partners in two ways: by enabling a partner ecosystem that is a self-sufficient revenue generating engine, and by enabling partner-led services across the full customer lifecycle that accelerate profitability with Rapid7.”

On the value and importance of partner services enablement, Heather elaborated: “We understand that partners offering services experience significantly higher profitability driven by margin on services being so much higher than on products alone. Our goal is to ensure our partners can more easily wrap their services around our products by enabling them to build, elevate, and expand their services capabilities with us. So, we are thrilled to launch the second part of our mission in the second half of this year.”

Heather looks forward to advancing this partner-first approach while improving the customer and partner experience with Partner Academy. This will ensure partners are successful in developing the knowledge and skills they need to expand their success with Rapid7.

Heather DeMartini – Global Partner Enablement Lead

Commitment to excellence

Kelly and Heather’s recognition as CRN’s 2025 Women of the Channel points to their unique ability to foster a supportive channel ecosystem that empowers partners and helps accelerate their businesses.

We are grateful for the outstanding contributions of these two women – their continued dedication to excellence in the channel community underscores Rapid7’s commitment to our partners in industries throughout the world. Please join us in celebrating the achievements of Kelly and Heather in service of their partner colleagues. Learn more about Rapid7 global partnerships here.

Key Takeaways from the Take Command Summit 2025: From Zero to Hero: Building the Perfect Defense

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/05/06/key-takeaways-from-the-take-command-summit-2025-from-zero-to-hero-building-the-perfect-defense/


At Take Command 2025, bold ideas and fresh thinking took center stage — in particular in our opening talk From Zero to Hero: Building the Perfect Defense.

Led by Ted Harrington, Executive Partner at ISE, and hosted by Thom Langford, EMEA CTO at Rapid7, this session challenged security leaders to think beyond traditional defenses and imagine a future where cybersecurity is smarter, faster, and proactive by design.

Here’s a quick look at the key insights from the conversation.

Security needs a reset, not a retrofit

Ted kicked things off with a fundamental question: if we could rebuild cybersecurity from scratch, what would we do differently?
Instead of layering on more tools or chasing compliance checklists, today’s most resilient organizations are rethinking their architectures, embedding security principles like Zero Trust from the ground up, and designing systems to stop threats before they strike.

Think like an attacker to build defenses that work

The best defenders don’t just react, they anticipate. Ted emphasized the importance of adopting a hacker mindset within security teams. Creativity, curiosity, and a willingness to question assumptions are critical to staying ahead of adversaries who constantly innovate.
Security strategies must evolve to disrupt attacker workflows, not just patch known vulnerabilities.

Security is a business enabler, not a roadblock

One of the biggest missed opportunities in cybersecurity is the failure to connect security outcomes to business success.
Ted encouraged security leaders to speak the language of the boardroom, framing security initiatives as drivers of trust, resilience, and competitive advantage — not just cost centers or necessary evils.

Burnout and broken structures hold security back

Ted didn’t shy away from real talk about the internal challenges many security teams face.
Burnout, underfunded initiatives, and misaligned CISO roles are slowing progress across the industry.
Organizations must empower security leadership with proper funding, executive visibility, and a seat at the table if they want to build truly resilient programs.

Ready to take command? Watch the full session

Ted’s message was clear: the future of cybersecurity won’t be built on incremental improvements. It will be shaped by organizations bold enough to rethink, reframe, and rebuild from a position of strength.

Want to dive deeper? Catch the full session on demand and explore how you can take command of your defenses today.

Watch Now.

AI and Resilience Take the Spotlight in 2025: Key Trends from Gartner® Cybersecurity Research

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/05/01/ai-and-resilience-take-the-spotlight-in-2025-key-trends-from-gartner-r-cybersecurity-research/


Cybersecurity has never stood still — but in 2025, it’s not just evolving. It’s transforming.

Cybersecurity has entered a pivotal new phase. According to Gartner®, Top Trends in Cybersecurity for 2025, “Security and risk management (SRM) leaders must enable business value and double down on embedding organizational, personal and team resilience to prove security program effectiveness in 2025.”*

That’s not just a shift in tactics — it’s a mandate to rethink how security supports transformation, agility, and sustainability in a world that’s constantly changing. At Rapid7, we’re offering complimentary access to this Gartner research to help you explore what’s next and how to prepare.

Here are three trends that stand out for leaders aiming to build a more resilient, AI-ready security program in 2025.

