<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"
   version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title><![CDATA[ Managed Detection and Response (MDR) - Rapid7 Cybersecurity Blog ]]></title>
    <description><![CDATA[Rapid7 transforms data into insight, empowering security professionals to progress and protect their organizations.]]></description>
    <link>https://www.rapid7.com/blog/</link>
    <image>
      <url>https://blog.rapid7.com/favicon.png</url>
      <title>Rapid7 Cybersecurity Blog</title>
      <link>https://www.rapid7.com/blog/</link>
    </image>
    <lastBuildDate>Fri, 26 Jun 2026 01:17:30 GMT</lastBuildDate>
    <atom:link href="https://www.rapid7.com/tag/mdr-managed-detection-response/rss" rel="self" type="application/rss+xml" />
    <ttl>60</ttl>
    <item>
      <title><![CDATA[How the “Swiss Cheese” model can help you choose the right MDR provider]]></title>
      <description><![CDATA[<p>Not all managed detection and response (MDR) solutions are equal. Finding the differences between vendors can be quite hard, and understanding how those differences impact your business can be even harder. For instance, you may come across an MDR provider whose pricing is based on how much data you ingest rather than the number of assets you protect.</p><p>Ingestion-based solutions have the potential to be more cost effective if you're selective about what security telemetry you ingest – but then who analyzes the impact of the logs you're leaving out until they're needed?</p><p>Or, consider an MDR solution that's more EDR with just a few additional log sources. For some organizations this is a perfectly optimal fit. But how often are logging blind spots reviewed and accepted as a risk? In my experience, very rarely.</p><p>I like to spend time educating customers on the importance of defense in depth, and partners on how to clearly demonstrate its importance when it comes to catching and stopping attacks.</p><h2>The Swiss Cheese model</h2><p>One of my favorite ways of explaining defense in depth is the “<a href="https://lnkd.in/ef8Ga4MB" target="_blank">Swiss Cheese model</a>.”</p><figure><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf31ce0077376ea58/6a2183e387294e63546d2ce0/image2.png" alt="Figure 1: The Swiss Cheese model"/><figcaption>Figure 1: The Swiss Cheese model</figcaption></figure><p>It's a risk model successfully used across industries like aviation safety, engineering and other domains. Its guiding principle is that a single safeguard is not fool-proof when it comes to mitigating accidents, and that true resilience depends on multiple layers of monitoring and control.</p><p>The great thing about this model is that it translates really well to security operations and the technologies (SIEM) and services (MDR) that underpin it. In the case of these solutions, each slice of “cheese” is a combination of log source and detection rules across multiple attack surface domains – think endpoint, identity, cloud, or network – each reinforced by multiple log sources and detection rules that ladder up to those domains.</p><ul><li>The <strong>log source</strong> is half of the “cheese layer,” providing the raw information.</li><li>The <strong>detection rules</strong> that help us spot attackers’ actions are the other half of the “cheese layer.”</li></ul><p>The logs and detection rules working in combination represent the whole slice of cheese.</p><p>For example, let’s say you have an agent capturing activity on all of your servers and endpoints. But an attacker has managed to steal some VPN credentials and log in to your corporate environment like a normal user. There is no agent on the attacker’s machine, only on corporate users’ machines.</p><p>Their next step is to enumerate the environment, which can be a combination of passive monitoring and active scanning. Their task? Finding the next stepping stone so they can ultimately gain domain admin credentials or exfiltrate data from the environment, as examples.</p><p>There are lots of activities the attacker can carry out to achieve this without alerting any agents.
But what if we have some log sources monitoring Active Directory, firewall/VPN access, and even a network-based sensor monitoring traffic going in and out of the firewall? It means we can gain additional visibility, capturing this malicious activity before it escalates.</p><p>Other methods of initial access – like phishing – can also be captured by adding log sources for email solutions and any other email-related activities. An example could be the attacker changing inbox rules so that an unsuspecting user can't see the replies to the emails the attacker is sending from their mailbox.</p><h2>What are the “holes” of the cheese slice?</h2><p>Not every log source is able to capture every malicious activity from an attacker, which is why we need multiple layers. The holes can exist for a few reasons. One is visibility gaps in the log source: if you only have your EDR installed on 90% of the assets that can have it installed, there is a clear hole. There are also detection rule shortfalls: either a rule does not exist to alert on that activity when it occurs, or the log source is limited in how it records the behavior, which makes creating a detection impossible.</p><p>This is the whole foundational principle of Swiss cheese theory: we should expect an attacker to be able to circumvent a single layer.</p><h2>How do we know what log sources and detections we need?</h2><p>For each type of asset in your environment, it's a great idea to draw up a threat model. For the purposes of this blog, the model below is fairly high level. An organization-specific threat model should go more in depth, but hopefully you can get the general idea.</p><ul><li>Group types of assets together where it makes sense. For instance:<ul><li>Windows and Mac workstations</li><li>Billing servers</li><li>CRM</li><li>Network equipment and firewalls</li><li>Domain controllers</li></ul></li><li>Think about how an attacker might attempt to use these assets either to monetize the environment (e.g. ransomware) or as a stepping stone to a more critical asset.</li><li>Think about the log sources that would contribute towards highlighting attacker activity on those assets. For instance:<ul><li>Windows and Mac workstations<ul><li>EDR agent</li><li>Email logs</li><li>VPN/firewall authentication logs</li><li>Single sign-on (SSO) logs</li></ul></li><li>Domain controller<ul><li>Lightweight Directory Access Protocol (LDAP) and Active Directory logs</li><li>EDR agent</li><li>Network sensor</li></ul></li></ul></li></ul><p>As I stated, this is high-level and not exhaustive, but the idea is to think of the attacker’s actions and all of the potential log sources that could detect those actions in order to ensure you’re able to capture this activity.</p><p>Of course, this model might come under scrutiny when looking at the costs of ingesting and storing log data. Organizations then have to balance the cost of technical detections with the value they provide. In real terms, if you must choose three out of five log sources because that's what you can afford, you should pick the three most valuable to your business.</p><p>The value should come from a combination of the number of detections they drive and the quality of those detections. For example, one log source might drive 1,000 detection types, but 80% of those detections have a high benign positive ratio (say 29 in 30 are benign), whilst another log source might drive 500 detections but have a much lower benign positive ratio of 1 in 10.
This forces detection engineers to create the most optimal log-and-detection rule sets in order to optimize the cost of the SIEM.</p><h2>Cheese with a complex flavor is nice, overly complex MDR pricing is not</h2><p>All those calculations above sound complex, right? Much of that complexity can be made simpler with an asset-based pricing model, such as the one used by Rapid7.</p><p>The price is fixed on the number of servers and workstations, and customers can connect any number of log sources. This means that when you’re modeling threats and the detection of those threats, there are no cost constraints to consider for onboarding additional log sources, which would improve detection fidelity.</p><p>With that in mind, here are a few questions I would suggest customers ask themselves to establish which solution is the right one for them:</p><p><strong>Size:</strong> How big are you in terms of employees or number of assets?</p><p>A 5,000-employee business with a 20-person security team is more likely to need a SIEM with unlimited ingestion than a 20-person business with one combined IT/security person.</p><p><strong>Assets and tech stack:</strong> What types of assets are being protected and what technologies are in use?</p><p>This helps dictate whether an EDR with a few extra log sources is more suitable as the backbone of an MDR service versus one that incorporates a wide variety of telemetry sources.</p><p>Whilst the lines aren’t clear cut, these can be general areas to investigate and better understand. Other factors that also come into play are things like the type of threat actors that might target your organization. Here is an example of what it could look like worked into the threat model I spoke about above.</p><figure><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltc37b2b2de0c683cd/6a219082c305582934dc26ae/Swiss-cheese-mdr-table.png" alt="Swiss-cheese-mdr-table.png"/></figure><h2>Comparing solutions</h2><p>Attempting to compare asset-based and ingestion-based solutions can be tricky. If you try to constrain both solution types to a consistent set of log sources, you could be depriving your organization of the main benefit of an asset-based pricing structure: the ability to bring in more log sources and detections – and therefore additional layers of protection – for the same cost. This would, of course, give you a lower cost-per-detection. Let’s take a look at some ideas that might help:</p><p><strong>Look at cost-per-detection when fixing a cost limit.</strong></p><ul><li>For example, take the asset-based structure and solution cost, and configure an equivalent cost on an ingestion-based solution. You then look at how many log sources and detections that gets you, then calculate the cost-per-active-detection.
It’s also best to model this on your own or potential customers' environments.</li></ul><p><strong>Evaluate quality of detections within the model environment using the cost model constraint.</strong></p><ul><li>Running the same offensive exercises in the same environment is a fair test, so in this instance you should set up all the log sources for each model up to your cost constraint. Keep in mind you will likely have more log sources for an asset-based model. This is still a fair test, as our key comparison metric is the total cost of the solution regardless of how that solution detects the attacker.</li></ul><p><strong>Detection noise under normal conditions.</strong></p><ul><li>This is an indication of the quality of the detection rules under normal conditions. It's great to detect attackers in an isolated environment, but in a production network with users working, the same detection rules may also alert on many benign or false positives. You want your detection rules to only alert on real attacker activity.</li></ul><p><strong>Give detection rules a score:</strong></p><ul><li>Did they detect the attack correctly?</li><li>Do they alert on normal user activity?</li><li>If so, how often within a 30-day window?</li></ul><table><thead><tr><th></th><th></th><th>MDR / SIEM Solution 1</th><th>MDR / SIEM Solution 2</th></tr></thead><tbody><tr><td colspan="4"><strong>Metric 1 - Solution Coverage</strong></td></tr><tr><td></td><td>Cost</td><td>$100,000.00</td><td>$100,000.00</td></tr><tr><td></td><td>Total applicable log sources for example customer</td><td>30</td><td>20</td></tr><tr><td>Points</td><td>30</td><td>30</td><td>0</td></tr><tr><td colspan="4"><strong>Metric 1.5 - Solution Detection Value</strong></td></tr><tr><td></td><td>Cost</td><td>$100,000.00</td><td>$100,000.00</td></tr><tr><td></td><td>Total detection rules applicable to log sources</td><td>10,000</td><td>7,000</td></tr><tr><td></td><td><strong>Cost per detection</strong></td><td>$10.00</td><td>$14.29</td></tr><tr><td>Points</td><td>30</td><td>30</td><td>0</td></tr><tr><td colspan="4"><strong>Metric 2 - Quality 1 - Offensive testing in isolated environment</strong></td></tr><tr><td></td><td>Total tests conducted by offensive team</td><td>18</td><td>18</td></tr><tr><td></td><td>Total detections triggered per solution</td><td>15</td><td>16</td></tr><tr><td></td><td><strong>% of coverage</strong></td><td><strong>83%</strong></td><td><strong>89%</strong></td></tr><tr><td>Points</td><td>30</td><td>0</td><td>30</td></tr><tr><td colspan="4"><strong>Metric 3 - Quality 2 - Rules triggered by normal user activity</strong></td></tr><tr><td></td><td>Total investigations triggered in 30 days</td><td>100</td><td>130</td></tr><tr><td></td><td>Total true positive investigations in 30 days</td><td>90</td><td>87</td></tr><tr><td></td><td><strong>True positive ratio %</strong></td><td><strong>90%</strong></td><td><strong>67%</strong></td></tr><tr><td>Points</td><td>40</td><td>40</td><td>0</td></tr><tr><td colspan="4"><strong>Metric 4 - Monthly SOC operations overhead - tuning and detection rule writing (N/A for managed)</strong></td></tr><tr><td></td><td>Hourly rate</td><td>$200</td><td>$200</td></tr><tr><td></td><td>Tuning time in hours over the last 30 days</td><td>10</td><td>12</td></tr><tr><td></td><td>Detection rule writing time in hours over the last 30 days</td><td>6</td><td>8</td></tr><tr><td></td><td><strong>Monthly SOC operations overhead in $</strong></td><td><strong>$3,200.00</strong></td><td><strong>$4,000.00</strong></td></tr><tr><td>Points</td><td>10</td><td>10</td><td>0</td></tr><tr><td colspan="4"><strong>Metric 5 - Implementation time</strong></td></tr><tr><td></td><td>Hourly rate</td><td>$200</td><td>$200</td></tr><tr><td></td><td>Time to implement solution in hours for example customer</td><td>40</td><td>40</td></tr><tr><td></td><td><strong>Total PS cost for solution implementation</strong></td><td><strong>$8,000.00</strong></td><td><strong>$8,000.00</strong></td></tr><tr><td>Points</td><td>10</td><td>0</td><td>0</td></tr><tr><td><strong>Total Points</strong></td><td></td><td><strong>110</strong></td><td><strong>30</strong></td></tr></tbody></table><p>Whilst there are no absolutes, there are some good rules that can help you on the path to choosing an MDR provider that works best with and for your organization. Focusing on the assets and technologies that you want to protect, and looking at the log sources and detections that support that, is a great place to start.</p><p>The higher the importance and complexity of the asset, the more layers you ideally want, and having the table above to clearly define your quality metrics will help you consider whether a solution is the right fit for you in terms of technology, service, and economics.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-swiss-cheese-model-helps-choose-mdr-providers</link>
      <guid isPermaLink="false">blt7f7f4f3251c22079</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[David Higgs]]></dc:creator>
      <pubDate>Thu, 04 Jun 2026 13:53:41 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltb655c1b69f13c73b/6846a711536b63f12ca5f649/incident-response-findings-2025.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[A Day in the Life of an MDR Analyst: Inside the Modern SOC]]></title>
      <description><![CDATA[<p>What actually happens inside a SOC when an incident unfolds? Most teams see the alerts and the outcomes, but the decision-making in between is often less visible.</p><p>At the Rapid7 2026 Global Cybersecurity Summit, the signature session <a href="https://www.brighttalk.com/webcast/10457/662795?utm_source=blog&amp;utm_medium=website&amp;utm_content=blog-3-post-summit&amp;utm_campaign=global-mdr-2026-global-virtual-summit-prospect-eng" target="_blank"><em>Inside the Modern SOC: Who Carries You Through an Incident</em></a> takes a different approach. Rather than focusing on tools or dashboards, it follows a real-world incident from the perspective of the people responsible for investigating and containing it.</p><p>The session walks through how modern MDR teams operate under pressure, drawing on real experience across cloud, identity, and on-prem environments. Led by Karl Lankford, Senior Director, Sales Engineering, Rapid7, the discussion brings in perspectives from across the SOC, including incident response and detection, to show how teams work together when it matters most.</p><p>Structured around a full incident lifecycle, the walkthrough begins with the initial signal and moves through triage and investigation, following the decisions that shape the outcome. The focus is not on theory but on how incidents are handled in practice, from background and context through to the final result.</p><p>What stands out is how much of the process depends on judgment. Alerts are only the starting point. From there, analysts are working to understand context, assess risk, and decide what matters most in the moment. This includes identifying compromised identities, understanding how attackers move across environments, and coordinating response across multiple systems.</p><p>The session also highlights how quickly these decisions need to be made. As shown in the high-level timeline, attackers can move from initial access to broader compromise across cloud and on-prem systems in a matter of minutes, which leaves little room for hesitation or uncertainty.</p><p>Throughout the walkthrough, the focus stays on what carries organizations through an incident. Detection plays a role, but outcomes are shaped by coordination, tradeoffs, and the ability to act with clarity under pressure. The session also explores how visibility across environments, combined with human-led response, helps teams connect signals and act before impact occurs.</p><p>For practitioners, SOC leaders, and teams evaluating MDR, this session offers a grounded view of how modern incident response works under real conditions. It shows what happens between the alert and the outcome, and why that gap is where the real value lies. <a href="https://www.brighttalk.com/webcast/10457/662795?utm_source=blog&amp;utm_medium=website&amp;utm_content=blog-3-post-summit&amp;utm_campaign=global-mdr-2026-global-virtual-summit-prospect-eng" target="_blank">Watch the full session</a> to follow the investigation step by step and see how MDR teams carry organizations through real incidents.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/it-day-in-the-life-mdr-analyst-inside-the-modern-soc</link>
      <guid isPermaLink="false">blt10fbe430869e93b5</guid>
      <category><![CDATA[Events]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Security Operations (SOC)]]></category><dc:creator><![CDATA[Emma Burdett]]></dc:creator>
      <pubDate>Wed, 03 Jun 2026 16:27:08 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7652fa46396969f5/69a59e6cfbdb4d75ad7755a9/REQ-14706_-_1600x900px.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)]]></title>
      <description><![CDATA[<h2 style="direction: ltr;">Overview</h2><p style="direction: ltr;"><span style='font-size: undefined;'>On May 13, 2026, Palo Alto Networks published a security </span><a href="https://security.paloaltonetworks.com/CVE-2026-0257"><span style='font-size: undefined;'>advisory</span></a><span style='font-size: undefined;'> for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026.  As of May 29, 2026,  this vulnerability has been added to the CISA KEV.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>The CVE was originally assigned a CVSSv4 score of 4.7, </span><a href="https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/AU:N/R:A/V:D/RE:M/U:Amber"><span style='font-size: undefined;'>medium</span></a><span style='font-size: undefined;'> severity. Due to the circumstances surrounding this vulnerability Rapid7 urges that organizations treat this as a critical vulnerability. An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations. 
