
The End of the Road for Cisco Kenna: Take a Measured Path into Exposure Management

27 January 2026 at 09:09

Cisco’s announcement that it will sunset Cisco Vulnerability Management (Kenna) marks a clear inflection point for many security teams. With end-of-sale and end-of-life timelines now defined, and no replacement offering on the roadmap, Kenna customers face an unavoidable decision window. 

Beyond the practical need to replace a tool, Kenna’s exit raises a bigger question for security leaders: what should vulnerability management look like moving forward? 

Not just a tool change

For many organizations, Kenna wasn’t “just another scanner”. Before their acquisition by Cisco in 2021, Kenna Security helped pioneer a shift away from chasing raw CVSS scores and toward prioritization based on real-world risk, influencing how many teams approach risk-based vulnerability management. Security teams invested years building workflows, reporting, and executive trust around that model. 

That’s why this moment feels different. Replacing Kenna isn’t about checking a feature box; it’s about protecting the integrity of the progress teams have already made while using this moment to elevate programs past traditional vulnerability management.

Security leaders are rightly cautious. No one wants to: 

  • Rush into a short-term replacement instead of a platform that suits current and future needs

  • Trade proven prioritization for untested promises 

  • Disrupt remediation workflows that engineering teams finally trust 

At the same time, few teams believe traditional vulnerability management – isolated scanners, static scoring, endless ticket queues – is sufficient on its own anymore. 

So where does that leave you? 

“Risk-based vulnerability management is dead” doesn’t tell the full story

In response to Kenna’s end-of-life, much of the market has rushed to frame this as the end of risk-based vulnerability management (RBVM) altogether. The message is often loud and binary: RBVM is outdated, jump straight to exposure management.

In practice, that framing doesn’t match how security programs actually evolve. 

Most organizations are not abandoning vulnerability management. They are expanding it:

  • From on-prem to hybrid and cloud

  • From isolated findings to broader attack surface context 

  • From vulnerability lists to exposure-driven decisions 

  • From static to continuous

The mistake is assuming this evolution requires a hard reset, or that exposure management is completely separate and not part of that evolution.  

For CISOs and hands-on leaders alike, the smarter question is: how do we preserve what works today, while building toward what we know we’ll need tomorrow?

What Kenna customers should prioritize next 

As you evaluate what comes after Kenna, the right decision comes down to which platform can consistently deliver security outcomes and measurable risk reduction: 

Continuity without disruption

Your team already understands risk-based prioritization. The next platform should strengthen that muscle, not force you back to severity-only thinking or one-dimensional scoring models that ignore business context and threat intelligence. 

See risk clearly across on-prem, cloud, and external environments

Risk doesn’t live exclusively on-prem or in the cloud. Vulnerability data needs to reflect the reality of modern environments – endpoints, cloud workloads, external-facing assets – without fragmenting visibility. It needs to build on what teams already have by supporting findings from a broad range of existing tools and services, so risk can be understood in one place instead of scattered across platforms. 

Customizable remediation workflows

Prioritization only matters if it leads to action. Look for platforms that help security and IT teams collaborate, track ownership, and measure progress without creating more friction. 

A credible path forward

Exposure management is valuable only when it’s grounded in accurate data, operational context, and day-to-day usability. Security teams are already drowning in findings across tools, and without context that explains what matters and why, exposure management adds more noise instead of helping teams make decisions and reduce risk. That noise shows up in familiar ways: unreconciled duplicate findings, conflicting risk scores between tools, unclear ownership for remediation, and long lists of issues with no clear path to action.

Why this moment favors steady platforms, not big bets

Kenna’s exit creates pressure, but pressure shouldn’t drive risky or forced decisions. Security leaders are accountable not just for vision, but for outcomes, such as: 

  • Are we reducing real risk this quarter? 

  • Can we explain prioritization decisions to the board? 

  • Will this platform still support us two or three years from now? 

This is where vendor stability, roadmap clarity, and operational proof start to matter more than bold claims. 

