InsightAppSec is Rapid7’s Dynamic Application Security Testing platform designed for modern web applications.

The tool addresses security testing challenges introduced by complex JavaScript frameworks, single-page applications, and microservices architectures.

Key differentiators include the Universal Translator for crawling modern applications and Attack Replay functionality that enables developers to validate vulnerabilities independently.

What is InsightAppSec?

InsightAppSec approaches web application security testing with a focus on modern development practices.

Traditional DAST tools often struggle with JavaScript-heavy applications that render content dynamically and manage state client-side.

InsightAppSec’s Universal Translator normalizes traffic from various frameworks (React, Angular, Vue.js) into a consistent format for security testing.

The platform provides both cloud-hosted and on-premise scan engine options, accommodating organizations with different security requirements.

Integration with the broader Rapid7 Insight platform enables correlation with vulnerability management, SIEM, and incident response workflows.

Key Features

Universal Translator

The Universal Translator technology handles the complexity of modern web applications:

JavaScript Rendering: Executes JavaScript to discover dynamically generated content
Framework Normalization: Standardizes traffic from React, Angular, Vue.js, and other frameworks
State Management: Tracks application state changes during crawling
API Discovery: Identifies REST endpoints called by the application

This approach provides broader coverage than traditional crawlers that only process static HTML.

Attack Replay

Attack Replay addresses a common friction point between security and development teams.

When InsightAppSec identifies a vulnerability, it generates a replay package that developers can execute locally to verify the finding:

Attack Replay Package:
├── replay.har          # HTTP Archive with attack request
├── instructions.md     # Steps to reproduce
├── evidence/           # Screenshots and response data
└── remediation.md      # Fix guidance

Developers validate vulnerabilities without accessing the full scan report or understanding DAST tooling.

This reduces back-and-forth between teams and accelerates remediation.

Comprehensive Attack Coverage

InsightAppSec tests for 95+ vulnerability types organized by category:

Category	Examples
Injection	SQL, LDAP, XPath, Command, Header
Cross-Site Scripting	Reflected, Stored, DOM-based
Authentication	Session fixation, weak credentials, brute force
Authorization	IDOR, privilege escalation, access control
Configuration	Security headers, SSL/TLS, information disclosure
Business Logic	Price manipulation, workflow bypass

Scan Management

The platform provides operational controls for enterprise deployments:

Scheduling: Run scans during off-peak hours
Blackout Windows: Prevent scanning during critical business periods
Incremental Scanning: Re-test only changed portions of applications
Traffic Control: Rate limiting to prevent performance impact
Parallel Scans: Multiple applications simultaneously

How to Use InsightAppSec

Creating a Scan Configuration

Navigate to InsightAppSec in the Rapid7 Insight Platform
Click “New App” and provide application details
Configure the target URL and authentication
Select scan template (Default, OWASP Top 10, PCI, etc.)
Schedule or launch scan

Authentication Configuration

InsightAppSec supports multiple authentication methods:

Form-Based Login

Login URL: https://app.example.com/login
Username Field: #email
Password Field: #password
Submit Button: #login-btn
Success Indicator: Welcome, User

HTTP Basic Authentication

Username: scan_user
Password: ********
Realm: Application API

Bearer Token

Header: Authorization
Value: Bearer eyJhbGciOiJIUzI1...

Recorded Macro For complex multi-step authentication, record browser interactions using the Traffic Recorder.

API Configuration

# InsightAppSec REST API

# Get applications list
curl "https://us.api.insight.rapid7.com/ias/v1/apps" \
  -H "X-Api-Key: YOUR_API_KEY"

# Start a scan
curl -X POST "https://us.api.insight.rapid7.com/ias/v1/scans" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "app_id": "app-uuid-here",
    "scan_config_id": "config-uuid-here"
  }'

# Get scan status
curl "https://us.api.insight.rapid7.com/ias/v1/scans/{scan-id}" \
  -H "X-Api-Key: YOUR_API_KEY"

# Get vulnerabilities
curl "https://us.api.insight.rapid7.com/ias/v1/scans/{scan-id}/vulnerabilities" \
  -H "X-Api-Key: YOUR_API_KEY"

Integration

GitHub Actions

name: InsightAppSec Security Scan
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 3 * * 0'  # Weekly Sunday 3 AM

jobs:
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Start InsightAppSec Scan
        id: scan
        run: |
          SCAN_ID=$(curl -X POST "https://us.api.insight.rapid7.com/ias/v1/scans" \
            -H "X-Api-Key: ${{ secrets.RAPID7_API_KEY }}" \
            -H "Content-Type: application/json" \
            -d '{"app_id": "${{ vars.APP_ID }}", "scan_config_id": "${{ vars.CONFIG_ID }}"}' \
            | jq -r '.id')
          echo "scan_id=$SCAN_ID" >> $GITHUB_OUTPUT