As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Note that, as of May 29, Palo Alto Networks updated their security </span><a href="https://security.paloaltonetworks.com/CVE-2026-0257"><span style='font-size: undefined;'>advisory</span></a><span style='font-size: undefined;'> to reflect a change in the CVSS score. The CVSSv4 score was changed from 4.7 to 7.8, with high severity to inform their customers to patch with the highest urgency. </span></p><h2 style="direction: ltr;">Observed Attacker Behavior</h2><p style="direction: ltr;"><span style='font-size: undefined;'>On 2026-05-18 01:51:37 UTC, Rapid7 MDR responded to a 'Suspicious VPN Authentication - Local Account Logon via Generic Non-Human Identity' alert. During the initial investigation, Rapid7 observed a suspicious cookie authentication to the local admin account across multiple customer environments from the same hosting provider, Vultr.</span></p><p style="direction: ltr;"><span style='color:rgb(55, 71, 79);font-size: undefined;'></span></p><pre language="html">&lt;14&gt;May 18 01:51:37 palovpn-01 1,2026/05/18 01:51:37,010101010101,GLOBALPROTECT,0,2817,2026/05/18 01:51:37,vsys1,gateway-auth,login,Cookie,,admin,US,GP-CLIENT,104.207.144.154,0.0.0,0.0.0.0,0.0.0.0,aa:bb:cc:dd:ee:ff,,6.0.0,,Linux,"linux-64",1,,,"Auth latency: 78ms, profile: local_auth_profile",success,,0,,0,GP-Gateway,0101010101010101010,0x0,2026-05-18T01:51:37.264-05:00,,,,,,0,0,0,0,,palovpn-01,1,",</pre><p style="text-align: center;direction: ltr;"><span style='font-size: undefined;'><em>GlobalProtect Authentication Log</em></span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 MDR analyzed the Palo Alto tech support files across the impacted customers and observed that Cloud Authentication Service (CAS) was disabled and the GlobalProtect portal or gateway had 
authentication override cookies enabled. Based on these findings, MDR analysts concluded that this was likely exploitation of CVE-2026-0257. Subsequent analysis by Rapid7 Labs confirmed this was accurate by validating a successful proof-of-concept.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 MDR observed a second wave of exploitation on May 21st. Due to the consistent MAC address, Rapid7 believes both waves of exploitation are likely from the same threat actor (TA). However, the second wave of compromises originated from the hosting provider Dromatics Systems. In this wave of exploitation, Rapid7 observed VPN IP assignment following the cookie authentication, granting the TA access to the internal network. </span>Rapid7 observed POST requests to <span data-type='inlineCode'>/ssl-vpn/hipreport.esp</span> and <span data-type='inlineCode'>/ssl-vpn/getconfig.esp</span> in the cases where a VPN tunnel was successfully established. The first submits security profile information and the second establishes the secure tunnel.<span style='font-size: undefined;'> </span>Across multiple customers, Rapid7 observed successful exploitation via authentication probes using forged cookies; in 8 out of 10 impacted MDR customers, the appliance accepted the forged cookie without a full VPN session being established.</p><p style="direction: ltr;"><span style='color:rgb(55, 71, 79);font-size: undefined;'></span></p><pre language="html">&lt;14&gt;May 21 01:54:39 FW-PA-A 1,2026/05/21 01:54:38,010101010101,GLOBALPROTECT,0,2818,2026/05/21 01:54:38,vsys1,gateway-auth,login,Cookie,,admin,US,DESKTOP-GP01,146.19.216.125,0.0.0.0,0.0.0.0,0.0.0.0,aa:bb:cc:dd:ee:ff,,6.0.0,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"Auth latency: 1019ms, profile: SAML-o365-GP",success,,0,,0,GlobalProtect_External_Gateway,0101010101010101010 ,0x8000000000000000,2026-05-21T01:54:39.142-05:00,,,,,,30,241,35,0,,FW-PA-A,1,,",</pre><p style="text-align: center;direction: 
<span style='font-size: undefined;'><em>GlobalProtect">
ltr;"><span style='font-size: undefined;'><em>GlobalProtect Authentication Log</em></span></p><h2 style="direction: ltr;">Technical Analysis</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Per the vendor advisory, we know the issue lies in a feature called “authentication override”. This feature allows a GlobalProtect portal or gateway to issue cookies to an authenticated user. The authenticated user can then present an authentication override cookie in future communications to the GlobalProtect portal or gateway in lieu of re-authenticating via credentials, akin to a bearer token. This feature is not enabled by default.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>We also know from reading the vendor advisory that the vulnerability requires a certain configuration in how certificates are used to encrypt and decrypt these authentication override cookies. Specifically, the advisory states that the certificate used to encrypt and decrypt authentication override cookies must not be the same certificate used for the GlobalProtect portal or gateway’s HTTPS service, which implies that the vulnerable configuration is one where that certificate is shared. This is a significant clue to how the vulnerability works.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>To explore what an authentication override cookie looks like and how they are created, we can look at the implementation in the </span><span style='font-size: undefined;'><span data-type='inlineCode'>/usr/local/bin/gpsvc</span></span><span style='font-size: undefined;'> binary which implements the GlobalProtect service (our test appliance was running PAN-OS </span><span style='font-size: undefined;'><span data-type='inlineCode'>10.2.8</span></span><span style='font-size: undefined;'> in a vulnerable configuration). 
Inspecting the </span><span style='font-size: undefined;'><span data-type='inlineCode'>main_DoAuthLogin</span></span><span style='font-size: undefined;'> function, we see that if an HTTP form value of either </span><span style='font-size: undefined;'><span data-type='inlineCode'>portal-userauthcookie</span></span><span style='font-size: undefined;'> or </span><span style='font-size: undefined;'><span data-type='inlineCode'>portal-prelogonuserauthcookie</span></span><span style='font-size: undefined;'> is present during a POST request to </span><span style='font-size: undefined;'><span data-type='inlineCode'>/ssl-vpn/login.esp</span></span><span style='font-size: undefined;'>, authentication will be performed by a call to </span><span style='font-size: undefined;'><span data-type='inlineCode'>main_AuthWithCookie</span></span><span style='font-size: undefined;'>. This function will take the incoming encrypted cookie value stored in either </span><span style='font-size: undefined;'><span data-type='inlineCode'>portal-userauthcookie</span></span><span style='font-size: undefined;'> or </span><span style='font-size: undefined;'><span data-type='inlineCode'>portal-prelogonuserauthcookie</span></span><span style='font-size: undefined;'>, decrypt it, and extract the cookie's user name, domain name, host id, client OS, remote address, and timestamp (as auth override cookies have a lifetime after which they will expire).</span></p><p style="direction: ltr;"><span style='color:rgb(55, 71, 79);font-size: undefined;'></span></p><pre language="c">void __gostk main_AuthWithCookie(
        main_GpTask_0 *t,
        paloaltonetworks_com_libs_common_AuthProfile *authProfile,
        string authCookie,
        string key,
        string stage,
        uint32 cookieLifetime,
        uint32 eventId,
        uint32 netMask,
        bool checkSrcIp,
        main_authResult_0 *result,
        string defaultDescription)
{
// ...

  ts = 0;
  errorCode = 0;
  user = 0;
  domain = 0;
  hostId = 0;
  clientOs = 0;
  remoteAddr = 0;
  result-&gt;retCode = 0;
  startTime = time_Now();
  result-&gt;cookie_auth_status = -1;
  t-&gt;Variables.authMethod.len = 6;
  if ( *(_DWORD *)&runtime_writeBarrier.enabled )
    runtime_gcWriteBarrier();
  else
    t-&gt;Variables.authMethod.str = (uint8 *)"Cookie";
  str = authProfile-&gt;AuthProfileName.str;
  t-&gt;Variables.authProfile.len = authProfile-&gt;AuthProfileName.len;
  if ( *(_DWORD *)&runtime_writeBarrier.enabled )
    runtime_gcWriteBarrier();
  else
    t-&gt;Variables.authProfile.str = str;
  v27 = main_DecryptAppAuthCookie(t, authCookie, key, &user, &domain, &hostId, &clientOs, &remoteAddr, &ts);</pre><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>If we look at the </span><span style='font-size: undefined;'><span data-type='inlineCode'>main_DecryptAppAuthCookie</span></span><span style='font-size: undefined;'> function we can begin to see the problem. The incoming encrypted cookie is base64 decoded and then decrypted using a private key. The decrypted content is then trusted implicitly, with no signature verification of any kind occurring after decryption.</span></p><p style="direction: ltr;"><span style='color:rgb(55, 71, 79);font-size: undefined;'></span></p><pre language="c">error __gostk main_DecryptAppAuthCookie(
        main_GpTask_0 *t,
        string authCookie,
        string privateCert,
        string *user,
        string *domain,
        string *hostId,
        string *clientOs,
        string *remoteAddr,
        int64 *ts)
{
// ...

  if ( privateCert.len )
  {
    *(retval_95DD80 *)&text[48] = paloaltonetworks_com_libs_common_DecryptRsaPrivateWithBase64Std(
                                    privateCert,
                                    (string)0LL,
                                    authCookie);</pre><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>The implication here is that anyone who knows the public key for the certificate used by the authentication override feature to encrypt and decrypt cookies can successfully forge and encrypt an arbitrary authentication override cookie. The question then becomes, how does an attacker learn the correct public key to use in this attack?</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>This brings us back to the vendor's advisory where they state “do not reuse the portal or gateway certificate, and do not share this certificate with other features or users”.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>If a GlobalProtect portal or gateway has reused the certificate for encrypting and decrypting cookies with another feature, such as the HTTPS service of the portal or gateway, then a remote unauthenticated attacker can discover the public key for that certificate. In doing so the attacker will be able to successfully forge and encrypt arbitrary authentication override cookies. As these forged cookies will be successfully decrypted server side, they will be trusted and an authentication bypass will be achieved. An attacker can use a valid forged authentication override cookie to log in and establish a VPN connection.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>In addition to Exposure Command and InsightVM customers being able to assess their exposure with authenticated checks, a publicly available </span><a href="https://github.com/sfewer-r7/CVE-2026-0257"><span style='font-size: undefined;'>proof-of-concept script</span></a><span style='font-size: undefined;'> to test if an appliance is vulnerable to CVE-2026-0257 has been developed by Rapid7 Labs. 
The script will retrieve all certificates in the chain for the HTTPS service of either a GlobalProtect portal or gateway. Each certificate in the chain is iterated over and an authentication override cookie is forged using each certificate's public key. This forged cookie is then tested against the GlobalProtect portal or gateway, and the script reports back if authentication was successful or not. </span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>The usage of the script is shown below.</span></p><p style="direction: ltr;"><span style='color:rgb(24, 128, 56);font-size: undefined;'></span></p><pre language="html">$ python3 forge_cookie.py --help
usage: forge_cookie.py [-h] --target TARGET [--port PORT] [--user USER] [--domain DOMAIN] [--host-id HOST_ID] [--client-os CLIENT_OS] [--client-ip CLIENT_IP] [--context {gateway,portal,both}] [--verbose]

Forge a GlobalProtect auth override cookie using the public key from TLS (CVE-2026-0257).

options:
  -h, --help            show this help message and exit
  --target TARGET       Target GP portal/gateway IP/hostname
  --port PORT           Target port (default: 443)
  --user USER           Username to forge cookie for (default: admin)
  --domain DOMAIN       Domain for cookie (default: empty)
  --host-id HOST_ID     Host ID for cookie (default: empty)
  --client-os CLIENT_OS
                        Client OS for cookie (default: Windows)
  --client-ip CLIENT_IP
                        Client IP in cookie (default: 0.0.0.0)
  --context {gateway,portal,both}
                        Context to test: gateway, portal, or both (default target)
  --verbose             Print full response</pre><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>A successful invocation of the script against a vulnerable appliance is shown below. We can see the target's GlobalProtect gateway accepted a forged authentication override cookie using the second certificate in the chain.</span></p><p style="direction: ltr;"><span style='color:rgb(24, 128, 56);font-size: undefined;'></span></p><pre language="html">$ python3 forge_cookie.py --target 192.168.86.99 --user haxor
[*] Retrieving certificate chain from 192.168.86.99:443 ...
  Found 2 certificate(s) in chain:
  [0] CN=192.168.86.99 (RSA 2048 bits, CA=False)
  [1] CN=GP-Lab-CA (RSA 2048 bits, CA=True)

[*] Forging cookie for user 'haxor', testing each key

  Trying [0] CN=192.168.86.99
  [-] Failure - Gateway did not accepted the forged cookie
  [-] Failure - Portal did not accepted the forged cookie

  Trying [1] CN=GP-Lab-CA
  [+] Success - Gateway accepted the forged cookie
  Cookie: ng9ygxlaclylNXeSHcakXZPK06Fno0svVirz6RhRtA5mDmOaZyg/KMxUuM5lRvm1Rn1Z6vqaWQQPvQOHzwJnyldOmhUKy+HDMgIYtJ/kk3ypMqmFE7BbmPxnSKxKcQQbNIcxgkrhCwuJKwybuq0aaPVNzN9BSWmh1QmZj7oLjTEo9ExAXrm951mqYhh3+MgBCScaYqP23WzrC+vzqJB74sHoMUuFWIF8/sMYDMpvENOoI4nXAFCaRYSruW9FQQy5VTzNifNWkrYcdzDCXKiP8v4G098/2QoBbVoyHBZwbgHGBsRU3ZeSgoHjrhjxyotIshKVssUs8CRpuG2HlZBM0Q==</pre><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>We can observe the successful authentication via the management interface, as shown below. The two initial failures correspond to the first certificate in the chain, which was not the certificate used for the authentication override cookies.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1913d15e22afec9d/6a19c11b937e6e3ee9aed268/pan-os-monitor-gpsrv.png" position="center" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="pan-os-monitor-gpsrv.png" asset-alt="pan-os-monitor-gpsrv.png" style="text-align: center; width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1913d15e22afec9d/6a19c11b937e6e3ee9aed268/pan-os-monitor-gpsrv.png" data-sys-asset-uid="blt1913d15e22afec9d" data-sys-asset-filename="pan-os-monitor-gpsrv.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="pan-os-monitor-gpsrv.png" sys-style-type="display"/></figure><p style="text-align: center;"><span style='font-size: undefined;'><em>Figure 1: PAN-OS Management Interface</em></span></p><h2 style="direction: ltr;">Mitigation Guidance</h2><p style="direction: ltr;"><span style='font-size: undefined;'>According to the Palo Alto Networks advisory, the following product versions are affected by CVE-2026-0257:</span></p><p></p><table><tbody><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Product</strong></span></p></td><td><p style="direction: ltr;"><span style='font-size: 
undefined;'><strong>Affected</strong></span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Unaffected</strong></span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>PAN-OS 12.1</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 12.1.4-h6</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 12.1.7</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 12.1.4-h6</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 12.1.7</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>PAN-OS 11.2</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.2.4-h17</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.2.7-h14</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.2.10-h7</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.2.12</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.2.4-h17</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.2.7-h14</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.2.10-h7</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.2.12</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>PAN-OS 11.1</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.1.4-h33</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.1.6-h32</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.1.7-h6</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.1.10-h25</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 
11.1.13-h5</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.1.15</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.1.4-h33</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.1.6-h32</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.1.7-h6</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.1.10-h25</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.1.13-h5</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 11.1.15</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>PAN-OS 10.2</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 10.2.7-h34</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 10.2.10-h36</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 10.2.13-h21</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 10.2.16-h7</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 10.2.18-h6</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 10.2.7-h34</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 10.2.10-h36</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 10.2.13-h21</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 10.2.16-h7</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 10.2.18-h6</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>Prisma Access 11.2.0</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 11.2.7-h13</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 
11.2.7-h13</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>Prisma Access 10.2.0</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&lt; 10.2.10-h36</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>&gt;= 10.2.10-h36</span></p></td></tr></tbody></table><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Affected products must have the authentication override feature enabled in either the GlobalProtect portal or gateway, and must reuse the authentication override cookie encryption and decryption certificate with another feature in order to be vulnerable. As a mitigation, affected products should either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature.</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Please refer to the vendor </span><a href="https://security.paloaltonetworks.com/CVE-2026-0257"><span style='font-size: undefined;'>advisory</span></a><span style='font-size: undefined;'> for the latest guidance.</span></p><h2 style="direction: ltr;">Rapid7 Customers</h2><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Managed Detection and Response (MDR)</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>The following detection rules are available for InsightIDR and Managed Detection and Response (MDR) customers:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Authentication - Palo Alto GlobalProtect Cookie Authentication to Local Admin Account</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Threat Intel (Rapid7 MDR SOC/IR) - VPN Authentication via Spoofed MAC Address</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Threat 
Intel (Rapid7 MDR SOC/IR) - Indicator of Compromise Observed </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious VPN Authentication - Palo Alto GlobalProtect Login via Default Hostname</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious VPN Authentication - Local Account Logon via Generic Non-Human Identity</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious VPN Authentication - Local Account</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Authentication - Vultr</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Authentication - Dromatics Systems</span></p></li></ul><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Exposure Command, InsightVM, and Nexpose</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-0257 using an authenticated check available since the May 15 content release.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>IntelHub</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>IntelHub customers can look into the Platform to search for more details and correlate the indicators of compromise with the data from their own environment.</span></p><h2 style="direction: ltr;">Known Indicators of Compromise</h2><p style="direction: ltr;"><span style='font-size: undefined;'>The source IPs below belong to low-cost hosting providers, a frequent origin of sustained threat campaigns.</span></p><p></p><table><tbody><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Item</strong></span></p></td><td><p style="direction: ltr;"><span style='font-size: 
undefined;'><strong>Description</strong></span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>104.207.144.154</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>Threat actor source IP</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>146.19.216.119</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>Threat actor source IP</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>146.19.216.120</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>Threat actor source IP</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>146.19.216.125</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>Threat actor source IP</span></p></td></tr><tr><td><p>209.99.191.137</p></td><td><p>Threat actor source IP</p></td></tr><tr><td><p>79.130.26.202</p></td><td><p>Threat actor source IP</p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>DESKTOP-GP01</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>Machine name observed in the GlobalProtect logs alongside Windows authentications, first observed on May 21, 2026</span></p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>GP-CLIENT</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>Machine name observed in the GlobalProtect logs alongside Linux authentications, first observed on May 17, 2026</span></p></td></tr><tr><td><p>Jocker</p></td><td><p>Machine name observed alongside 79.130.26.202</p></td></tr><tr><td><p style="direction: ltr;"><span style='font-size: undefined;'>aa:bb:cc:dd:ee:ff</span></p></td><td><p style="direction: ltr;"><span style='font-size: undefined;'>Spoofed MAC address observed in both waves of successful 
exploitation</span></p></td></tr></tbody></table><h2 style="direction: ltr;">Updates</h2><ul><li style="direction: ltr;"><strong>May 29, 2026: </strong>Initial publication.</li><li><strong>May 29, 2026: </strong>Added CISA KEV addition. </li><li><span style='font-size: undefined;'><strong>June 2, 2026: </strong></span><span style='font-size: undefined;'>Added IntelHub information under Rapid7 Customers section, updated to reflect Palo Alto Networks change to security advisory (CVSS score change). </span>Added 3 new IOCs (2 IPs and 1 machinename).</li><li><span style='font-size: undefined;'><strong>June 3, 2026:</strong></span><span style='font-size: undefined;'> Added observed URI endpoints accessed for successful VPN connections to the Observed Attacker Behavior section.</span></li></ul><p></p>]]></description>
      <link>https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257</link>
      <guid isPermaLink="false">bltacc9bfccc9e39c81</guid>
      <category><![CDATA[Emergent Threat Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Fri, 29 May 2026 16:49:40 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65a432ba319f4043/6846abddaf18306debe6cf4d/ETR.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[How Security Leaders Cut Through Complexity to Drive Better Outcomes]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Security leaders are operating in an environment that is only getting more complex. Expanding attack surfaces, rapid AI adoption, growing toolsets, and increasing pressure to respond faster have made it harder to maintain a clear view of risk and priorities.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>At the Rapid7 Global Cybersecurity Summit, the customer panel </span><a href="https://www.brighttalk.com/webcast/10457/663134?utm_source=blog&amp;utm_medium=website&amp;utm_content=post-event-blog-customer-panel-clarity-beats-complexity&amp;utm_campaign=global-mdr-2026-global-virtual-summit-prospect-eng" target="_blank"><span style='font-size: undefined;'><em>How Clarity Beats Complexity</em></span></a><span style='font-size: undefined;'> explores how leaders are navigating that reality in practice. Drawing on perspectives from CISOs and technology leaders across industries, the session focuses on how teams are managing complexity without losing sight of what matters.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rather than focusing on theory, the discussion is structured around a set of practical questions that reflect what teams are dealing with today. These include where complexity is making security harder to manage, how alerts, data, and handoffs are slowing decisions, and what can look like progress but fails to deliver meaningful outcomes.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>As the conversation develops, speakers such as Debby Briggs, VP-CISO at Netscout Systems and Raheem Daya CTO at Target RWE share how their teams are rethinking processes, habits, and assumptions that add noise without improving security. 