AI Is Here to Stay — and It’s Tactical Now

Security teams are moving beyond the fascination phase with GenAI. Now, it’s about real use cases with measurable benefits. Gartner states:

“SRM leaders are learning from AI transformation pilots and refining their processes based on initial success in taking a more tactical approach to AI integration.”*

Rather than chasing sweeping AI promises, forward-looking teams are prioritizing specific, achievable objectives. This approach is helping reduce risk and maintain credibility by “delivering more incremental security benefits than myopically striving for hype-driven seismic change.”*

From documentation assistance to incident triage and threat analysis, AI is no longer an experiment — it’s becoming a reliable tool for making overburdened teams more effective.

Resilience Is the New North Star

According to Gartner, there is growing recognition that a “zero-tolerance for failure” mindset has reached the limit of what it can deliver in sustainable risk buy-down and now mainly increases the risk of security team burnout. In its place, we at Rapid7 see a rising focus on resilience, not just in infrastructure, but in people, processes, and culture. It’s a hard pivot for many security programs built on prevention and perimeter defense, but it’s overdue.

From board-level priorities to frontline operations, security is now recognized as a business enabler. And enabling business requires adaptability. That means investing in burnout prevention, embedding resilience in security culture, and measuring success not just by how few incidents occur, but how effectively teams recover and evolve from them​.

Gartner predicts that by 2027, CISOs investing in cybersecurity-specific personal resilience programming will see 50% less burnout-related attrition than peers who don’t​.

That’s not just a wellness metric. It’s a business continuity strategy.

Less Tool Sprawl, More Platform Power

Most security teams today are managing dozens of tools. But consolidation without strategy is risky. Gartner notes that “SRM leaders are shifting focus to tool optimization rather than vendor consolidation,” urging leaders to strike a balance between integration and effectiveness.

“Organizations are seeking to strike the right balance between consolidation of commodity capabilities and purchase of separate, differentiated products to address niche requirements,”* Gartner explains. The message is clear: platform thinking matters — but only when it enhances outcomes, not complexity.

That’s why at Rapid7, we’ve built the Command platform to deliver comprehensive visibility and control, integrating detection, response, and exposure management into a unified experience backed by expert services.

The Takeaway: Secure Transformation Starts With Trust

If there’s one unifying message in Top Trends in Cybersecurity for 2025, it’s this: transformation doesn’t have to come at the cost of control. AI doesn’t have to erode trust. Automation doesn’t have to sideline expertise. And resilience isn’t a soft goal — it’s the foundation of sustainable security.

By anchoring your program in clarity, resilience, and targeted innovation, you can move faster — and more confidently — than ever before.

Ready to see what’s ahead?

Access this complimentary Gartner research to explore trends shaping security in 2025 — and how to make them work for your team.

Gartner Top Trends in Cybersecurity for 2025, Richard Addiscott, et al., 12 December 2024 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Three Takeaways from the Gartner® Report: How to Grow Vulnerability Management Into Exposure Management

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/04/30/three-takeaways-from-the-gartner-r-report-how-to-grow-vulnerability-management-into-exposure-management/


Security leaders today face a harsh reality: traditional vulnerability management isn’t enough. Threat actors are evolving, attack surfaces are expanding, and organizations need a more proactive approach to stay ahead of risk. Latest research from Gartner, How to Grow Vulnerability Management Into Exposure Management, highlights the need for security teams to move beyond simply tracking vulnerabilities and embrace a more comprehensive approach to exposure management.

At Rapid7, we are excited to offer complimentary access to this report and share our three key takeaways to help you modernize your security strategy.

Takeaway 1: Vulnerability Lists Aren’t Enough—You Need Continuous Threat Exposure Management (CTEM)

Gartner states: “Creating prioritized lists of security vulnerabilities isn’t enough to cover all exposures or find actionable solutions. Security operations managers should go beyond vulnerability management and build a continuous threat exposure management program to more effectively scope and remediate exposures.”

CTEM shifts the focus from merely identifying vulnerabilities to understanding the full picture of organizational risk. Gartner frames it as a continuous five-stage cycle (scoping, discovery, prioritization, validation, and mobilization) that integrates asset visibility, business impact analysis, attack surface monitoring, and validation of security controls, so organizations can assess and reduce their true exposure to threats rather than work through a ranked list of CVEs.

