Rapid7 Helps Lower Your Cost to Assurance for HITRUST

Organizations across regulated sectors are under growing pressure to prove their security readiness. At the same time, traditional assurance approaches rely on periodic audits and manual evidence collection. These activities take time, strain staff, and often fall out of date as environments evolve.

To help close this gap, Rapid7 has partnered with HITRUST to bring automated evidence collection and continuous validation of security controls to customers who follow HITRUST frameworks. This partnership builds on existing capabilities in the Rapid7 Command Platform and creates a more efficient path for organizations that need to demonstrate strong and reliable assurance.

Rapid7 achieves this by leveraging our native telemetry and extensive support for third-party data sources. The Rapid7 Command Platform has visibility into vulnerabilities, exposures, configurations, identities, threat detections, IT context and more, the very same datasets that make up the evidence for technical compliance controls. This means that Rapid7, as a security operations platform, not only implements those controls but can also help customers prove them, lowering their cost to certification. This is accomplished through automated evidence collection and continuous controls monitoring from Surface Command, which can detect issues such as compliance drift.

Figure: HITRUST e1 Dashboard Example

To explain how Rapid7 can help customers demonstrate assurance against HITRUST and its several levels of assurance, we first provide a brief background on HITRUST.

The importance of HITRUST

HITRUST offers one of the most comprehensive cybersecurity assurance programs for risk, security, and compliance. Its framework is informed by more than 60 standards and is continuously updated based on active threats and risk thresholds. This helps close the gap between traditional checkbox compliance and the realities of modern risk.

HITRUST has developed an all-encompassing compliance framework, a framework of frameworks, if you will. It is the only compliance framework that is actively updated based on the latest attacker behavior and security threats, meaning it can further close the gap between checkbox compliance and actual risk reduction. It offers a portfolio of assessments and certifications that validate the security of systems, data, and environments. HITRUST currently cites a 99.41% breach-free rate for organizations that hold a HITRUST certification. This alone is a very compelling statistic, yet there is another area of differentiation worth mentioning: HITRUST assessors are entirely independent from the HITRUST organization. This independence provides organizations with a consistent and transparent way to validate their control performance. Achieving HITRUST assurance also extends coverage across several major frameworks, including ISO/IEC 27001, NIST CSF, HIPAA, and GDPR. This helps teams streamline overlapping requirements while working within a single, structured model.

What is HITRUST assurance?

Assurance, as HITRUST defines it, is a token of trust that HITRUST grants to organizations that have completed the assurance process. A control set must meet two main requirements to be trustworthy:

  1. The control set has to be relevant, e.g. informed by the latest attacker behavior.

  2. The control set has to be reliable and transparent, with an open scoring system and an independent assessor network.

Customers are assessed by an independent network of HITRUST assessors (e.g. audit firms) to evaluate whether they meet the requirements of the HITRUST framework, which provides several levels of controls based on the size, sector, and risk profile of the organization. HITRUST provides a free CSF framework that has been downloaded by over 35,000 organizations. The r2 certification has been around the longest, for around 10 years, and is the most rigorous. There is a newer certification called e1, an entry-level control set that helps customers get started and is seeing the majority of adoption by new HITRUST customers.

The e1 currently has over 40 technical controls to adhere to, and the r2 combines the control set from i1 (over 100 controls) with a per-customer set of controls based on the specific risk to that business. This means that no two r2 assessments are the same, highlighting another key differentiator of HITRUST that goes beyond the check-the-box, minimum viable security approach to compliance.

Lastly, HITRUST frameworks are typically updated quarterly, leveraging the latest research on threats and industry best practices. While keeping up with these updates can be challenging for customers that have not adopted automated evidence collection, it ensures that HITRUST provides a high-quality, risk-informed framework that drives meaningful security outcomes.

How the Rapid7 partnership strengthens assurance programs

Rapid7’s Surface Command provides customers with a complete internal and external view of their attack surface, including vulnerabilities, misconfigurations, assets, and exposure data. With this new integration, the platform can now collect, map, and validate technical controls against HITRUST requirements using the same datasets security teams rely on for day-to-day operations.

This automated approach supports several outcomes featured in the press release:

  • Continuous compliance visibility: The Command Platform assesses environments for control drift based on HITRUST requirements, which are updated in response to emerging threats.

  • Proactive risk mitigation: Customers can connect vulnerability and exposure insights with HITRUST controls to address areas that matter most.

