Rapid7 InsightIDR SIEM & UEBA

The cloud SIEM for faster detection and response of incidents.

InsightIDR provides immediate and accurate detection and reduces the time to respond to attacks by combining behavioural analytics, threat intelligence, and automation in a scalable, easy to love solution that boasts the fastest deployment times in the industry.


  • User Behaviour Analytics: expose compromised accounts & lateral movement
  • Attacker Behaviour Analytics: find known bad micro-behaviours that cause breach
  • Endpoint Detection and Visibility: includes remote & travelling workers
  • Centralized Log Management: simple, cloud-based performant search
  • Visual Investigation Timeline: investigate incidents 20x faster
  • Deception Technology: add new monitoring capabilities for malicious behavior
  • File Integrity Monitoring (FIM): meet multiple compliance requirements w/InsightIDR
  • Automation for accelerated response: workflows and integrations
  • Azure cloud environments: Tight Microsoft integration
  • AWS cloud environments: Full cloud visibility


  • 79% faster time to value: average 2-weeks deploy and baseline
  • 38% reduction in incident management efforts: respond quicker
  • 27% reduction in false positives: High fidelity alerting
  • Identify Evolving Attacker Behaviour
  • Solve Multiple Compliance Regulations
  • Streamlined Case Management


£5 to £24 a device

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

6 6 6 7 0 3 6 0 1 3 4 6 0 9 7


ITHQ LTD Dale Nursten
Telephone: 02039977979

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
In order to deliver our user and asset attribution based detections, you should look to add as many logging sources as possible. These include DHCP, LDAP, AD, DNS, firewalls, IDS', endpoints and more. The more sources, the more complete the picture. There is, however, no constraints as to minimums and maximums.
System requirements
  • Collector: 2GHz processor, 8GB RAM, internet access (HTTPS)
  • Recommended 60GB+ disk space

User support

Email or online ticketing support
Email or online ticketing
Support response times
S1 - Critical - <2 hours
S2 - High - <4 business hours
S3 - Medium - <12 business hours
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Customer Support Levels:

Technical Account Management:
Support available to third parties

Onboarding and offboarding

Getting started
Rapid7 products are easy to install and use, and our team can provide expert guidance to take your usage of the product much further. The Quick Start Services for InsightIDR help you through deployment and ensure that you get the most value out of your investment.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
All data is available for export at the end of the contract.
End-of-contract process
At the end of a contract, you will have the opportunity to collect and transfer any data possible to export. If you request that Rapid7 delete all of your data, the request will be processed within 14 days. No additional fees apply.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
Responsive design means the interface will have less features on mobile.
The desktop app is purely for log collection purposes and does not need to be installed, however, this adds significant benefits / visibility to the SIEM solution.
Service interface
Description of service interface
Admin & reporting interface through the web.
Accessibility standards
None or don’t know
Description of accessibility
Further details available on request
Accessibility testing
Further details available on request
What users can and can't do using the API
The InsightIDR API supports the Representation State Transfer (REST) design pattern. Unless noted otherwise, this API accepts and produces the application/json media type.

Users can access Investigations, Threats, Queries and Logs through the API.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
Dashboards, queries and even custom connectors can be requested.


Independence of resources
Cloud components are hosted in AWS. Rapid increases in CPU, memory, storage, and networking capacity are performed on demand to meet the scaling and performance needs of enterprise customers. There are currently more than 9000 customers using the platform globally.


Service usage metrics
Metrics types
- Number of events processed.
- Number of notable behaviours.
- Number of alerts.
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Reseller providing extra support
Organisation whose services are being resold

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
All of the data processed and stored is encrypted at rest using various file or disk level encryption mechanisms. Data is encrypted using industry standard AES-256 encryption with keys managed through AWS’s Key Management Service (KMS). Where possible, Rapid7 utilizes AWS’s services to manage encryption at rest (e.g. S3, EBS, RDS, etc.). When not possible, Rapid7 utilizes block level encryption provided by LUKS.

