Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Rapid7 InsightAppSec DAST/API Integration
Rapid7 InsightAppSec is a cloud-hosted DAST platform that scans running web applications and APIs for exploitable weaknesses. This integration lets Invicti AppSec trigger InsightAppSec scans and import the resulting findings as vulnerabilities.
Prerequisites
| Field | Description |
|---|---|
| Region | Your Rapid7 Insight Platform region (e.g., us, eu, ap, ca, au) |
| API Key | A Rapid7 Insight Platform API key |
Get an API Key (on the Rapid7 Insight Platform side)
- Log in to the Rapid7 Insight Platform.
- Click your profile icon in the upper right corner.
- Select API Keys from the profile menu.
- Click + New User Key.
- Enter a name for the key and click Generate.
- Copy the API key and store it in a secrets manager; it is shown only once and cannot be retrieved later.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.

Step 3: Find and Activate Rapid7 InsightAppSec
Scroll through the list of DAST/API scanners to find Rapid7 InsightAppSec.
- If Rapid7 InsightAppSec is not activated, you will see an "Activate" button. Click it to enable the integration.
The scan method badge on the Rapid7 InsightAppSec card shows KDT, which means scans are triggered through the KDT command-line tool (the Kondukto CLI), so KDT must be available wherever scans are launched (typically a CI job).
Step 4: Configure Connection Settings
Click on the gear icon on the Rapid7 InsightAppSec card to open the configuration panel. Fill in the required fields:
- Token: Paste the Rapid7 Insight Platform API key generated above.
- URL: Enter the Insight Platform API endpoint for your account's region (e.g., https://us.api.insight.rapid7.com for the us region).
- Insecure: Leave this disabled. The Rapid7 cloud endpoints present publicly trusted certificates; enabling it turns off TLS certificate verification, which would let an on-path attacker read the API key.

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms the API key and region are correct.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Rapid7 InsightAppSec |
| 4 | Enter the API key (Token) and the regional endpoint (URL) |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Rapid7 InsightAppSec Scanner
- Select DAST/API as the scanner type.
- Choose Rapid7 InsightAppSec from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Bind To | The InsightAppSec app (with its scan configuration) to bind this project to; it must already exist in InsightAppSec | Yes |
| Start Scan | Toggle to trigger the scan immediately | No |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |

Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
The same scan can be started from a CI job with KDT; -p is the Invicti AppSec project name, -t selects the InsightAppSec scanner and -b the branch the results are attached to:

```bash
kdt scan -p <project_name> -t insightappsec -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API key | Regenerate the API key from the Rapid7 Insight Platform and update the integration |
| Wrong region | Confirm your account region from the Insight Platform URL (e.g., us.api.insight.rapid7.com) |
| InsightAppSec not activated | Ensure the InsightAppSec product is activated on your Rapid7 subscription |
| Network access | Ensure Invicti AppSec can reach us.api.insight.rapid7.com (or your region endpoint) on port 443 |
Scan Issues
| Issue | Resolution |
|---|---|
| No apps listed | Verify the API key account has access to the target apps in InsightAppSec |
| Scan config missing | Create a scan configuration in InsightAppSec before triggering scans |
| Scan not starting | Check InsightAppSec engine status and scan slot availability |
| Empty results | Confirm the scan completed in the InsightAppSec dashboard |
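The Step 5 connection test and the resolutions in the two tables above can be reproduced from a shell before the integration is configured, which is useful when the UI only reports "connection failed". The script below is an added example, not part of Invicti AppSec, KDT or Rapid7's tooling. It assumes `curl` is installed, reads the region and key from the environment variables INSIGHT_REGION and INSIGHT_API_KEY (names chosen for this example, not product settings), uses the Insight Platform `/validate` endpoint and the InsightAppSec API v1 paths `/ias/v1/apps` and `/ias/v1/scan-configs`, and accepts only the regions listed under Prerequisites.

```shell
#!/bin/sh
# Pre-flight check for the Rapid7 InsightAppSec integration.
# Added example, not part of Invicti AppSec, KDT or Rapid7 tooling.
# Assumes: curl in PATH; INSIGHT_REGION and INSIGHT_API_KEY set in the
# environment (variable names chosen for this example only).

# Regional API base URL for the regions listed under Prerequisites.
# Any other value is rejected rather than sent to a guessed host.
ias_endpoint() {
    case "$1" in
        us|eu|ap|ca|au) printf 'https://%s.api.insight.rapid7.com\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Map an HTTP status code to the matching Troubleshooting resolution.
# curl reports 000 when the TCP/TLS connection itself fails.
classify_status() {
    case "$1" in
        200) echo "ok" ;;
        401) echo "invalid-api-key: regenerate it under profile > API Keys" ;;
        403) echo "forbidden: key valid but no InsightAppSec access, or product not activated" ;;
        404) echo "wrong-region-or-endpoint: confirm the region from the platform URL" ;;
        000) echo "network: cannot reach the region endpoint on 443" ;;
        *) echo "unexpected-http-$1" ;;
    esac
}

# GET a path with the API key; prints the HTTP status only.
ias_status() {
    status=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 \
        -H "X-Api-Key: $3" -H 'Accept: application/json' "$1$2" 2>/dev/null) \
        || status=000
    echo "$status"
}

# GET a path and print the response body.
ias_body() {
    curl -sS --max-time 15 -H "X-Api-Key: $3" -H 'Accept: application/json' \
        "$1$2" 2>/dev/null
}

# Count objects in a list response without jq: one "id" key per entry.
# Approximate, but the v1 metadata block carries no "id" key.
count_ids() {
    grep -o '"id"' | wc -l | tr -d ' '
}

check_integration() {
    region="$1"; key="$2"
    base=$(ias_endpoint "$region") || { echo "unknown region: $region"; return 1; }

    # 1. Key and region. /validate is platform-level, so it answers even
    #    when InsightAppSec itself is not licensed on the account.
    s=$(ias_status "$base" /validate "$key")
    echo "validate     : $(classify_status "$s")"
    [ "$s" = 200 ] || return 1

    # 2. Product activation and app visibility ("No apps listed").
    s=$(ias_status "$base" /ias/v1/apps "$key")
    echo "ias apps     : $(classify_status "$s")"
    [ "$s" = 200 ] || return 1
    echo "apps visible : $(ias_body "$base" /ias/v1/apps "$key" | count_ids)"

    # 3. Scan configurations must exist before a scan can be bound and started.
    echo "scan configs : $(ias_body "$base" /ias/v1/scan-configs "$key" | count_ids)"
}

# Only run the live check when a key is supplied; the functions above
# can still be sourced and used on their own.
if [ -n "${INSIGHT_API_KEY:-}" ]; then
    check_integration "${INSIGHT_REGION:-us}" "$INSIGHT_API_KEY"
fi
```

Run it as `INSIGHT_REGION=eu INSIGHT_API_KEY=... sh preflight.sh` from the same network position as the Invicti AppSec instance (or the CI runner that executes KDT), since the point of the network check is to see what that host can reach. A non-zero exit from `check_integration` stops a pipeline before `kdt scan` is attempted, and the printed line tells you which table row applies. The key is passed only in the `X-Api-Key` header, never on a URL, so it does not land in proxy or web-server access logs.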
Best Practices
- Use a dedicated user API key from a service account rather than a personal account. The key carries that account's permissions, so grant the account access only to the InsightAppSec apps the integration needs.
- Select the correct region when configuring the integration to avoid authentication failures.
- Rotate the API key on a fixed schedule (at least annually) and immediately when a holder leaves, when the key may have been exposed, or when the service account's permissions change.
- Pre-configure apps and scan configurations in InsightAppSec before using the integration.
- Use scan configurations tailored to the application type (web app, API, microservices).
Limitations
- API keys are region-specific; ensure you select the region that matches your Rapid7 account.
- The InsightAppSec product must be separately subscribed to within the Rapid7 Insight Platform.
- Apps and scan configurations must be created in InsightAppSec before they appear in Invicti AppSec.
- Concurrent scan limits are governed by your InsightAppSec subscription tier and scan engine capacity.
Need help?
The Invicti Support team is ready to provide technical help. Go to Help Center