The emphasis shifts toward questioning metrics that measure activity rather than risk, and focusing instead on what drives meaningful outcomes.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>From there, the session looks at what is actually making a difference. Topics include how leaders are clarifying priorities, aligning security actions with real business impact, and where visibility and context are proving more valuable than volume. Will Lambert, Information Security Manager at Culligan International, adds a practitioner perspective, highlighting how clearer ownership and better coordination across teams help reduce friction in day-to-day operations.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Throughout the session, the focus remains on practical decision-making. This includes managing complexity without oversimplifying, validating investments in areas such as MDR and consolidation, and ensuring security teams are focused on outcomes that improve resilience.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>For CISOs, security operations leaders, and teams evaluating their current approach, this panel offers a grounded view of how others are tackling the same challenges.</span></p><p style="direction: ltr;"><a href="https://www.brighttalk.com/webcast/10457/663134?utm_source=blog&amp;utm_medium=website&amp;utm_content=post-event-blog-customer-panel-clarity-beats-complexity&amp;utm_campaign=global-mdr-2026-global-virtual-summit-prospect-eng" target="_blank"><span style='font-size: undefined;'>Watch the full customer panel</span></a><span style='font-size: undefined;'> to hear how security leaders are cutting through complexity and focusing on what actually improves outcomes.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/it-security-leaders-cut-through-complexity-driving-stronger-outcomes-webinar</link>
      <guid isPermaLink="false">blt7e3f94eb29e82202</guid>
      <category><![CDATA[Events]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Emma Burdett]]></dc:creator>
      <pubDate>Tue, 26 May 2026 12:51:10 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7652fa46396969f5/69a59e6cfbdb4d75ad7755a9/REQ-14706_-_1600x900px.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[MDR Selection is a Partnership Decision]]></title>
      <description><![CDATA[<p style="direction: ltr;"><a href=" https://www.rapid7.com/fundamentals/what-is-managed-detection-and-response-mdr/" target="_blank"><span style='font-size: undefined;'><em>Managed Detection and Response (MDR)</em></span></a><span style='font-size: undefined;'><em> is a cybersecurity service that combines human expertise and technology to detect, investigate, and respond to threats 24/7.</em></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>I write this as a Field CISO at Rapid7, but also as someone who has had to live with the operational reality of MDR on the customer side. I have seen what happens when a service is a black box, when technology and service drift apart, and when cost, retention, and accountability are misaligned. That experience shapes the view in this piece: MDR selection is not just about buying monitoring in isolation, but about choosing a partner that can help your team reduce risk and improve the way security operates over time.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>When organisations evaluate MDR, they often start in the wrong place. The discussion begins with integration counts, dashboards, pricing tables, and increasingly bold claims about AI or dramatic reductions in alert volume. Those things all matter to a degree, but they are not the centre of the decision. The real question is whether you are choosing a provider that will work as a genuine partner, help you reduce risk over time, and strengthen the way your team operates when the environment becomes noisy, complex, or difficult to manage.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That matters because MDR is not a service that sits neatly off to one side of the security function. It becomes part of the operating model. 
It influences how visibility is created, how incidents are handled, how priorities are surfaced, and how much confidence a leadership team has in the people and processes around it. For that reason, I do not think MDR selection is primarily a tooling exercise. It is a partnership decision.</span></p><h2 style="direction: ltr;">What poor MDR looks like in practice</h2><p style="direction: ltr;"><span style='font-size: undefined;'>My own view on this has been shaped by more than one experience. In one case, our MSSP was part of a defence company that was later carved out into a separate business. The service was built around a legacy SIEM. They had plenty of interest elsewhere in automation and future-state capability, but the fundamentals were being missed. We could talk about what we wanted to automate, but not with enough confidence about the quality of the underlying visibility, the operational process around it, or how the service was supposed to mature over time.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In another case, the issue was an MSSP overlay wrapped around a well-known, high-cost log indexer. On paper, that should have been a strong foundation. In practice, the management layer around it was poor. There was a lack of expertise, no credible roadmap, and very little meaningful tuning. As the MSSP was also reselling the ingest, there was no obvious incentive to optimize data use in the customer’s favour. Ingest was capped because of cost, retention was limited to 90 days, and we were left with the uncomfortable combination of high spend, constrained visibility, and a service that did not appear to be improving in any meaningful way.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Those experiences shaped how I think about MDR because they exposed the same underlying problem. The technology was not absent, but the service model around it was weak. 
When the gap between the platform and the service becomes too wide, the customer ends up paying for capability in theory while carrying the operational risk in practice.</span></p><h2 style="direction: ltr;">Why the gap between platform and service matters</h2><p style="direction: ltr;"><span style='font-size: undefined;'>This is where many MDR relationships start to fail. Even when the tooling is capable, the provider still has to connect platform, people, process, and commercial model into one coherent service. If that does not happen, the customer ends up living with support issues, awkward hand-offs, misaligned contracts, unclear accountability, and a constant sense that there are too many moving parts and not enough ownership.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That is why I would start any MDR evaluation by looking at how the relationship is meant to work in practice. </span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Does the provider genuinely own the experience end to end, or are they effectively brokering one element through another?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Can they show how the programme will improve over the first year, not just how onboarding works in the first month?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Do they understand the rest of your security ecosystem and how to operate within it, or do they assume every answer involves expanding their footprint?</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>Strong providers think holistically. They understand that the customer already has an environment to manage, existing tools to work with, and internal teams who need clarity rather than additional friction. 
They think in terms of operating model, monitoring, response, and continuous improvement over time, rather than treating the service as a thin wrapper around a platform. That is usually where the difference between coverage and real partnership becomes obvious.</span></p><h2 style="direction: ltr;">Proactive defense starts with the fundamentals</h2><p style="direction: ltr;"><span style='font-size: undefined;'>True partnership is defined by its ability to deliver proactive defense and continuous improvement. By this, I do not just mean threat hunting or faster triage. I mean exposure reduction in the broader sense. It is understanding attack paths, using intelligence well, tuning detections properly, improving visibility where it matters, and building a service rhythm that reduces the conditions attackers rely on.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That sounds obvious, but it is surprisingly easy for organisations to be distracted from those fundamentals. Low entry prices often mask a fundamentally constrained operating model, shifting risk and cost back to the customer. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Sweeping promises about single-digit alert volumes should be treated carefully, especially before a provider has properly understood the environment. The same is true of broad agentic AI claims. Automation can absolutely help, but it does not replace accountability, operational judgement, or the need for a provider to show how the service will improve over time.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>For me, that last point is one of the clearest tests of whether the relationship is working. An MDR service should not be something you set and forget. A mature partnership should look better in month twelve than it did in month one. Visibility should improve. Tuning should improve. The roadmap should improve. 
Confidence in escalation and response should improve. If none of that is happening, it becomes very difficult to describe the relationship as a real partnership. At that point, you may simply have outsourced a queue.</span></p><h2 style="direction: ltr;">When displacement becomes the right answer</h2><p style="direction: ltr;"><span style='font-size: undefined;'>That is also how I think about displacement. An incumbent should not be displaced simply because another provider has a sharper demo or a more fashionable story. Displacement makes sense when the existing model has stopped improving, when the service feels static or opaque, when the team lacks the expertise to tune and evolve it properly, or when the commercial structure and delivery model are working against the customer rather than with them.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>If the relationship is held together by workarounds, if there is no meaningful roadmap, or if the customer is left carrying too much of the integration and governance burden themselves, the problem is usually structural rather than temporary. In that situation, the question is no longer whether the service can be tweaked around the edges. The question is whether the model is fit for purpose at all.</span></p><h2 style="direction: ltr;">Consolidation is only useful if it improves the model</h2><p style="direction: ltr;"><span style='font-size: undefined;'>That does not automatically mean consolidation is the answer. Consolidation can be valuable, but only when it improves the operating model rather than simply reducing the number of logos in the environment. In some cases, the right answer will be to build a broader relationship with a provider that has earned trust and shown it can deliver more. 
In others, the right answer will be better integration and a clearer division of responsibilities.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>What matters is whether the provider helps create a more coherent, scalable, and accountable way of operating. If consolidation leads to better hand-offs, stronger accountability, and a simpler way of reducing risk, it can be very valuable. If it does not, then consolidation is not the point. A better operating model is.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This broader view is also consistent with established security guidance. NIST CSF 2.0 frames cybersecurity as a risk management discipline across governance, protection, detection, response, and recovery [1]. NIST’s latest incident response guidance reinforces that response should be integrated into wider risk management and improved over time [2]. The NCSC makes a similar point in its guidance on building a SOC and on security monitoring, where tools, skills, and operating model all need to work together [3]. 
CISA’s exposure reduction guidance points in the same direction by focusing on reducing the conditions attackers rely on before incidents escalate [4].</span></p><h2 style="direction: ltr;">Questions worth asking any MDR provider</h2><p style="direction: ltr;"><span style='font-size: undefined;'>There are a few practical questions I would encourage any CISO, Security Director, or Security Operations Manager to ask, whether they are reviewing an incumbent or evaluating a new provider:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>How will the service improve over the first year and beyond?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Where do the hand-offs happen between your platform, your analysts, and my team?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>How do you work with the security and IT tools we already rely on?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>How predictable is the commercial model as coverage expands?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>What are you doing to reduce risk before the next incident, not just respond after it?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>If your commercial model benefits from more ingest, what incentive do you have to tune it down?</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>Those questions reveal far more than a polished demo ever will.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Ultimately, the organisations that get the most value from MDR tend to be the ones that treat it as part of a wider security partnership rather than a neatly outsourced function. 
They expect transparency, progress, and a provider that understands both the environment they have today and the operating model they are trying to build over time. That is the standard worth holding. If the provider is not improving the programme over time, you do not have a real partnership. And if consolidation does not lead to a better operating model, it is probably not worth doing in the first place.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Learn more about </span><a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/"><span style='font-size: undefined;'>Rapid7's approach to preemptive MDR</span></a><span style='font-size: undefined;'>.</span></p><p style="direction: ltr;"><span style='color:rgb(33, 33, 33);font-size: undefined;'><em>Alan Simpson is Field CISO for the UK and Ireland at Rapid7, advising CISOs and senior leaders on cyber risk, resilience, and security strategy that supports business outcomes. Before joining Rapid7, he served as Global Security Operations Manager and Acting CISO at Keyloop, where he led security operations and wider information security initiatives. 
He has also held senior security leadership roles at Allianz and LV=, with experience across security operations, incident response, architecture, awareness, supplier assurance, and security testing.</em></span></p><p><em>[1] </em><a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf" target="_blank"><span style='font-size: undefined;'><em>https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf</em></span></a></p><p><em>[2] </em><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf" target="_blank"><span style='font-size: undefined;'><em>https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf</em></span></a></p><p><em>[3] </em><a href="https://www.ncsc.gov.uk/collection/building-a-security-operations-centre" target="_blank"><span style='font-size: undefined;'><em>https://www.ncsc.gov.uk/collection/building-a-security-operations-centre</em></span></a></p><p><em>[4] </em><a href="https://www.cisa.gov/resources-tools/resources/exposure-reduction" target="_blank"><span style='font-size: undefined;'><em>https://www.cisa.gov/resources-tools/resources/exposure-reduction</em></span></a></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-mdr-selection-partnership-decision</link>
      <guid isPermaLink="false">blt067c529962c6a487</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[MDR Must-Haves]]></category><dc:creator><![CDATA[Alan Simpson]]></dc:creator>
      <pubDate>Tue, 28 Apr 2026 08:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltebc2810157aecfaf/68af2715c53b04810df94abb/blog-hero-generic-pixel.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What CISOs Should Expect from AI Powered MDR in 2026, According to Rapid7 CEO Corey Thomas]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>In the latest episode of Rapid7’s Experts on Experts, I’m joined by Rapid7 CEO Corey Thomas for a candid conversation about where AI is genuinely changing security operations, and where the hype still outruns reality. The short version is that AI is already improving productivity in software development, but the bigger shift for security leaders is what it can do with telemetry at scale. As Corey puts it, no team of humans can process all security telemetry, all the time, across an entire environment. That gap is where AI can help, but only if the inputs are right.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We also dig into what this means for Managed Detection and Response (MDR), and why the market is moving from “watch a subset of signals” toward monitoring the full environment, 24 x 7. The catch is that raw volume is not the goal. The goal is a comprehensive data set that enables decision making under pressure, with enough context to act early.</span></p><h2>AI is only as good as the context behind it</h2><p style="direction: ltr;"><span style='font-size: undefined;'>One theme that kept coming up in our conversation is trust. Corey explains why earlier automation and SOAR efforts struggled. They followed strict rules, but security rarely behaves in strict patterns. When something looked similar but required a different response, teams hesitated to rely on automation. The dynamic rule making that newer AI models provide can help, but only if fueled with the right context.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Corey breaks “context” into practical components: understanding what technologies are deployed, how they are configured, what controls exist, what vulnerabilities are present, and what activity is actually happening across those systems. Without that full picture, teams spend time chasing the wrong risks. 
He compares it to buying earthquake insurance without knowing where you live. If you are in California, it might make sense. If you are in Florida, hurricane coverage is the real concern. Context tells you which risk actually matters.</span></p><h2><span style='font-size: undefined;'>Preemptive MDR is the shift CISOs should plan for now</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Where the conversation gets especially relevant for 2026 is the move from reactive to preemptive security. To frame the change in plain terms: a reactive posture waits for alerts, while leaders want partners who anticipate and identify risks earlier.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Corey describes preemptive MDR as an attack surface discipline. It starts with understanding the full attack surface, spotting where attacks are likely to occur, and identifying the most attractive exposures in the environment. The operational step is what matters: identifying those exposures quickly, prioritizing realistically, and having preset remediation and response plans ready before the moment hits. Corey is direct about constraints, too. No organization can remediate everything all the time, but better planning and efficiency are still possible, and business expectations of security leaders are rising. He also notes that government and regulators are pushing in the same direction, and that Gartner and other analysts are reinforcing the shift toward anticipation rather than after-the-fact response.</span></p><h2>Cloud scale forces MDR to evolve, especially around identity</h2><p style="direction: ltr;"><span style='font-size: undefined;'>We also spent time on the cloud, because it continues to reshape how security programs operate. Most organizations are building more, faster, across more cloud technologies and identities, and AI only accelerates that pace. Corey’s view is that MDR has to mirror that technology reality. 
At a baseline, teams need to monitor what their cloud providers already offer. He calls out identity as the harder requirement: understanding identity traffic across the environment, separating legitimate from malicious behavior, and tracking roles and responsibilities so investigations do not happen in a vacuum. If an MDR program is not looking across the cloud landscape, it cannot confidently say it is monitoring the right things, especially in the areas where new bugs and misconfigurations show up first.</span></p><h2>Transparency becomes a differentiator when AI enters the loop</h2><p style="direction: ltr;"><span style='font-size: undefined;'>As AI becomes more present in triage and investigation, Corey argues that transparency will matter even more. He shares that Rapid7 built MDR with the assumption that customers should be able to log in at any time and audit what is happening in their environment. That level of visibility can be uncomfortable, but it becomes more important as AI plays a larger role in how decisions are made. The presence of AI in MDR programs does not reduce the need for trust, but increases it. And that trust is built through transparency and auditability, not assumption.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That also means being able to show where AI is actually making a difference. It is not enough to say it is working. Teams need to see the impact in real terms.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Corey contrasts that with what he sees as the market default: black box approaches that ask customers to trust the output until something goes wrong. His prediction is blunt and practical. 
As buyers mature, RFPs will demand the ability to inspect how alerts are processed and how investigations are run, because that is what trust looks like at scale.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Watch the full episode below to hear Corey’s take on what is changing, what is still missing, and why the strongest MDR programs in 2026 will be the ones that plan for preemptive action, not just faster reaction.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/it-2026-ai-powered-mdr-ceo-corey-thomas-cisos</link>
      <guid isPermaLink="false">blt374ae56d268eb780</guid>
      <category><![CDATA[Artificial Intelligence]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Craig Adams]]></dc:creator>
      <pubDate>Wed, 01 Apr 2026 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf8317b2e5bfec732/68adbeaa4f9d3d04bd8228e9/experts-on-experts.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Guidance on Observed Microsoft Teams Phishing Campaigns]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>The </span><a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/" target="_blank"><span style='font-size: undefined;'>Rapid7 MDR</span></a><span style='font-size: undefined;'> team is currently monitoring an increase in phishing campaigns where threat actors (TAs) impersonate internal IT departments via Microsoft Teams. The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Social engineering via IT Support impersonation is not a new threat, but the recent surge in Teams-based delivery highlights a critical vulnerability in how organizations manage external access. Teams often allows any external user to message internal staff. This is the functional equivalent of operating an email server without a gateway filter. While a cautious user might notice an "External" tag on the chat, the inherent trust placed in collaboration tools often overrides standard security instincts, granting TAs a direct, high-trust channel to your end users.</span></p><h2 style="direction: ltr;">Threat overview</h2><p style="direction: ltr;"><span style='font-size: undefined;'>The attack we’ve observed typically follows a specific sequence of events:</span></p><ol><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Initial contact:</strong></span><span style='font-size: undefined;'> The threat actor sends spoofed Microsoft Teams chat requests to multiple users within an environment, simultaneously. 
These often appear to come from "IT Support," "System Admin," or other spoofed internal aliases.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Engagement:</strong></span><span style='font-size: undefined;'> Once a user accepts the chat request, the threat actor initiates a conversation under the pretext of offering IT support, such as "fixing a technical issue" or "performing a security update."</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Exploitation:</strong></span><span style='font-size: undefined;'> The threat actor asks the user to launch Quick Assist. Once the connection is established, the TA gains remote access to the machine, allowing them to deploy malware, exfiltrate data, or move laterally through the network.</span></p></li></ol><h2 style="direction: ltr;">What you should do now</h2><p style="direction: ltr;"><span style='font-size: undefined;'>To protect your environment from this activity, Rapid7 recommends the following technical controls:</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Harden Microsoft Teams settings</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>In the Teams Admin Center, limit external communications to "Only allowed domains." This prevents arbitrary external tenants from messaging your employees unless they are on an approved allowlist. In addition, Rapid7 recommends disabling the ability for users to communicate with external Teams users who are not managed by an organization. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>If your business doesn't require cold outreach from external vendors, toggle off "Allow External Users to Start Conversations" to ensure only your users can initiate outside chats. 
If your business does require this functionality more broadly, consider implementing Spoof Intelligence.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Implement automatic blocking of spoofed Teams messages</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Enable Spoof Intelligence within your Microsoft 365 security settings. This feature automatically detects and blocks senders who are not who they claim to be. This feature works by identifying and managing senders that fail SPF/DKIM/DMARC. If you have known senders who don’t have these configured, ensure you set the appropriate exceptions.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Disable/harden Quick Assist </span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 recommends removing or disabling Microsoft Quick Assist if it is not required within your environment. This can be achieved via Group Policy Object (GPO) blocking the application, blocking network traffic to the Quick Assist domain, or uninstalling the Quick Assist package.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Watch for red flags</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Train staff to recognize these specific "Teams spoofing" hallmarks:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>The "external" tag:</strong></span><span style='font-size: undefined;'> Remind users to look for the (external) tag next to a name. 
