InsightAppSec

Category: DAST
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 7, 2026
4 min read

InsightAppSec is Rapid7’s DAST platform for testing modern web applications. Two features set it apart: the Universal Translator, which normalizes traffic from JavaScript frameworks like React, Angular, and Vue into a consistent format for testing, and Attack Replay, which lets developers verify findings locally without running a full scan.

[Figure: InsightAppSec scan configuration and vulnerability findings dashboard]

Tests for 95+ vulnerability types. Runs on cloud or on-premise scan engines. Concurrent multi-target scanning at no additional cost.

Recently added LLM vulnerability scanning for AI-integrated applications.

Key features at a glance

  • Attack types: 95+, including OWASP Top 10, business logic, and configuration issues
  • Universal Translator: normalizes React, Angular, and Vue.js traffic for testing
  • Attack Replay: developers verify findings locally without full scan access
  • LLM scanning: tests AI-integrated apps for prompt injection and data leakage
  • GraphQL testing: dedicated GraphQL API scanning support
  • Scan engines: cloud-hosted and on-premise (v7.5 latest)
  • Concurrent scanning: multiple targets simultaneously, no extra cost
  • Compliance reports: PCI-DSS, HIPAA, OWASP Top 10, SOX
  • Report formats: interactive HTML, static HTML, CSV, PDF
  • Scheduling: recurring scans with blackout window support

What is InsightAppSec?

Traditional DAST tools struggle with JavaScript-heavy applications that render content dynamically and manage state client-side. InsightAppSec’s Universal Translator addresses this by normalizing traffic from various frameworks into a consistent format for security testing.

The tool crawls applications using a real browser, executes JavaScript, tracks state changes, and discovers REST endpoints called by the frontend. This gives it broader coverage than crawlers that only process static HTML.

Universal Translator
The Universal Translator doesn't care which JavaScript framework you use. React, Angular, Vue.js, Ember, Backbone: it normalizes all of them into the same internal format, executes the JavaScript, tracks state changes, and discovers the API endpoints the frontend calls. This means InsightAppSec's attack modules work consistently regardless of frontend technology.

Attack Replay
Each finding comes with a replay package: HTTP request, reproduction steps, evidence screenshots, and fix guidance. Developers verify bugs locally without needing DAST tool access.

95+ Attack Types
Covers injection (SQL, LDAP, XPath, command), XSS (reflected, stored, DOM-based), authentication flaws, authorization issues, configuration problems, and business logic vulnerabilities.

Attack Replay

Attack Replay is the feature that most directly addresses the friction between security and development: the "is this a real bug?" conversation that slows down remediation.

When InsightAppSec finds a vulnerability, it packages up everything a developer needs to verify it:

  • The exact HTTP request that triggered the finding
  • Step-by-step reproduction instructions
  • Evidence (screenshots, response data)
  • Remediation guidance

Developers run the replay against their local environment. If they can reproduce it, they fix it, with no back-and-forth with the security team about whether the finding is valid. One practical caveat: a replay that was captured inside the scanner's authenticated session carries that session's cookies or tokens, so the developer has to log in again locally before the request reproduces; a replay that fails only for that reason is not a false positive.
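The local verification loop described above, as an added example that is not Rapid7's code. The replay package layout here (a recorded request plus the evidence string that must reappear in the response) is a constructed stand-in, since this page does not document InsightAppSec's real package format. The target is an in-process HTTP server started twice, once with a reflected XSS bug in its search page and once with the output escaped, so the same replay shows the finding reproducing on the vulnerable build and not reproducing on the fixed one. Everything runs offline.

```python
"""Replay a recorded finding against a local build and check for the evidence.

Added example, not Rapid7 code. REPLAY_PACKAGE is a constructed stand-in for
whatever InsightAppSec ships with a finding; the local server is a constructed
target with a deliberately vulnerable and a fixed variant.
"""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed replay package: the recorded request and the marker the scanner
# saw in the response. A real package would also carry repro steps and fix advice.
REPLAY_PACKAGE = {
    "id": "finding-xss-search-q",  # hypothetical identifier
    "request": {"method": "GET", "path": "/search", "params": {"q": "<svg onload=alert(1)>"}},
    "evidence": "<svg onload=alert(1)>",  # must appear verbatim for the bug to reproduce
}


def make_handler(escape_output: bool):
    """Build a /search handler; escape_output=False is the vulnerable build."""

    class SearchHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urllib.parse.urlsplit(self.path)
            q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
            shown = html.escape(q, quote=True) if escape_output else q  # the fix is one call
            body = f"<h1>Results for {shown}</h1>".encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the console quiet
            pass

    return SearchHandler


def start_server(escape_output: bool) -> HTTPServer:
    """Bind an ephemeral port on loopback and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(escape_output))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def replay_finding(package: dict, base_url: str) -> bool:
    """Re-send the recorded request; True means the evidence reproduced."""
    req = package["request"]
    url = f"{base_url}{req['path']}?{urllib.parse.urlencode(req['params'])}"
    # Empty ProxyHandler: never route a loopback replay through an env proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(urllib.request.Request(url, method=req["method"]), timeout=5) as resp:
        body = resp.read().decode("utf-8", "replace")
    return package["evidence"] in body


def verify_locally(escape_output: bool) -> bool:
    """Spin up the chosen build, replay the finding against it, tear it down."""
    server = start_server(escape_output)
    try:
        return replay_finding(REPLAY_PACKAGE, f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable build reproduces:", verify_locally(escape_output=False))
    print("patched build reproduces:   ", verify_locally(escape_output=True))
```

The check is deliberately a substring match on the evidence rather than a full re-run of the scanner's XSS module: the point of a replay is a fast yes/no on the developer's machine, and the same script run after the fix is the regression test.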

LLM vulnerability scanning

InsightAppSec added scanning for LLM-integrated applications. If your web app uses an AI model (ChatGPT API, Claude API, etc.), the scanner tests for:

  • Prompt injection attacks
  • Data leakage through model responses
  • Unauthorized access to model capabilities
  • Input validation bypasses specific to LLM interfaces

This is a newer addition and the DAST market is still figuring out what LLM testing should look like, but InsightAppSec is one of the first to ship it.

Scan management

The platform includes operational controls for enterprise deployments:

  • Scheduling: Recurring scans during off-peak hours
  • Blackout windows: Prevent scanning during critical business periods
  • Incremental scanning: Re-test only changed portions of applications
  • Rate limiting: Throttle scan traffic to prevent performance impact
  • Concurrent scanning: Multiple targets simultaneously at no extra cost

On-premise scan engines

For internal applications that can't be reached from the internet, deploy on-premise scan engines (latest: v7.5). Results still centralize in the cloud console regardless of where the engine runs. Useful for scanning staging environments behind the firewall.

How to use InsightAppSec

1. Create an app in the Rapid7 Insight Platform: navigate to InsightAppSec, click New App, and provide the target URL and application details.
2. Configure authentication: set up form-based login, HTTP Basic, bearer token, or record a macro for complex multi-step auth flows using the Traffic Recorder.
3. Select a scan template: choose Default, OWASP Top 10, PCI, or a custom template, then configure scan scope and rate limits.
4. Run and review: launch scans on demand or schedule recurring runs, and review findings with their Attack Replay packages for developer-friendly verification.

CI/CD integration

# GitHub Actions workflow: start an InsightAppSec scan on every push to main.
# The API host is region-specific (us, eu, ...). The scan config already
# belongs to an app, so the submit body only needs the scan config id.
# --fail makes the step fail on a 4xx/5xx; -D - prints the response headers,
# whose Location header carries the URL of the newly created scan.
name: InsightAppSec Scan
on:
  push:
    branches: [main]

jobs:
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Start InsightAppSec Scan
        run: |
          curl --silent --show-error --fail -D - -X POST "https://us.api.insight.rapid7.com/ias/v1/scans" \
            -H "X-Api-Key: ${{ secrets.RAPID7_API_KEY }}" \
            -H "Content-Type: application/json" \
            -d '{"scan_config": {"id": "${{ vars.CONFIG_ID }}"}}'

InsightAppSec also integrates with Jenkins pipelines and GitLab CI via the same REST API. Note that the workflow above only starts the scan; to gate a build on the results, the pipeline has to poll the scan until it finishes and then query its findings.
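A build gate that goes beyond the start-only step above, as an added example (not Rapid7's code): submit a scan, poll it to completion, pull its findings and fail when anything at or above a chosen severity is present. The endpoint paths, the submit body, the 201-plus-Location response, the status values and the search response layout follow Rapid7's public InsightAppSec API (v1) as I understand it; treat all of them as assumptions and check them against the current API docs before relying on this. FakeInsightApi and its findings are constructed so the script runs offline; set RAPID7_API_KEY and IAS_SCAN_CONFIG_ID to run it for real.

```python
"""Submit an InsightAppSec scan, wait for it, and fail the build on findings.

Added example, not Rapid7's code. Endpoints, body shapes and status values are
assumptions drawn from Rapid7's public API docs; verify before use.
"""
import json
import os
import sys
import time
import urllib.request

BASE_URL = "https://us.api.insight.rapid7.com/ias/v1"  # region-specific host
TERMINAL_STATUSES = {"COMPLETE", "FAILED", "CANCELED"}  # assumed terminal states
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


class RealInsightApi:
    """Thin client over urllib; every call returns (status, headers, json_body)."""

    def __init__(self, api_key: str):
        self.api_key = api_key

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            BASE_URL + path, data=data, method=method,
            headers={"X-Api-Key": self.api_key, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:  # raises on 4xx/5xx
            raw = resp.read()
            return resp.status, resp.headers, (json.loads(raw) if raw else {})


class FakeInsightApi:
    """Constructed stand-in: one scan that reports RUNNING twice, then COMPLETE."""

    def __init__(self, findings):
        self.findings, self.polls = findings, 0

    def call(self, method, path, body=None):
        if method == "POST" and path == "/scans":
            assert body == {"scan_config": {"id": "cfg-1234"}}, body
            return 201, {"Location": BASE_URL + "/scans/scan-0001"}, {}
        if method == "GET" and path == "/scans/scan-0001":
            self.polls += 1
            return 200, {}, {"id": "scan-0001", "status": "RUNNING" if self.polls < 3 else "COMPLETE"}
        if method == "POST" and path == "/search":
            return 200, {}, {"data": self.findings, "metadata": {"total_data": len(self.findings)}}
        raise AssertionError(f"unexpected call {method} {path}")


def submit_scan(api, scan_config_id: str) -> str:
    """POST /scans; the new scan's id is the last segment of the Location header."""
    status, headers, _ = api.call("POST", "/scans", {"scan_config": {"id": scan_config_id}})
    if status != 201:
        raise RuntimeError(f"submit returned HTTP {status}")
    return headers["Location"].rstrip("/").rsplit("/", 1)[-1]


def wait_for_scan(api, scan_id: str, poll_seconds=30, max_polls=240) -> str:
    """Poll GET /scans/{id} until a terminal status (default cap: 2 hours)."""
    for _ in range(max_polls):
        _, _, scan = api.call("GET", f"/scans/{scan_id}")
        if scan["status"] in TERMINAL_STATUSES:
            return scan["status"]
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} did not finish after {max_polls} polls")


def fetch_findings(api, scan_id: str) -> list:
    """Search vulnerabilities belonging to one scan (query syntax is an assumption)."""
    query = f"vulnerability.scans.id='{scan_id}'"
    _, _, page = api.call("POST", "/search", {"type": "VULNERABILITY", "query": query})
    return page["data"]


def count_blocking(findings: list, fail_at="HIGH") -> int:
    """Number of findings at or above the severity that should fail the build."""
    threshold = SEVERITY_RANK[fail_at]
    return sum(1 for f in findings if SEVERITY_RANK.get(f.get("severity", ""), 0) >= threshold)


def run_gate(api, scan_config_id: str, fail_at="HIGH", poll_seconds=30) -> int:
    """Full pipeline step; returns the count of blocking findings (0 means pass)."""
    scan_id = submit_scan(api, scan_config_id)
    status = wait_for_scan(api, scan_id, poll_seconds)
    if status != "COMPLETE":
        raise RuntimeError(f"scan {scan_id} ended with status {status}")
    return count_blocking(fetch_findings(api, scan_id), fail_at)


if __name__ == "__main__":
    if os.environ.get("RAPID7_API_KEY"):
        api, cfg, delay = RealInsightApi(os.environ["RAPID7_API_KEY"]), os.environ["IAS_SCAN_CONFIG_ID"], 30
    else:  # constructed findings: one HIGH, one MEDIUM, one LOW
        api, cfg, delay = FakeInsightApi([
            {"id": "v1", "severity": "HIGH", "vulnerability_type": "SQL Injection"},
            {"id": "v2", "severity": "MEDIUM", "vulnerability_type": "Reflected XSS"},
            {"id": "v3", "severity": "LOW", "vulnerability_type": "Missing Header"},
        ]), "cfg-1234", 0
    blocking = run_gate(api, cfg, fail_at="HIGH", poll_seconds=delay)
    print(f"blocking findings: {blocking}")
    sys.exit(1 if blocking else 0)
```

Keep the polling cap and the severity threshold as pipeline variables rather than constants: a full scan of a large SPA can outlast a default CI job timeout, and teams usually start gating on HIGH only and tighten to MEDIUM once the backlog is under control.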

Integrations

Rapid7 Platform: InsightVM, InsightConnect, InsightIDR
DevOps & Ticketing: GitHub Actions, Jenkins, Jira, ServiceNow

Managed service option

Rapid7 offers a managed application security service where their team operates InsightAppSec on your behalf. They handle application onboarding, scan scheduling, vulnerability triage, and monthly reporting. This option suits organizations that lack dedicated appsec staff.

When to use InsightAppSec

InsightAppSec works well for teams with modern JavaScript applications who want developer-friendly vulnerability verification. The Universal Translator handles SPA complexity, and Attack Replay removes friction from the remediation workflow.

Good fit when you need:

  • DAST for React, Angular, or Vue.js applications
  • Developer-friendly vulnerability verification (Attack Replay)
  • LLM vulnerability scanning for AI-integrated apps
  • Integration with Rapid7’s broader security platform (SIEM, VM, IR)
  • Flexible deployment (cloud or on-premise scan engines)
  • Managed service option for teams without dedicated appsec resources

Existing Rapid7 customers get the most value from platform integration and unified reporting. Teams that don’t use other Rapid7 products should compare InsightAppSec against standalone DAST tools like Invicti or Acunetix on scanning depth and price.

Frequently Asked Questions

What is InsightAppSec?
InsightAppSec is Rapid7’s DAST platform. Its Universal Translator normalizes traffic from modern JavaScript frameworks (React, Angular, Vue) for consistent security testing. Attack Replay lets developers verify vulnerabilities locally without running a full scan.
Is InsightAppSec free or commercial?
InsightAppSec is a commercial product from Rapid7. It integrates with the broader Insight platform. Both cloud-hosted and on-premise scan engine deployments are available. Concurrent multi-target scanning is included at no additional cost.
What is Attack Replay?
Attack Replay generates a replay package for each finding that developers can execute locally to verify the vulnerability. It includes the HTTP request, reproduction steps, evidence, and remediation guidance. Developers validate bugs without needing access to the full scan report or DAST tool.
Does InsightAppSec support LLM scanning?
Yes. InsightAppSec added LLM vulnerability scanning to test AI-integrated applications for prompt injection, data leakage, and other LLM-specific security issues.
How does InsightAppSec compare to alternatives?
The Universal Translator for SPA crawling and Attack Replay for developer-friendly verification are the main differentiators. Integration with Rapid7’s broader platform (SIEM, vulnerability management, incident response) adds value for existing Rapid7 customers.

Complement with IAST

Pair dynamic testing with runtime instrumentation for broader coverage.