  • Lower audit burden: Continuous validation reduces manual evidence collection and helps narrow audit scope to the areas that require attention.

  • Support for cyber insurance: Demonstrating consistent control performance can help organizations show strong risk management practices to insurers.

  • Lower costs: By reducing manual work and helping teams focus on priority controls, organizations can minimize the resource-intensive process associated with traditional assurance cycles.

To summarize, the Rapid7 Command Platform can map and monitor technical controls to HITRUST e1, i1 and r2, and by sampling them continuously, Rapid7 can detect control drift and identify areas that need attention, lowering the need for an expensive, comprehensive assessment. We can now help customers focus on remediating what needs attention and enable their assessors to examine only those areas that need addressing, instead of the full scope, ultimately saving costs during the evidence collection and assurance process.

Moving from periodic audits to continuous assurance

Surface Command, Rapid7’s attack surface management (ASM) solution, provides our customers with a unified, continuously updated view of all assets and exposures in their organization through a combination of Rapid7 and third-party security data. Today’s security programs need approaches that keep pace with real threats and regulatory expectations. By pairing Rapid7’s visibility into security controls with HITRUST’s structured and independently assessed framework, customers can shift from point-in-time checks to a continuous, evidence-based view of their cybersecurity posture.

This partnership helps teams maintain confidence in their control performance, reduce evidence decay, and communicate program health more effectively to leadership and stakeholders.

Figure: HITRUST e1 Dashboard Example

Navigating AWS Migration: Achieving Clarity and Confidence

Migrating workloads to Amazon Web Services (AWS) represents a significant strategic opportunity, enabling greater agility, scalability, and potential for innovation. But undertaking this transition without a comprehensive strategy for visibility and security can introduce unforeseen risks, operational delays, and challenges in managing the new cloud environment effectively. A critical aspect often overlooked is the discovery and protection of sensitive data as it moves to and resides within the cloud, demanding specific attention.

Addressing security proactively is not merely a technical requirement: it functions as a crucial enabler, allowing organizations to fully realize the strategic benefits of the cloud without being hindered by security roadblocks or compliance failures.

Furthermore, bringing sensitive data protection into focus early connects the technical migration process directly to significant business risks, such as regulatory non-compliance and the potential impact of data breaches, underscoring the importance of robust security solutions for confidently realizing cloud benefits.

Integrating security across the migration lifecycle

A successful and secure migration is not achieved by treating security as an afterthought. Security considerations must be integrated throughout the entire migration lifecycle – from the initial assessment of the current environment, through mobilizing resources and establishing the cloud foundation, to the final migration and modernization phases.

Cloud migration typically involves distinct stages:

  1. Assess: Evaluating the current state, identifying assets, and understanding existing risks.
  2. Mobilize: Preparing resources and establishing a secure cloud foundation or landing zone in AWS.
  3. Migrate and modernize: Transferring workloads and potentially optimizing them for the cloud environment.

Addressing security continuously across these stages helps prevent costly delays and rework often associated with late-stage security implementations. Effective tooling and methodology are essential here.

Rapid7’s security platform is designed to support organizations through this journey, providing the necessary visibility, risk context, and security controls for a smoother transition to AWS. The platform unifies critical capabilities, aiming to provide a 360° view of the attack surface and streamlining security operations across hybrid environments.

Improving migration efficiency through unified security

Efficiency is paramount across migration phases to maintain project velocity without compromising security. Managing multiple disparate tools can impede progress and obscure visibility. Rapid7 helps streamline critical activities by unifying essential capabilities within its Command Platform:

  • Asset Discovery: Identify every vulnerable device and weak identity across your environment with comprehensive attack surface management.
  • Risk-based prioritization: Incorporate business context, third-party vulnerability findings, and threat intelligence into how you assess risk to improve your cloud security posture and protect cloud workloads.
  • Proactive remediation: Customize remediation workflows to seamlessly orchestrate and automatically respond to any vulnerability.

This integrated approach offers advantages beyond simplified tool management, potentially leading to richer context through data correlation and more effective prioritization.

During assessment

Comprehensive planning requires a complete asset inventory. Surface Command accelerates the initial assessment phase through rapid, comprehensive asset discovery across internal and external inventories, including cloud environments like AWS. This helps to eliminate blind spots and identify all assets, including potentially unsecured systems, before they are considered for migration.

