Shortlist fit
Mid-market and enterprise teams that want MDR, SIEM and vulnerability context in one Rapid7-led workflow
Provider handles
Service can take or orchestrate containment actions within the approved scope.Check before buying
Scoping protected endpoints, servers, networks and third-party event sourcesAlso fits
- Buyers that value asset-based pricing instead of SIEM data-volume pricing
- Security teams that want provider-led containment for endpoints and user accounts but still retain response governance
- Microsoft Defender or mixed-EDR environments that can use Rapid7-supported event and Active Response integrations
Can replace
- Some 24/7 alert monitoring and first-pass triage work
- Some endpoint and user containment actions through configured Active Response
- Some incident-response retainer demand inside the MDR scope
- Some SIEM data-volume budgeting uncertainty when Rapid7 SIEM is the monitoring layer
Coverage
Provider covers
- 24/7/365 SOC monitoring, triage and investigation through Rapid7 MDR
- Exposure-informed investigations that use vulnerability and asset context to prioritize response
- Rapid7 SIEM visibility into validated threats, response actions and resolution
Your team still owns
- Maintaining telemetry quality, agent coverage and third-party alert integrations
- Defining Active Response permissions, exclusions and approval rules
- Handling business remediation, recovery and changes outside Rapid7-managed workflows
Tradeoffs
Works well
- Documented containment actions make it stronger than alert-only or advice-only MDR
- Rapid7's exposure-management context can help prioritize which alerts and weaknesses matter most
- Public AWS Marketplace pricing gives buyers a better starting point than quote-only MDR profiles
Watch out for
- The service is centered on Rapid7 SIEM, so buyers committed to another SIEM should verify workflow fit
- Third-party alert response is bounded by supported integrations, source-system APIs and configured data flow
- Public package pages do not expose every entitlement boundary, add-on cost or response authority rule
Reviews
Review synthesis
Public review signals are positive but uneven in depth. Gartner and PeerSpot show meaningful MDR review surfaces, G2 has a smaller MDR-specific review set, and Reddit comments praise analyst quality, retention and vulnerability bundling while flagging cost, automation, portal workflow and third-party integration limits.Customers like
- Reviewers commonly value 24/7 monitoring, analyst support and investigation help
- Customers point to useful SIEM visibility, vulnerability context and long retention
- PeerSpot and G2 reviews describe Rapid7 as useful for both mid-market and enterprise teams
Watch out for
- MDR-specific G2 review volume is small
- Community discussion raises pricing, automation and portal workflow concerns
- Third-party alert handling can be limited by source-system APIs and data-flow reliability
Pricing
- Price
- AWS Marketplace lists a 12-month Managed Threat Complete Essential contract from $73,000.
- Billing
- Per-asset, Tiered, Custom
- Contract
- 12 months
- Proof of concept
- Available
- Onboarding
- Rapid7 service material says MDR monitoring starts detecting threats within the first 60 days of onboarding.
Questions to ask
- Which containment and remediation actions can Rapid7 execute in our environment without waiting for approval?
- Which third-party tools will Rapid7 only triage inside Rapid7 SIEM, and which systems receive bidirectional updates?
- How do Essential, Advanced and Ultimate differ for threat hunting, third-party monitoring, advisors, Velociraptor and breach protection?
Integrations
- SIEM
- Rapid7 SIEM (InsightIDR)
- Rapid7 Command Platform
- EDR / Endpoint
- Rapid7 Insight Agent
- Microsoft Defender for Endpoint
- CrowdStrike Falcon
- SentinelOne
- Carbon Black Cloud
- Cisco Secure Endpoint
- Cloud
- AWS GuardDuty
- Microsoft Defender for Cloud
- Google Cloud Security Command Center
- Other
- InsightVM / Exposure Management
- InsightConnect SOAR
- Velociraptor DFIR
- Microsoft Defender XDR
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- CyberArk Vault
- Netskope
- Palo Alto Networks Cortex XDR
- Sophos Central
- Trend Vision One
- Varonis DatAdvantage
Editorial notes
Why contain threats
Rapid7 publishes Active Response documentation showing SOC analysts can isolate endpoints and disable compromised user accounts through supported agents and EDR tools. That supports the Contain threats lane, but not full SOC ownership.
Not a neutral managed SIEM
The public MDR page says the service is delivered on Rapid7's SIEM and uses Rapid7 platform context. Enterprise MDR can ingest custom event sources, but the normal operating model still centers Rapid7's platform rather than any customer-owned SIEM.
Third-party boundary
Rapid7 documentation says the SOC can triage, investigate and respond to selected third-party security alerts within Rapid7 SIEM, while also noting that Rapid7 does not control disruptions in third-party data flow or universally close alerts in source systems.
Pricing boundary
Rapid7 publishes package names and asset-based pricing logic, while AWS Marketplace exposes public 12-month contract starting prices. The profile uses those marketplace amounts as indicative procurement signals and keeps final pricing quote-dependent.
Review caveat
Public customer sentiment is mostly favorable on analyst quality, visibility and bundled vulnerability context, but review volume for the MDR-specific G2 surface is small and community comments include pricing, automation, portal and integration caveats.