Rapid7 Exposure Command: Unifying Preemptive and Proactive Cloud Defense via ARMO Integration

Security Arsenal Team
April 7, 2026
5 min read

For years, security operations centers (SOCs) and cloud security teams have battled a fragmented visibility gap. We excel at finding vulnerabilities in static code or Infrastructure as Code (IaC) templates—"left of boom." Yet, we often struggle to contextualize those findings against the reality of what is actually executing in the runtime environment—"right of boom." This disconnect allows attackers to exploit the drift between intended security posture and actual runtime reality.

Rapid7 has officially closed this gap. By integrating ARMO’s AI-powered Cloud Application Detection and Response (CADR) capabilities directly into Exposure Command, Rapid7 has delivered a complete Cloud-Native Application Protection Platform (CNAPP). This is not just an incremental update; it is a fundamental shift toward a unified defense posture that combines preemptive exposure management with proactive runtime security. For defenders, this means we now possess a single pane of glass to correlate known vulnerabilities with active exploitation attempts in real time.

Technical Analysis

Architecture Overview: The enhanced Exposure Command introduces a dual-layered defense strategy:

  1. Preemptive Exposure Management (Pre-Execution): This layer aggregates data across the cloud estate, including virtual machines, containers, and cloud storage. It focuses on identifying attack paths and prioritizing risks based on exploitability and asset criticality before an attacker can leverage them.
  2. Proactive Runtime Security (Execution): Powered by the integration with ARMO (now part of the Rapid7 portfolio), this layer utilizes eBPF (extended Berkeley Packet Filter) technology to provide deep visibility into kernel-level activity without the performance overhead of traditional agents. This is the core of the Cloud Application Detection and Response (CADR) capability.

Component Integration:

  • Affected Platforms: Kubernetes clusters, containerized workloads, and cloud-native environments across AWS, Azure, and GCP.
  • Technology: The integration leverages Kubescape (ARMO’s open-source tooling) logic to harden Kubernetes configurations and detect anomalous behavior in real time.
  • Defensive Value: The architecture correlates preemptive data (e.g., a known CVE in a base image) with proactive signals (e.g., an anomalous shell spawned within a container utilizing that image). This correlation drastically reduces Mean Time to Detect (MTTD) by filtering out theoretical noise and highlighting active threats.

How the Defense Works:

The solution monitors the CI/CD pipeline and the runtime environment simultaneously. When a deployment occurs, Exposure Command validates the artifact against security policies. Once running, the CADR component monitors system calls, network activity, and file access. If a container attempts to access sensitive files (e.g., /etc/shadow) or establish a reverse shell, and that container possesses a high-severity vulnerability, the platform elevates the alert, providing analysts with the full context: the vulnerable entry point and the active malicious behavior.
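To make the correlation logic above concrete, here is an added example (not Rapid7's or ARMO's code) that joins a pre-execution exposure inventory with simplified runtime events and elevates only those runtime signals that land on an image with a high-severity finding. The event model, image names, finding identifiers and the reverse-shell heuristic are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed inventory from the pre-execution layer: image -> (finding id, severity).
# Finding identifiers are placeholders, not real CVE numbers.
EXPOSURE = {"registry.example/api:1.4": ("EXAMPLE-FINDING-A", "HIGH"),
            "registry.example/web:2.0": ("EXAMPLE-FINDING-B", "LOW")}
SHELLS = {"/bin/sh", "/bin/bash"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers"}
RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class RuntimeEvent:
    # Simplified stand-in for a kernel-level event; kind is exec, file_open or net_connect.
    container: str
    image: str
    kind: str
    detail: str       # binary path, file path or remote address
    parent: str = ""  # parent process path, used for the reverse-shell heuristic

def classify(ev):
    """Name the suspicious behaviour an event represents, or return None if benign."""
    if ev.kind == "exec" and ev.detail in SHELLS:
        return "interactive shell spawned"
    if ev.kind == "file_open" and ev.detail in SENSITIVE_FILES:
        return "sensitive file access: " + ev.detail
    if ev.kind == "net_connect" and ev.parent in SHELLS:
        return "outbound connection from a shell to " + ev.detail + " (reverse-shell pattern)"
    return None

def correlate(events, exposure=EXPOSURE):
    """Alert only on runtime signals; elevate to CRITICAL when the image has a HIGH+ finding (a vulnerable image behaving normally yields no alert)."""
    alerts = []
    for ev in events:
        signal = classify(ev)
        if signal is None:
            continue
        finding, severity = exposure.get(ev.image, ("none", "NONE"))
        elevated = RANK[severity] >= RANK["HIGH"]
        alerts.append({"container": ev.container, "signal": signal,
                       "severity": "CRITICAL" if elevated else "MEDIUM",
                       "entry_point": finding if elevated else None})
    return alerts

# Constructed sample events: benign exec, shell + reverse-shell pattern (vulnerable image), shadow read (low-severity image).
SAMPLE_EVENTS = [
    RuntimeEvent("api-7f9", "registry.example/api:1.4", "exec", "/usr/bin/node"),
    RuntimeEvent("api-7f9", "registry.example/api:1.4", "exec", "/bin/sh", "/usr/bin/node"),
    RuntimeEvent("api-7f9", "registry.example/api:1.4", "net_connect", "203.0.113.9:8443", "/bin/sh"),
    RuntimeEvent("web-c21", "registry.example/web:2.0", "file_open", "/etc/shadow", "/bin/bash"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields two CRITICAL alerts for the vulnerable `api` container and one MEDIUM alert for the `web` container, while the benign `node` exec produces nothing, which is the noise filtering the text describes.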

Detection & Response

Executive Takeaways

Since this release represents a platform enhancement rather than a specific CVE or malware campaign, the following strategic recommendations are provided for security leaders looking to operationalize this CNAPP capability:

  1. Consolidate Alerting Pipelines: Eliminate the silo between vulnerability management and SOC detection. Direct your SOC analysts to use Exposure Command as the primary interface for cloud incidents, ensuring they investigate runtime alerts with the full context of the host's exposure score.
  2. Prioritize "Exploitable" Context: Shift remediation efforts from "patch everything" to "patch what is reachable and exploitable." Use the platform's attack path analysis to identify which exposed vulnerabilities are actually accessible via runtime traffic.
  3. Enforce Kubernetes Policy at Runtime: Move beyond static manifest scanning. Implement deny-by-default policies in the CADR layer to block containers with privilege escalation capabilities or sensitive mount points from entering the runtime state.
  4. Integrate CI/CD Gates: Operationalize the preemptive aspect by failing builds that do not meet the baseline security posture established in Exposure Command, preventing vulnerable artifacts from ever reaching the runtime environment.
  5. Map MITRE ATT&CK Tactics to Cloud Events: Train your Tier 2 and Tier 3 analysts to map the specific CADR alerts (e.g., container escape attempts) to MITRE tactics like Privilege Escalation (TA0004) or Credential Access (TA0006), using the platform's automated correlation to speed up investigation.

Remediation

Implementation and Hardening Steps:

To fully leverage the defensive capabilities of the enhanced Rapid7 Exposure Command, organizations should execute the following remediation and configuration steps:

  1. Deploy the ARMO/CADR Agents:

    • Roll out the lightweight sensor agents to all active Kubernetes clusters and critical compute nodes. Use DaemonSets for comprehensive coverage within K8s environments.
  2. Establish Baseline Policies:

    • Configure "Immutability" rules in the runtime security module to prevent write access to critical filesystem directories within containers.
    • Enable alerts for any shell activity (/bin/sh, /bin/bash) inside production containers. Legitimate containers should rarely require interactive shell access.
  3. Correlate and Triage:

    • Access the "Exposure View" in the dashboard. Filter assets by "Critical Risk" and cross-reference with "Active Runtime Alerts." Immediately quarantine or patch assets appearing in both categories.
  4. Vendor Advisory Reference:

By integrating these preemptive and proactive layers, your organization transitions from reactive patching to predictive threat hunting, significantly raising the cost of entry for potential adversaries.