The strongest next steps are coming from platforms that already deliver visibility across hybrid environments, mature, threat-informed vulnerability prioritization, and integrated remediation workflows that teams actually use. From there, exposure management becomes an evolution, not a leap of faith. 

A measured path forward

Kenna’s EOL doesn’t signal the end of risk-based vulnerability management. It signals that security programs are ready to expect more from it. For security leaders this is an opportunity to reaffirm what has worked in your program, close real visibility and workflow gaps, and choose a platform that supports both near-term continuity and long-term growth.

The goal isn’t to chase the next trend. It’s to make a confident, practical decision – one that protects today’s outcomes while positioning your team for what’s next. 

Looking ahead

If you’re navigating what comes after Cisco Kenna, the most important step is understanding your options early, before timelines force rushed decisions. Explore what a confident transition can look like and how teams are approaching continuity today while preparing for exposure management tomorrow. 

Explore a confident path forward.

Reducing Cloud Chaos: Rapid7 Partners with ARMO to Deliver Cloud Runtime Security

14 January 2026 at 09:00

Rapid7 has partnered with ARMO, a leader in cloud infrastructure and application security based on runtime data, to offer Cloud Runtime Security. The new offering, currently in beta, extends our vulnerability and exposure management solution, Exposure Command, into the moment where cloud risk becomes real: while applications and workloads are running. The solution does this with several differentiators that map directly to what security leaders need most: signal accuracy and response speed.

Introducing Rapid7 Cloud Runtime Security

Rapid7 Cloud Runtime Security combines kernel-level observability with AI-powered behavioral analysis to create a continuous, threat-aware defense layer within all cloud environments. 

The solution provides:

  • AI-driven behavioral baselines for container activity. Because services, teams, and software releases create constant change, static policies can quickly become irrelevant and overly noisy. Cloud runtime security augmented by AI helps establish a behavioral baseline of what “normal” looks like for workload activity. This baseline becomes the standard for identifying deviations that indicate active exploits. This becomes even more critical for AI workloads in which runtime is the only place to understand behavior. 

  • Root-cause in every risk finding. When a threat is detected, the platform does not just create noise by firing an alert. Instead, it reconstructs the entire event with root-cause insights by linking application-layer activity (like a SQL injection) to infrastructure-level changes (like a container escape). It also provides a natural-language narrative of the attack, showing exactly what happened, which credentials were used, and which resources were accessed.

  • Connected dots across the entire cloud ecosystem. Rapid7 Cloud Runtime displays the entire attack story, from cloud and Kubernetes events and cluster APIs, to container and workload processes and individual lines of code. Instead of sifting through siloed, disparate security tools that each present different alerts, teams gain a single source of objective truth for faster forensic analysis.

  • Deep application-layer visibility. Instantly detect and respond to common attacks, including SQL injection, command injection, local file inclusion (LFI), and server-side request forgery (SSRF), that regular endpoint detection and response (EDR) tools overlook because their visibility is limited to the host and process level.

  • Orchestrated automated response to detected anomalies. Detection is only part of the full battle. Speed is the difference between a contained event and a disruptive, expensive data breach. The solution automatically terminates malicious processes, pauses compromised containers, isolates namespaces, or blocks egress to prevent an attacker’s lateral movement.

Rapid7 Cloud Runtime Security enables orchestrated automated response when anomalies are detected, enabling teams to quickly mobilize and contain threats. 

Security amidst the chaos

Chaos is the natural state of cloud environments, where instances frequently shut down and containers constantly change. In these environments, chaos isn't a deficiency, but an inherent characteristic of distributed systems. Containers spin up and down constantly, deployments change multiple times per day, images get rebuilt and redeployed, identities and permissions drift, and workloads inherit misconfigurations at scale.

Traditional vulnerability management (VM) was designed to protect static, on-prem technology architectures. Periodic scans, CVSS scores, and reactive patching have been effective here, but point-in-time snapshots and reactive remediation strategies collapse in dynamic, highly-distributed cloud environments for the following reasons:

  • Blind spots. Ephemeral cloud resources can spin up, perform a task, and disappear in minutes. If a vulnerable container exists for only 10 minutes between scheduled scans, traditional VM tools will miss it and an automated attacker script will find and exploit it in seconds.