Real internal IT support will never have this tag.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Sense of urgency:</strong></span><span style='font-size: undefined;'> Attackers often claim there is a "security breach" or "expired password" to rush the user into bypassing safety protocols.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Out-of-band verification:</strong></span><span style='font-size: undefined;'> Establish a policy that IT will never initiate a support session via a cold-call Teams chat without a pre-existing ticket number. If a user is unsure, IT should have a pre-established process in place for a user to validate the requestor’s identity.</span></p></li></ul><h2 style="direction: ltr;">Rapid7 customers</h2><p style="direction: ltr;"><span style='font-size: undefined;'>We are continually monitoring your environment for related activity. Below is a non-exhaustive list of detections that are deployed:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Chat Request - Potential Social Engineering Attempt</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Conversation - Potential Social Engineering Message Interaction</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Initial Access - Potential Social Engineering Session Initiated Following Chat Request</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Chat Request - Multiple Users Contacted by Foreign Tenant via Default Tenant Domain</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Initial Access - Microsoft Teams Remote Control Granted to Suspicious External 
Account</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 MDR is here to support your team, strengthen your defenses, and help you stay ahead of adversaries attempting to use this tactic to gain access to your environment. Learn more about our service </span><a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/" target="_blank"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'>.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-guidance-on-observed-microsoft-teams-phishing-campaigns</link>
      <guid isPermaLink="false">blt4936d09f1682eb80</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Threat Intel]]></category><dc:creator><![CDATA[Brett Deroche]]></dc:creator>
      <pubDate>Mon, 16 Mar 2026 15:49:17 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65a432ba319f4043/6846abddaf18306debe6cf4d/ETR.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[From Threat Detection to Response: What to Expect from Our MDR Sessions]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Detection and response are under pressure. Expanding attack surfaces, identity misuse, cloud sprawl, and AI-accelerated threats have changed what “ready” looks like for a SOC. That’s why this year’s </span><a href="https://rapid7.brighttalk.com/?utm_source=blog&amp;utm_medium=website&amp;utm_content=blog-2&amp;utm_campaign=global-pla-2026-global-virtual-summit-prospect-eng-etos-25" target="_blank"><span style='font-size: undefined;'>Global Cybersecurity Summit</span></a><span style='font-size: undefined;'> places continuous threat defense at the center of the conversation.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The focus is clear: this is what modern MDR looks like when it’s designed to disrupt attackers earlier, not just react to them faster.</span></p><h2><span style='font-size: undefined;'>2026 MDR sessions: A sneak peek</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Throughout the summit, several sessions will explore how detection and response are evolving in practice. In this year’s “</span><span style='font-size: undefined;'><em>Inside the Modern SOC”</em></span><span style='font-size: undefined;'>, we’ll look at how response actually unfolds when pressure is high and decisions matter. It’s a close examination of ownership, escalation, and how teams coordinate across endpoint, identity, and cloud telemetry.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In “</span><span style='font-size: undefined;'><em>Using Red Teaming to Power Preemptive MDR”</em></span><span style='font-size: undefined;'>, the conversation shifts upstream. 
Rather than treating red teaming as a compliance exercise, this session examines how continuous testing strengthens detection coverage and validates response workflows before a real attacker forces the issue.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>For executive leaders,</span><span style='font-size: undefined;'><em> “A CISO’s Guide to MDR Accountability and Outcomes”</em></span><span style='font-size: undefined;'> will examine MDR through a leadership lens, describing how leaders can best evaluate performance, define success, and ensure response strategies hold up under scrutiny. As detection models grow more complex, clarity around accountability can become just as important as technical capability.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>For hands-on practitioners, “</span><span style='font-size: undefined;'><em>Hunt or Be Hunted: Frontline Tales of Detection”</em></span><span style='font-size: undefined;'> offers a scenario-driven walkthrough of how SOC analysts triage signals, manage handoffs, and make decisions under real operational pressure. Meanwhile, </span><span style='font-size: undefined;'><em>“IR in Practice: Tools, Tradecraft, and Adversary-Informed Investigation”</em></span><span style='font-size: undefined;'> provides a deeper look at investigative workflows – including practical use cases and adversary-informed response approaches.</span></p><h2><span style='font-size: undefined;'>What preemptive MDR really means</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Together, these sessions represent part of a broader theme: </span><span style='font-size: undefined;'><strong>Preemptive security operations</strong></span><span style='font-size: undefined;'> is not about adding more tools or generating more alerts. 
It is about reducing uncertainty, aligning exposure with detection, and building workflows that allow teams to act with confidence.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>And this is only a preview. Additional sessions, speakers, and perspectives will continue to be announced as the summit approaches.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>If you’re responsible for detection strategy, response readiness, or MDR governance, this track is designed to meet you where you operate. Join us </span><span style='font-size: undefined;'><strong>May 12–13</strong></span><span style='font-size: undefined;'> and be part of the shift toward more confident, preemptive security operations.</span></p><p style="direction: ltr;"><a href="https://rapid7.brighttalk.com/?utm_source=blog&amp;utm_medium=website&amp;utm_content=blog-2&amp;utm_campaign=global-pla-2026-global-virtual-summit-prospect-eng-etos-25"><span style='font-size: undefined;'><strong>Register now</strong></span></a></p>]]></description>
      <link>https://www.rapid7.com/blog/post/it-threat-detection-response-mdr-sessions-global-cybersecurity-summit</link>
      <guid isPermaLink="false">bltc025a039714bde80</guid>
      <category><![CDATA[Events]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Emma Burdett]]></dc:creator>
      <pubDate>Mon, 16 Mar 2026 13:24:20 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7652fa46396969f5/69a59e6cfbdb4d75ad7755a9/REQ-14706_-_1600x900px.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[ICYMI: Experts on Experts – Season One Roundup]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>In 2025, we launched </span><a href="https://www.youtube.com/watch?v=0yW_fviFFqg&amp;list=PLMrgKzfE1aINxE0gWwHhfb_dY7Jen4FNI" target="_blank"><span style='font-size: undefined;'><em>Experts on Experts: Commanding Perspectives</em></span></a><span style='font-size: undefined;'> as a pilot video series designed to spotlight the ideas shaping cybersecurity, directly from the people driving them. Over five episodes, Rapid7 leaders shared short, candid conversations on topics like agentic AI, MDR ROI, cybercrime-as-a-service, and policy in practice. With Season Two launching soon, now is the perfect time to revisit the first run of expert conversations that started it all. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Each episode is now embedded in its supporting blog on rapid7.com, making it even easier to watch, read, and share. Here's your full recap of Season One.</span></p><h3>Ep 1: What Happens When Agentic AIs Talk to Each Other?</h3><p><span style='font-size: undefined;'><strong>Guest:</strong></span><span style='font-size: undefined;'> Laura Ellis, VP of Data & AI</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Agentic AI was one of the most talked-about themes of the year, but few tackled it with the clarity and urgency Laura Ellis brought to this episode. From governance models to inter-agent deception, the conversation explores how AI systems can interact in unpredictable ways. Laura shares her perspective on keeping humans at the helm, how to contain agent behavior in real-world infrastructure, and what’s realistic for security teams today. The episode came from a LinkedIn conversation about autonomy, oversight, and the potential for agent-to-agent manipulation, and answered a lot of questions. 
If you’re curious about how AI moves from experiment to ecosystem, this is a great place to start.</span></p><p><span style='font-size: undefined;'>[</span><a href="https://www.rapid7.com/blog/post/what-happens-when-agentic-ais-talk-to-each-other/">Read and watch</a>]</p><h3>Ep 2: What MDR ROI Really Looks Like</h3><p><span style='font-size: undefined;'><strong>Guest:</strong></span><span style='font-size: undefined;'> Jon Hencinski, VP of Detection & Response</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In this open and honest conversation, Jon Hencinski takes us inside the modern SOC to show what strong managed detection and response really looks like. From coverage and telemetry to analyst training and noise reduction, the episode walks through the building blocks of a high-performing MDR program. Jon speaks directly to security leaders and decision-makers, breaking down which metrics matter most, how to measure confidence in your provider, and why speed is still the differentiator. If you’re evaluating MDR partners or trying to articulate the value of your program internally, this episode offers a practical benchmark. 
It also pairs well with Rapid7’s </span><a href="https://www.rapid7.com/blog/post/dr-organizations-achieving-422-percent-roi-with-rapid7-mdr/"><span style='font-size: undefined;'>IDC report on MDR business value</span></a><span style='font-size: undefined;'>, which (Spoiler Alert) found a 422% three-year ROI and payback in under six months.</span></p><p><span style='font-size: undefined;'>[</span><a href="https://www.rapid7.com/blog/post/it-staying-ahead-of-attackers-what-soc-teams-are-doing-differently-in-2025/" target="_blank">Read and watch</a>]</p><h3>Ep 3: The Business of Cybercrime</h3><p><span style='font-size: undefined;'><strong>Guest:</strong></span><span style='font-size: undefined;'> Raj Samani, SVP and Chief Scientist</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Cybercrime is no longer just a threat, it’s an economy. In this episode, Raj Samani unpacks the business model behind ransomware, initial access brokers, and affiliate operations. He shares his view on how cybercriminals are scaling operations like startups, what security teams can do to map that behavior, and why understanding the economy of access is key to disruption. It’s an insightful look at how attacker innovation is outpacing the traditional response, and what needs to change. Raj also reflects on the blurred lines between opportunistic access and long-tail ransomware campaigns, and how buyers on the dark web shape the threat landscape. 
This conversation is especially useful for defenders who want to think more strategically about adversaries and the systems that support them.</span></p><p><span style='font-size: undefined;'>[</span><a href="https://www.rapid7.com/blog/post/it-the-business-of-cybercrime-raj-samani-on-access-ransomware-and-what-comes-next/">Read and watch</a>]</p><h3 style="direction: ltr;">Ep 4: What SOC Teams Are Doing Differently in 2025</h3><p><span style='font-size: undefined;'><strong>Guest:</strong></span><span style='font-size: undefined;'> Steve Edwards, Director of Threat Intelligence and Detection Engineering</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This episode walks through the key findings of </span><a href="https://www.rapid7.com/lp/idc-report-mdr-roi/"><span style='font-size: undefined;'>Rapid7’s IDC study on the business value of MDR</span></a><span style='font-size: undefined;'> and brings them to life through real-world SOC operations. Steve Edwards shares how telemetry access changes the game, what true coverage looks like in practice, and why teams are shifting away from reactive models to faster, context-rich detection. You’ll hear what happens in the first 24 to 48 hours of incident response and how Rapid7’s no-cap IR model improves confidence during high-pressure moments. Steve also breaks down how teams are using </span><span style='font-size: undefined;'>MITRE ATT&CK</span><span style='color:rgb(68, 71, 70);font-size: undefined;'> </span><span style='font-size: undefined;'> mapping to prioritize security investments and measure response maturity over time. 
For security leaders and buyers evaluating managed services, this conversation offers a clear, practical lens on what </span>a successful MDR program looks like from a security and business perspective.</p><p>[<a href="https://www.rapid7.com/blog/post/it-mdr-roi-what-security-leaders-need-to-ask-for/" target="_blank">Read and watch</a>]</p><h3 style="direction: ltr;">Ep 5: Policy to Practice - What Cyber Resilience Really Takes</h3><p><span style='font-size: undefined;'><strong>Guest:</strong></span><span style='font-size: undefined;'> Sabeen Malik, VP of Global Government Affairs and Public Policy</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>With new regulations emerging across the globe, it’s easy to confuse compliance with resilience. In this episode, Sabeen Malik unpacks what it takes to bridge that gap. She talks through disclosure laws, geopolitical tension, and the difficulty of turning policy into something operators can act on. Sabeen brings both policy expertise and operational realism, making the case that cybersecurity regulation needs to be built for the real world, not for a checklist. She also explores the cultural side of risk, including how insider threats and trust-based frameworks play into resilience planning. If your organization is tracking regulatory changes or working toward a more mature security posture, this episode offers a smart lens on where policy can help, and how to overcome its shortfalls.</span></p><p><span style='font-size: undefined;'>[</span><a href="https://www.rapid7.com/blog/post/it-policy-to-practice-cyber-resilience-needs-reboot-experts/">Read and watch</a>]</p>]]></description>
      <link>https://www.rapid7.com/blog/post/it-icymi-rapid7-experts-on-experts-season-one-roundup</link>
      <guid isPermaLink="false">bltff3951b3a6ffa11e</guid>
      <category><![CDATA[Podcast]]></category>
      <category><![CDATA[Artificial Intelligence]]></category>
      <category><![CDATA[Ransomware]]></category>
      <category><![CDATA[Security Operations (SOC)]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Emma Burdett]]></dc:creator>
      <pubDate>Tue, 03 Feb 2026 14:23:34 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf8317b2e5bfec732/68adbeaa4f9d3d04bd8228e9/experts-on-experts.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 MDR Integrates Microsoft Defender Signals to Create Tangible Security Outcomes]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Organizations increasingly rely on </span><a href="https://www.rapid7.com/blog/post/pt-rapid7-partner-mdr-for-microsoft/"><span style='font-size: undefined;'>Microsoft</span></a><span style='font-size: undefined;'> as their foundational productivity and security technology provider. As these environments grow in scale and complexity, security leaders are responsible for operationalizing the vast signals traversing their Microsoft stack in order to anticipate and preempt threats. At the same time, those efforts must deliver measurable security outcomes and clear return on investment.</span></p><p style="direction: ltr;">If you’re reading this, you already know what’s at stake. But I’ll say it louder for the folks in the back: As more of your environment consolidates onto Microsoft, the attack surface evolves – and without fully operationalizing that ecosystem, risk grows alongside it.</p><p>We are excited to announce the availability of Rapid7 <a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/microsoft" target="_blank">MDR for Microsoft</a> – a preemptive threat detection, investigation, and response service that brings together Rapid7’s global SOC, our market-leading SIEM technology, and deeper bi-directional Microsoft Defender integrations. The service helps security and IT teams maximize their investments, reduce cost and complexity, respond decisively to threats, and improve their security posture and resilience.</p><h2><span style='color:rgb(67, 67, 67);'>Extend the power of your stack</span></h2><p style="direction: ltr;">Microsoft Defender provides broad visibility across modern environments – from endpoint and identity to cloud and email. 
That visibility puts many organizations on a fine line: for some security teams it means <em>rich, actionable insight</em>; for others, <em>overwhelming signal volume and missed alerts</em>. Rapid7 helps organizations build a clear picture from that rich telemetry by bringing these Microsoft signals together with our native telemetry. And by incorporating exposure and asset risk directly into investigations, our SOC is empowered to anticipate likely breach paths and intervene earlier in the attack lifecycle. Combining your Microsoft security stack with our preemptive MDR ultimately helps you:</p><ul><li style="direction: ltr;"><strong>Anticipate attacks before they start</strong></li><li style="direction: ltr;"><strong>Respond with certainty across the full attack lifecycle</strong></li><li style="direction: ltr;"><strong>Strengthen resilience through partnership</strong></li><li style="direction: ltr;"><p><strong>Get better outcomes from Microsoft - not overhead</strong></p></li></ul><h2><span style='color:rgb(67, 67, 67);'>Capabilities that drive real-world outcomes</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Leaning into Rapid7’s proven record as a leader in managed detection and response, MDR for Microsoft combines powerful AI-SOC technology with expert human service delivery to help Microsoft-centric organizations achieve measurable security outcomes. In </span><a href="https://www.rapid7.com/lp/idc-report-mdr-roi/"><span style='font-size: undefined;'>IDC’s recent Business Value of Rapid7 MDR study</span></a><span style='font-size: undefined;'>, customers achieved a 422% three-year ROI, identified threats 87% faster, and reduced the likelihood of a major security event by 54%. 
MDR for Microsoft delivers these same results through capabilities designed to operationalize and protect Microsoft environments at scale, including:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Risk-aware analysis that stops attacks earlier: </strong></span><span style='font-size: undefined;'>By pairing enterprise vulnerability risk management with analysis of live threat activity, the service preemptively identifies the attack paths most likely to be exploited – empowering efficient analyst evaluation with a clear understanding of underlying asset context.</span></p></li></ul><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Dedicated cybersecurity advisor extends your team: </strong></span><span style='font-size: undefined;'>Your advisor leverages their practitioner experience to provide regular threat briefings, environment-hardening advice, program governance, and health checks – helping drive long-term maturity without adding headcount.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Decisive response backed by deep forensics and unlimited IR:</strong></span><span style='font-size: undefined;'> Remote containment, endpoint forensics powered by our open-source DFIR framework – Velociraptor – and unlimited incident response ensure threats are stopped quickly, and fully investigated and neutralized before our team rests.</span></p></li></ul><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Unlimited log ingestion delivers predictable value</strong></span><span style='font-size: undefined;'>: Remove SIEM cost constraints and ensure complete visibility so investigations are never limited by data volume or surprise overage fees.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>
<strong>Bi-Directional Defender integration that reduces friction: </strong></span><span style='font-size: undefined;'>Endpoint alerts and analyst actions stay synchronized between Rapid7 and Microsoft consoles, keeping systems aligned while laying the foundation for broader integrations across additional Microsoft security vectors.</span></p></li><li><p style="direction: ltr;"><span style='color:rgb(35, 31, 32);font-size: undefined;'><strong>Always-on, expert-led SOC coverage: </strong></span><span style='color:rgb(35, 31, 32);font-size: undefined;'>Our 24x7x365 global SOC continuously monitors and investigates activity across Microsoft and non-Microsoft environments, ensuring threats are identified and acted on as soon as they emerge.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Full transparency into SOC activity and outcomes: </strong></span><span style='font-size: undefined;'>With direct access to the SIEM and investigation workflows, your team can ride sidecar on investigations, run your own queries, upskill internal teams, and clearly see the outcomes being delivered by the Rapid7 SOC over time.</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>Additional value-drivers included in the service are unlimited SOAR automation, standard 13-month data retention with the ability to extend, proactive threat hunting, and AI-assisted investigation workflows, delivering a comprehensive MDR experience that scales with your environment and outpaces attackers.</span></p><h2>Make the most of Microsoft Defender with Rapid7</h2><p style="direction: ltr;"><span style='font-size: undefined;'>As Microsoft continues to serve as the backbone of modern environments, the ability to translate security signals into consistent action becomes increasingly critical. 
MDR for Microsoft is designed to help security leaders move confidently from visibility to outcomes – pairing the strength of Microsoft Defender with Rapid7’s proven expertise, preemptive risk-awareness, and resilience-building capabilities. The result is a security program that not only sees more, but responds faster, operates with greater confidence, and proves its value as environments continue to scale.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>If you’d like to see how MDR for Microsoft can help you operationalize your Microsoft security stack, request a demo or reach out to your Rapid7 account team to continue the conversation.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-microsoft-defender-to-tangible-security-outcomes-with-rapid7-mdr</link>
      <guid isPermaLink="false">blteb95e6746c8a3f62</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Managed Threat Complete]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Wed, 21 Jan 2026 14:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7aefdd21d18d1795/6968e671a251a70008363cbb/Promo-Defender_for_Cloud.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in Rapid7 Products & Services: H2 2025 in Review]]></title>
<description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Over the last six months we’ve delivered significant advancements across the Command Platform and received recognition as a Leader in Exposure Management and Managed Detection and Response (MDR) analyst reports. From launching new AI-driven capabilities - including our new next-gen SIEM, Incident Command - to introducing real-time visibility into organizational risk with enhanced dashboarding, we continued to innovate in ways that support faster, more confident decision making. Explore the highlights of what we’ve been up to below.</span></p><h2>Exposure Management: Prioritize risk across your attack surface</h2><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Rapid7 named a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 was recognized as a Leader in the inaugural 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this reflects our ability to help customers continuously understand, prioritize, and reduce risk across their hybrid environments. Exposure Command brings unified visibility, attacker-aware prioritization, and guided remediation together in one platform, enabling teams to make faster, more confident decisions with validated, business-aligned risk insights. 