      - name: Wait for Scan Completion
        run: |
          while true; do
            STATUS=$(curl -s "https://us.api.insight.rapid7.com/ias/v1/scans/${{ steps.scan.outputs.scan_id }}" \
              -H "X-Api-Key: ${{ secrets.RAPID7_API_KEY }}" | jq -r '.status')
            echo "Scan status: $STATUS"
            if [ "$STATUS" = "COMPLETE" ] || [ "$STATUS" = "FAILED" ]; then break; fi
            sleep 120
          done

      - name: Check for Critical Vulnerabilities
        run: |
          VULNS=$(curl -s "https://us.api.insight.rapid7.com/ias/v1/scans/${{ steps.scan.outputs.scan_id }}/vulnerabilities" \
            -H "X-Api-Key: ${{ secrets.RAPID7_API_KEY }}")

          CRITICAL=$(echo "$VULNS" | jq '[.data[] | select(.severity == "HIGH")] | length')

          if [ "$CRITICAL" -gt 0 ]; then
            echo "Found $CRITICAL high severity vulnerabilities"
            exit 1
          fi

GitLab CI

insightappsec:
  stage: security
  variables:
    RAPID7_REGION: us
  script:
    - |
      # Trigger scan
      SCAN_ID=$(curl -X POST "https://${RAPID7_REGION}.api.insight.rapid7.com/ias/v1/scans" \
        -H "X-Api-Key: $RAPID7_API_KEY" \
        -H "Content-Type: application/json" \
        -d '{"app_id": "'$APP_ID'", "scan_config_id": "'$CONFIG_ID'"}' \
        | jq -r '.id')

      echo "Started scan: $SCAN_ID"

      # Poll for completion
      while true; do
        STATUS=$(curl -s "https://${RAPID7_REGION}.api.insight.rapid7.com/ias/v1/scans/$SCAN_ID" \
          -H "X-Api-Key: $RAPID7_API_KEY" | jq -r '.status')
        [ "$STATUS" = "COMPLETE" ] && break
        [ "$STATUS" = "FAILED" ] && exit 1
        sleep 60
      done

      # Export results
      curl "https://${RAPID7_REGION}.api.insight.rapid7.com/ias/v1/scans/$SCAN_ID/vulnerabilities" \
        -H "X-Api-Key: $RAPID7_API_KEY" -o scan-results.json
  artifacts:
    paths:
      - scan-results.json
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  allow_failure: true

Jenkins Pipeline

pipeline {
    agent any
    environment {
        RAPID7_API_KEY = credentials('rapid7-api-key')
    }
    stages {
        stage('DAST Scan') {
            steps {
                script {
                    def scanId = sh(
                        script: '''
                            curl -X POST "https://us.api.insight.rapid7.com/ias/v1/scans" \
                              -H "X-Api-Key: $RAPID7_API_KEY" \
                              -H "Content-Type: application/json" \
                              -d '{"app_id": "'"$APP_ID"'"}' | jq -r '.id'
                        ''',
                        returnStdout: true
                    ).trim()

                    timeout(time: 2, unit: 'HOURS') {
                        waitUntil {
                            def status = sh(
                                script: "curl -s 'https://us.api.insight.rapid7.com/ias/v1/scans/${scanId}' -H 'X-Api-Key: $RAPID7_API_KEY' | jq -r '.status'",
                                returnStdout: true
                            ).trim()
                            return status == 'COMPLETE'
                        }
                    }
                }
            }
        }
    }
}

Managed Application Security Service

Rapid7 offers a managed service option where their security team operates InsightAppSec on your behalf:

Initial application onboarding and configuration
Regular scan scheduling and monitoring
Vulnerability triage and prioritization
Remediation guidance and consultation
Monthly security posture reports

This option suits organizations lacking dedicated application security resources.

When to Use InsightAppSec

InsightAppSec works well for organizations with modern web applications built on JavaScript frameworks.

The Universal Translator handles complexity that trips up traditional DAST tools, while Attack Replay improves collaboration between security and development teams.

Consider InsightAppSec when you need:

Scanning of React, Angular, or Vue.js applications
Developer-friendly vulnerability validation workflow
Integration with broader Rapid7 security platform
Flexible deployment (cloud or on-premise scan engines)
Managed service option for limited security staff

Organizations already using Rapid7 products benefit from platform integration and unified reporting.

Teams with primarily traditional server-rendered applications may find simpler DAST tools sufficient.