  • Missing context. Network scanners find CVEs, but they often lack contextual awareness. For instance, a ‘critical’ vulnerability may represent a low risk in a library that exists on an isolated container with no internet access. Conversely, a ‘medium’ vulnerability on a public-facing server with an over-privileged IAM role can be a catastrophic exploit.

  • Misconfigurations. In the cloud, vulnerabilities can live in unpatched software, but they also arise from misconfigured systems. Consider a fully patched server that is compromised because of an open S3 bucket or a broad IAM policy. According to Gartner, “through 2026, nonpatchable attack surfaces will grow from less than 10% to more than half of the enterprise’s total exposure, reducing the impact of automated remediation practices.” [1]

  • AI-driven complexity. AI is accelerating innovation cycles, and as organizations push out more code, AI has introduced several new dimensions to the attack surface. These can include vulnerabilities that trick LLMs into revealing sensitive data or bypassing security controls.

The new baseline for modern cloud security

As modern cloud environments are constantly changing, security teams need to know in real time when exposures become active threats. Rather than toiling over a ‘high’ or ‘critical’ vulnerability, they prioritize remediation actions based on the paths that lead to compromise. This is because a vulnerability can become a critical exposure when the conditions around it make it reachable, exploitable, and high impact. Savvy security teams use exposure management solutions to assess whether they are likely to get compromised, then lean on cloud runtime platforms to identify, in real time, whether they are actively compromised. As a result, the best security programs now run on a “two-engine” model:

  • Predictive and preemptive with exposure management. This risk-forecasting layer discovers, prioritizes, and guides action on the exposures most likely to lead to material impact. Organizations utilize exposure management solutions to identify which exposures should be addressed first, the shortest paths to breach, and the remediation activities that most reduce risk.

  • Real-time and proactive with runtime security. This threat-reality layer detects anomalous behavior as it happens and supports immediate containment actions. Organizations use runtime security solutions to assess whether an exposure is actively being exploited, the configuration changes that may have led to the exposure, and the actions that need to be taken to contain the threat.

On their own, each part of the engine is valuable, but exposure management without runtime can cause teams to overlook active threats; runtime without exposure context can drown teams in noisy alerts. Together, these solutions enable teams to prioritize what matters most and respond instantly when it becomes active.

Visit our cloud security pages to learn more about how Rapid7 empowers teams to proactively manage risk, accelerate DevSecOps, and enforce compliance across multi-cloud environments.

[1] Gartner, Predicts 2023: Enterprises Must Expand From Threat to Exposure Management, Jeremy D'Hoinne, Pete Shoard, Mitchell Schneider, John Watts, December 2022

What’s New in Rapid7 Products & Services: H2 2025 in Review

29 December 2025 at 09:57

Over the last six months we’ve delivered significant advancements across the Command Platform and received recognition as a Leader in Exposure Management and Managed Detection and Response (MDR) analyst reports. From launching new AI-driven capabilities - including our new next-gen SIEM Incident Command - to introducing real-time visibility into organizational risk with enhanced dashboarding, we continued to innovate in ways that support faster, more confident decision making. Explore the highlights of what we’ve been up to below.

Exposure Management: Prioritize risk across your attack surface

Rapid7 named a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms

Rapid7 was recognized as a Leader in the inaugural 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this reflects our ability to help customers continuously understand, prioritize, and reduce risk across their hybrid environments. Exposure Command brings unified visibility, attacker-aware prioritization, and guided remediation together in one platform, enabling teams to make faster, more confident decisions with validated, business-aligned risk insights. Check out our recent blog post to learn more.

Remediate vulnerabilities faster with AI-generated Risk Intelligence

Prioritizing remediation is difficult when teams are flooded with CVEs and lack actionable context about real-world risk. We introduced AI-generated risk intelligence within Remediation Hub to help teams focus on the vulnerabilities that matter most and drive faster, more consistent risk reduction by distilling exploitability, business impact, toxic combinations, and patchability into clear summaries and guided actions. Check out our recent blog post to learn more.