Check out our recent blog post to </span><a href="https://www.rapid7.com/blog/post/em-rapid7-leader-2025-gartner-exposure-assessment-platform-magic-quadrant-mq-eap/"><span style='font-size: undefined;'>learn more</span></a><span style='font-size: undefined;'>.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Remediate vulnerabilities faster with AI-generated Risk Intelligence</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Prioritizing remediation is difficult when teams are flooded with CVEs and lack actionable context about real-world risk. We introduced AI-generated risk intelligence within Remediation Hub to help teams focus on the vulnerabilities that matter most and drive faster, more consistent risk reduction by distilling exploitability, business impact, toxic combinations, and patchability into clear summaries and guided actions. Check out our recent blog post to </span><a href="https://www.rapid7.com/blog/post/pt-remediate-vulnerabilities-faster-with-ai-generated-risk-intelligence/"><span style='font-size: undefined;'>learn more</span></a><span style='font-size: undefined;'>.</span></p><p>⠀</p><figure style="margin: 0"><div style="display: inline-block"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9ea4d7a4f1edc24a/6952971928be5a622a9f4ffc/Rapid7-AI-Generated-Remediation-Summary-Remediation-Hub.png" height="617" alt="Rapid7-AI-Generated-Remediation-Summary-Remediation-Hub.png" caption="AI-generated Remediation Summary in Remediation Hub" class="embedded-asset" content-type-uid="sys_assets" type="asset" asset-alt="Rapid7-AI-Generated-Remediation-Summary-Remediation-Hub.png" width="791" max-width="791" max-height="617" style="max-width: 791px; width: 791px; max-height: 617px; height: 617px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9ea4d7a4f1edc24a/6952971928be5a622a9f4ffc/Rapid7-AI-Generated-Remediation-Summary-Remediation-Hub.png" 
data-sys-asset-uid="blt9ea4d7a4f1edc24a" data-sys-asset-filename="Rapid7-AI-Generated-Remediation-Summary-Remediation-Hub.png" data-sys-asset-contenttype="image/png" data-sys-asset-caption="AI-generated Remediation Summary in Remediation Hub" data-sys-asset-alt="Rapid7-AI-Generated-Remediation-Summary-Remediation-Hub.png" data-sys-asset-position="none" sys-style-type="display"/><figcaption style="text-align:center">AI-generated Remediation Summary in Remediation Hub</figcaption></div></figure><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Gain real-time visibility and communicate progress with the Exposure Management Dashboard</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>To effectively plan, track, and communicate exposure reduction, teams need a clear, real-time view of their security posture. The new Exposure Management Dashboard provides this view with an at-a-glance snapshot of asset coverage, exposure trends, and remediation progress — ideal for quarterly planning cycles and board-level reporting. Exportable views make it easy to justify investment decisions, demonstrate measurable improvements, and show how tool consolidation is strengthening your security program. 
Learn more in our </span><a href="https://www.rapid7.com/blog/post/whats-new-in-exposure-management-at-rapid7-q3-2025/"><span style='font-size: undefined;'>recent blog</span></a><span style='font-size: undefined;'>.</span></p><p>⠀</p><figure style="margin: 0"><div style="display: inline-block"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6565808b8d4717a1/695297191e351c2be5197209/Rapid7-Exposure-Management-Dashboard.png" height="832" alt="Rapid7-Exposure-Management-Dashboard.png" caption="Exposure Management Dashboard, built to give you a real-time view of organizational risk" class="embedded-asset" content-type-uid="sys_assets" type="asset" asset-alt="Rapid7-Exposure-Management-Dashboard.png" width="794" max-width="794" max-height="832" style="max-width: 794px; width: 794px; max-height: 832px; height: 832px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6565808b8d4717a1/695297191e351c2be5197209/Rapid7-Exposure-Management-Dashboard.png" data-sys-asset-uid="blt6565808b8d4717a1" data-sys-asset-filename="Rapid7-Exposure-Management-Dashboard.png" data-sys-asset-contenttype="image/png" data-sys-asset-caption="Exposure Management Dashboard, built to give you a real-time view of organizational risk" data-sys-asset-alt="Rapid7-Exposure-Management-Dashboard.png" data-sys-asset-position="none" sys-style-type="display"/><figcaption style="text-align:center">Exposure Management Dashboard, built to give you a real-time view of organizational risk</figcaption></div></figure><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Validate real cloud exposures with Public Exposure Validation</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>When cloud configurations drift or controls degrade, it’s critical to know which assets are actually exposed to the public internet. 
Public Exposure Validation confirms externally reachable cloud resources using real external scans, reducing noise and eliminating theoretical findings.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Teams gain clearer visibility into true attack paths, shorten investigation cycles, and validate that remediation efforts are closing real gaps. This strengthens their posture with evidence, not assumptions. Learn more in our </span><a href="https://www.rapid7.com/blog/post/whats-new-in-exposure-management-at-rapid7-q3-2025/"><span style='font-size: undefined;'>recent blog</span></a><span style='font-size: undefined;'>.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Keep external visibility accurate with Dynamic EASM Discovery</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Accurate external discovery depends on seeds that reflect what’s truly exposed. But static seed lists can quickly become outdated. Dynamic EASM Discovery continuously pulls domains and public IP ranges from authoritative sources such as MarkMonitor, NetBox, and Rapid7 AppSec, ensuring your discovery scope stays current without manual upkeep.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This eliminates blind spots, keeps external inventories aligned with real-world change, and strengthens CTEM outcomes by grounding scope, discovery, and prioritization in real-time data rather than spreadsheets. 
See our recent blog on Dynamic EASM Discovery to </span><a href="https://www.rapid7.com/blog/post/pt-dynamic-easm-discovery-continuous-discovery-for-a-changing-attack-surface/"><span style='font-size: undefined;'>learn more</span></a><span style='font-size: undefined;'>.</span></p><h2>Detection and Response: Transform your SOC operations</h2><h3><span style='color:rgb(67, 67, 67);font-size: undefined;'>Rapid7 named a Leader in the 2025 Frost Radar™ for Managed Detection and Response</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>In addition to being named a </span><a href="https://www.rapid7.com/blog/post/em-rapid7-leader-2025-gartner-exposure-assessment-platform-magic-quadrant-mq-eap/"><span style='font-size: undefined;'>Leader in Exposure Assessment</span></a><span style='font-size: undefined;'>, we’re proud to share that we have also received this recognition for Managed Detection and Response with Frost & Sullivan recognizing</span><span style='font-size: undefined;'><strong> Rapid7 as a</strong></span><span style='font-size: undefined;'> </span><span style='font-size: undefined;'><strong>Leader in the 2025 Frost Radar™ for MDR</strong></span><span style='font-size: undefined;'>, based on innovation and growth in a field of 120 evaluated vendors. 
The report highlights:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s AI-driven triage accuracy of 99.93%, which helps security teams close benign alerts and reclaim 200+ SOC hours per week</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Our unified platform combining MDR with exposure management, threat hunting, and active remediation</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>180+ third-party integrations across endpoint, network, cloud, and identity</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>This recognition reinforces Rapid7’s commitment to proactive, outcome-driven security and delivering continuous innovation, transparent AI, and measurable value to customers. </span><a href="https://www.rapid7.com/blog/post/rapid7-recognized-as-a-leader-in-the-2025-frost-radar-for-managed-detection-and-response/"><span style='font-size: undefined;'>Learn more</span></a><span style='font-size: undefined;'>.</span></p><h3><span style='color:rgb(67, 67, 67);font-size: undefined;'>IDC publishes its Business Value of Rapid7 MDR Study</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>IDC recently published its Business Value of Rapid7 MDR study, highlighting how customers can achieve a 422% three-year ROI, a 5-month payback period, and an impressive range of additional security outcomes delivered through Rapid7 Managed Detection and Response. The study found that Rapid7 MDR significantly reduced the chances of major security incidents and improved the speed to identify threats for customers – translating to both risk reduction and cost savings. 
Learn more about the study in our </span><a href="https://www.rapid7.com/blog/post/dr-organizations-achieving-422-percent-roi-with-rapid7-mdr/"><span style='font-size: undefined;'>blog</span></a><span style='font-size: undefined;'> or download the </span><a href="https://www.rapid7.com/lp/idc-report-mdr-roi/"><span style='font-size: undefined;'>full report</span></a><span style='font-size: undefined;'>.</span></p><h3><span style='color:rgb(67, 67, 67);font-size: undefined;'>New third-party event sources available for Rapid7 SOC management</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>For organizations to stay secure, they need visibility across their entire attack surface. With recent third-party event source expansions, our Rapid7 SOC can now manage </span><span style='font-size: undefined;'><strong>PAN Cortex XDR</strong></span><span style='font-size: undefined;'>, </span><span style='font-size: undefined;'><strong>Okta Identity, and Google Security Command Center</strong></span><span style='font-size: undefined;'> alerts as a part of our MDR and Managed Threat Complete offerings. This reinforces our defense-in-depth approach, in which Rapid7 collects, correlates, and maps native and third-party telemetry to the MITRE ATT&CK framework, providing expanded visibility and greater protection across your entire attack surface. Learn more about SOC-supported third-party event sources </span><a href="https://docs.rapid7.com/services/mdr-supported-third-party-security-tools/"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'>.</span></p><h3><span style='color:rgb(67, 67, 67);font-size: undefined;'>Introducing Incident Command</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>In July we announced our new AI-powered, next-gen SIEM, Incident Command. 
Designed to transform how security teams manage investigations and response, Incident Command automates manual tasks and guides analysts through complex workflows — accelerating triage, providing real-time recommended actions, and unifying critical context across alerts and incidents. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Backed by generative AI, our next-gen SIEM helps teams reduce mean time to respond (MTTR), improve consistency, and scale security operations without adding headcount. Learn more about what Incident Command can do for your team </span><a href="https://www.rapid7.com/products/siem/"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'>.</span></p><p>⠀</p><figure style="margin: 0"><div style="display: inline-block"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf298a4c165446fcd/69529719c52b645a31e0f59f/Rapid7-Incident-Command-Home-Page.png" height="538" alt="Rapid7-Incident-Command-Home-Page.png" caption="The Incident Command Home Page brings critical SOC analyst tools together into a singular, actionable view" class="embedded-asset" content-type-uid="sys_assets" type="asset" asset-alt="Rapid7-Incident-Command-Home-Page.png" width="759" max-width="759" max-height="538" style="max-width: 759px; width: 759px; max-height: 538px; height: 538px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf298a4c165446fcd/69529719c52b645a31e0f59f/Rapid7-Incident-Command-Home-Page.png" data-sys-asset-uid="bltf298a4c165446fcd" data-sys-asset-filename="Rapid7-Incident-Command-Home-Page.png" data-sys-asset-contenttype="image/png" data-sys-asset-caption="The Incident Command Home Page brings critical SOC analyst tools together into a singular, actionable view" data-sys-asset-alt="Rapid7-Incident-Command-Home-Page.png" data-sys-asset-position="none" sys-style-type="display"/><figcaption style="text-align:center">The Incident Command 
Home Page brings critical SOC analyst tools together into a singular, actionable view</figcaption></div></figure><h3><span style='color:rgb(67, 67, 67);font-size: undefined;'>Rapid7 recognized for the 7th consecutive year in Gartner® Magic Quadrant™ for SIEM</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 has been recognized in the </span><span style='font-size: undefined;'><em>2025 Gartner</em></span><span style='font-size: undefined;'><sup>®</sup></span><span style='font-size: undefined;'><em> Magic Quadrant™ for Security Information and Event Management (SIEM)</em></span><span style='font-size: undefined;'>, proof of our continued focus on helping security teams work smarter, respond faster, and stay ahead of evolving threats. This year’s report explores how SIEMs are transforming to meet the demands of modern, hybrid environments with greater automation, stronger analytics, and improved efficiency across security operations. We believe our inclusion underscores our commitment to delivering speed, transparency, and extensibility with our next-gen SIEM. </span><a href="https://www.rapid7.com/lp/gartner-report-2025-siem-magic-quadrant"><span style='font-size: undefined;'>Read the report</span></a><span style='font-size: undefined;'> for more insights.</span></p><h2>InsightGovCloud: Trusted security for federal agencies</h2><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Rapid7 achieves FedRAMP authorization for InsightGovCloud platform</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Our achievement of FedRAMP Authorization to Operate (ATO) underscores our commitment to delivering secure, trusted cloud security solutions for federal agencies. 
The InsightGovCloud Platform provides government customers with vetted capabilities for vulnerability management, cloud security posture, and threat detection, meeting the rigorous standards required to protect sensitive federal environments, while enabling faster, more efficient security operations. </span><a href="https://www.rapid7.com/solutions/compliance/fedramp/"><span style='font-size: undefined;'>Learn more</span></a><span style='font-size: undefined;'>.</span></p><h2>Rapid7 Labs: Uplevel your defenses with our latest cybersecurity intelligence and research findings</h2><h3><span style='color:rgb(67, 67, 67);'>New research: Q3 2025 Threat Landscape Report</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Our Threat Landscape Report provides an analysis of global adversary behavior drawn from Rapid7’s MDR operations, vulnerability intelligence, and threat research. Our latest Q3 2025 report outlines key trends that are shaping today’s threat environment - including AI-assisted attacks and the rapid operationalization of new vulnerabilities - offering clear guidance to help security teams anticipate emerging risks and strengthen defenses in an increasingly fast-evolving landscape. Read the report </span><a href="https://www.rapid7.com/research/report/threat-landscape-report-2025-q3/"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'>.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Emergent threat response: Real-time guidance for critical threats</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s Emergent Threat Response (ETR) program from </span><a href="https://www.rapid7.com/research/"><span style='font-size: undefined;'>Rapid7 Labs</span></a><span style='font-size: undefined;'> delivers fast, expert analysis and first-rate security content for the highest-priority security threats. 
In H2 2025, Rapid7’s ETR team provided expert analysis, content, and mitigation guidance for a variety of notable vulnerabilities, including:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/blog/post/etr-cve-2025-37164-critical-unauthenticated-rce-affecting-hewlett-packard-enterprise-oneview/"><span style='font-size: undefined;'>CVE-2025-37164</span></a><span style='font-size: undefined;'>: Critical unauthenticated RCE affecting Hewlett Packard Enterprise OneView </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/blog/post/etr-critical-vulnerabilities-in-fortinet-cve-2025-59718-cve-2025-59719-exploited-in-the-wild/"><span style='font-size: undefined;'>CVE-2025-59718 and CVE-2025-59719</span></a><span style='font-size: undefined;'>: Critical vulnerabilities in Fortinet exploited in the wild </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/blog/post/etr-react2shell-cve-2025-55182-critical-unauthenticated-rce-affecting-react-server-components/"><span style='font-size: undefined;'>CVE-2025-55182 (React2Shell)</span></a><span style='font-size: undefined;'>: Critical unauthenticated RCE affecting React Server Components</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/"><span style='font-size: undefined;'>CVE-2025-64446</span></a><span style='font-size: undefined;'>: Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/blog/post/etr-cve-2025-20333-cve-2025-20362-cve-2025-20363-multiple-critical-vulnerabilities-affecting-cisco-products/"><span style='font-size: undefined;'>CVE-2025-20333, CVE-2025-20362, CVE-2025-20363</span></a><span style='font-size: undefined;'>: 
Multiple critical vulnerabilities affecting Cisco products </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/blog/post/etr-cve-2025-10035-critical-unauthenticated-rce-in-goanywhere-mft/"><span style='font-size: undefined;'>CVE-2025-10035</span></a><span style='font-size: undefined;'>: Critical unauthenticated RCE in GoAnywhere MFT </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/"><span style='font-size: undefined;'>CVE-2025-53770</span></a><span style='font-size: undefined;'>: Zero-day exploitation in the wild of Microsoft SharePoint servers </span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>Follow along </span><a href="https://www.rapid7.com/blog/tag/emergent-threat-response/"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'> to see the latest emergent threat guidance from our team.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Technical assessments of CVEs in AttackerKB</span></h3><p>Rapid7 researchers also publish additional vulnerability assessments in <a href="https://attackerkb.com/"><span style='font-size: undefined;'>AttackerKB</span></a> to help customers and the community understand and prioritize notable CVEs. 
Notable contributions from the second half of 2025 include: </p><ul><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://attackerkb.com/topics/Szq5u0xgUX/cve-2025-20362/rapid7-analysis"><span style='font-size: undefined;'>CVE-2025-20362 and CVE-2025-20333</span></a><span style='font-size: undefined;'> - Cisco ASA unauthenticated RCE chain</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://attackerkb.com/topics/LbA9ANjcdz/cve-2025-10035/rapid7-analysis"><span style='font-size: undefined;'>CVE-2025-10035</span></a><span style='font-size: undefined;'> - Fortra GoAnywhere MFT unauthenticated RCE</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://attackerkb.com/topics/zClpINmLCh/cve-2025-58034/rapid7-analysis"><span style='font-size: undefined;'>CVE-2025-58034</span></a><span style='font-size: undefined;'> - Fortinet FortiWeb command injection</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://attackerkb.com/topics/5C4wRy6hY7/cve-2025-12480/rapid7-analysis"><span style='font-size: undefined;'>CVE-2025-12480</span></a><span style='font-size: undefined;'> - Gladinet CentreStack RCE via access control bypass</span></p></li></ul><h2>Stay tuned for more!</h2><p><span style='font-size: undefined;'>As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our </span><a href="https://www.rapid7.com/blog/"><span style='font-size: undefined;'>blog</span></a><span style='font-size: undefined;'> and </span><a href="https://docs.rapid7.com/release-notes/"><span style='font-size: undefined;'>release notes</span></a><span style='font-size: undefined;'> as we continue to highlight the latest in product and service investments at Rapid7.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-whats-new-rapid7-products-services-h2-2025-review-mdr-siem-eap</link>
      <guid isPermaLink="false">blt3a197591d9201f3b</guid>
      <category><![CDATA[Product Updates]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Exposure Command]]></category><dc:creator><![CDATA[Margaret Wei]]></dc:creator>
      <pubDate>Mon, 29 Dec 2025 14:57:48 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt09a532eac4a02570/6852c5968e72c44b89691ca4/PSN-gov-showcase-hero-image-2.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Protecting What Powers Business: Rapid7 and Microsoft Partner to Simplify Security]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Across industries, Microsoft is everywhere. It powers productivity, collaboration, and security through Defender, Sentinel, Entra, and the broader Microsoft ecosystem that underpins how modern organizations operate.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>As organizations deepen their Microsoft investments, there’s an even greater opportunity to strengthen and simplify threat detection and response. Microsoft delivers powerful visibility and security insights across user identities, endpoints, and cloud workloads, but security teams often need help bringing those capabilities together with the rest of their environment to ensure that data, detections, and decisions that drive their threat detection and response program align seamlessly. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That’s where Rapid7 comes in.</span></p><h2><span style='font-size: undefined;'>A shared vision for simplified, unified security</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>We’re excited to announce the launch of an expanded partnership between Rapid7 and Microsoft, focused on helping organizations fully realize the potential of their Microsoft security investments. Together, we’re building a unified approach to threat detection and response that combines Microsoft’s ecosystem and scale with Rapid7’s AI-native security operations platform and decades of SOC expertise.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>Our shared goal: help customers protect their businesses with clarity, speed, and confidence.</em></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>For many organizations, Microsoft is the backbone of their IT and security programs. But it’s only one part of a larger, interconnected environment. 