Takeaway 2: Exposure Management Requires Business Context

One of the biggest challenges in vulnerability management today is that many security teams focus too much on discovering issues without evaluating their impact on the business. Gartner highlights the importance of integrating business context into security operations, stating that “adding a business context, such as asset value and impact of compromise, to exposure management activities can improve senior leadership engagement.”

By aligning security initiatives with business priorities, organizations can:

  • Focus on the vulnerabilities that pose the greatest risk to critical operations
  • Improve communication with senior leadership and stakeholders
  • Justify security investments with real business impact

Takeaway 3: Attack Surface Visibility Must Keep Up With Digital Evolution

Modern attack surfaces extend far beyond on-premises IT. The rise of cloud applications, IoT, supply chain dependencies, and remote work environments has dramatically increased the number of potential entry points for attackers. Gartner emphasizes that “current approaches to attack surface visibility are not keeping up with the rapid pace of digital evolution. Organizations must quickly reduce exposure to make their public-facing assets less visible and accessible.”

This means security teams need to enhance their discovery processes to:

  • Continuously monitor both their internal and external attack surface
  • Identify misconfigurations, exposed assets, emerging threats, and weak access controls (e.g., credentials, risky users)
  • Implement proactive security measures to reduce overall exposure

How Rapid7 Aligns with Gartner Exposure Management Vision

At Rapid7, we believe in empowering security teams with the tools and insights they need to shift from reactive vulnerability management to proactive exposure management. Our Exposure Management solution helps organizations:

  • Gain real-time visibility into evolving attack surfaces
  • Prioritize threats based on business impact and exploitability
  • Continuously validate security controls through adversarial exposure testing

As threats continue to evolve, organizations must rethink how they approach vulnerability management. Gartner research provides a roadmap for security leaders looking to implement a comprehensive exposure management strategy.

Download the full Gartner report today to learn how you can modernize your security program and stay ahead of threats.

Gartner, How to Grow Vulnerability Management Into Exposure Management, Mitchell Schneider, Jeremy D’Hoinne, Jonathan Nunez, Craig Lawson, 8 November 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Driving down MTTR with Remediation Hub, Available in Rapid7 Exposure Command

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/04/29/driving-down-mttr-with-remediation-hub-available-in-rapid7-exposure-command/


Co-authored by Peter Whibley, Ed Montgomery, and Joel Alcon

Technology innovation combined with the highly fragmented nature of today’s IT landscape means that vulnerabilities are being exploited faster and at greater scale than ever. Security teams contend with a daily surge of new threat actors and attack vectors. Without a unified view of assets, business context, and compensating controls, they waste weeks identifying which risks are truly critical.

Many organizations try to tackle this challenge by implementing exposure management  and risk-based vulnerability management (RBVM) approaches, where vulnerability data from various tools is consolidated into one dashboard. But many of these tools present risk scores without demonstrating a holistic view of the business impact of vulnerabilities, mitigating controls for endpoints, patch management status, and remediation steps.

Without that end-to-end context, security teams struggle to keep up with the volume of new vulnerabilities. The shortcomings of traditional vulnerability management, including RBVM, became more evident after February 2024, when NIST’s National Vulnerability Database (NVD) sharply slowed its enrichment of new CVEs, leaving many entries without a CVSS score or CPE data for weeks or months and forcing teams that prioritized purely on NVD scores to find other signals.

From chasing vulnerabilities, to proactively mitigating risk

Rapid7’s Remediation Hub enables security teams to go beyond simply identifying vulnerabilities and focus more on remediating risk. By augmenting vulnerability findings with business context, threat intelligence, and compensating controls, organizations gain a continuous, all-in-one view of how to detect and respond to risks across their enterprise. These new capabilities empower security teams to:

  1. Assess the impact of remediation steps. Reimagine your attack surface by viewing the number of vulnerabilities addressed by each remediation action.
  2. Prioritize remediation with confidence. Leverage dynamic, threat-aware risk scores to assess the criticality of issues and quickly go from vulnerability to action.
  3. Optimize risk mitigation. Accelerate risk response through streamlined remediation workflows.

Third-party vulnerability findings elevate risk remediation

Security teams leverage multiple vulnerability scanning tools for different parts of their infrastructure, including cloud environments, containers, web applications, and endpoints. Each tool reports findings in its own format and utilizes different scoring methods, making it difficult to get a clear, unified picture of an organization’s risk exposure.