AI-generated Remediation Summary in Remediation Hub

Gain real-time visibility and communicate progress with the Exposure Management Dashboard

To effectively plan, track, and communicate exposure reduction, teams need a clear, real-time view of their security posture. The new Exposure Management Dashboard provides this view with an at-a-glance snapshot of asset coverage, exposure trends, and remediation progress — ideal for quarterly planning cycles and board-level reporting. Exportable views make it easy to justify investment decisions, demonstrate measurable improvements, and show how tool consolidation is strengthening your security program. Learn more in our recent blog.

Exposure Management Dashboard, built to give you a real-time view of organizational risk

Validate real cloud exposures with Public Exposure Validation

When cloud configurations drift or controls degrade, it’s critical to know which assets are actually exposed to the public internet. Public Exposure Validation confirms externally reachable cloud resources using real external scans, reducing noise and eliminating theoretical findings.

Teams gain clearer visibility into true attack paths, shorten investigation cycles, and validate that remediation efforts are closing real gaps. This strengthens their posture with evidence, not assumptions. Learn more in our recent blog.

Keep external visibility accurate with Dynamic EASM Discovery

Accurate external discovery depends on seeds that reflect what’s truly exposed. But static seed lists can quickly become outdated. Dynamic EASM Discovery continuously pulls domains and public IP ranges from authoritative sources such as MarkMonitor, NetBox, and Rapid7 AppSec, ensuring your discovery scope stays current without manual upkeep.

This eliminates blind spots, keeps external inventories aligned with real-world change, and strengthens CTEM outcomes by grounding scope, discovery, and prioritization in real-time data rather than spreadsheets. See our recent blog on Dynamic EASM Discovery to learn more.

Detection and Response: Transform your SOC operations

Rapid7 named a Leader in the 2025 Frost Radar™ for Managed Detection and Response

In addition to being named a Leader in Exposure Assessment, we’re proud to share that Frost & Sullivan has recognized Rapid7 as a Leader in the 2025 Frost Radar™ for MDR, based on innovation and growth in a field of 120 evaluated vendors. The report highlights:

  • Rapid7’s AI-driven triage accuracy of 99.93%, which helps security teams close benign alerts and reclaim 200+ SOC hours per week

  • Our unified platform combining MDR with exposure management, threat hunting, and active remediation

  • 180+ third-party integrations across endpoint, network, cloud, and identity

This recognition reinforces Rapid7’s commitment to proactive, outcome-driven security and delivering continuous innovation, transparent AI, and measurable value to customers. Learn more.

IDC publishes its Business Value of Rapid7 MDR Study

IDC recently published its Business Value of Rapid7 MDR study, highlighting how customers can achieve a 422% three-year ROI, a 5-month payback period, and an impressive range of additional security outcomes delivered through Rapid7 Managed Detection and Response. The study found that Rapid7 MDR significantly reduced the chances of major security incidents and improved the speed to identify threats for customers – translating to both risk reduction and cost savings. Learn more about the study in our blog or download the full report.

New third party event sources available for Rapid7 SOC management

For organizations to stay secure, they need visibility across their entire attack surface. With recent third party event source expansions, our Rapid7 SOC can now manage PAN Cortex XDR, Okta Identity, and Google Security Command Center alerts as a part of our MDR and Managed Threat Complete offerings. This reinforces our defense-in-depth approach, in which Rapid7 collects, correlates, and maps native and third party telemetry to the MITRE ATT&CK framework, providing expanded visibility and greater protection across your entire attack surface. Learn more about SOC-supported third-party event sources here.

Introducing Incident Command

In July we announced our new AI-powered, next-gen SIEM, Incident Command. Designed to transform how security teams manage investigations and response, Incident Command automates manual tasks and guides analysts through complex workflows — accelerating triage, providing real-time recommended actions, and unifying critical context across alerts and incidents. 

Backed with generative AI, our next-gen SIEM helps teams reduce mean time to respond (MTTR), improve consistency, and scale security operations without adding headcount. Learn more about what Incident Command can do for your team here.