Security leaders need a way to bring Microsoft Defender, Sentinel, and Entra data into context with the rest of their infrastructure, cloud, and SaaS investments. Rapid7 helps make that possible by connecting Microsoft’s advanced telemetry and analytics with broader visibility and context into all security data, automation, and 24/7 expert-led managed operations.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We’ve long incorporated deep Microsoft visibility across the Command Platform, integrating with tools across different use cases, such as attack surface management, exposure management, cloud security, and application security. This foundation already allows us to correlate insights across on-premises and cloud environments, including Active Directory, Azure, and Microsoft 365 – providing outcomes across endpoints, workloads, and applications. These capabilities unify context from more than a dozen different Microsoft and Azure tools, giving customers a complete picture of risk across their environment. 
</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This partnership combines Microsoft Defender’s signal depth with Rapid7’s threat intelligence, automation, and human-led operations to deliver complete visibility and coordinated response across your environment – from Microsoft to everything it touches.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This means:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Unified security operations managed for you:</strong></span><span style='font-size: undefined;'> Rapid7 delivers 24x7 monitoring, investigation, and response across Microsoft and non-Microsoft environments, combining Defender insights with our own detection and response workflows to act quickly on what matters most.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Faster, smarter response</strong></span><span style='font-size: undefined;'>: AI-driven correlation and human-led expertise reduce alert noise and accelerate containment when threats arise.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Simplified, predictable operations:</strong></span><span style='font-size: undefined;'> Our managed detection and response (MDR) service removes ingestion complexity so you can focus on security outcomes.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Transparency and trust:</strong></span><span style='font-size: undefined;'> Built in through seamless integration with the Microsoft consoles security teams already use.</span></p></li></ul><h2><span style='font-size: undefined;'>A foundation for what’s next</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Over the coming months, we'll introduce new capabilities 
that make it easier for customers to operationalize Microsoft security within the Rapid7 ecosystem, including unified MDR coverage across the Defender products that protect the key vectors of endpoint, identity, cloud, and email.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>These enhancements will enable organizations to not only respond to Microsoft-based threats faster but also proactively reduce risk across their entire environment through unified detection, investigation, and response.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We’re excited for this next step in advancing our MDR services to meet Microsoft customers where they are and maximize their investments with comprehensive visibility, faster response, and measurable security outcomes.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We’ll be releasing more information soon. In the meantime, learn more about Rapid7’s leading MDR service </span><a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'>.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-rapid7-partner-mdr-for-microsoft</link>
      <guid isPermaLink="false">blta30f0aad52ee6d2e</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Mon, 10 Nov 2025 14:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt30cad4cead79d2d3/6846a7113860835cfa35e65d/surface-command.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[MDR ROI, Proven Outcomes, and What Security Leaders Need to Ask For]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Cybersecurity ROI is notoriously difficult to define, but not impossible.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In this </span><span style='font-size: undefined;'><em>Experts on Experts: Commanding Perspectives</em></span><span style='font-size: undefined;'> </span><a href="https://youtu.be/kCf8Bxy3yXE" target="_blank"><span style='font-size: undefined;'>episode</span></a><span style='font-size: undefined;'>, Craig Adams chats with Steve Edwards, Director of Threat Intelligence & Detection Engineering, about what customers really get from Rapid7 MDR and how to think more clearly about value.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>They cut through buzzwords and talk real-world outcomes: </span><span style='font-size: undefined;'><strong>visibility, consolidation, faster response, and trust.</strong></span></p><h3>What ROI <em>really</em> looks like</h3><p style="direction: ltr;"><span style='font-size: undefined;'>As Steve explains, the ROI conversation starts with confidence. Once customers know they can trust the MDR team to cut through noise and take action, the benefits snowball from reduced false positives, to better visibility and smarter spend.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The</span><a href="https://www.rapid7.com/lp/idc-report-mdr-roi/"><span style='font-size: undefined;'> IDC study </span></a><span style='font-size: undefined;'>highlighted a 422% ROI over three years. But the real signal is what teams can do with the time and clarity they gain.</span></p><p style="direction: ltr;">To bring these numbers into your own context, you can use the Rapid7 MDR ROI Calculator - simply plug in your own parameters and apply IDC’s methodology to estimate your unique return. 
<a href="https://mdr-value-tool.rapid7.com/?utm_campaign=global-mdr-expert-on-experts-prospect-eng-nom-25&amp;utm_medium=website&amp;utm_source=blog&amp;utm_content=launch-blog" target="_self">Try the ROI Calculator!</a></p><h3>Telemetry without tradeoffs</h3><p style="direction: ltr;"><span style='font-size: undefined;'>Craig and Steve also dig into one of the biggest detection challenges today: partial visibility. Many organizations still pay by the log, creating disincentives for full data ingestion. MDR’s all-in access model helps customers detect threats earlier and act faster, without needing to triage upstream data decisions.</span></p><h3>MITRE mapping makes it click</h3><p style="direction: ltr;"><span style='font-size: undefined;'>One of the most actionable insights? MITRE mapping. Steve talks about how customers are using visual coverage data to pinpoint gaps and prioritize onboarding new technology or building compensating controls.</span></p><h3 style="direction: ltr;">No-cap incident response</h3><p style="direction: ltr;"><span style='font-size: undefined;'>They also walk through what happens during the first 24-48 hours of an incident, and why having no cap on IR hours means Rapid7 can stay involved from containment to eradication.</span></p><p style="direction: ltr;">Ready to dive in? 
<span style='font-size: undefined;'>Watch the full episode below, then check out </span><a href="https://www.rapid7.com/lp/idc-report-mdr-roi/"><strong>Rapid7's full ROI analysis</strong></a><span style='font-size: undefined;'>:</span></p><p><strong>Missed our earlier episodes?</strong><br/>Catch up on <em>Episode 1</em> with Laura Ellis on agentic AI and system governance <a href="https://www.rapid7.com/blog/post/what-happens-when-agentic-ais-talk-to-each-other/" target="_self">here</a>, <em>Episode 2</em> with Jon Hencinski on MDR strategy and SOC readiness <a href="https://www.rapid7.com/blog/post/it-staying-ahead-of-attackers-what-soc-teams-are-doing-differently-in-2025/" target="_self">here</a>, and <em>Episode 3</em> with Raj Samani on cybercrime-as-a-service <a href="https://www.rapid7.com/blog/post/it-the-business-of-cybercrime-raj-samani-on-access-ransomware-and-what-comes-next/" target="_self">here</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/it-mdr-roi-what-security-leaders-need-to-ask-for</link>
      <guid isPermaLink="false">blt856ed0a7c1058428</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[MITRE ATT&CK]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Thu, 06 Nov 2025 13:55:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf8317b2e5bfec732/68adbeaa4f9d3d04bd8228e9/experts-on-experts.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[4 Takeaways from the 2025 Gartner® Market Guide for Managed Detection and Response]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>The </span><a href="/lp/gartner-market-guide-for-mdr-2025/" target="_self"><span style='font-size: undefined;'>2025 Gartner® Market Guide for Managed Detection and Response Services</span></a><span style='font-size: undefined;'> comes at a pivotal moment - buyers now expect MDR providers not just to detect and respond, but to reduce exposure, integrate seamlessly, and scale with modern architectures. Below are four lessons we believe are most relevant, and how Rapid7 has aligned to address (and exceed) them.</span></p><h2><span style='font-size: undefined;'>1. Exposure detection is gaining ground</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Gartner® projects that by 2028, 50% of MDR findings will include threat exposures, up from ~20% today.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We believe this reflects an important shift in how MDR services are expected to operate: helping teams identify not just threats in progress, but the conditions that make those threats possible. At Rapid7, our MDR service is purpose-built to include vulnerability and risk management for a holistic view of your security posture, reducing risk while we keep eyes on your environment 24/7, investigate threats, and keep your environment safe. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>As demand for exposure-aware MDR continues to grow, we’re committed to giving security teams more ways to see and reduce risk before it becomes an active incident.</span></p><h2><span style='font-size: undefined;'>2. 
AI = Assistance, not autonomy</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>While automation is increasingly table stakes, Gartner® emphasizes </span><a href="/fundamentals/what-is-managed-detection-and-response-mdr/" target="_self"><span style='font-size: undefined;'>MDR</span></a><span style='font-size: undefined;'> must remain human-led. AI should support, not replace, skilled analysts.</span><br/><span style='font-size: undefined;'>We believe our Agentic AI model strikes the right balance - enriching alerts, drafting response paths, and filtering noise, while keeping analysts in the driver’s seat. Our global SOC validates workflows as they investigate to ensure precision, transparency, and trust.</span></p><h2><span style='font-size: undefined;'>3. Identity, SaaS & Cloud are the new battlegrounds</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>MDR must now extend far beyond endpoints. According to Gartner®, effective detection and response increasingly require visibility across Infrastructure as a Service (IaaS) platforms (such as AWS and Microsoft Azure), Software as a Service (SaaS) environments (like Microsoft 365 and Google Workspace), and identity systems that manage access across both.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>At Rapid7, </span><a href="/services/managed-detection-and-response-mdr/" target="_self"><span style='font-size: undefined;'>our MDR service</span></a><span style='font-size: undefined;'> is built with this in mind. Our Command Platform and Insight Agent provide visibility across cloud workloads, identity activity, access pipelines, and hybrid environments, with added support for the 3rd party security tools teams rely on, helping them detect and disrupt attacks before they escalate.</span></p><h2><span style='font-size: undefined;'>4. 
MDR must be outcome-driven, not alert-driven</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>We feel Gartner® makes it clear: detection alone isn’t enough. The real value of MDR lies in the business outcomes it drives - threat containment, exposure reduction, and measurable time savings.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We believe outcome-driven MDR means more than just surfacing alerts. It means seeing issues through to resolution, with workflows that triage, prioritize, and trigger action. At Rapid7, we embed this principle across our MDR service, with built-in remediation support, unlimited DFIR, and SOC-led hardening and mitigation guidance that gets results, not just data.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>It’s not about the number of alerts. It's about keeping your business and customers protected from today’s sophisticated breaches.</span></p><h2><span style='font-size: undefined;'>Raising the bar for MDR</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>The MDR market is maturing and with it, so are buyer expectations. According to Gartner®, outcome-driven response is no longer a differentiator, it’s the baseline.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We believe Rapid7 is already delivering on this evolution: combining 24/7 human-led coverage, exposure-aware investigation, and automated workflows that move security teams from overwhelmed to empowered. 
It's not just about responding to threats - it’s about reducing them before they impact your business.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Download the full </span><a href="https://www.rapid7.com/lp/gartner-market-guide-for-mdr-2025/" target="_blank"><span style='font-size: undefined;'>Gartner® Market Guide</span></a><span style='font-size: undefined;'> to explore where MDR is headed next, and how Rapid7 helps you stay ahead.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>Gartner, Market Guide for Managed Detection and Response Services, Pete Shoard, Andrew Davies, Angel Berrios, 1 October 2025.</em></span></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.</em></span></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.</em></span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-2025-gartner-market-guide-for-mdr-takeaways</link>
      <guid isPermaLink="false">blt9ec3e286de532cbc</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Emma Burdett]]></dc:creator>
      <pubDate>Mon, 03 Nov 2025 13:56:08 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2bb01d44bc984b5f/68efa6dac2504e2d2b200e2c/Card-SIEM-Gartner-Report.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[The business value of MDR: Why organizations are achieving 422% ROI with Rapid7]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Security teams are facing a familiar challenge: costs rise, tools multiply, but the results don’t inspire confidence. The issue is not a lack of effort. The growing complexity of the attack surface makes it harder to stay ahead of attackers and demonstrate value to the business. </span><a href="/services/managed-detection-and-response-mdr/" target="_self"><span style='font-size: undefined;'>Rapid7 Managed Detection and Response</span></a><span style='font-size: undefined;'> (MDR) is designed to change that equation. In a </span><a href="/lp/idc-report-mdr-roi/" target="_blank"><span style='font-size: undefined;'>new whitepaper</span></a><span style='font-size: undefined;'> from IDC, Rapid7 MDR was shown to improve both security and business outcomes. </span></p><h2 style="direction: ltr;">Confidence by the numbers</h2><p style="direction: ltr;"><span style='font-size: undefined;'>IDC spoke with organizations in industries ranging from healthcare to energy about their experience with Rapid7 MDR. On average, each organization realized $2.19 million in annual benefits. Over three years, the return on investment reached 422%, and the service paid for itself in just five months. These gains weren’t merely hypothetical. They reflect avoided downtime from ransomware, reductions in major security events, and tangible improvements in efficiency. Security teams reported productivity increases of nearly 50%, the equivalent of almost seven full-time employees. Many also reduced their tool spend by more than half by consolidating vendors under the MDR program.</span></p><h2 style="direction: ltr;">Simplifying security without sacrificing outcomes</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Traditional security operations centers often struggle with fragmented tools, manual workflows, and a lack of around-the-clock expertise. 
These inefficiencies leave teams chasing alerts rather than driving strategy. Rapid7 MDR solves these problems. Organizations gain continuous coverage from global SOC experts who detect, validate, contain, and remediate threats across attack vectors including endpoints, cloud environments, and on-premises systems. The service combines AI-driven detection with human-led investigation, ensuring accuracy while reducing the noise that drains security resources. Integrated exposure management brings business context into the equation, helping teams focus on the vulnerabilities and risks that truly matter. And with unlimited data ingestion providing predictable pricing, the service scales with the business instead of surprising it with hidden costs.</span></p><h2 style="direction: ltr;">What customers are saying</h2><p style="direction: ltr;"><span style='font-size: undefined;'>The most compelling evidence often comes directly from the people using the service. One IDC respondent described Rapid7 MDR as easy to deploy with the 24/7 coverage being a key differentiator. They also pointed to Rapid7’s multiple integrated solutions which allow small teams to punch above their weight. Another highlighted the business continuity benefits: </span><span style='font-size: undefined;'><em>“We’ve prevented cyberattacks with Rapid7. For us, it’s all about business continuity. Downtime could cost millions per day — that’s the biggest benefit.”</em></span></p><h2 style="direction: ltr;">Security as a business enabler</h2><p style="direction: ltr;"><span style='font-size: undefined;'>While the immediate benefits of </span><a href="/fundamentals/what-is-managed-detection-and-response-mdr/" target="_self"><span style='font-size: undefined;'>MDR</span></a><span style='font-size: undefined;'> are clear in terms of reduced incidents and faster response, many organizations pointed to an equally important outcome: the freedom for their teams to focus on higher-value work. 
With threat triage and containment handled by Rapid7 experts, internal staff can direct their attention to governance, compliance, and innovation. This alignment with business priorities strengthens resilience and positions security as a driver of growth, rather than a drag on resources.</span></p><h2 style="direction: ltr;">Unmatched value</h2><p style="direction: ltr;"><span style='font-size: undefined;'>IDC’s research makes the case that Rapid7 MDR is more than a managed service: it’s a strategic investment. By cutting through complexity, preventing costly incidents, and delivering measurable ROI, it helps organizations turn security into a business advantage. With a five-month payback and a 422% return over three years, Rapid7 MDR provides the clarity, confidence, and impact that security leaders need to both protect and enable their organizations.</span></p><p style="direction: ltr;"><a href="/lp/idc-report-mdr-roi/" target="_self"><span style='font-size: undefined;'>Click here to download the whitepaper.</span></a></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-organizations-achieving-422-percent-roi-with-rapid7-mdr</link>
      <guid isPermaLink="false">blt70f5ed1d73feef6b</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Security Operations (SOC)]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Wed, 22 Oct 2025 18:26:15 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta809839b5e85a322/6900d7cd5c420bab5d5dd9e8/2025-idc-roi-report.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7: 7 years of recognition in Gartner® Magic Quadrant™ for SIEM]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>We’re proud to share that Rapid7 has been recognized in the </span><a href="https://www.rapid7.com/lp/gartner-report-2025-siem-magic-quadrant/" target="_blank"><span style='font-size: undefined;'>2025 Gartner Magic Quadrant for Security Information and Event Management (SIEM)</span></a><span style='font-size: undefined;'>. This is the seventh year we have been positioned in this report, which means we’ve been recognized in every report following the launch of our SIEM offering, InsightIDR, in 2016. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Throughout that time, our mission has remained the same: to help security teams detect, investigate, and respond to threats faster and with greater confidence. We feel this continued presence reflects our consistent ability to deliver on that promise and execute on the core outcomes that matter most for security operations teams.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Our understanding is that this year’s report highlights how </span><a href="/products/siem/" target="_self"><span style='font-size: undefined;'>SIEM platforms</span></a><span style='font-size: undefined;'> are evolving to support increasingly hybrid environments, growing data volume, and rising analyst expectations and customizations - a direction we believe aligns closely with the evolution of the Rapid7 Command Platform.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s SIEM is built for the realities of today’s threat landscape: hybrid environments, alert fatigue, and chronic resource constraints. 
Designed with the practitioner in mind, our solution combines powerful detections, intuitive investigation workflows, and automation to help SOC teams focus on what matters most.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>We believe this year’s evaluation reflects our ongoing focus on delivering real-time detection, streamlined investigations, and SOC-level outcomes that are accessible to teams of all sizes and maturity levels.</em></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We’ve made role-specific flexibility a core part of our product strategy, adding improved support for detection engineering, reusable rule logic, and easier dashboard and reporting customization. We continue to invest in product integration, analyst experience, and automation. Our SIEM integrates tightly with other Command Platform solutions including exposure management, cloud security, automation, and application security, helping customers consolidate insights and respond faster.</span></p><h2 style="direction: ltr;">Why we believe Rapid7 was recognized</h2><p style="direction: ltr;"><span style='font-size: undefined;'>We’re proud of several key strengths that evaluations recognize, as they’re foundational to how we build and evolve our SIEM for real-world security teams:</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Our approach to modern SIEM</strong></span><br/><span style='font-size: undefined;'>We’re proud of several capabilities we believe contributed to our inclusion in this year’s Magic Quadrant. 
These reflect how we design, build, and continuously improve our SIEM to meet the needs of real-world security operations teams:</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Purpose-built for different SOC roles</strong></span><br/><span style='font-size: undefined;'>We believe </span><a href="/fundamentals/siem/" target="_self"><span style='font-size: undefined;'>SIEMs</span></a><span style='font-size: undefined;'> should be as adaptable as the teams who use them. That’s why we’ve focused on role-specific customization, making it easier for analysts, engineers, and detection content owners to build dashboards, tune rules, and tailor workflows based on what matters most to them.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Cloud-native and built to scale</strong></span><br/><span style='font-size: undefined;'>Our SIEM is delivered as part of our Command Platform, a SaaS-native architecture designed to scale with you. Whether you're centralizing logs, automating threat detection, or investigating across environments, we believe our platform’s flexibility makes it easy to grow without added complexity.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Driven by frontline insight</strong></span><br/><span style='font-size: undefined;'>Our own global MDR team uses our SIEM every day to protect thousands of organizations. 
