ICYMI: Experts on Experts – Season One Roundup

3 February 2026 at 09:23

In 2025, we launched Experts on Experts: Commanding Perspectives as a pilot video series designed to spotlight the ideas shaping cybersecurity, directly from the people driving them. Over five episodes, Rapid7 leaders shared short, candid conversations on topics like agentic AI, MDR ROI, cybercrime-as-a-service, and policy in practice. With Season Two launching soon, now is the perfect time to revisit the first run of expert conversations that started it all. 

Each episode is now embedded in its supporting blog on rapid7.com, making it even easier to watch, read, and share. Here's your full recap of Season One.

Ep 1: What Happens When Agentic AIs Talk to Each Other?

Guest: Laura Ellis, VP of Data & AI

Agentic AI was one of the most talked-about themes of the year, but few tackled it with the clarity and urgency Laura Ellis brought to this episode. From governance models to inter-agent deception, the conversation explores how AI systems can interact in unpredictable ways. Laura shares her perspective on keeping humans at the helm, how to contain agent behavior in real-world infrastructure, and what’s realistic for security teams today. The episode came from a LinkedIn conversation about autonomy, oversight, and the potential for agent-to-agent manipulation, and answered a lot of questions. If you’re curious about how AI moves from experiment to ecosystem, this is a great place to start.

[Read and watch]

Ep 2: What MDR ROI Really Looks Like

Guest: Jon Hencinski, VP of Detection & Response

In this open and honest conversation, Jon Hencinski takes us inside the modern SOC to show what strong managed detection and response really looks like. From coverage and telemetry to analyst training and noise reduction, the episode walks through the building blocks of a high-performing MDR program. Jon speaks directly to security leaders and decision-makers, breaking down which metrics matter most, how to measure confidence in your provider, and why speed is still the differentiator. If you’re evaluating MDR partners or trying to articulate the value of your program internally, this episode offers a practical benchmark. It also pairs well with Rapid7’s IDC report on MDR business value, which (Spoiler Alert) found a 422% three-year ROI and payback in under six months.

[Read and watch]

Ep 3: The Business of Cybercrime

Guest: Raj Samani, SVP and Chief Scientist

Cybercrime is no longer just a threat, it’s an economy. In this episode, Raj Samani unpacks the business model behind ransomware, initial access brokers, and affiliate operations. He shares his view on how cybercriminals are scaling operations like startups, what security teams can do to map that behavior, and why understanding the economy of access is key to disruption. It’s an insightful look at how attacker innovation is outpacing the traditional response, and what needs to change. Raj also reflects on the blurred lines between opportunistic access and long-tail ransomware campaigns, and how buyers on the dark web shape the threat landscape. This conversation is especially useful for defenders who want to think more strategically about adversaries and the systems that support them.

[Read and watch]

Ep 4: What SOC Teams Are Doing Differently in 2025

Guest: Steve Edwards, Director of Threat Intelligence and Detection Engineering

This episode walks through the key findings of Rapid7’s IDC study on the business value of MDR and brings them to life through real-world SOC operations. Steve Edwards shares how telemetry access changes the game, what true coverage looks like in practice, and why teams are shifting away from reactive models to faster, context-rich detection. You’ll hear what happens in the first 24 to 48 hours of incident response and how Rapid7’s no-cap IR model improves confidence during high-pressure moments. Steve also breaks down how teams are using MITRE ATT&CK mapping to prioritize security investments and measure response maturity over time. For security leaders and buyers evaluating managed services, this conversation offers a clear, practical lens on what a successful MDR program looks like from a security and business perspective.

[Read and watch]

Ep 5: Policy to Practice - What Cyber Resilience Really Takes

Guest: Sabeen Malik, VP of Global Government Affairs and Public Policy

With new regulations emerging across the globe, it’s easy to confuse compliance with resilience. In this episode, Sabeen Malik unpacks what it takes to bridge that gap. She talks through disclosure laws, geopolitical tension, and the difficulty of turning policy into something operators can act on. Sabeen brings both policy expertise and operational realism, making the case that cybersecurity regulation needs to be built for the real world, not for a checklist. She also explores the cultural side of risk, including how insider threats and trust-based frameworks play into resilience planning. If your organization is tracking regulatory changes or working toward a more mature security posture, this episode offers a smart lens on where policy can help, and how to overcome its shortfalls.