The Incident Command Home Page brings critical SOC analyst tools together into a singular, actionable view

Rapid7 recognized for the 7th consecutive year in Gartner® Magic Quadrant™ for SIEM

Rapid7 has been recognized in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM), proof of our continued focus on helping security teams work smarter, respond faster, and stay ahead of evolving threats. This year’s report explores how SIEMs are transforming to meet the demands of modern, hybrid environments with greater automation, stronger analytics, and improved efficiency across security operations. We believe our inclusion underscores our commitment to delivering speed, transparency, and extensibility with our next-gen SIEM. Read the report for more insights.

InsightGovCloud: Trusted security for federal agencies

Rapid7 achieves FedRAMP authorization for InsightGovCloud platform

Our achievement of FedRAMP Authorization to Operate (ATO) underscores our commitment to delivering secure, trusted cloud security solutions for federal agencies. The InsightGovCloud Platform provides government customers with vetted capabilities for vulnerability management, cloud security posture, and threat detection, meeting the rigorous standards required to protect sensitive federal environments, while enabling faster, more efficient security operations. Learn more.

Rapid7 Labs: Uplevel your defenses with our latest cybersecurity intelligence and research findings

New research: Q3 2025 Threat Landscape Report

Our Threat Landscape Report provides an analysis of global adversary behavior drawn from Rapid7’s MDR operations, vulnerability intelligence, and threat research. Our latest Q3 2025 report outlines key trends that are shaping today’s threat environment - including AI-assisted attacks and the rapid operationalization of new vulnerabilities - offering clear guidance to help security teams anticipate emerging risks and strengthen defenses in an increasingly fast-evolving landscape. Read the report here.

Emergent threat response: Real-time guidance for critical threats

Rapid7’s Emergent Threat Response (ETR) program from Rapid7 Labs delivers fast, expert analysis and first-rate security content for the highest-priority security threats. In H2 2025, Rapid7’s ETR team provided expert analysis, content, and mitigation guidance for a variety of notable vulnerabilities, including:

Follow along here to see the latest emergent threat guidance from our team.

Technical assessments of CVEs in AttackerKB

Rapid7 researchers also publish additional vulnerability assessments in AttackerKB to help customers and the community understand and prioritize notable CVEs. Notable contributions from the back-half of 2025 include: 

Stay tuned for more!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

Rapid7 Named a Leader in the 2025 Gartner Exposure Assessment Platform Magic Quadrant

13 November 2025 at 11:55

We’re proud to share that Rapid7 has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this recognition underscores our commitment to redefining security operations by embedding continuous, business-aligned exposure management into the core of modern defense strategies.

Our approach: Exposure Command at the core

At the root of Rapid7’s leadership is Exposure Command, our unified exposure management solution, underpinned by complete attack surface visibility, threat-informed risk assessment and integrated automated remediation capabilities.

Key capabilities highlighted in the report include:

  • Unified visibility across environments: Broad attack surface visibility with native support across hybrid infrastructure including on-prem, cloud, containers, and IoT/OT, alongside extensive integrations with third-party security and ITOps tools.

  • Threat-validated prioritization: Prioritization enhanced with real-world exploit intelligence, plus continuous red teaming and ad-hoc penetration testing through comprehensive managed services.

  • Comprehensive, AI-driven remediation: Prebuilt workflows and playbooks, intelligent automation, and dynamic persona-centric reporting.

Why exposure assessment matters more than ever

The security landscape has fundamentally changed. Traditional vulnerability management, largely centered around point-in-time scans and CVSS scores, can no longer keep pace with the dynamic, hybrid environments that define today’s enterprise. Organizations face an ever-expanding attack surface across cloud, on-prem, SaaS, and OT environments while regulations continue to evolve.

This means the scope of IT and security leaders has expanded dramatically, from tech-centric systems management and patching to a core pillar of the business at large. As a result, exposure management is no longer about finding more; it’s about finding what matters and acting on it decisively. This aligns directly with Gartner’s CTEM model, which calls for a continuous, outcome-focused cycle of scoping, prioritization, validation, and mobilization.