This means our features are continuously informed by real attacks, validated in live SOC environments, and refined to reduce noise, accelerate triage, and drive clearer response.</span></p><h2 style="direction: ltr;">What’s happened since the evaluation</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Since the evaluation period, we’ve delivered several major advancements across our SIEM solution and the broader Command Platform, including:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>AI Triage:</strong></span><span style='font-size: undefined;'> Our AI-driven triage engine now filters and classifies alerts with 99.93% accuracy, enabling analysts to focus on what matters most.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Agentic AI for investigation workflows:</strong></span><span style='font-size: undefined;'> As part of our new Incident Command offering, analysts can now accelerate investigations with step-by-step AI guidance, built natively into the SIEM workflow.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>AI-powered log search:</strong></span><span style='font-size: undefined;'> Threat hunting at scale, now simplified through natural language queries, removing the need for more complex syntax writing.</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>These updates are part of our broader mission to bring precision, automation, and scale to modern SOC teams, whether you're a three-person shop or an enterprise-wide operation.</span></p><h2 style="direction: ltr;">What’s next: enter Incident Command</h2><p style="direction: ltr;"><span style='font-size: undefined;'>With the recent launch of Incident Command, the next evolution of our SIEM platform, we are building on the strong foundations provided by 
InsightIDR to provide our customers with the AI-enhanced detections, triage and investigations they need to meet the scale and velocity of modern attacks. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We are continuing to unify threat detection and response with exposure and attack surface management to help our customers feel confident in their understanding of their attack and detection coverage.</span></p><p style="direction: ltr;"><em>Gartner® Magic Quadrant for Security Information and Event Management, Andrew Davies, Eric Ahlm, Angel Berrios, Darren Livingstone, 8 October 2025.</em></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. </em></span></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.</em></span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-rapid7-7-years-of-recognition-in-gartner-magic-quadrant-for-siem</link>
      <guid isPermaLink="false">blt0a99f5d0f6ddc4eb</guid>
      <category><![CDATA[SIEM]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Detection and Response]]></category><dc:creator><![CDATA[Cindy Stanton]]></dc:creator>
      <pubDate>Wed, 15 Oct 2025 16:30:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2bb01d44bc984b5f/68efa6dac2504e2d2b200e2c/Card-SIEM-Gartner-Report.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Identifying and Mitigating Potential Velociraptor Abuse]]></title>
      <description><![CDATA[<p><strong>Oct 28 Update: </strong><em>Following discussions between Rapid7 Labs and CISA, and after reviewing the available evidence and context around the attacks, CISA has removed CVE-2025-6264 (Velociraptor) from the Known Exploited Vulnerabilities (KEV) catalog. This decision reflects the clarification that the vulnerability itself was not exploited in the observed incidents. We appreciate CISA’s collaboration and willingness to revisit the listing in light of additional context from Rapid7 Labs’ analysis.</em></p><p><strong>Oct 16 Update: </strong><em>Additions have been made in the "What happened" and "Hosted customers" sections of this blog to further clarify CVE-2025-6264.</em></p><p><strong>Oct 15 Update:</strong> <em>CISA recently added CVE-2025-6264, affecting Velociraptor, to the KEV list. To clarify: in the activity referenced, attackers did not exploit this vulnerability. They had already gained access and later deployed an older Velociraptor version to maintain persistence within the environment. In other words, the tool was misused after compromise, not exploited to gain it. We believe it’s important to keep this distinction clear when discussing real-world abuse versus vulnerability exploitation.</em></p><h2>Overview</h2><p style="direction: ltr;"><span style='color:rgb(29, 28, 29);font-size: undefined;'>Open-source technologies and communities are a big part of the Rapid7 ethos, and that’s not by chance – it’s by design. 
We believe that our </span><a href="https://www.rapid7.com/products/metasploit/"><span style='font-size: undefined;'>Metasploit</span></a><span style='font-size: undefined;'>, </span><a href="https://attackerkb.com/"><span style='font-size: undefined;'>AttackerKB</span></a><span style='font-size: undefined;'>, and </span><a href="https://www.rapid7.com/products/velociraptor/"><span style='font-size: undefined;'>Velociraptor</span></a><span style='color:rgb(29, 28, 29);font-size: undefined;'> initiatives help create a strong threat intelligence foundation as well as a secure digital future for all. </span></p><p style="direction: ltr;"><span style='color:rgb(29, 28, 29);font-size: undefined;'>Unfortunately, the same open-source tools that help security teams prioritize risk and enhance security outcomes can be misused by threat actors for nefarious purposes. For example, we are aware that the digital forensics and incident response (DFIR) tool Velociraptor has been observed being leveraged by threat actors to execute a </span><a href="https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/"><span style='font-size: undefined;'>ransomware campaign</span></a><span style='color:rgb(29, 28, 29);font-size: undefined;'>. </span><span style='font-size: undefined;'>Rapid7 has implemented detections for this and other Velociraptor-related misuse, and is not impacted by this incident.</span></p><h2 style="direction: ltr;">What happened</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Velociraptor is an open-source technology and community that enables incident response teams to deliver forensic detail following a security incident. 
Because it is an open-source community for DFIR professionals, any identified vulnerabilities are quickly prioritized, addressed, and reported.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The observed ransomware campaign makes use of Velociraptor to maintain persistence in the victims’ networks. The Velociraptor version the threat actors used, version 0.73.4.0, was affected by a privilege escalation vulnerability (</span><a href="https://docs.velociraptor.app/announcements/advisories/cve-2025-6264/"><span style='font-size: undefined;'>CVE-2025-6264</span></a><span style='font-size: undefined;'>) in the artifact that does remote upgrade. Exploiting it against open-source deployments first requires the attacker to possess authenticated Investigator role privileges, making it a low-severity vulnerability due to a low probability of this occurring. Rapid7 patched this vulnerability on June 18, 2025.</span></p><p><span style='font-size: undefined;'>In another </span><a href="https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/"><span style='font-size: undefined;'>recently observed</span></a><span style='font-size: undefined;'> incident, a threat actor downloaded the Velociraptor binary and, in its configuration file, specified the command-and-control (C2) server. After Velociraptor was executed on the compromised asset, it established communication back to the attacker's C2 server. Once the communication was established, the threat actor used Velociraptor to perform further actions, such as downloading additional files or executing commands on the compromised asset. While this is not a vulnerability in the tool itself, it can be used for malicious purposes.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities. 
In practice, they configure their own Velociraptor servers, push client binaries into compromised environments, and use artifacts such as </span><span style='font-size: undefined;'><span data-type='inlineCode'>Generic.System.Pslist</span></span><span style='font-size: undefined;'> or </span><span style='font-size: undefined;'><span data-type='inlineCode'>Windows.EventLogs.Evtx</span></span><span style='font-size: undefined;'> to conduct reconnaissance and data exfiltration — the same way DFIR teams gather evidence.</span></p><h2 style="direction: ltr;">What you should do now</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 recommends verifying the legitimacy of any Velociraptor deployments in your environment. Ensure that servers and agents are under your administrative control, monitor for unsigned binaries, and alert on unexpected network connections to Velociraptor service ports. Review endpoint logging for newly created services or scheduled tasks referencing “velociraptor.exe”.</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Restrict execution of unknown Velociraptor binaries.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Review endpoint telemetry for new outbound connections to uncommon ports used by Velociraptor (:8000, :8001, or :8889).</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Rotate API and authentication keys if any server compromise is suspected.</span></p></li></ul><h2 style="direction: ltr;">How Rapid7 is supporting customers</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 has detections and triage processes in place to monitor for potential abuse of Velociraptor in customer environments.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The Rapid7 Labs team has released a Sigma rule to identify the 
execution of Velociraptor binaries from non-standard directories and monitor unusual command-line arguments. The Sigma rule and a YARA rule can be found in the article referenced below.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Hosted customers</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>As mentioned above, CVE-2025-6264 is a patched, low-severity vulnerability in the artifact that does remote upgrade. However, this remote upgrade artifact does not operate in the hosted Velociraptor version, since the endpoint is fully managed. In other words, because there is no remote upgrade via this mechanism, hosted Velociraptor customers are not impacted. </span></p><h2>Learn more</h2><p><span style='font-size: undefined;'>To learn more about detecting Velociraptor misuse in your environment, visit </span><a href="https://docs.velociraptor.app/knowledge_base/tips/velocirator_misuse/"><span style='font-size: undefined;'>https://docs.velociraptor.app/knowledge_base/tips/velocirator_misuse/</span></a><span style='font-size: undefined;'>.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-identifying-and-mitigating-potential-velociraptor-abuse</link>
      <guid isPermaLink="false">blt4f3f7a2e6fc9bd67</guid>
      <category><![CDATA[Velociraptor]]></category>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Christiaan Beek]]></dc:creator>
      <pubDate>Thu, 09 Oct 2025 12:35:40 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6eb63874dcf3ad48/67f65ec649874415a2c833a1/promo-banner-velociraptor-resources-green.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Microsoft 365 Direct Send Abuse]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>The Rapid7 MDR team has observed a significant rise in the number of threat actors leveraging a lesser-known feature within Microsoft 365 called Direct Send. Rapid7 encourages organizations to immediately review their authenticated mail flow configurations, specifically related to Microsoft 365 Direct Send, to mitigate potential risk.</span></p><h2 style="direction: ltr;">What is Direct Send abuse?</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Direct Send is a legitimate Microsoft 365 feature that enables devices and applications, such as multifunction printers, to send emails to user mailboxes without requiring authentication or a licensed mailbox. However, Rapid7 is seeing an increase in this feature being actively exploited by threat actors to send spoofed phishing emails. These malicious emails appear to originate from within an organization, effectively bypassing standard security controls and increasing the chance of a successful phishing attack.</span></p><h2 style="direction: ltr;">What you should do now</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 has assembled the following list of questions to help your organization reduce its risk:</span></p><ol><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Does our organization have a legitimate business need for devices or applications to send unauthenticated email directly to Microsoft 365?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>If Direct Send is required, have we configured a dedicated inbound connector in Exchange Online that is restricted to only accept mail from a list of known, authorized public IP addresses?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Are our Sender Policy 
Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC records correctly configured to validate our email traffic and prevent spoofing?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Are we educating users on the risks associated with unexpected calendar invites or QR code attachments (quishing attacks)?</span></p></li></ol><h2 style="direction: ltr;">Best practices for defending your organization</h2><p style="direction: ltr;"><span style='font-size: undefined;'>To strengthen your defenses against this type of threat, Rapid7 recommends implementing the following:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Disable Direct Send by running the </span><span style='font-size: undefined;'><span data-type='inlineCode'>Set-OrganizationConfig -RejectDirectSend $true</span></span><span style='font-size: undefined;'> command in Exchange Online PowerShell if the feature is not required.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Enable "Reject Direct Send" in the Exchange Admin Center.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>If Direct Send is required, configure a dedicated inbound connector restricted to authorized public IP addresses.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Restrict the SPF record to the static IP addresses of authorized senders to prevent unwanted send abuse.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Implement a strict DMARC policy (e.g., </span><span style='font-size: undefined;'><span data-type='inlineCode'>p=reject</span></span><span style='font-size: undefined;'>).</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Enforce "SPF hardfail" within Exchange Online Protection (EOP).</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Use Anti-Spoofing policies.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span 
style='font-size: undefined;'>Flag unauthenticated internal emails for review or quarantine.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Enforce MFA on all users and have Conditional Access Policies in place in case a user's credentials are stolen.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Educate users on the risks associated with QR code attachments (quishing attacks) and to be vigilant about unexpected calendar invites before accepting them.</span></p></li></ul><h2 style="direction: ltr;">How Rapid7 is supporting customers</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Due to the inherent design of the Direct Send feature, telemetry is not available for direct detection. However, detection opportunities exist through subsequent login activity. Rapid7’s Threat Intelligence and MDR teams have launched targeted hunts and continue to refine detection rules to identify these attacks as early as possible. </span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-microsoft-365-direct-send-abuse</link>
      <guid isPermaLink="false">blt20e5ab616e228145</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Emergent Threat Response]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Thu, 02 Oct 2025 15:22:55 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65a432ba319f4043/6846abddaf18306debe6cf4d/ETR.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Q2 2025 Incident Response Findings]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s Q2 </span><a href="/fundamentals/incident-response/" target="_self"><span style='font-size: undefined;'>incident response</span></a><span style='font-size: undefined;'> (IR) data illustrates a solidification of trends first observed in Q1. There are no sweeping changes to commonly observed malware, or noticeably different software being deployed by </span><a href="/fundamentals/threat-actor/" target="_self"><span style='font-size: undefined;'>threat actors</span></a><span style='font-size: undefined;'> in Q2. If you were expecting Bunny Loader to lose its impressive prominence, or perhaps initial access gained through compromised valid accounts to decrease significantly, you’d be mistaken. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Looking at it another way: this level of consistency and predictability from threat actors can be used to a defender’s advantage. For example, SOC teams should already have detections in place for Bunny Loader, and controls should also be established to block employees from mistakenly downloading trojanized versions of popular tools. Additionally, organizations can prioritize the implementation of robust </span><a href="/fundamentals/multi-factor-authentication-mfa/" target="_self"><span style='font-size: undefined;'>multi-factor authentication (MFA)</span></a><span style='font-size: undefined;'> solutions, and educate employees as to why MFA is crucial to keeping the network secure. 
</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Many or all of the threat actor tactics we’re observing are likely to be seen in play until at least Q4, so there’s no time like the present to turn the tables on would-be attackers.</span></p><h2 style="direction: ltr;">Initial access vectors </h2><h3>Valid accounts / no MFA reigns supreme (again)</h3><p style="direction: ltr;"><span style='font-size: undefined;'>Valid accounts / no MFA as an initial access vector (IAV) are, once again, top of Rapid7’s investigated incident responses for Q2 2025, despite a drop from 56% to 43%. The percentage of observed brute-force attacks also dropped, down from 13% in Q1 to 7% in Q2. Given that our IR team noted an </span><a href="https://www.rapid7.com/blog/post/2025/04/10/password-spray-attacks-taking-advantage-of-lax-mfa/"><span style='font-size: undefined;'>uptick</span></a> in both MFA and <a href="/fundamentals/brute-force-and-dictionary-attacks/" target="_self">brute-force attacks</a> in Q1, these changes may not be out of the ordinary.</p><p></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt99a3355eed40d1a4/68c2c143d8ada226d62f3b1a/IR1.png" height="422" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR1.png" asset-alt="IR1.png" width="571" max-width="571" max-height="422" style="max-width: 571px; width: 571px; max-height: 422px; height: 422px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt99a3355eed40d1a4/68c2c143d8ada226d62f3b1a/IR1.png" data-sys-asset-uid="blt99a3355eed40d1a4" data-sys-asset-filename="IR1.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR1.png" sys-style-type="display"/></figure><p>⠀⠀</p><p style="direction: ltr;"><span style='font-size: undefined;'>Below, we compare Q2 2025 and Q2 2024. There’s a big step-up for valid accounts / no MFA, and a 17% drop for vulnerability exploitation. 
Social engineering is also down compared to Q2 2024, but it remains a top access vector. And while 15% would place brute force in the upper realms in 2024, it's one of several access vectors trailing the top three in Q2 of this year.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt559d2f8a3be309d6/68c2c14453f915411314a926/IR2.png" height="301" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR2.png" asset-alt="IR2.png" width="573" max-width="573" max-height="301" style="max-width: 573px; width: 573px; max-height: 301px; height: 301px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt559d2f8a3be309d6/68c2c14453f915411314a926/IR2.png" data-sys-asset-uid="blt559d2f8a3be309d6" data-sys-asset-filename="IR2.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR2.png" sys-style-type="display"/></figure><p><span style='font-size: undefined;'></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Here’s what our increasingly permanent fixture of a valid accounts / no MFA graph shows across the last six quarters of investigated incidents:</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltecb2946a88232fcb/68c2c143fc86eb994fe18f96/IR3.png" height="365" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR3.png" asset-alt="IR3.png" width="568" max-width="568" max-height="365" style="max-width: 568px; width: 568px; max-height: 365px; height: 365px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltecb2946a88232fcb/68c2c143fc86eb994fe18f96/IR3.png" data-sys-asset-uid="bltecb2946a88232fcb" data-sys-asset-filename="IR3.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR3.png" 
sys-style-type="display"/></figure><p><span style='font-size: undefined;'></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>IAVs from Q2 include low-cost VPN authentication without MFA leveraging credentials via phishing, organizations with no MFA in place at all, and a crossover into social engineering techniques via MFA fatigue attacks.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Vulnerability exploitation</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s IR services team observed multiple vulnerabilities used, or likely to have been used, as an IAV in Q2 2025. This includes exploitation, or attempted exploitation, of Microsoft SharePoint Server (</span><a href="https://nvd.nist.gov/vuln/detail/cve-2023-29357"><span style='font-size: undefined;'>CVE-2023–29357</span></a><span style='font-size: undefined;'>, </span><a href="https://nvd.nist.gov/vuln/detail/cve-2023-24955"><span style='font-size: undefined;'>CVE-2023-24955</span></a><span style='font-size: undefined;'>), CentreStack (</span><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-30406"><span style='font-size: undefined;'>CVE-2025-30406</span></a><span style='font-size: undefined;'>), Palo Alto PAN-OS (</span><a href="https://security.paloaltonetworks.com/CVE-2024-9474"><span style='font-size: undefined;'>CVE-2024-9474</span></a><span style='font-size: undefined;'>, </span><a href="https://security.paloaltonetworks.com/CVE-2024-0012"><span style='font-size: undefined;'>CVE-2024-0012</span></a><span style='font-size: undefined;'>), and SonicWall’s SonicOS (</span><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003"><span style='font-size: undefined;'>CVE-2024-53704</span></a><span style='font-size: undefined;'>). 
We’ll look at these in more detail in the relevant individual industry sections below.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Social engineering</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Threat actors focused on weaponizing employees against their own interests made up 14% of all incident responses. Popular Q2 tactics included Microsoft Teams chats involving the impersonation of employees, directing employees to renamed / trojanized remote monitoring and management (RMM) tools, or wearing targets down with MFA fatigue attacks.</span></p><h2 style="direction: ltr;">Attacker behavior observations by industry</h2><p style="direction: ltr;"><span style='font-size: undefined;'>The top five industries most observed in incidents during Q2 were Services (21.2%), Manufacturing (16.8%), Retail (14.1%), Healthcare (10.3%), and Communications and Media (10%). This top five matches that of Q1, albeit in a different order. Most notably, Services and Manufacturing have exchanged first and second place, and Retail has moved from fifth place to third. 
</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt350e87272ee63063/68c2c14311efa9b6e65cae98/IR4.png" height="370" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR4.png" asset-alt="IR4.png" width="570" max-width="570" max-height="370" style="max-width: 570px; width: 570px; max-height: 370px; height: 370px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt350e87272ee63063/68c2c14311efa9b6e65cae98/IR4.png" data-sys-asset-uid="blt350e87272ee63063" data-sys-asset-filename="IR4.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR4.png" sys-style-type="display"/></figure><p><span style='font-size: undefined;'></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Q1 2025 played host to a Bunny Loader overload, taking top spot across every industry bar one for total number of observed incidents. 
Q2 continues this trend, with the MaaS tool significantly ahead of the pack across the top 5, while sharing top spot with the likes of Tangerine Turkey and Lumma Stealer in industries such as Utilities & Energy and Real Estate.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Services industry</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Bunny Loader dominates the pack where services are concerned (58%), with other notables such as Lumma Stealer and SocGholish sharing the limelight.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltfd5d0c0c761a26cd/68c2c143d8ada276ec2f3b16/IR5.png" height="374" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR5.png" asset-alt="IR5.png" width="569" max-width="569" max-height="374" style="max-width: 569px; width: 569px; max-height: 374px; height: 374px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltfd5d0c0c761a26cd/68c2c143d8ada276ec2f3b16/IR5.png" data-sys-asset-uid="bltfd5d0c0c761a26cd" data-sys-asset-filename="IR5.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR5.png" sys-style-type="display"/></figure><p><span style='font-size: undefined;'></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Tactics observed include malicious websites offering fake CAPTCHAs, SEO poisoning, drive-by downloads, and malvertising. 