[Read and watch]

Rapid7 MDR Integrates Microsoft Defender Signals to Create Tangible Security Outcomes

21 January 2026 at 09:00

Organizations increasingly rely on Microsoft as their foundational productivity and security technology provider. As these environments grow in scale and complexity, security leaders are responsible for operationalizing the vast signals traversing their Microsoft stack in order to anticipate and preempt threats. At the same time, those efforts must deliver measurable security outcomes and clear return on investment.

If you’re reading this, you already know what’s at stake. But I’ll say it louder for the folks in the back: As more of your environment consolidates onto Microsoft, the attack surface evolves – and without fully operationalizing that ecosystem, risk grows alongside it.

We are excited to announce the availability of Rapid7 MDR for Microsoft – a preemptive threat detection, investigation, and response service that brings together Rapid7’s global SOC, our market-leading SIEM technology, and deeper bi-directional Microsoft Defender integrations. The service helps security and IT teams maximize their investments, reduce cost and complexity, respond decisively to threats, and improve their security posture and resilience.

Extend the power of your stack

Microsoft Defender provides broad visibility across modern environments – from endpoint and identity to cloud and email. That visibility puts many organizations on a fine line: for some security teams it means rich, actionable insight, while for others it means overwhelming signal volume and missed alerts. Rapid7 helps organizations build a clear picture from that rich telemetry by bringing these Microsoft signals together with our native telemetry. And by incorporating exposure and asset risk directly into investigations, our SOC is empowered to anticipate likely breach paths and intervene earlier in the attack lifecycle. Combining your Microsoft security stack with our preemptive MDR ultimately helps you:

  • Anticipate attacks before they start
  • Respond with certainty across the full attack lifecycle
  • Strengthen resilience through partnership
  • Get better outcomes from Microsoft - not overhead

Capabilities that drive real-world outcomes

Leaning into Rapid7’s proven record as a leader in managed detection and response, MDR for Microsoft combines powerful AI-SOC technology with expert human service delivery to help Microsoft-centric organizations achieve measurable security outcomes. In IDC’s recent Business Value of Rapid7 MDR study, customers achieved a 422% three-year ROI, identified threats 87% faster, and reduced the likelihood of a major security event by 54%. MDR for Microsoft delivers these same results through capabilities designed to operationalize and protect Microsoft environments at scale, including:

  • Risk-aware analysis that stops attacks earlier: By pairing enterprise vulnerability risk management with analysis of live threat activity, the service preemptively identifies the attack paths most likely to be exploited – empowering efficient analyst evaluation with a clear understanding of underlying asset context.

  • Dedicated cybersecurity advisor extends your team: Your advisor leverages their practitioner experience to provide regular threat briefings, environment-hardening advice, program governance, and health checks – helping drive long-term maturity without adding headcount.

  • Decisive response backed by deep forensics and unlimited IR: Remote containment, endpoint forensics powered by our open-source DFIR framework – Velociraptor – and unlimited incident response ensure threats are stopped quickly, and fully investigated and neutralized before our team rests.

  • Unlimited log ingestion delivers predictable value: Remove SIEM cost constraints and ensure complete visibility so investigations are never limited by data volume or surprise overage fees.

  • Bi-Directional Defender integration that reduces friction: Endpoint alerts and analyst actions stay synchronized between Rapid7 and Microsoft consoles, keeping systems aligned while laying the foundation for broader integrations across additional Microsoft security vectors.

  • Always-on, expert-led SOC coverage: Our 24x7x365 global SOC continuously monitors and investigates activity across Microsoft and non-Microsoft environments, ensuring threats are identified and acted on as soon as they emerge.

  • Full transparency into SOC activity and outcomes: With direct access to the SIEM and investigation workflows, your team can ride sidecar on investigations, run your own queries, upskill internal teams, and clearly see the outcomes being delivered by the Rapid7 SOC over time.

Additional value-drivers included in the service are unlimited SOAR automation, standard 13-month data retention with the ability to extend, proactive threat hunting, and AI-assisted investigation workflows, delivering a comprehensive MDR experience that scales with your environment and outpaces attackers.

Make the most of Microsoft Defender with Rapid7

As Microsoft continues to serve as the backbone of modern environments, the ability to translate security signals into consistent action becomes increasingly critical. MDR for Microsoft is designed to help security leaders move confidently from visibility to outcomes – pairing the strength of Microsoft Defender with Rapid7’s proven expertise, preemptive risk-awareness, and resilience-building capabilities. The result is a security program that not only sees more, but responds faster, operates with greater confidence, and proves its value as environments continue to scale.