By unifying this data into a centralized platform, security teams reduce unnecessary noise caused by redundant vulnerability findings, streamlining triage efforts, reducing silos, and driving faster, more informed remediation efforts.


Rapid7 Remediation Hub delivers this normalized view of third-party vulnerabilities, so teams stop wasting time chasing low-impact issues and stop overlooking high-severity threats. The solution takes this unified lens further via risk scores that combine these vulnerability findings with business context, helping security teams quickly identify the most critical vulnerabilities, allocate resources efficiently, and communicate risk more effectively to stakeholders. These capabilities not only boost operational efficiency but also strengthen an organization’s security posture.

Context-based visibility into endpoint protection and patch management

Context is an essential component of managing risk in today’s increasingly complex technology landscape. By solely relying on vulnerability scores without also understanding business impact or breach likelihood, security teams are left with a hazy, incomplete view of their attack surface.

Rapid7 Exposure Command empowers security teams to prioritize vulnerabilities based on attacker behavior, exploitability, and potential impact – all without the need to export data into separate security tools. Rapid7 delivers deep, multi-layered risk scores calculated from Rapid7 Labs’ threat intelligence, first-party scans, third-party vulnerability findings, and an organization’s unique mitigating controls. Furthermore, Remediation Hub is seamlessly integrated with Rapid7 Surface Command, arming security teams with a continuous view of the key mitigating controls on assets across the enterprise, including the endpoint protection and patch management in place.

  • Endpoint protection – Remediation Hub displays which assets have active endpoint protection and which protection type is on the asset. Filters let users home in on critical findings, such as assets that lack endpoint protection, and prioritize remediation via a risk-based approach that gives higher priority to those unprotected assets.
  • Patch management – Remediation Hub shows the patch management status of each asset, giving security teams a view of which assets can be patched by a patch management system. Users can filter on assets with vulnerabilities where no patching is active.

Faster risk response, fewer security silos

Security teams often operate in silos, with one team handling risk identification and another focused on remediation. For a sense of the expected pace: CISA’s Binding Operational Directive 19-02 requires federal civilian agencies to remediate critical vulnerabilities on internet-accessible systems within 15 calendar days of initial detection (and high-severity ones within 30). Hitting timelines like these requires tight collaboration between these disparate teams.

Unfortunately, because these groups operate with poorly integrated security tools, going from vulnerability finding to risk remediation can take months, with some vulnerabilities going unpatched for years. For instance, the 2024 Verizon Data Breach Investigations Report finds that it takes an estimated 55 days to remediate 50% of critical vulnerabilities once their patches are available.


Remediation Hub tackles this challenge with purpose-built SOAR integrations that help improve collaboration and drive down MTTR (mean time to remediate). The new capabilities automatically trigger remediation workflows, with notifications auto-generated and sent to adjacent teams responsible for implementing the recommended remediations.

For example, users can leverage Remediation Hub to automatically trigger a workflow in Jira or create an incident report in ServiceNow based on the severity or business impact of a vulnerability. Each workflow is fully customizable based on unique security thresholds.

Embracing faster, continuous exposure management

Organizations are rapidly transitioning from traditional vulnerability management to more continuous, exposure management approaches. Rapid7’s Remediation Hub – an integral component of the Exposure Command platform – empowers security teams to embrace the shift.

With a remediation-based approach to vulnerability management and risk reduction, organizations are taking command of their attack surface and discovering a simpler, more effective approach to managing and truly mitigating risk.

If you are interested in learning more about Remediation Hub and our Exposure Command platform, check out our Exposure Command product tour.

From Exposure to Assurance: Unified Remediation Across the Security Lifecycle

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/04/29/from-exposure-to-assurance-unified-remediation-across-the-security-lifecycle/


When it comes to defending your organization, every second counts. The time to detect, respond, and remediate is critical, but speed alone isn’t enough. Fragmentation across security tools, siloed teams, and manual workflows leaves organizations constantly reactive, overwhelmed by alerts, and at risk of breaches. Rapid7 is here to change that.

Organizations need solutions that unify their approach, streamline processes, and accelerate response times. Rapid7 delivers the industry’s broadest, most unified view of the attack and detection surface. Today, we’re thrilled to announce a series of strategic launches that further this integrated approach and deliver unified remediation across the full breach timeline, integrating proactive exposure management with intelligent detection and automated response. This comprehensive approach provides security teams with the precise tools and deep insights needed to effectively secure their organization and shift from proactively reducing vulnerabilities to swiftly resolving active threats.