Why CTEM + EAP are the future of risk reduction

CTEM isn’t just a buzzword and a new acronym; it’s the next evolution of proactive security, acknowledging a core truth: no organization can patch everything, nor should they try.

The goal is validated exposure reduction through five stages:

  1. Business-aligned scoping (e.g., revenue-generating services, critical data systems)

  2. Cross-domain discovery (cloud, identity, SaaS, on-prem, OT)

  3. Threat-informed prioritization with real-world intelligence

  4. Validation via attack-path modeling or adversary emulation (e.g., PTaaS, BAS, AEV)

  5. Mobilization through integrated, repeatable remediation workflows

Gartner suggests CTEM is a way to translate technical vulnerabilities into business-relevant risks and mobilize cross-functional teams in response. EAPs, which Gartner defines as platforms that continuously identify and prioritize exposures across all environments with business and threat context, provide the operational foundation for CTEM.

CTEM 5-Step Cycle

Rapid7’s EAP capabilities allow teams to operationalize CTEM by translating technical findings into business-relevant risk and enabling cross-functional response, bridging the gap between posture and business continuity.

Looking ahead

As exposure management evolves from a siloed security function to an operational imperative, Rapid7 will continue to lead with innovation, transparency, and a relentless focus on customer outcomes. We believe our position as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms is not just a recognition of the work we’ve done but a signal to the market of what’s next. Click here to download the full Report.

Rapid7 Extends AWS Hosting Capability with India Region Launch

3 November 2025 at 11:00

We are delighted to announce that Rapid7 has launched a new Amazon Web Services (AWS) cloud region in India with the API name ap-south-2.

This follows an announcement in March 2025, when Rapid7 announced plans for expansion in India, including the opening of a new Global Capability Center (GCC) in Pune to serve as an innovation hub and Security Operations Center (SOC).

The GCC opened in April 2025, quickly followed by dedicated events in the country, to demonstrate our commitment to our partners and customers in the region. Three Security Day events took place in May, in Mumbai, Delhi, and Bangalore. These events brought together key stakeholders from the world of commerce, academia, and government to explore our advancements in Continuous Threat Exposure Management (CTEM) and Managed Extended Detection and Response (MXDR).

“Expanding into India is a critical step in accelerating Rapid7’s investments in security operations leadership and customer-centric innovation,” said Corey Thomas, chairman and CEO of Rapid7. “Innovation thrives when multi-dimensional teams come together to solve complex challenges, and this new hub strengthens our ability to deliver the most adaptive, predictive, and responsive cybersecurity solutions to customers worldwide. Establishing a security operations center in Pune also enhances our ability to scale threat detection and response globally while connecting the exceptional technical talent in the region to impactful career opportunities. We are excited to grow a world-class team in India that will play a pivotal role in shaping the future of cybersecurity.”

Rapid7 expands to 8 AWS platform regions

Today, Rapid7 operates in eight platform regions (us-east-1, us-east-2, us-west-1, ap-northeast-1, ap-southeast-2, ca-central-1, eu-central-1, govcloud).

These regions allow our customers to meet their data sovereignty requirements by choosing where their sensitive security data is hosted. We have extended this capability to ap-south-2 and me-central-1 to process additional data and serve more customers with region requirements we have not previously been able to meet.

What this means for Rapid7 customers in India

This gives our customers in India the ability to access and store data in the India region for our Exposure Management product family.


Exposure Command combines complete attack surface visibility with high-fidelity risk context and insight into your organization’s security posture, aggregating findings from both Rapid7’s native exposure detection capabilities and the third-party exposure and enrichment sources you already have in place, allowing you to:

  • Extend risk coverage to cloud environments with real-time agentless assessment

  • Zero-in on exposures and vulnerabilities with threat-aware risk context

  • Continuously assess your attack surface, validate exposures, and receive actionable remediation guidance

  • Efficiently operationalize your exposure management program and automate enforcement of security and compliance policies with native, no-code automation

Learn more about Exposure Command.


Figure 1: Exposure Command Remediation Hub