Social engineering was also a popular choice for attackers targeting services, most commonly following one of the patterns below:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>IT Support Scam -&gt; Quick Assist </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Microsoft Teams Chat -&gt; Quick Assist</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Download and execution of renamed ScreenConnect installer</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>In one business services incident we observed, a threat actor successfully impersonated an employee to social engineer the help desk. The attacker passed all Personally Identifiable Information (PII) security checks and successfully reset both the MFA device and the password. This targeted social engineering attack highlights the need to review help desk procedures to ensure there are non-PII checks in the review chain, such as manager approval for elevated accounts. 
</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 IR teams also observed several examples of vulnerability exploitation involving the following CVEs:</span></p><ul><li style="direction: ltr;"><a href="https://nvd.nist.gov/vuln/detail/cve-2023-29357"><span style='font-size: undefined;'>CVE-2023-29357</span></a><span style='font-size: undefined;'> - Microsoft SharePoint Server Elevation of Privilege Vulnerability</span></li><li style="direction: ltr;"><a href="https://nvd.nist.gov/vuln/detail/cve-2023-24955"><span style='font-size: undefined;'>CVE-2023-24955</span></a><span style='font-size: undefined;'> - Microsoft SharePoint Server Remote Code Execution Vulnerability</span></li></ul><p style="direction: ltr;">These two vulnerabilities comprise an exploit chain that allows a remote unauthenticated attacker to achieve remote code execution against a vulnerable Microsoft SharePoint server. CVE-2023-29357 is an authentication bypass vulnerability, due to how SharePoint may skip signature validation if an attacker-controlled JSON web token does not specify a signing algorithm.<br/>By leveraging the authentication bypass vulnerability, an attacker can then trigger CVE-2023-24955. This allows arbitrary attacker-controlled .NET code to be executed via a code injection issue. The result of this chain is unauthenticated remote code execution.</p><ul><li style="direction: ltr;"><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003"><span style='font-size: undefined;'>CVE-2024-53704 </span></a><span style='font-size: undefined;'>- SonicOS SSLVPN Authentication Bypass Vulnerability</span></li></ul><p style="direction: ltr;">This CVE is an improper authentication vulnerability affecting the SSLVPN authentication mechanism of SonicWall’s SonicOS. The vulnerability allows a remote unauthenticated attacker to leak the session cookie of an existing legitimate user's SSL VPN session. 
Upon leaking the session cookie, an attacker can reuse the cookie to hijack the legitimate SSL VPN connection. This allows an attacker to successfully establish a VPN connection into the target network.</p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Manufacturing</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>As with so many other industries in Q2, Bunny Loader and Lumma Stealer are out in front, although the distance between Bunny and Lumma is significant.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5623d1e31c1da70a/68c2c144bfa11f8567a18e26/IR6.png" height="369" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR6.png" asset-alt="IR6.png" width="565" max-width="565" max-height="369" style="max-width: 565px; width: 565px; max-height: 369px; height: 369px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5623d1e31c1da70a/68c2c144bfa11f8567a18e26/IR6.png" data-sys-asset-uid="blt5623d1e31c1da70a" data-sys-asset-filename="IR6.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR6.png" sys-style-type="display"/></figure><p><span style='font-size: undefined;'></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Here and elsewhere, fake CAPTCHAs, drive-by downloads, phishing, and infected USB drives are in play. Where social engineering is concerned, suspicious Microsoft Teams chat requests are popular. So too is the installation of renamed RMM tools, such as ScreenConnect and Quick Assist.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In one manufacturing incident we observed, initial access was gained via a VPN with no MFA protection. 
The threat actor quickly collected data, including asset information and passwords, into CSV files, created new accounts, and added them to the Domain Admin security group. This ended with the installation of RMM tools and a sizable amount of data exfiltration. The launchpad for all of this was most likely a basic phishing attack, something which would have been much more difficult to achieve if MFA controls had been in place. Also of note was the use of a .sys file to disrupt security tooling on the system — a tactic whose usage ticked up a bit in Q2.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Vulnerability exploitation observed in manufacturing includes:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Palo Alto PAN-OS: </span><a href="https://security.paloaltonetworks.com/CVE-2024-9474"><span style='font-size: undefined;'>CVE-2024-9474</span></a><span style='font-size: undefined;'> & </span><a href="https://security.paloaltonetworks.com/CVE-2024-0012"><span style='font-size: undefined;'>CVE-2024-0012</span></a></p></li></ul><p style="direction: ltr;">These two vulnerabilities comprise an exploit chain that was exploited in the wild. CVE-2024-0012 is an authentication bypass that allows a remote unauthenticated attacker to circumvent authentication and reach an endpoint that will create a new user session. CVE-2024-9474 is a command injection vulnerability in how session objects are processed. An attacker can poison a new session object via CVE-2024-9474 and insert an arbitrary operating system command to be executed. 
Chaining these two vulnerabilities together achieves unauthenticated RCE with root privileges.</p><ul><li><span style='font-size: undefined;'>CentreStack RCE </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-30406"><span style='font-size: undefined;'>CVE-2025-30406</span></a></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>CentreStack is a file-sharing platform aimed at managed services providers (MSPs). Prior to the patch for CVE-2025-30406, a CentreStack server would use a hardcoded cryptographic key to encrypt serialized .NET objects that were sent to and received from clients interacting with the server, a common feature of how ASP.NET web applications work. Because the key was hardcoded, and thus known to an attacker, a remote unauthenticated attacker could correctly encrypt a malicious .NET deserialization payload and transmit it to the server, achieving authenticated remote code execution.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Retail</span></h3><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2b5d37ce280c57db/68c2c14314fd0d463c31f2dc/IR7.png" height="367" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR7.png" asset-alt="IR7.png" width="562" max-width="562" max-height="367" style="max-width: 562px; width: 562px; max-height: 367px; height: 367px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2b5d37ce280c57db/68c2c14314fd0d463c31f2dc/IR7.png" data-sys-asset-uid="blt2b5d37ce280c57db" data-sys-asset-filename="IR7.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR7.png" sys-style-type="display"/></figure><p style="direction: ltr;"><span style='font-size: undefined;'></span></p><p><span style='font-size: undefined;'>Retail follows a similar pattern to the services industry, filled with a mixture of fake CAPTCHAs, phishing, and drive-by downloads. 
Infected USB drives also make an appearance, while social engineering incidents include the download and installation of RMM tools, such as ScreenConnect and Quick Assist.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>One retail investigation we observed mirrored an incident from Q1: poisoned search results leading to a trojanized version of RVTools. The software contained the previously mentioned Bumblebee, loading malicious code and ultimately communicating with Command & Control (C2) servers to execute further commands and payloads. Eventually, local accounts were created and a legitimate digital forensic tool was used to collect and exfiltrate credential information.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 also observed </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-31324"><span style='font-size: undefined;'>CVE-2025-31324</span></a><span style='font-size: undefined;'> — SAP NetWeaver Unrestricted Upload of File — used in a retail attack. This vulnerability was disclosed by SAP as a zero day that was exploited in the wild. SAP NetWeaver is a software stack that many other SAP products are built upon. The affected component within NetWeaver was the Visual Composer, which is not installed by default but is a commonly deployed component. 
The vulnerability allows a remote unauthenticated attacker to upload a malicious file, such as a web shell, and subsequently achieve remote code execution on the target system.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Healthcare</span></h3><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8af1bee5439c5c74/68c2c1433af6a3e086b5abe7/IR8.png" height="373" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IR8.png" asset-alt="IR8.png" width="560" max-width="560" max-height="373" style="max-width: 560px; width: 560px; max-height: 373px; height: 373px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8af1bee5439c5c74/68c2c1433af6a3e086b5abe7/IR8.png" data-sys-asset-uid="blt8af1bee5439c5c74" data-sys-asset-filename="IR8.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="IR8.png" sys-style-type="display"/></figure><p style="direction: ltr;"><span style='font-size: undefined;'></span></p><p><span style='font-size: undefined;'>Malicious domains / CAPTCHAs and phishing were popular threats in the healthcare realm in Q2. Account compromise / business email compromise (BEC) was also observed. This involved suspicious inbox rule creation and the use of backup software as a method for exfiltrating data.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Communications and media</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Bunny Loader, inevitably, is in the number one spot for Comms and Media (35% of observed incidents), with SocGholish in second place (10%). 
CAPTCHAs, phishing, drive-by downloads, and fake browser updates make up the rest of the notable tactics on display.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Trojanized software is popular here, perhaps reflecting the specific digital needs of an industry requiring a multitude of design tools and ways to transfer large files easily. Among those observed were trojanized versions of Adobe Creative Cloud software, ScreenConnect, and RVTools. Regular readers will know we highlighted how easily bogus versions of RVTools appear in sponsored search results in our </span><a href="https://www.rapid7.com/blog/post/2025/06/04/rapid7-q1-2025-incident-response-findings/"><span style='font-size: undefined;'>Q1 report</span></a><span style='font-size: undefined;'>.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Searches for Adobe Creative Cloud and ScreenConnect in various search engines right now surface multiple downloads, from both sponsored ads and third-party websites. It’s often difficult to navigate the wealth of paid ads, bannered offers, and regular websites and figure out which ones are genuine, so it’s no surprise to see a well-worn tactic still in play.</span></p><h2 style="direction: ltr;">Conclusion</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Q2 2025 takes many of the trends and tactics from Q1 and sees them continuing to thrive in the workplace. Bunny Loader is still very much in the running to be the most common malicious file observed by the Rapid7 </span><a href="https://www.rapid7.com/services/incident-response/"><span style='font-size: undefined;'>Incident Response team</span></a><span style='font-size: undefined;'> across 2025 if it keeps up this kind of pace, standing head and shoulders above the competition. 
Valid accounts with no MFA protection are not going away anytime soon, and the threat posed by social engineering — largely involving exploiting help desk support, as well as a range of attacks using Microsoft Teams as a launchpad — is always a cause for concern.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>There is no better time than now to take advantage of threat actor predictability, paying particular attention to training and education on CAPTCHAs and social engineering attacks focused on help desk workers. It’s also not too late to develop a fleshed-out MFA plan for your business and play a part in helping to shrink our valid accounts / no MFA chart even further.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-rapid7-q2-2025-incident-response-findings</link>
      <guid isPermaLink="false">blte2fc2dfbe6b554c8</guid>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Research]]></category><dc:creator><![CDATA[Chris Boyd]]></dc:creator>
      <pubDate>Thu, 11 Sep 2025 12:26:29 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltb655c1b69f13c73b/6846a711536b63f12ca5f649/incident-response-findings-2025.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Akira Ransomware Group Utilizing SonicWall Devices for Initial Access]]></title>
      <description><![CDATA[<h2><span style='font-size: undefined;'><em>Latest update – September 18, 2025</em></span></h2><p style="direction: ltr;"><span style='color:rgb(29, 28, 29);font-size: undefined;'>On September 17, 2025, SonicWall </span><a href="https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330"><span style='font-size: undefined;'>disclosed</span></a><span style='color:rgb(29, 28, 29);font-size: undefined;'> a security breach affecting all SonicWall customers with MySonicWall.com cloud backups enabled. The firm detected suspicious activity targeting MySonicWall.com, through which threat actors were able to access backup firewall preference files. These files may supply threat actors with critical information, such as credentials or tokens, as well as all the services and configurations of the firewall. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>If your organization is using MySonicWall, it is recommended you log in to validate whether or not your SonicWall is affected. In the case it </span><span style='font-size: undefined;'><em>is</em></span><span style='font-size: undefined;'> affected, Rapid7 recommends following SonicWall's remediation guide </span><a href="https://www.sonicwall.com/support/knowledge-base/remediation-playbook/250916130050523"><span style='font-size: undefined;'>playbook</span></a><span style='font-size: undefined;'> as well as the credential reset guidance </span><a href="https://www.sonicwall.com/support/knowledge-base/essential-credential-reset/250909151701590"><span style='font-size: undefined;'>guidelines</span></a><span style='font-size: undefined;'>. 
This includes any password- or token-protected service, such as, but not limited to: </span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Complete password reset of local accounts </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Rotation of all TOTP/MFA tokens</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Resetting of LDAP password and rebinding</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Resetting any site-to-site VPN tunnels (L2TP, PPPoE, PPTP)</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>RADIUS or TACACS+ passwords</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>SSO </span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>AWSAPI</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>More information about the SonicWall security advisory and the Akira ransomware can be found in our original blog below. The Rapid7 MDR team is continually monitoring our customers’ environments for post-exploitation activity using the latest threat detections. As mentioned above, Rapid7 has been sending direct communications to all customers, and we will continue to send these customer updates should more insights and/or guidance become available. 
</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Customers leveraging Rapid7’s Intelligence Hub can also track the latest developments surrounding Akira, including </span><a href="/fundamentals/indicators-of-compromise-iocs/" target="_self"><span style='font-size: undefined;'>indicators of compromise (IOCs)</span></a><span style='font-size: undefined;'>, YARA rules, and emerging TTPs.</span></p><h2><span style='font-size: undefined;'>Background activity</span></h2><p style="direction: ltr;"><span style='color:rgb(29, 28, 29);font-size: undefined;'>In August 2024, SonicWall published a security advisory</span><span style='font-size: undefined;'> for </span><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015"><span style='font-size: undefined;'>CVE SNWLID-2024-0015</span></a><span style='font-size: undefined;'>, which concerned an improper access control vulnerability in SSLVPN affecting Gen5, Gen6, and Gen7 firewall appliances. This vulnerability allowed unauthorized access to SonicWall appliances under specific conditions. It has since been addressed, with patches provided by SonicWall.</span></p><h2><span style='font-size: undefined;'>An expanding threat</span></h2><p style="direction: ltr;"><span style='color:rgb(29, 28, 29);font-size: undefined;'>Last month, an Akira ransomware campaign kicked off targeting SonicWall devices. SonicWall followed up with a </span><a href="https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430"><span style='font-size: undefined;'>security advisory</span></a><span style='color:rgb(29, 28, 29);font-size: undefined;'>. Initially, this was believed to be a new emerging threat, but SonicWall has since disclosed that it is related to the August 2024 CVE (SNWLID-2024-0015), for which remediation steps were not successfully completed. 
Rapid7 responded by sending emergent threat communications to our customers alerting them to this threat and advising them to prioritize patching. Since that time, the Rapid7 Incident Response (IR) team has observed an uptick in intrusions involving SonicWall appliances. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Following its initial communication last month, SonicWall posted additional security guidance around the </span><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015"><span style='font-size: undefined;'>SSLVPN Default Users Group Security Risk</span></a><span style='font-size: undefined;'>. This is a security risk which, in certain configurations, can over-provision access to SonicWall’s SSLVPN services based on the default LDAP group configuration. It can allow users who are not permitted to use SSLVPN to obtain access to it regardless of the Active Directory configuration. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 has also observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances. The Virtual Office Portal can be used to initially set up MFA/TOTP configurations for SSLVPN users. In certain default configurations the Virtual Office Portal is publicly accessible, which can allow threat actors to configure MFA/TOTP for valid accounts if the username and password were previously exposed. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct </span><a href="/fundamentals/what-is-ransomware/" target="_self"><span style='font-size: undefined;'>ransomware operations</span></a><span style='font-size: undefined;'>. 
</span></p><h2><span style='font-size: undefined;'>What you should do now</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>If your organization’s network infrastructure includes SonicWall devices, Rapid7 recommends the following:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Rotate passwords on all SonicWall local accounts and remove any unused or inactive SonicWall local accounts. Please reference SonicWall’s </span><a href="https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430"><span style='font-size: undefined;'>official security advisory guidance</span></a><span style='font-size: undefined;'>.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Ensure Multi-factor Authentication (MFA/TOTP) policies are configured for SonicWall SSLVPN services. Please reference SonicWall’s </span><a href="https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-2fa-for-ssl-vpn-with-totp/190829123329169"><span style='font-size: undefined;'>official security guidance</span></a><span style='font-size: undefined;'>.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Ensure successful mitigation of the SSLVPN Default Groups Security Risk. Please reference SonicWall’s </span><a href="https://www.sonicwall.com/support/knowledge-base/ldap-configuration-sslvpn-default-user-groups-security-risk/250813061722917"><span style='font-size: undefined;'>official security guidance</span></a><span style='font-size: undefined;'>.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Ensure the Virtual Office Portal is restricted to LAN/internal access or trusted network access only. 
Please reference SonicWall’s </span><a href="https://www.sonicwall.com/support/knowledge-base/how-to-disable-virtual-office-portal-access/210715065231700"><span style='font-size: undefined;'>official security guidance</span></a><span style='font-size: undefined;'>.</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Monitor access to the Virtual Office Portal (access is on port 4433). </span></p></li></ul></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Ensure all SonicWall appliances are running the latest patch. Please reference SonicWall’s </span><a href="https://psirt.global.sonicwall.com/vuln-list"><span style='font-size: undefined;'>vulnerability list</span></a><span style='font-size: undefined;'>.</span></p></li></ul><h2><span style='font-size: undefined;'>Observed Akira ransomware group activity</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>The Akira ransomware group has been active since early 2023 and operates under a ransomware-as-a-service (RaaS) model. This group is known to aggressively target edge devices, deploy ransomware to cause an impact to the business, and gather sensitive data. Rapid7 has observed this ongoing campaign targeting SonicWall devices to be consistent with previous activity attributed to Akira. 
</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The Akira ransomware group follows a standard attack flow: obtaining initial access via the SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Because of this, Rapid7 recommends reviewing security posture around the targeted components.</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Local/site backups should be logically segmented, an MFA requirement should be in place to access cloud or site backups, and backups should be immutable.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>All virtualization infrastructure should be running the most up-to-date firmware/software to prevent any bypass of security controls.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Elevated accounts or service accounts should be added to Group Policy enforcing a restricted group within Active Directory to avoid elevated credential sprawl.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Achieve visibility across the environment by deploying security tools to all assets and forwarding relevant log sources to a SIEM.</span></p></li></ul><h2><span style='font-size: undefined;'>How Rapid7 is supporting customers</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>The </span><a href="/services/managed-detection-and-response-mdr/" target="_self"><span style='font-size: undefined;'>Rapid7 MDR</span></a><span style='font-size: undefined;'> team is continually monitoring our customers’ environments for 
post-exploitation activity using the latest threat detections. As mentioned above, Rapid7 has been sending direct communications to all customers, and we will continue to send these customer updates should more insights and/or guidance become available. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Customers leveraging Rapid7’s Intelligence Hub can also track the latest developments surrounding Akira, including indicators of compromise (IOCs), Yara rules and emerging TTPs.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access</link>
      <guid isPermaLink="false">blt7660477fa7437f77</guid>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Emergent Threat Response]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Wed, 10 Sep 2025 17:44:57 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65a432ba319f4043/6846abddaf18306debe6cf4d/ETR.webp" medium="image" />
    </item>
  </channel>
</rss>