Subsequently, Exposure Command builds upon this asset foundation, adding vulnerability data and risk scoring to identify critical weaknesses in on-premises systems slated for migration. It enables teams to focus remediation efforts effectively by prioritizing vulnerabilities based on threat-aware risk context before these systems move to the cloud.

During mobilize and migrate and modernize

In these intensive phases, Exposure Command ensures the AWS landing zone and core services are configured securely according to organizational policies and industry best practices (e.g., CIS Benchmarks) through its Cloud-Native Application Protection Platform (CNAPP) capabilities, while providing ongoing monitoring for misconfigurations. It also plays a critical role in managing cloud permissions by analyzing identities and access rights to help enforce least-privilege access models.

As workloads are deployed, it offers vulnerability management tailored for cloud assets, including container security. Concurrently, InsightConnect reduces the manual workload associated with security tasks. As a SOAR solution, it utilizes numerous plugins to automate repetitive processes like configuration validation, vulnerability enrichment, or initiating remediation workflows. This automation frees up valuable security and IT resources, helping maintain project velocity.

Enhancing risk management: Before, during, and after migration

Migrating to the cloud should not involve transferring existing on-premises security risks or inadvertently creating new ones in the AWS environment. Proactive risk management, integrated throughout the migration lifecycle, is essential.

  • Before migration: Surface Command's ability to discover known and unknown assets provides a foundational inventory, helping prevent the migration of forgotten or unsecured systems. Concurrently, Exposure Command's vulnerability management capabilities allow organizations to identify and address critical weaknesses in on-premises systems targeted for migration, leveraging threat-aware risk scoring to prioritize remediation efforts before these systems enter the cloud.
  • During migration (mobilize and migrate phases): As the AWS environment is established and workloads deployed, Exposure Command ensures secure configuration and detects drift. Its capabilities aid in managing cloud permissions and enforcing least privilege. Critically, Exposure Command integrates sensitive data discovery capabilities, leveraging technologies like InsightCloudSec or ingesting findings from services such as Amazon Macie. This provides visibility into the location of sensitive data within AWS. This data-centric context is incorporated into Exposure Command's risk analysis, including attack path analysis, allowing teams to prioritize threats based on the potential business impact of compromised sensitive information.
  • During and after migration (modernization and ongoing operations): In modern cloud environments utilizing CI/CD pipelines, Exposure Command supports a proactive DevSecOps approach. By integrating security checks directly into the development lifecycle—scanning container images and validating Infrastructure-as-Code (IaC) templates—organizations can identify and fix security flaws before deployment to AWS. This "shift-left" strategy, facilitated by integrations with CI/CD platforms, significantly reduces the risk of introducing vulnerabilities into the production AWS environment and embeds security into cloud operations.

Building confidence through visibility, control, and automation

Achieving efficiency and robust risk management culminates in greater organizational confidence throughout the migration process and into ongoing cloud operations. Access to accurate, comprehensive data on assets and their associated vulnerabilities and risks allows for more informed, data-driven migration planning.

This comprehensive approach enables organizations to:

  • Move beyond simple lift-and-shift approaches, using security posture data to strategically decide which workloads to migrate, identify necessary pre-migration remediation, and design secure target architectures in AWS.
  • Validate the security posture of the foundational AWS environment with Exposure Command providing assurance before large-scale workload migration commences.
  • Benefit from consolidated visibility and reporting through dashboards and features like Executive Risk View, offering stakeholders clear insights into the security status and risk landscape. This capability translates technical findings into business-relevant risk information to foster broader confidence.
  • Leverage integrated detection and automatic response capabilities post-migration to ensure the security team can manage potential threats effectively in the new AWS environment.

This level of comprehensive visibility and control replaces uncertainty with operational readiness.

Achieving a secure and confident AWS transition

The transition to AWS offers substantial benefits in terms of agility, scalability, and innovation. However, realizing these benefits securely requires navigating the inherent complexities of migration and cloud operations.

Rapid7’s integrated solutions (Surface Command for foundational visibility and Exposure Command for comprehensive risk management across vulnerabilities, cloud workloads, sensitive data, and CI/CD pipelines) provide the unified capabilities needed to manage the cloud journey efficiently and securely.

By delivering clarity and control across the entire migration lifecycle and into ongoing operations, the platform helps organizations manage the complexity of cloud security, enabling them to migrate to and operate within AWS with confidence.

Gain complete visibility for your AWS migration. Start your Surface Command free trial today.