Left of Boom: Proactive Exposure Remediation

The most effective security strategy begins before a breach ever happens. Rapid7’s Exposure Command directly addresses this gap, combining advanced risk-based vulnerability management (RBVM) with environmental context, threat intelligence, and native workflow automation.

Launching this week at RSA, we’re excited to announce a trio of updates to Remediation Hub aimed at helping organizations unify and modernize their vulnerability management programs:

  • Enhanced Automated Remediation Workflows: We’ve significantly expanded our workflow automation capabilities to streamline exposure remediation. Users can now easily launch both pre-built and fully customizable remediation workflows—including notifications, ticketing, and patch deployment—directly from the intuitive Remediation Hub interface. This seamless integration simplifies the remediation process, allowing teams to swiftly address vulnerabilities and maintain robust security hygiene.
  • Advanced Compensating Controls Assessment: Remediation Hub now provides comprehensive insights into existing compensating controls, empowering teams to deprioritize vulnerabilities that present minimal practical risk because of limited accessibility or exploitability, such as an asset with limited network reachability that is already running antivirus or behavior-based prevention. This visibility is particularly valuable for unpatchable workloads or for vulnerabilities where no patch or permanent fix is yet available. A control-based deprioritization lowers the likelihood of exploitation without removing the flaw, so it should be revisited if the control lapses or the asset’s exposure changes.
  • Expanded Third-Party Vulnerability Integration: Exposure Command has always integrated valuable telemetry from third-party vulnerability scanners such as Tenable, Qualys, and Wiz. Now, we’ve enhanced this capability by incorporating vulnerability findings and detailed risk scoring directly into the Remediation Hub. This allows vulnerabilities identified from any 3rd-party integration to be effectively prioritized using Active Risk assessments and effortlessly embedded into your team’s existing remediation and patch management workflows, streamlining vulnerability management across diverse scanning solutions.

With these new enhancements to Remediation Hub, security teams are empowered with a real-time, validated understanding of exposures enriched with business context, adversary intelligence, and insight into existing compensating controls, not just a list of CVEs. And because the Exposure Command platform brings together native scanning from Rapid7 and vulnerability findings from third-party tools, teams can prioritize vulnerabilities based on attacker behavior, exploitability, and potential impact without spending valuable time porting data into separate tools.

Instead of just alerting your team to a vulnerability, Exposure Command helps you own the risk conversation by aligning with the business on what matters most, what has already been addressed, and the path to closing any remaining gaps. Security teams no longer have to guess which vulnerabilities pose the most risk; they can remediate the right ones first and stop vulnerabilities from escalating into incidents.

Right of Boom: Intelligent Detection, Confident Response, and Financial Assurance

Despite best efforts, security incidents and breaches still happen. To limit their impact and the cost of remediation, security teams need rapid, intelligent response to an evolving incident: help prioritizing and triaging, automation that cuts the volume of investigations that need a human, and the ability to scale to the remediation work that follows. That is why Rapid7 is investing in post-event support, a significant shift in our capabilities to remediate malicious attacker behavior:

  • AI Triage and Transparency within InsightIDR: Rapid7 was a pioneer in AI development for security use cases, starting in our earliest days with our VM Expert System in the early 2000s. Since then, Rapid7 has integrated Generative AI into the Command Platform to supercharge SecOps and augment MDR services. This has culminated in Rapid7's AI-Assisted Triage, which distinguishes critical threats from benign alerts with a 99.89% accuracy rate. Without AI Alert Triage, SOC teams spend significant time manually evaluating and classifying alerts, which lengthens their exposure and adds to SOC inefficiency. With it, analysts can automatically focus limited security resources on legitimate threats and improve SOC performance.
  • Active Remediation with Velociraptor: The response capabilities of the Rapid7 SOC have expanded to include the swift and precise removal of malware and breach artifacts from impacted endpoints. This progression beyond remote containment and guided remediation represents a significant deepening of the MDR partnership between Rapid7 and customers. It relieves security teams not only from the burden of coordinating remediation actions with IT teams, but also helps preserve endpoint integrity, reduce downtime, and avoid unnecessary endpoint rebuilds. With real-time remediation capabilities, the Command Platform links actions directly back to known vulnerabilities, providing valuable context for future prevention and significantly shortening incident response cycles.
  • Breach Protection Warranty: Investing in security solutions is about more than technology and expert service delivery. It’s about guaranteed results and peace of mind. The Rapid7 SOC analyzes trillions of events each year, and 99.6% of MDR customers remain unaffected by ransomware. Recognizing this, and reinforcing our commitment to ensuring cybersecurity resilience, customers in our premium tier, Managed Threat Complete Ultimate, will now receive up to $1 million in breach-related financial coverage through our Breach Protection Warranty. This represents a tangible demonstration of our confidence in our solutions and our commitment to protecting your organization’s critical assets while also assuring you that, in the unlikely event of a compromise, we are right there by your side.