Block level encryption is used for ElasticSearch (only used to index some asset metadata). For all other persistence technologies/layers, AWS KMS is used.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
You can export all data in either CSV or PDF format. This is available from the admin console / dashboard.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats
  • Syslog
  • CEF
  • UEF
  • Windows Event Log
  • Custom Logs
  • Database Audit Logs
  • Raw Data

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
During the term of Customer’s subscription, the Service will perform in accordance with and subject to this Service Level Agreement (“SLA”). Rapid7’s target is 100% System Availability. If the System Availability during a given month is less than 99.95%, Customer may be eligible for a credit (“Service Credit”), which is the sole and exclusive remedy for any failure to meet the SLA.
Approach to resilience
Rapid7 maintains a Business Continuity Plan for the Insight platform. The primary goal of this plan is to ensure organizational stability, as well as coordinate recovery of critical business functions in managing and supporting business recovery in the event of disruption or disaster.

Thus, the plan accomplishes the following:
• Ensures critical functions can continue during and after a disaster with minimal interruption;
• Identifies and decreases potential threats and exposures; and
• Promotes awareness of critical interdependencies.

We can share a high-level overview of our Business Continuity Plan for the Insight platform upon request.
Outage reporting
Service status is available at Users may elect to subscribe to notifications from this site.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
All access is granted through role-based access controls and utilises a least privilege and zero trust approach. Members of the team using InsightIDR can be made Administrator (full access), Investigator (Incident-only access), or Read Only. These roles will limit the functional access of the user, but will not restrict the data that is accessible in InsightIDR. Creating this three-level structure allows interested members outside of the security team to gain insight into the network and view incident alerts without disrupting the workflow of others.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Rapid7 is SAQ (Self Assessment Questionnaire) compliant in alignment with our bank’s PCI guidelines, and we can provide a PCI certificate
Other security certifications
Any other security certifications
SOC2 Type II

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
The Insight platform is hosted by AWS. All AWS compliance and audit reports, including SOC 2, SOC 3, FedRAMP Partner Package, ISO 27001:2013 SoA etc. are easily accessible
Information security policies and processes
The Information Security team distributes relevant policies internally upon hire, including the Rapid7 Acceptable Use Policy, which addresses the following standards: Asset Usage, Data Protection, Secure Access, Software Usage, Monitoring, Loss and Theft, and Physical and Computer Security.

The Information Security and Information Technology groups are responsible for monitoring compliance with data security policies and procedures. Users found in violation of information security policies may be subject to disciplinary action, up to and including termination of employment and legal action. When required, Information Security will work with Legal and People Strategy to address any instance of noncompliance.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Rapid7 applies a systematic approach to managing change so that changes to services impacting Rapid7 and our customers are reviewed, tested, approved, and well communicated. Separate change management processes are in place for corporate IT systems and Insight platform systems to ensure changes are tailored to the specifics of each environment. The goal of Rapid7’s change management process is to prevent unintended service disruptions and to maintain the integrity of services provided to customers. All changes deployed to production undergo a review, testing, and approval process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The Information Security team continuously monitors Rapid7’s corporate IT and Insight platform environments for system vulnerabilities in accordance with formally documented vulnerability management processes and procedures. Information Security conducts network and agent-based vulnerability scans of these environments on a continuous basis using InsightVM, with new vulnerability results coming in daily or weekly. Information Security partners with Rapid7’s Managed Vulnerability Management team to augment our vulnerability management processes.Rapid7 also utilizes InsightAppSec and Information Security partners with Rapid7’s Managed AppSec team to monitor Insight platform and Rapid7 web properties for web application vulnerabilities.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The Platform Security team ensures security is built into our products by providing security requirements, code analysis, and infrastructure configuration monitoring throughout multiple stages of our software development lifecycle
Incident management type
Supplier-defined controls
Incident management approach
Rapid7 uses InsightIDR to monitor on-premises and cloud environments for security incidents. Information Security partners with the MDR and Incident Response services teams to augment Rapid7’s incident response program. InsightIDR alerts are regularly reviewed by analysts and escalated via a paging system when indications of potentially malicious activity are detected.Rapid7 maintains a formal Incident Response process for analysis, containment, eradication, recovery, and follow up in the event of a security incident. Rapid7 will notify customers of any breaches affecting their data within 48 hours. For other breaches, Rapid7 will follow internal policy and all applicable federal, state, and local laws

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£5 to £24 a device
Discount for educational organisations
Free trial available
Description of free trial
30 day trial where you can:

Add in security data across network, cloud services & infrastructure, and endpoints.
Detect common and targeted threats, or simulate attacks to validate pre-built detections.
Investigate incidents & try automation and containment integrations.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.