If you’d like to see how MDR for Microsoft can help you operationalize your Microsoft security stack, request a demo or reach out to your Rapid7 account team to continue the conversation.

What’s New in Rapid7 Products & Services: H2 2025 in Review

29 December 2025 at 09:57

Over the last six months we’ve delivered significant advancements across the Command Platform and received recognition as a Leader in Exposure Management and Managed Detection and Response (MDR) analyst reports. From launching new AI-driven capabilities - including our new next-gen SIEM, Incident Command - to introducing real-time visibility into organizational risk with enhanced dashboarding, we continued to innovate in ways that support faster, more confident decision making. Explore the highlights of what we’ve been up to below.

Exposure Management: Prioritize risk across your attack surface

Rapid7 named a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms

Rapid7 was recognized as a Leader in the inaugural 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this reflects our ability to help customers continuously understand, prioritize, and reduce risk across their hybrid environments. Exposure Command brings unified visibility, attacker-aware prioritization, and guided remediation together in one platform, enabling teams to make faster, more confident decisions with validated, business-aligned risk insights. Check out our recent blog post to learn more.

Remediate vulnerabilities faster with AI-generated Risk Intelligence

Prioritizing remediation is difficult when teams are flooded with CVEs and lack actionable context about real-world risk. We introduced AI-generated risk intelligence within Remediation Hub to help teams focus on the vulnerabilities that matter most and drive faster, more consistent risk reduction by distilling exploitability, business impact, toxic combinations, and patchability into clear summaries and guided actions. Check out our recent blog post to learn more.

[Image: AI-generated Remediation Summary in Remediation Hub]

Gain real-time visibility and communicate progress with the Exposure Management Dashboard

To effectively plan, track, and communicate exposure reduction, teams need a clear, real-time view of their security posture. The new Exposure Management Dashboard provides this view with an at-a-glance snapshot of asset coverage, exposure trends, and remediation progress — ideal for quarterly planning cycles and board-level reporting. Exportable views make it easy to justify investment decisions, demonstrate measurable improvements, and show how tool consolidation is strengthening your security program. Learn more in our recent blog.

[Image: Exposure Management Dashboard, built to give you a real-time view of organizational risk]

Validate real cloud exposures with Public Exposure Validation

When cloud configurations drift or controls degrade, it’s critical to know which assets are actually exposed to the public internet. Public Exposure Validation confirms externally reachable cloud resources using real external scans, reducing noise and eliminating theoretical findings.

Teams gain clearer visibility into true attack paths, shorten investigation cycles, and validate that remediation efforts are closing real gaps. This strengthens their posture with evidence, not assumptions. Learn more in our recent blog.

Keep external visibility accurate with Dynamic EASM Discovery

Accurate external discovery depends on seeds that reflect what’s truly exposed. But static seed lists can quickly become outdated. Dynamic EASM Discovery continuously pulls domains and public IP ranges from authoritative sources such as MarkMonitor, NetBox, and Rapid7 AppSec, ensuring your discovery scope stays current without manual upkeep.

This eliminates blind spots, keeps external inventories aligned with real-world change, and strengthens CTEM outcomes by grounding scope, discovery, and prioritization in real-time data rather than spreadsheets. See our recent blog on Dynamic EASM Discovery to learn more.

Detection and Response: Transform your SOC operations

Rapid7 named a Leader in the 2025 Frost Radar™ for Managed Detection and Response

In addition to being named a Leader in Exposure Assessment, we’re proud to share that we have also received this recognition for Managed Detection and Response: Frost & Sullivan recognized Rapid7 as a Leader in the 2025 Frost Radar™ for MDR, based on innovation and growth in a field of 120 evaluated vendors. The report highlights:

  • Rapid7’s AI-driven triage accuracy of 99.93%, which helps security teams close benign alerts and reclaim 200+ SOC hours per week

  • Our unified platform combining MDR with exposure management, threat hunting, and active remediation

  • 180+ third-party integrations across endpoint, network, cloud, and identity

This recognition reinforces Rapid7’s commitment to proactive, outcome-driven security and delivering continuous innovation, transparent AI, and measurable value to customers. Learn more.

IDC publishes its Business Value of Rapid7 MDR Study

IDC recently published its Business Value of Rapid7 MDR study, highlighting how customers can achieve a 422% three-year ROI, a 5-month payback period, and an impressive range of additional security outcomes delivered through Rapid7 Managed Detection and Response. The study found that Rapid7 MDR significantly reduced the chances of major security incidents and improved the speed to identify threats for customers – translating to both risk reduction and cost savings. Learn more about the study in our blog or download the full report.