As our detection and response capabilities continue to expand, we’re pushing to deliver smarter, faster, and more complete security outcomes for our customers. With alert fatigue diminished through precise AI-Assisted Alert Triage, security analysts can spend more time on validated threats and strategic initiatives to enhance organizational posture. The expansion of Rapid7’s response workflow to include remediation redefines effective response while ensuring customer visibility and control. And now, our Breach Protection Warranty offers up to $1 million in breach-related financial coverage: we’re not just preventing and helping you recover from threats, we’re standing behind our ability to do so. Together, these capabilities mark a meaningful shift in how Rapid7 supports customers post-incident: with intelligence, speed, and confidence that extends all the way through recovery.

One Connected Journey, End-to-End

Cybersecurity incidents are complex, evolving threats requiring seamless integration of proactive and reactive security measures. Rapid7’s Command Platform bridges the traditional divides between proactive vulnerability management, intelligent threat detection, and automated incident remediation. With a unified, continuous security lifecycle, your organization can remain agile, informed, and resilient against emerging threats.

Take your cybersecurity posture to the next level. To see how Rapid7's unified remediation strategy delivers measurable results and helps secure your organization against breaches, learn more here.

Introducing Rapid7’s Exposure Assessment Platform Buyer’s Guide

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/04/28/introducing-rapid7s-exposure-assessment-platform-buyers-guide/

Cybersecurity threats are evolving at an unprecedented pace, making it imperative for organizations to stay ahead of attackers with proactive security measures. To help organizations navigate this rapidly changing threat landscape, we are excited to introduce the Exposure Assessment Platform (EAP) Buyer’s Guide. This comprehensive guide is designed to help security professionals understand the critical role of EAPs in modern security programs, evaluate potential solutions, and implement the right tool for their organization.

Why you need an EAP

Exposure Assessment Platforms (EAPs) continuously identify and prioritize exposures, such as vulnerabilities and misconfigurations, across a broad range of asset classes. EAPs go beyond traditional vulnerability management by offering real-time visibility into an organization’s entire IT environment, enabling security teams to proactively mitigate risks and prioritize remediation efforts effectively.

An EAP is a critical component of a Continuous Threat Exposure Management (CTEM) program. With this in mind, our buyer’s guide provides essential insights into:

  • The importance of EAPs in modern security strategies
  • How EAPs support a CTEM framework
  • Key criteria to consider when evaluating an EAP solution
  • Best practices for implementing continuous risk management

How to evaluate and find the right EAP

Not all EAPs are created equal. When assessing potential solutions, organizations should prioritize platforms that offer:

  • Comprehensive visibility across all digital assets, including cloud environments, third-party integrations, and IoT devices.
  • Real-time continuous monitoring to detect new vulnerabilities and attack vectors.
  • Advanced prioritization capabilities leveraging contextual risk scoring and attack path analysis.
  • Automated security testing and validation to assess real-world exploitability.
  • Seamless integration with existing security tools to enhance threat intelligence and remediation workflows.

How Rapid7’s EAP can help strengthen your security

For organizations looking to gain complete control over their attack surface, Rapid7’s Exposure Command offers unparalleled visibility and risk assessment capabilities. By aggregating insights from native exposure detection and third-party sources, Exposure Command enables security teams to:

  • Identify and prioritize vulnerabilities and misconfigurations based on real-world threat intelligence, reducing blind spots.
  • Integrate with existing security ecosystems, reducing operational overhead.
  • Increase ROI by tracking the impact of reducing risk exposure across the business in real time.

With Rapid7 Exposure Command, organizations can reduce manual efforts, optimize security workflows, and proactively mitigate risks before they escalate into breaches. And by leveraging the insights and best practices outlined in this guide, organizations can make informed decisions to enhance their security posture, mitigate risk, and stay ahead of emerging threats.

Download the Rapid7 EAP Buyer’s Guide.