Start your connected product review where it counts: at the points attackers touch. Rapid7’s IoT security engagement pairs your engineers with hands-on specialists during architecture and prototype stages. In working sessions, you sketch the system map—device, radio, boot chain, debug interfaces, mobile app, cloud—and turn it into an actionable attack surface. Together you build a threat model, define abuse cases, and select focus areas (e.g., secure boot, key storage, OTA update integrity, JTAG/UART lockdown). Consultants co-create a design checklist, sample configs, and test cases you can run before hardware freeze, so high-impact fixes land early, not after production.
Once builds start, you wire the environment into Rapid7’s platform. Asset discovery sweeps your lab and staging networks so every new board, gateway, VM, and service is cataloged automatically. Lightweight, agentless checks evaluate constrained devices that can’t run tooling, while authenticated agents provide deep host coverage where feasible. You schedule OS, network, and application exposure scans; point API testing at your OpenAPI specs or captured traffic; and crawl the web console to catch common web flaws. Containers and Kubernetes get image and cluster configuration reviews—RBAC, secrets, pod policies—then you add pass/fail gates to CI so unsafe images never ship.
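The pass/fail gate mentioned above, shown as an added illustration rather than Rapid7's own code or API: a small policy evaluator that reads a container image scan result and blocks the build when a fixable high-severity finding, any critical finding, or a failed configuration check is present. The JSON field names, the placeholder CVE identifiers, the image name and the policy thresholds are all assumptions constructed for this example; a real scanner's schema will differ.

```python
"""Illustrative CI pass/fail gate for container image scan results.

Added example, not Rapid7's code or API. It assumes a scanner emits
findings as JSON with the fields shown in the constructed sample
below; field names and thresholds are assumptions for illustration.
"""
import json
import sys

# Constructed sample scan output for one image build (not real data;
# CVE identifiers are placeholders, not real vulnerabilities).
SAMPLE_SCAN_JSON = json.dumps({
    "image": "registry.example.internal/gateway-fw:1.4.2",
    "findings": [
        {"id": "PLACEHOLDER-CVE-1", "severity": "HIGH",
         "fix_available": True, "package": "openssl"},
        {"id": "PLACEHOLDER-CVE-2", "severity": "LOW",
         "fix_available": False, "package": "zlib"},
        {"id": "PLACEHOLDER-CVE-3", "severity": "CRITICAL",
         "fix_available": False, "package": "busybox"},
    ],
    "config_checks": [
        {"check": "runs_as_root", "status": "fail"},
        {"check": "secrets_in_env", "status": "pass"},
    ],
})

# A constructed scan with nothing to report, used to show the passing path.
CLEAN_SCAN_JSON = json.dumps({
    "image": "registry.example.internal/gateway-fw:1.4.3",
    "findings": [],
    "config_checks": [
        {"check": "runs_as_root", "status": "pass"},
        {"check": "secrets_in_env", "status": "pass"},
    ],
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

DEFAULT_POLICY = {
    # Block when a finding with an available fix is at or above this severity.
    "block_fixable_at": "HIGH",
    # Block when any finding, fixable or not, is at or above this severity.
    "block_any_at": "CRITICAL",
    # Configuration checks that must report "pass".
    "required_checks": {"runs_as_root", "secrets_in_env"},
}


def evaluate_gate(scan_json, policy=DEFAULT_POLICY):
    """Return (passed, reasons) for one scan result under a policy.

    reasons is a list of human-readable strings explaining each block.
    """
    scan = json.loads(scan_json)
    reasons = []
    fixable_floor = SEVERITY_RANK[policy["block_fixable_at"]]
    any_floor = SEVERITY_RANK[policy["block_any_at"]]

    for f in scan.get("findings", []):
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 0)
        if rank >= any_floor:
            reasons.append(f"{f['id']} ({f['severity']}) in {f['package']}")
        elif f.get("fix_available") and rank >= fixable_floor:
            reasons.append(
                f"{f['id']} ({f['severity']}, fix available) in {f['package']}")

    for c in scan.get("config_checks", []):
        if c["check"] in policy["required_checks"] and c["status"] != "pass":
            reasons.append(f"config check failed: {c['check']}")

    return (len(reasons) == 0, reasons)


def main():
    # Exit non-zero so the CI job fails and the image is not promoted.
    passed, reasons = evaluate_gate(SAMPLE_SCAN_JSON)
    print("GATE PASSED" if passed else "GATE BLOCKED")
    for r in reasons:
        print("  -", r)
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

In a pipeline the script would read the scanner's real output file instead of the embedded sample; the exit code is what the CI stage keys on, and the reasons list is what goes into the generated ticket.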
To cut noise, you rank findings with CVSS-based severity enhanced by exploit-likelihood intelligence. The platform opens tickets with remediation steps, owners, and due dates; change a setting or apply a patch, then kick off a quick validation scan to confirm the fix. For systemic issues, you get guided hardening playbooks—TLS settings, certificate rotation, network segmentation—and sample policies you can adopt. Recurring assessments track drift across device fleets, and dashboards show leadership where risk is falling. When auditors call, export ready-to-use reports aligned to your frameworks and regulations to evidence controls and results.
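The ranking and fix-validation steps above, as an added example that is not Rapid7's platform code: findings are scored from their CVSS base score weighted by an exploit-likelihood signal and asset criticality, mapped to a remediation due date, and a rescan is diffed against the baseline to confirm what was actually fixed. The `exploit_state` values, the weights, the due-date tiers, the asset names and the placeholder finding identifiers are assumptions constructed for this illustration.

```python
"""Illustrative finding prioritisation and fix validation.

Added example, not Rapid7's code. Weights, exploit states, due-date
tiers and the finding fields are assumptions; real intelligence feeds
and schemas differ.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str       # placeholder identifier, not a real CVE
    asset: str
    cvss_base: float      # CVSS base score, 0.0 to 10.0
    exploit_state: str    # assumed signal: none | poc | weaponized | active
    asset_critical: bool  # internet-facing or otherwise high-value asset


# Assumed multipliers: the more real-world exploitation evidence, the
# higher the priority relative to the raw CVSS score.
EXPLOIT_WEIGHT = {"none": 1.0, "poc": 1.2, "weaponized": 1.4, "active": 1.6}


def priority_score(f):
    """CVSS base score scaled by exploit likelihood and asset criticality."""
    score = f.cvss_base * EXPLOIT_WEIGHT[f.exploit_state]
    if f.asset_critical:
        score *= 1.25
    return round(score, 2)


def due_days(score):
    """Assumed remediation SLA tiers keyed on the priority score."""
    if score >= 12.0:
        return 7
    if score >= 8.0:
        return 30
    if score >= 4.0:
        return 90
    return 180


def rank_findings(findings):
    """Highest priority first; ties broken by identifier for stable output."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.finding_id))


def validate_fix(baseline, rescan):
    """Diff a validation rescan against the baseline scan.

    Returns which (finding_id, asset) pairs were resolved, which remain,
    and which are new since the baseline.
    """
    before = {(f.finding_id, f.asset) for f in baseline}
    after = {(f.finding_id, f.asset) for f in rescan}
    return {
        "resolved": sorted(before - after),
        "remaining": sorted(before & after),
        "new": sorted(after - before),
    }


# Constructed sample findings (placeholder ids, not real vulnerabilities).
BASELINE = [
    Finding("PLACEHOLDER-A", "gateway-01", 9.8, "none", False),
    Finding("PLACEHOLDER-B", "gateway-01", 7.5, "active", True),
    Finding("PLACEHOLDER-C", "lab-vm-03", 5.3, "poc", False),
    Finding("PLACEHOLDER-D", "web-console", 8.1, "weaponized", True),
]

# Constructed rescan after patching B and D; E appeared since the baseline.
RESCAN = [
    Finding("PLACEHOLDER-A", "gateway-01", 9.8, "none", False),
    Finding("PLACEHOLDER-C", "lab-vm-03", 5.3, "poc", False),
    Finding("PLACEHOLDER-E", "gateway-02", 6.5, "none", False),
]


def main():
    for f in rank_findings(BASELINE):
        s = priority_score(f)
        print(f"{f.finding_id:16} {f.asset:12} score={s:6.2f} due in {due_days(s)}d")
    print(validate_fix(BASELINE, RESCAN))


if __name__ == "__main__":
    main()
```

Note how a 7.5 finding with active exploitation on a critical asset outranks a 9.8 with no exploitation evidence; that is the point of blending exploit likelihood into the score rather than sorting on CVSS alone.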
Here’s a typical sprint: the team ships a new firmware build for a smart gateway. Pre-merge gates catch a base image vulnerability and a risky Kubernetes admission rule, so the pipeline blocks release and generates tickets. API tests flag permissive rate limits; a one-line config change resolves it. Before go-live, a final pass finds a debug UART left active; the hardware team blows a fuse and updates the checklist. Post-release, asset discovery spots unapproved devices on a test VLAN; ops quarantines them and re-runs scans. The iteration ends with a short retest and a clean report for stakeholders.
Rapid7 Security Services
Custom
Threat modeling
Device design consulting
IoT penetration testing
Hardware testing
Protocol testing
Firmware Analysis
Incident Response