New third-party event sources available for Rapid7 SOC management

For organizations to stay secure, they need visibility across their entire attack surface. With recent third-party event source expansions, our Rapid7 SOC can now manage PAN Cortex XDR, Okta Identity, and Google Security Command Center alerts as a part of our MDR and Managed Threat Complete offerings. This reinforces our defense-in-depth approach, in which Rapid7 collects, correlates, and maps native and third-party telemetry to the MITRE ATT&CK framework, providing expanded visibility and greater protection across your entire attack surface. Learn more about SOC-supported third-party event sources here.

Introducing Incident Command

In July we announced our new AI-powered, next-gen SIEM, Incident Command. Designed to transform how security teams manage investigations and response, Incident Command automates manual tasks and guides analysts through complex workflows — accelerating triage, providing real-time recommended actions, and unifying critical context across alerts and incidents. 

Backed with generative AI, our next-gen SIEM helps teams reduce mean time to respond (MTTR), improve consistency, and scale security operations without adding headcount. Learn more about what Incident Command can do for your team here.

[Image: The Incident Command Home Page brings critical SOC analyst tools together into a singular, actionable view]

Rapid7 recognized for the 7th consecutive year in Gartner® Magic Quadrant™ for SIEM

Rapid7 has been recognized in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM), proof of our continued focus on helping security teams work smarter, respond faster, and stay ahead of evolving threats. This year’s report explores how SIEMs are transforming to meet the demands of modern, hybrid environments with greater automation, stronger analytics, and improved efficiency across security operations. We believe our inclusion underscores our commitment to delivering speed, transparency, and extensibility with our next-gen SIEM. Read the report for more insights.

InsightGovCloud: Trusted security for federal agencies

Rapid7 achieves FedRAMP authorization for InsightGovCloud platform

Our achievement of FedRAMP Authorization to Operate (ATO) underscores our commitment to delivering secure, trusted cloud security solutions for federal agencies. The InsightGovCloud Platform provides government customers with vetted capabilities for vulnerability management, cloud security posture, and threat detection, meeting the rigorous standards required to protect sensitive federal environments, while enabling faster, more efficient security operations. Learn more.

Rapid7 Labs: Uplevel your defenses with our latest cybersecurity intelligence and research findings

New research: Q3 2025 Threat Landscape Report

Our Threat Landscape Report provides an analysis of global adversary behavior drawn from Rapid7’s MDR operations, vulnerability intelligence, and threat research. Our latest Q3 2025 report outlines key trends that are shaping today’s threat environment - including AI-assisted attacks and the rapid operationalization of new vulnerabilities - offering clear guidance to help security teams anticipate emerging risks and strengthen defenses in an increasingly fast-evolving landscape. Read the report here.

Emergent threat response: Real-time guidance for critical threats

Rapid7’s Emergent Threat Response (ETR) program from Rapid7 Labs delivers fast, expert analysis and first-rate security content for the highest-priority security threats. In H2 2025, Rapid7’s ETR team provided expert analysis, content, and mitigation guidance for a variety of notable vulnerabilities, including:

Follow along here to see the latest emergent threat guidance from our team.

Technical assessments of CVEs in AttackerKB

Rapid7 researchers also publish additional vulnerability assessments in AttackerKB to help customers and the community understand and prioritize notable CVEs. Notable contributions from the back half of 2025 include:

Stay tuned for more!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

Protecting What Powers Business: Rapid7 and Microsoft Partner to Simplify Security

10 November 2025 at 09:00

Across industries, Microsoft is everywhere. It powers productivity, collaboration, and security through Defender, Sentinel, Entra, and the broader Microsoft ecosystem that underpins how modern organizations operate.

As organizations deepen their Microsoft investments, there’s an even greater opportunity to strengthen and simplify threat detection and response. Microsoft delivers powerful visibility and security insights across user identities, endpoints, and cloud workloads, but security teams often need help bringing those capabilities together with the rest of their environment to ensure that data, detections, and decisions that drive their threat detection and response program align seamlessly. 

That’s where Rapid7 comes in.

A shared vision for simplified, unified security

We’re excited to announce the launch of an expanded partnership between Rapid7 and Microsoft, focused on helping organizations fully realize the potential of their Microsoft security investments. Together, we’re building a unified approach to threat detection and response that combines Microsoft’s ecosystem and scale with Rapid7’s AI-native security operations platform and decades of SOC expertise.

