// What is InsightVM?
Rapid7 InsightVM is a vulnerability management platform that continuously discovers, assesses, and prioritises vulnerabilities across your organisation's assets — on-premises, cloud, and remote endpoints. It is part of the Rapid7 Insight platform and integrates with other Rapid7 products such as InsightIDR (SIEM) and InsightConnect (SOAR).
Unlike a simple vulnerability scanner, InsightVM provides a live risk view of your environment. Rather than producing a static report once a week, it maintains an up-to-date picture of your attack surface by continuously pulling data from scan engines and agents.
InsightVM is the successor to Rapid7's older product Nexpose and runs on the same Security Console and scan engine. Nexpose references in documentation or community posts generally still apply to InsightVM.
// Architecture
Understanding how InsightVM is structured helps you make sense of the data it produces and troubleshoot scan issues when they arise.
Security Console
The on-premises web application (or a cloud VM you manage) where sites, scan templates, credentials and scan engines are configured and where scan results are stored. Pair it with the Insight Platform to push asset and vulnerability data to the cloud.
Insight Platform
Rapid7's cloud service. Hosts the cloud dashboards, Remediation Projects, Goals and SLAs, and the asset data shared with InsightIDR and InsightConnect. It does not replace the Security Console; the console remains the system of record for scan configuration.
Scan Engine
Performs network scanning against the targets in a site and reports results to the Security Console, not directly to the cloud. The console ships with a local engine; deploy additional distributed engines per network segment so each engine has direct reachability to what it scans.
Insight Agent
A lightweight agent installed on endpoints. It collects local data (installed software, patch level, configuration) and sends it to the Insight Platform, which feeds it to your console. Assessment does not depend on an engine having network access to the host, so it suits laptops and remote workers.
Collector
An on-premises relay (a component shared with InsightIDR) that agents can use as a proxy where endpoints are not permitted to reach the Insight Platform directly. Scan engines do not use it; they talk to the console.
Agent vs. Engine: Use agents for laptops and remote assets that move around. Use scan engines for servers, network devices, and infrastructure that stays on a fixed network segment. Many environments use both.
// Core Concepts
Before diving into scanning, it is worth getting familiar with InsightVM's terminology. These terms appear throughout the UI and documentation.
Sites
A Site is a logical grouping of assets that you want to scan together. You define the targets (IP ranges, hostnames, or asset groups), choose which scan engine to use, configure credentials, and set a scan schedule — all within a site.
Organise sites by network segment or business unit rather than dumping everything into one site. This makes scheduling, credentialing, and reporting much easier to manage.
Assets
An Asset is any discovered device: server, workstation, network device, cloud instance, or agent-managed endpoint. InsightVM fingerprints each asset (OS, services, installed software) and tracks its vulnerabilities over time. Assets are correlated across scans by hostname, MAC address and IP address (and by agent ID where an agent is installed), so a DHCP laptop that changes address is not recorded as a new asset.
Scan Templates
A Scan Template defines what a scan does: which vulnerability checks run, how assets are discovered (ICMP, TCP and UDP probes), which ports are covered and how aggressively to probe. Credentials are configured on the site, not in the template, so any template runs authenticated checks when the site has working credentials. Rapid7 ships several built-in templates:
Discovery Scan
Finds live assets only; no vulnerability checks. Fast. Good for building an inventory of what is on your network before running full assessments.
Full Audit
Comprehensive vulnerability checks across all services, including web spidering of discovered HTTP services (a "Full audit without Web Spider" variant exists for environments where spidering is unwanted). Slower but thorough. Use for scheduled weekly or monthly scans against known infrastructure.
Exhaustive
The most thorough template: every vulnerability and policy check across the full port range, safe checks only. Expect it to run for hours or days on large ranges, so use it selectively; combined with credentials it produces the most complete results.
CIS / DISA Policy Scans
Checks assets against configuration benchmarks such as the CIS Benchmarks or DISA STIGs. Useful if your organisation has compliance requirements.
Credentials
Authenticated scanning dramatically improves the quality of results. Without credentials, InsightVM can only see what is exposed over the network and must infer versions from banners. With credentials, it logs into the asset and checks patch levels, installed software, registry keys, and configuration, catching far more vulnerabilities with fewer false positives. After a scan, check the credential status per asset: a site that reports "credentials failed" for half its targets is effectively an unauthenticated scan for those hosts.
Scan credentials should be dedicated service accounts with the minimum privileges the checks need. On Windows, local checks generally require local administrator rights on the target, so grant that through a scoped group policy to a dedicated account rather than reusing a domain admin or shared admin account. Define credentials once as Shared Credentials on the console and assign them to sites, rather than re-entering them per site, and restrict them by host or port where the console allows it.
Asset Groups & Tags
Asset Groups let you slice your asset inventory for reporting and remediation, for example all assets in a specific subnet, all Windows servers, or all assets owned by a particular team. Static groups are fixed lists; dynamic groups are saved filters that re-evaluate as new scan data arrives, which is usually what you want. Tags are labels you apply to assets to add context: criticality, owner, location, or environment (prod/dev/test). Criticality tags feed the risk score, so set them deliberately.
// Risk Scoring
InsightVM shows two scores side by side for every vulnerability. Understanding both helps you prioritise effectively.
CVSS Score
The industry-standard Common Vulnerability Scoring System base score (InsightVM displays both v2 and v3 where available). Rates vulnerabilities from 0 to 10 on exploitability and impact metrics. It does not account for your environment or whether exploits exist in the wild.
Rapid7 Real Risk Score
Rapid7's proprietary score (0 to 1000 per vulnerability) that combines CVSS with exploit exposure (public exploits, Metasploit modules), malware-kit exposure and the age of the vulnerability, using Rapid7's own research data. Asset criticality tags then weight the resulting asset-level risk. More contextual than CVSS alone.
CVSS Severity Bands
| Score | Severity | Typical Response |
|---|---|---|
| 9.0 – 10.0 | Critical | Patch within 24–72 hours |
| 7.0 – 8.9 | High | Patch within 7 days |
| 4.0 – 6.9 | Medium | Patch within 30 days |
| 0.1 – 3.9 | Low | Patch in next maintenance window |
Do not rely on CVSS alone. A CVSS 9.0 vulnerability with no public exploit on an isolated internal asset may be lower priority than a CVSS 7.0 vulnerability with a Metasploit module on an internet-facing server. Use the Rapid7 risk score and real-world threat context to guide prioritisation.
// Setting Up a Scan
Here is the basic workflow for setting up your first scan in InsightVM. Everything below happens in the Security Console.
1. Create a site. Go to Sites and create a new site with a meaningful name (e.g. "Corp LAN - 10.0.1.0/24"). Add your target IP ranges, CIDR blocks or hostnames.
2. Pick a scan engine. Make sure the engine has network reachability to the target range and that intermediate firewalls allow it. If targets span multiple segments, you may need multiple engines.
3. Choose a template. For a first scan, Full Audit is a good starting point. Add credentials if available; results will be significantly more complete.
4. Set a schedule. Weekly is common for internal infrastructure. Pick scan windows that avoid business-critical hours on sensitive systems, and use the site's blackout periods for systems that must never be scanned at certain times.
5. Save and run. Start the scan manually or let the schedule trigger it. Monitor progress on the Scans page. Duration depends on the number of targets, the template, and whether credentials succeed.
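The same workflow can be driven through the Security Console's REST API, which is how most teams automate site creation once they have more than a handful of segments. The client below is an added example, not Rapid7's code or SDK. The endpoint paths, payload shapes and status strings follow the API v3 reference as I know it (POST /api/3/sites, POST /api/3/sites/{id}/site_credentials, POST /api/3/sites/{id}/scans, GET /api/3/scans/{id}); verify them against your own console's reference at https://<console>:3780/api/3/html before relying on them. The hostname, account names, engine ID and site name are placeholders.

```python
"""Added example: create a site, attach a dedicated scanning credential, start a
scan and wait for it, using the InsightVM Security Console API v3.

Endpoint paths and payload shapes are as I know them from the API v3 reference;
confirm them against your console. Hostnames, accounts and IDs are placeholders.
"""
import base64
import json
import ssl
import time
import urllib.request

# Scan states after which polling should stop (per the API's scan status values).
TERMINAL_STATUSES = {"finished", "stopped", "error", "aborted"}


class ConsoleClient:
    """Minimal Basic-auth client for the Security Console API."""

    def __init__(self, base_url, username, password, verify_tls=True, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._headers = {"Authorization": f"Basic {token}",
                         "Content-Type": "application/json",
                         "Accept": "application/json"}
        self._ctx = ssl.create_default_context()
        if not verify_tls:
            # Consoles often ship a self-signed certificate. Import or pin it instead
            # of disabling verification anywhere outside a lab.
            self._ctx.check_hostname = False
            self._ctx.verify_mode = ssl.CERT_NONE
        # transport(method, path, body) -> dict. Injectable so the workflow can be
        # exercised offline; the default does real HTTPS calls.
        self._transport = transport or self._http

    def _http(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self._headers, method=method)
        with urllib.request.urlopen(req, context=self._ctx, timeout=60) as resp:
            return json.loads(resp.read() or b"{}")

    def create_site(self, name, addresses, engine_id, template_id="full-audit", description=""):
        """Create a site scanning `addresses` (IPs, CIDRs, ranges or hostnames) with one engine."""
        payload = {
            "name": name,
            "description": description,
            "engineId": engine_id,
            "scanTemplateId": template_id,   # built-in template IDs: "discovery", "full-audit", ...
            "importance": "normal",
            "scan": {"assets": {"includedTargets": {"addresses": list(addresses)}}},
        }
        return self._transport("POST", "/api/3/sites", payload)["id"]

    def add_site_credential(self, site_id, name, service, username, password):
        """Attach a dedicated scanning account (service 'ssh', 'cifs', ...) to the site."""
        payload = {"name": name, "enabled": True,
                   "account": {"service": service, "username": username, "password": password}}
        return self._transport("POST", f"/api/3/sites/{site_id}/site_credentials", payload)["id"]

    def start_scan(self, site_id, scan_name):
        return self._transport("POST", f"/api/3/sites/{site_id}/scans", {"name": scan_name})["id"]

    def scan_status(self, scan_id):
        return self._transport("GET", f"/api/3/scans/{scan_id}")["status"]

    def wait_for_scan(self, scan_id, poll_seconds=30, max_polls=2880, sleep=time.sleep):
        """Poll until the scan reaches a terminal state; returns the final status."""
        status = None
        for _ in range(max_polls):
            status = self.scan_status(scan_id)
            if status in TERMINAL_STATUSES:
                return status
            sleep(poll_seconds)
        raise TimeoutError(f"scan {scan_id} still {status!r} after {max_polls} polls")


def run_first_scan(client, engine_id, sleep=time.sleep):
    """The workflow from the steps above: site -> credential -> scan -> wait."""
    site_id = client.create_site("Corp LAN - 10.0.1.0/24", ["10.0.1.0/24"], engine_id,
                                 template_id="full-audit")
    # Placeholder account: a dedicated, least-privilege scanning user, never a domain admin.
    client.add_site_credential(site_id, "linux-scan-svc", "ssh", "svc-insightvm", "REPLACE_ME")
    scan_id = client.start_scan(site_id, "Initial full audit")
    return site_id, scan_id, client.wait_for_scan(scan_id, sleep=sleep)


if __name__ == "__main__":
    c = ConsoleClient("https://console.example.internal:3780", "apiuser", "REPLACE_ME",
                      verify_tls=False)
    print(run_first_scan(c, engine_id=3))
```

The API user should be a dedicated console account with only the site and scan permissions it needs, and the password belongs in a secrets manager, not in the script; the `transport` hook is what lets the sequencing (create, credential, start, poll) be checked without a console.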
// Reading Scan Results
Once a scan completes, results are available immediately in the console. Here is where to look and what to pay attention to.
The Dashboard
The InsightVM home dashboard gives you a high-level risk posture view — total assets, total vulnerabilities broken down by severity, and your overall risk score trend over time. Use this to track whether your remediation efforts are actually moving the needle.
Vulnerability Details
Clicking into a vulnerability gives you:
Description & Impact
What the vulnerability is, what an attacker could do if they exploited it, and which CVE it maps to.
Solution
The specific remediation — usually a patch version number or configuration change. This is what you hand off to your patching team.
Exploits & Malware Kits
Whether a public exploit exists (and if it is in Metasploit). This is critical context for prioritisation — a vulnerability with a known working exploit needs faster attention.
Affected Assets
Every asset in your environment where this vulnerability was found. Use this to scope the remediation effort.
// Prioritising Remediation
A large organisation can have tens of thousands of vulnerabilities. You cannot fix everything at once — prioritisation is the core skill of vulnerability management.
The goal of vulnerability management is not zero vulnerabilities — it is managed risk. Focus effort where the potential impact is highest and the likelihood of exploitation is greatest.
A Practical Prioritisation Framework
1. Actively exploited first. Anything in CISA's Known Exploited Vulnerabilities (KEV) catalogue goes to the top of the queue regardless of CVSS score, followed by CVSS 9.0+ findings with a known public exploit or Metasploit module. Cross-reference KEV against your InsightVM findings manually or via an integration.
2. Weight by asset. A medium vulnerability on a public-facing server or a domain controller is higher priority than a critical vulnerability on an isolated dev machine. Tag your assets with criticality in InsightVM so the risk score reflects this.
3. Fix by patch, not by CVE. InsightVM can group vulnerabilities by the solution that closes them. Applying one patch that closes 30 vulnerabilities is one ticket, not 30.
4. Assign and track. Use InsightVM's Remediation Projects feature to assign vulnerability groups to owners, set due dates, and track progress. This creates accountability and gives you a clear view of what is in flight.
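The point made in the Risk Scoring section (a CVSS 7.0 with a Metasploit module on an internet-facing server outranks a CVSS 9.0 with no exploit on an isolated dev box) and the framework above can be made concrete as a small scoring pass. The code below is an added example, not InsightVM output or Rapid7's Real Risk formula: the findings, the KEV sample and the weights are constructed for illustration, and the CVE IDs of the form CVE-0000-000x are placeholders. In practice the findings would come from an InsightVM report or API export and the KEV set from CISA's published JSON feed.

```python
"""Added example: context-aware prioritisation of vulnerability findings.

Applies the signals discussed above (CVSS band, public exploit or Metasploit
module, CISA KEV membership, asset criticality and exposure) and then groups
the resulting work by the patch that closes each finding. Findings, KEV sample
and weights are constructed; this is not Rapid7's Real Risk formula.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of the CISA KEV catalogue (CVE IDs only). The real feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = {"CVE-2021-44228", "CVE-2017-0144"}

# Assumed multipliers for the asset's criticality tag. The exact weights are a
# policy choice; what matters is that a domain controller or public server
# outranks an isolated dev box at equal CVSS.
CRITICALITY_WEIGHT = {"very_high": 2.0, "high": 1.5, "medium": 1.0, "low": 0.7, "very_low": 0.5}
INTERNET_FACING_WEIGHT = 1.5
METASPLOIT_WEIGHT = 1.5       # packaged, working module: low attacker effort
PUBLIC_EXPLOIT_WEIGHT = 1.25  # proof of concept exists but no packaged module
KEV_BONUS = 100.0             # actively exploited: above anything not in KEV


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    solution: str            # InsightVM's "Solution" text: the patch or config change
    criticality: str = "medium"
    internet_facing: bool = False
    exploit_public: bool = False
    metasploit: bool = False


def cvss_band(score):
    """Severity band per the CVSS table above."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def priority_score(f, kev=KEV_SAMPLE):
    """Context-adjusted score; higher means fix sooner."""
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    if f.metasploit:
        score *= METASPLOIT_WEIGHT
    elif f.exploit_public:
        score *= PUBLIC_EXPLOIT_WEIGHT
    if f.cve in kev:
        score += KEV_BONUS  # KEV entries jump the queue regardless of CVSS
    return score


def rank(findings, kev=KEV_SAMPLE):
    """Findings ordered by adjusted priority, highest first (stable for ties)."""
    return sorted(findings, key=lambda f: priority_score(f, kev), reverse=True)


def group_by_solution(findings):
    """One remediation item per patch: solution -> sorted list of (asset, cve)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.solution].append((f.asset, f.cve))
    return {sol: sorted(pairs) for sol, pairs in groups.items()}


# Constructed findings illustrating the case made above (CVE-0000-* are placeholders).
SAMPLE = [
    Finding("CVE-0000-0001", "dev-test-07", 9.0, "Upgrade libfoo to 2.5", criticality="low"),
    Finding("CVE-0000-0002", "web-edge-01", 7.0, "Upgrade OpenSSH to 9.8", criticality="high",
            internet_facing=True, metasploit=True),
    Finding("CVE-0000-0002", "web-edge-02", 7.0, "Upgrade OpenSSH to 9.8", criticality="high",
            internet_facing=True, metasploit=True),
    Finding("CVE-0000-0003", "dc-01", 5.0, "Apply vendor patch KB-placeholder", criticality="very_high"),
    Finding("CVE-2021-44228", "app-int-03", 10.0, "Upgrade log4j to 2.17.1", metasploit=True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority_score(f):7.2f}  {cvss_band(f.cvss):8}  {f.asset:12}  {f.cve}")
    for sol, items in group_by_solution(SAMPLE).items():
        print(f"{sol}: {len(items)} finding(s)")
```

With these weights the KEV entry on an internal app server ranks first, the two internet-facing CVSS 7.0 findings with a Metasploit module come next and collapse into a single OpenSSH upgrade, the medium on the domain controller follows, and the CVSS 9.0 on the isolated dev box comes last. Tune the multipliers to your own environment; the structure (exploited first, then asset context, then group by patch) is the part worth keeping.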
// Key Takeaways
Authenticated scanning produces significantly more accurate results. Prioritise getting credentials set up early.
Tag your assets with criticality and ownership from day one. It makes prioritisation and reporting much easier later.
CVSS alone is not enough. Factor in exploit availability, asset criticality, and real-world threat data to prioritise effectively.
Vulnerability management is a team sport. Use Remediation Projects to assign ownership and track progress — the security team cannot patch everything alone.