Rapid7: Cyber defences stuck in the 1980s as threats mount

The company’s chief product officer notes that many defence tactics are still stuck in the past, urging organisations to adopt AI-driven security platforms to improve threat detection and response

A cybercrime is reported every six minutes in 2025, and the cost of a breach to small businesses in Australia and New Zealand (ANZ) is $56,000 per year of impact, yet many defensive tactics are stuck in the 1980s, warned Rapid7’s chief product officer, Craig Adams.

He argued that an annual penetration test of known assets is no longer sufficient. In response, Rapid7 helps its customers continuously scope, discover, monitor, and mobilise against threats across their entire environment.

“Gartner has a statistic where only 17% of organisations can identify 95% of their attack surface. That means a typical organisation is missing a solid 20 to 25% of their environment,” said Adams. “If I tell you there are three doors, you can lock three doors. If I don't tell you how many doors there are, it's hard to lock them all.”

The typical organisation’s attack surface changes twice a week, he said, whether that’s an identity with access to a new system, cloud account or device. “The unique approach Rapid7 takes as an open platform is, we bring our native view of what we detect ourselves... [but] we recognise that customers have invested in different tools for a reason.”

He added: “We believe very passionately that security begins with an open view of your entire attack surface, not seen by just one vendor, even if that’s Rapid7, but seen by all the different tools aggregated across your environment, which we help our customers do.”

To achieve this, Rapid7 uses AI to create a comprehensive view of a customer’s attack surface by aggregating data and intelligence from all their different tools into a unified, deconflicted view. Once visibility is established, the next step is to continuously prioritise exposures.

“Every customer I meet with, when they look at this, uncovers that there’s inconsistent policy execution in their own environment. There are assets without an endpoint. There are cloud containers that are visible externally that shouldn’t be. There are identities without MFA [multifactor authentication], but we’re able to bring all of that together with AI.”

AI is also used to help organisations understand the biggest risks and guide them to the necessary remediation tasks. This leads to faster responses, whether the remediations are automated or not.

“Most organisations prioritise the biggest exposures across their environment almost by Gartner acronym,” he said, referring to exposures revealed by DAST (dynamic application security testing), CNAPP (cloud-native application protection platform), and on-premises vulnerability management systems, as well as identity exposures.

“For the typical mid-size organisation, that’s just a fundamentally ineffective way to prioritise... they need to look holistically at exposures across their environment.” Instead, prioritisation should be based on overall organisational risk.
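The two steps described above, merging several tools' inventories into one deconflicted asset view and then ranking the resulting policy gaps on a single risk scale rather than per tool category, can be sketched in code. The following is an added illustration written for this article, not Rapid7's own logic or API. The three tool exports (an EDR agent list, a cloud inventory and an identity-provider user list), the field names, the base severities and the compensating-control weights are all constructed assumptions.

```python
"""Unified attack-surface inventory plus risk-ranked exposures.

Added example for illustration; not Rapid7 code. Every record, field name
and weight below is constructed for the example."""
from dataclasses import dataclass, field

# Constructed exports from three hypothetical tools.
EDR_AGENTS = [                      # endpoint agent inventory
    {"hostname": "web-01", "ip": "10.0.1.10"},
    {"hostname": "DB-01", "ip": "10.0.2.20"},
]
CLOUD_INVENTORY = [                 # cloud/CNAPP asset export
    {"name": "web-01", "ip": "10.0.1.10", "public": True, "crit": 3},
    {"name": "db-01.prod.internal", "ip": "10.0.2.20", "public": False, "crit": 3},
    {"name": "worker-02", "ip": "10.0.1.11", "public": False, "crit": 2},
    {"name": "api-ctr-07", "ip": "10.0.3.7", "public": True, "crit": 4, "kind": "container"},
]
IDP_USERS = [                       # identity provider export
    {"user": "alice", "mfa": True, "admin": True},
    {"user": "svc-backup", "mfa": False, "admin": True},
    {"user": "bob", "mfa": False, "admin": False},
]


@dataclass
class Asset:
    key: str
    sources: set = field(default_factory=set)
    has_edr: bool = False
    public: bool = False
    criticality: int = 1
    kind: str = "host"


@dataclass
class Exposure:
    subject: str
    category: str    # the tool bucket ("Gartner acronym") the finding came from
    finding: str
    score: float


def build_inventory(edr, cloud):
    """Merge records from several tools into one deconflicted asset list.

    A record is matched to an existing asset on normalised hostname first,
    then on IP, so one machine seen by two tools becomes a single asset."""
    assets: dict[str, Asset] = {}
    by_ip: dict[str, str] = {}

    def get(name, ip):
        key = name.lower()
        if key not in assets and ip in by_ip:
            key = by_ip[ip]                  # same box, different naming
        if key not in assets:
            assets[key] = Asset(key)
        by_ip.setdefault(ip, key)
        return assets[key]

    for rec in edr:
        a = get(rec["hostname"], rec["ip"])
        a.sources.add("edr")
        a.has_edr = True
    for rec in cloud:
        a = get(rec["name"], rec["ip"])
        a.sources.add("cloud")
        a.public = rec.get("public", False)
        a.criticality = rec.get("crit", 1)
        a.kind = rec.get("kind", "host")
    return list(assets.values())


BASE = {"missing_edr": 4, "public_container": 6, "no_mfa": 5}   # assumed severities


def find_exposures(assets, users):
    """Policy gaps of the kinds named in the article, each scored on one
    scale: base severity x asset criticality, doubled if internet-facing,
    halved where a compensating control (an endpoint agent) is present."""
    out = []
    for a in assets:
        if not a.has_edr:
            s = BASE["missing_edr"] * a.criticality * (2 if a.public else 1)
            out.append(Exposure(a.key, "endpoint", "no endpoint agent", s))
        if a.kind == "container" and a.public:
            s = BASE["public_container"] * a.criticality * (0.5 if a.has_edr else 1)
            out.append(Exposure(a.key, "CNAPP", "container visible externally", s))
    for u in users:
        if not u["mfa"]:
            s = BASE["no_mfa"] * (3 if u["admin"] else 1)
            out.append(Exposure(u["user"], "identity", "identity without MFA", s))
    return out


def prioritise(exposures):
    """One ranked list across all categories: the holistic view."""
    return sorted(exposures, key=lambda e: e.score, reverse=True)


def by_category(exposures):
    """The per-tool view the article argues against: separate ranked
    lists whose tops cannot be compared with each other."""
    buckets: dict[str, list] = {}
    for e in exposures:
        buckets.setdefault(e.category, []).append(e)
    return {c: prioritise(v) for c, v in buckets.items()}


if __name__ == "__main__":
    inventory = build_inventory(EDR_AGENTS, CLOUD_INVENTORY)
    for e in prioritise(find_exposures(inventory, IDP_USERS)):
        print(f"{e.score:5.1f}  {e.category:9s} {e.subject:12s} {e.finding}")
```

Run stand-alone, the script merges the five tool records into four assets (the EDR host `DB-01` and the cloud record `db-01.prod.internal` collapse into one via their shared IP) and prints the exposures as a single ranked list, with the unmanaged, externally visible container outranking the admin account without MFA, a comparison the per-category view in `by_category` never makes.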

As a provider of detection and response services to over 5,000 global customers, Rapid7 can observe real-world attacks and the methods being used. This information is then applied to a customer’s environment, considering any compensating controls in place.

“How you win or lose in security is how you prioritise. We all know every security team has a long list of things to do. The way we can help an organisation prioritise based on risk is a key factor in protecting the modern enterprise.”

The cyber security skills shortage remains a major problem. According to ISACA’s 2025-2026 State of Cybersecurity report, 55% of professionals say their teams are understaffed, and 65% have unfilled positions.

AI-driven detection and response

Rapid7’s mission is to make security cost-effective for everyone through an AI-driven detection and response platform “that’s able to provide you the critical coverage across your environment anytime, anywhere for any piece of your software stack,” explained Adams.

With the time between a cybercriminal’s entry and damage occurring now under 24 hours, the traditional model of addressing threats only during business hours is no longer sufficient. “The traditional model of leaving work at 6pm on a Friday and coming back in at 8am on a Monday to address what threats occurred simply isn't sufficient. So, we provide the 24/7 coverage that an organisation needs.”

Rapid7 uses AI to handle the massive amount of data involved and does so transparently. The AI might show it performed 15 different steps, the results, and the recommended remediation. “That transparency of work product is one of the things we constantly hear from customers that they love and gives them the confidence to trust Rapid7 for their defences,” he said.

The company’s more than 10,000 customers worldwide range from those with 50 employees to hundreds of thousands. “Our typical customer is focused on how to consolidate their data silos so they can get a unified view of their attack surface and cost-effective security at scale.”

Rapid7 helps them achieve this view and then execute prevention measures through its exposure detection and response capabilities, with the option to include other providers’ tools.

“In the SIEM [security information and event management] space, it’s very common for security vendors to charge customers based on the amount of data they put in. I can think of nothing more customer-unfriendly than giving them a tool to understand threats across their environment and then charging them for each piece of data, disincentivising getting an aggregate view of threats across their environment,” he said.

Instead, Rapid7 charges by the number of assets being protected, a method Adams notes is cheaper for smaller organisations and scales with volume discounts for larger ones.

While large organisations like Goldman Sachs and HSBC can afford dedicated AI engineering teams, Rapid7 aims to bring cost-effective, AI-driven security to the mid-market.

“We believe we’re on a mission to bring AI-driven defence for all, in ways that are transparent and inspectable across an environment,” Adams said.

Even at smaller organisations, he noted that security teams are not going to trust AI unless they’re able to deeply inspect the tasks that the AI is doing, in order to have confidence that they’re not being negligent in the decisions they make.

And while a small organisation may not inspect every alert, they will choose a provider based on trust and the ability to see the work being done.

AI-driven detection and response has two main benefits, according to Adams. First, AI helps humans manage the increasing number of alerts. Second, AI-driven validation tools can conduct continuous red-teaming assessments, allowing humans to identify and remediate issues more quickly and confidently.

Rapid7 also assists customers with the governance of AI use by helping them uncover unauthorised AI, enforce software development lifecycle methodologies for AI projects, and check for application security vulnerabilities.

The company has a security operations centre (SOC) in Australia, along with onshore threat intelligence and customer success staff. This local presence also helps in meeting the compliance requirements of local customers.

“We know compliance is one of those increasingly burdensome threats across an environment. And by automatically having a view of your entire attack surface and the exposures across your environment, it’s just an incremental step to meet the compliance obligations.

“Rapid7 is all in on AI, making sure that our customers can see and defend at the speed that their adversaries are attacking,” Adams said.