Our shared goal: help customers protect their businesses with clarity, speed, and confidence.

For many organizations, Microsoft is the backbone of their IT and security programs. But it’s only one part of a larger, interconnected environment. Security leaders need a way to bring Microsoft Defender, Sentinel, and Entra data into context with the rest of their infrastructure, cloud, and SaaS investments. Rapid7 helps make that possible by connecting Microsoft’s advanced telemetry and analytics with broader visibility and context into all security data, automation, and 24/7 expert-led managed operations.

We’ve long incorporated deep Microsoft visibility across the Command Platform, integrating with tools across different use cases, such as attack surface management, exposure management, cloud security, and application security. This foundation already allows us to correlate insights across on-premises and cloud environments, including Active Directory, Azure, and Microsoft 365 – providing outcomes across endpoints, workloads, and applications. These capabilities unify context from more than a dozen different Microsoft and Azure tools, giving customers a complete picture of risk across their environment. 

This partnership combines Microsoft Defender’s signal depth with Rapid7’s threat intelligence, automation, and human-led operations to deliver complete visibility and coordinated response across your environment – from Microsoft to everything it touches.

This means:

  • Unified security operations managed for you: Rapid7 delivers 24x7 monitoring, investigation, and response across Microsoft and non-Microsoft environments, combining Defender insights with our own detection and response workflows to act quickly on what matters most.

  • Faster, smarter response: AI-driven correlation and human-led expertise reduce alert noise and accelerate containment when threats arise.

  • Simplified, predictable operations: Our managed detection and response (MDR) service removes ingestion complexity so you can focus on security outcomes.

  • Transparency and trust: Built in through seamless integration with the Microsoft consoles security teams already use.

A foundation for what’s next

Over the coming months, we'll introduce new capabilities that make it easier for customers to operationalize Microsoft security within the Rapid7 ecosystem, including unified MDR coverage across the Defender products that protect the key vectors of endpoint, identity, cloud, and email.

These enhancements will enable organizations to not only respond to Microsoft-based threats faster but also proactively reduce risk across their entire environment through unified detection, investigation, and response.

We’re excited for this next step in advancing our MDR services to meet Microsoft customers where they are and maximize their investments with comprehensive visibility, faster response, and measurable security outcomes.

We’ll be releasing more information soon. In the meantime, learn more about Rapid7’s leading MDR service here.

MDR ROI, Proven Outcomes, and What Security Leaders Need to Ask For

6 November 2025 at 08:55

Cybersecurity ROI is notoriously difficult to define, but not impossible.

In this Experts on Experts: Commanding Perspectives episode, Craig Adams chats with Steve Edwards, Director of Threat Intelligence & Detection Engineering, about what customers really get from Rapid7 MDR and how to think more clearly about value.

They cut through buzzwords and talk real-world outcomes: visibility, consolidation, faster response, and trust.

What ROI really looks like

As Steve explains, the ROI conversation starts with confidence. Once customers know they can trust the MDR team to cut through noise and take action, the benefits snowball, from reduced false positives to better visibility and smarter spend.

The IDC study highlighted a 422% ROI over three years. But the real signal is what teams can do with the time and clarity they gain.

To bring these numbers into your own context, you can use the Rapid7 MDR ROI Calculator - simply plug in your own parameters and apply IDC’s methodology to estimate your unique return. Try the ROI Calculator!

Telemetry without tradeoffs

Craig and Steve also dig into one of the biggest detection challenges today: partial visibility. Many orgs still pay by the log, creating disincentives for full data ingestion. MDR’s all-in access model helps customers detect threats earlier and act faster, without needing to triage upstream data decisions.

MITRE mapping makes it click

One of the most actionable insights? MITRE mapping. Steve talks about how customers are using visual coverage data to pinpoint gaps and prioritize onboarding new tech, or building compensating controls.

No-cap incident response

They also walk through what happens during the first 24 to 48 hours of an incident, and why having no cap on IR hours means Rapid7 can stay involved from containment to eradication.

Ready to dive in?

Watch the full episode here
Explore Rapid7's full ROI analysis

Missed our earlier episodes?
Catch up on Episode 1 with Laura Ellis on agentic AI and system governance [here], Episode 2 with Jon Hencinski on MDR strategy and SOC readiness [here], and Episode 3 with Raj Samani on cybercrime-as-a-service [here].