Rapid7 Nexpose: Vulnerability management product overview

Ed Tittel examines Rapid7 Nexpose, a vulnerability management product for physical, virtual, cloud and mobile environments that discovers assets and scans for vulnerabilities.

Rapid7 was founded in 2000 and, over the years, has focused on security data and analytics technology, including vulnerability management, which helps organizations bolster their infosec posture. The company's product portfolio includes Nexpose, one of the oldest, most established vulnerability management products on the market and the focus of this article. Rapid7 also provides Metasploit for penetration testing, AppSpider for web application security scanning, UserInsight for intruder analytics, Logentries for advanced log management, as well as various professional services based on company products.


Nexpose works in physical, virtual, cloud and mobile environments to discover assets and scan for vulnerabilities and then prioritizes risks based on the exploitability of those vulnerabilities within an organization's environment. The product also prioritizes vulnerability patching and enables administrators to schedule scans and configure security alerts.

Nexpose includes a Live Monitoring feature that collects available data and converts it into action plans. The Advanced Exposure Analytics feature is designed to find and prioritize vulnerabilities that are most likely to be exploited first, which can save security managers from getting bogged down with too many security alerts. The Liveboards feature, meanwhile, is designed to replace static dashboard reports with constantly updated visual reporting. In addition, this year, Rapid7 introduced a Remediation Workflow feature for Nexpose that is designed to help security staff track, manage and analyze the progress of addressing those vulnerabilities in their organization.

Rapid7 adheres to a 24-hour vulnerability service-level agreement to supply Nexpose with current vulnerability definitions (also referred to as vulnerability signatures). Nexpose integrates seamlessly with Metasploit, which enables users to validate vulnerabilities by attempting to exploit them the way an attacker would.

Product versions

The Rapid7 Nexpose vulnerability management product comes in several editions with different deployment options:

  • Ultimate: Offered as a software product, virtual appliance, hardware appliance, private cloud or managed service; provides all of the features with an unlimited number of IP addresses, users and scan engines.
  • Enterprise: Offered as a software product, virtual appliance, hardware appliance, private cloud or managed service; designed for medium to large organizations, typically with security teams; is scalable and supports an unlimited number of IPs, users and scan engines.
  • Consultant: Offered as a software product or virtual appliance; designed for organizations that provide IT security consulting; installs on a single laptop, supports one scan engine and scans up to 1,024 IPs.
  • Express: Offered as a software product, virtual appliance or private cloud; designed for small organizations; supports one user, two scan engines and scans up to 1,024 IPs.
  • Community: Comes as a software product or a virtual appliance; one scan engine for a single user and scans up to 32 IPs.

All product editions include automatic vulnerability updates (including Microsoft Patch Tuesday vulnerability updates), exception management, dynamic asset groups and RealContext classification. Exception management allows an admin to remove vulnerabilities from a report and/or asset listing table and exclude them from risk score calculations. Dynamic asset groups are groups of assets that meet certain criteria; group membership changes automatically after a scan occurs or when a vulnerability exception is created. RealContext provides contextual business intelligence to help determine high-priority risks. Only the Ultimate and Enterprise editions include integrated vulnerability validation, mobile discovery and assessment, distributed scanning, hosted perimeter scanning (which requires an additional purchase) and user role customization.


Nexpose is known for its easy setup and configurability; the product is designed to be deployed within minutes, and it provides an intuitive web user interface. Administrators can view vulnerabilities by Common Vulnerability Scoring System score as well as by exploitable skill level, which is unique among vulnerability management vendors. The latter displays vulnerabilities categorized by the level of skill required to exploit them. Administrators can also run a plethora of reports, including those in support of regulatory compliance audits, from templates or customized settings.

Pricing, licensing and support

Nexpose Community is a free downloadable product. The Consultant edition requires the purchase of a subscription. Pricing and licensing for the Ultimate, Enterprise and Express editions are complex because of the various deployment formats in which they are available. For some perspective, Nexpose Express scanning up to 128 IPs costs about $2,000. Hardware appliances range in price from around $3,000 to $18,000, and management software adds to the package cost. A perpetual license is available for the Ultimate, Enterprise and Express editions.

Rapid7 basic support is available 24/7 via email, phone or web, and hardware appliances come with three-year warranties. Super Support gives customers a dedicated account manager (with daily interaction), a 90-minute service-level agreement, bi-annual system maintenance, emergency on-site support and more. The cost of Super Support varies based on customer environment size (number of IPs), but can cost over $20,000 for large organizations.

Rapid7 offers a free trial of Nexpose software, as well as a live demo of Nexpose Enterprise. The Nexpose installation, administrator's and user guides are freely available online, as are free tools, a searchable vulnerability database, webcasts, white papers, research reports and much more. Customers can also participate in Nexpose product training in a Rapid7 classroom, online or on site at the customer's location. Online courses last for two days and cost $2,000. Free webinars are available on the Rapid7 website.

Next Steps

In part one of this series, learn the basics of vulnerability management tools

In part two, read about enterprise use cases for vulnerability management

In part three, discover the purchasing criteria for vulnerability management tools

In part four, compare the leading vulnerability management products on the market
