A cybercrime is reported every six minutes in 2025, and the cost of a breach to small businesses in Australia and New Zealand (ANZ) is $56,000 per year of impact, yet many defensive tactics are stuck in the 1980s, warned Rapid7's chief product officer, Craig Adams.
He argued that an annual penetration test of known assets is no longer sufficient. In response, Rapid7 helps its customers continuously scope, discover, monitor, and mobilise against threats across their entire environment.
"Gartner has a statistic where only 17% of organisations can identify 95% of their attack surface. That means a typical organisation is missing a solid 20 to 25% of their environment," said Adams. "If I tell you there are three doors, you can lock three doors. If I don't tell you how many doors there are, it's hard to lock them all."
The typical organisation's attack surface changes twice a week, he said, whether that's an identity with access to a new system, cloud account or device. "The unique approach Rapid7 takes as an open platform is, we bring our native view of what we detect ourselves... [but] we recognise that customers have invested in different tools for a reason."
He added: "We believe very passionately that security begins with an open view of your entire attack surface, not seen by just one vendor, even if that's Rapid7, but seen by all the different tools aggregated across your environment, which we help our customers do."
To achieve this, Rapid7 uses AI to create a comprehensive view of a customer's attack surface by aggregating data and intelligence from all their different tools into a unified, deconflicted view. Once visibility is established, the next step is to continuously prioritise exposures.
"Every customer I meet with, when they look at this, uncovers that there's inconsistent policy execution in their own environment. There are assets without an endpoint. There are cloud containers that are visible externally that shouldn't be. There are identities without MFA [multifactor authentication], but we're able to bring all of that together with AI."
AI is also used to help organisations understand the biggest risks and guide them to the necessary remediation tasks. This leads to faster responses, whether the remediations are automated or not.
"Most organisations prioritise the biggest exposures across their environment almost by Gartner acronym," he said, referring to exposures revealed by DAST (dynamic application security testing), CNAPP (cloud-native application protection platform), and on-premises vulnerability management systems, as well as identity exposures.
"For the typical mid-size organisation, that's just a fundamentally ineffective way to prioritise... they need to look holistically at exposures across their environment." Instead, prioritisation should be based on overall organisational risk.
As a provider of detection and response services to over 5,000 global customers, Rapid7 can observe real-world attacks and the methods being used. This information is then applied to a customer's environment, considering any compensating controls in place.
"How you win or lose in security is how you prioritise. We all know every security team has a long list of things to do. The way we can help an organisation prioritise based on risk is a key factor in protecting the modern enterprise."
The cyber security skills shortage remains a major problem. According to ISACA's 2025-2026 State of cybersecurity report, 55% of professionals say their teams are understaffed, and 65% have unfilled positions.