Rapid7 EU Alternative 2026: CLOUD Act 18/25 and NIS2 Vulnerability Management Compliance
Post #3 in the sota.io EU Vulnerability Management Series
Rapid7 is one of the most widely deployed vulnerability management and SIEM platforms globally. InsightVM handles asset discovery and vulnerability prioritisation, InsightIDR aggregates logs and detects threats, and AttackerKB provides vulnerability intelligence from the security research community. For European security teams, the platform offers real capability — but raises a structural question that many procurement teams overlook: where does all that scan data actually go, and who can compel access to it?
The answer sits in Rapid7's corporate structure. Rapid7 Inc. is incorporated in Delaware, headquartered in Boston, Massachusetts, listed on NASDAQ under RPD, and operates its Insight Platform primarily on US-controlled cloud infrastructure. That combination means the CLOUD Act applies — and EU organisations deploying InsightVM agents across their infrastructure need to understand what that means for vulnerability data sovereignty.
Rapid7's CLOUD Act Exposure: 18/25
Here is how Rapid7 Inc. scores on the 25-point CLOUD Act risk framework:
| Factor | Score | Detail |
|---|---|---|
| US incorporation (Delaware) | 3/3 | Rapid7 Inc. incorporated Delaware |
| US headquarters | 2/2 | 120 Causeway Street, Boston MA 02114 |
| NASDAQ listed (RPD) | 2/2 | Subject to SEC jurisdiction and US securities law |
| US cloud infrastructure (primary) | 2/3 | AWS-backed Insight Platform; EU regions available but parent-controlled |
| No structural EU subsidiary independence | 3/3 | No legally separate EU entity controlling EU data |
| US executive and board domicile | 2/2 | Entire C-suite US-based |
| US government intelligence apparatus | 2/4 | No FedRAMP (lower than Tenable/Qualys), but CLOUD Act applies regardless |
| Scope of personal data processed | 2/6 | Agent telemetry, user accounts in IDR, network maps |
| Total | 18/25 | High CLOUD Act exposure |
Rapid7 scores slightly lower than Tenable (19/25) and Qualys (19/25) on this framework because it lacks FedRAMP authorization — that US-government-specific certification both signals deeper government integration and increases the likelihood of compliance-related data requests. But 18/25 is still firmly in the high-risk tier for GDPR-conscious organisations.
What Data Rapid7 Processes About Your Infrastructure
The scope of what Rapid7 collects makes the CLOUD Act question particularly acute for EU security teams.
InsightVM gathers findings through the Insight Agent on endpoints and through scan engines for network scans; agent data and console results are synchronised to the Insight Platform. Those findings include: full software inventory (versions, patch levels), open port lists, configuration audit results, CVE exposure per asset, and network topology maps. This is an extraordinarily detailed fingerprint of your infrastructure, the kind of data a state actor would pay significant sums to obtain.
InsightIDR functions as a cloud-native SIEM. It ingests logs from endpoints, network devices, authentication systems, and cloud workloads. Those logs contain user account names, IP addresses, authentication events, and application-level activity records. Under GDPR Article 4(1), virtually all of this constitutes personal data.
InsightAppSec performs dynamic application security testing (DAST) against your web applications — and can process responses containing real user data if not carefully scoped.
InsightCloudSec scans your cloud configurations including IAM policies, S3 bucket permissions, and service account privileges. The configuration state of your cloud environment, including who has access to what, lands in Rapid7's platform.
AttackerKB is a community vulnerability intelligence platform. While the published data is public, contributors create accounts and submit research — that identity and contribution data sits under US jurisdiction.
GDPR Risk Analysis: Five Concrete Scenarios
Risk 1: Cross-Border Data Transfer Without Adequate Safeguards
When an EU organisation deploys InsightVM agents and those agents report to the Insight Platform's US data processing environment, that constitutes a transfer under GDPR Chapter V. Rapid7 offers Standard Contractual Clauses (SCCs) and a Data Processing Agreement. However, post-Schrems II, SCCs require a Transfer Impact Assessment (TIA) — and for a US company subject to the CLOUD Act, that TIA must acknowledge that US law can compel disclosure of EU data even when it is stored in a European region.
Risk 2: Vulnerability Data as Sensitive Infrastructure Intelligence
Scan results from InsightVM are not ordinary business data. They represent a map of your organisation's weaknesses — the exact information an attacker (or a hostile state) would want. Article 32 of GDPR requires appropriate technical measures for processing data based on risk. Storing this map in a US-jurisdiction platform contradicts the "state of the art" security principle when EU-jurisdiction alternatives exist that offer identical capabilities.
Risk 3: Log Data and Personal Data Under InsightIDR
Authentication logs are personal data under GDPR Article 4(1). When InsightIDR aggregates Active Directory logs, VPN connection records, and SaaS authentication events for EU employees, that data is transferred to Rapid7's platform. The lawful basis for this processing (typically Article 6(1)(f) legitimate interest in security monitoring) does not change the jurisdiction problem — the data is still accessible under a US court order served on Rapid7.
Risk 4: NIS2 Article 21 Compliance Gap
NIS2 Article 21(2)(e) requires security measures for network and information systems acquisition, development and maintenance, "including vulnerability handling and disclosure". Implementing Regulation (EU) 2024/2690 spells out, for the digital-infrastructure and digital-provider entity types it covers, what a documented vulnerability management process must contain. Using a CLOUD Act-exposed tool for this programme does not per se violate NIS2, but it creates a documentation gap: your vulnerability management system cannot guarantee confidentiality of the discovered vulnerabilities, since US law can compel their disclosure.
Risk 5: Agent Deployment Scope Creep
InsightVM agents, once deployed, operate with elevated privileges on endpoint systems. The agent communicates continuously with the Insight Platform. In an incident investigation scenario — where a threat actor has compromised some of your systems — those agents are still phoning home to a US platform with live telemetry about the compromise. That telemetry includes forensic artefacts that may be required to remain under EU legal control for incident reporting purposes under NIS2 Article 23.
EU-Native Alternatives That Keep Vulnerability Data Sovereign
Greenbone AG — OpenVAS / Greenbone Enterprise
CLOUD Act Score: 0/25
Greenbone AG is headquartered in Osnabrück, Germany: a German company with no US parent, no US cloud backend, and no NASDAQ listing. It develops and publishes the open-source OpenVAS scanner, which is the scanning engine inside the Greenbone Vulnerability Management (GVM) framework, and its commercial Greenbone Enterprise Appliance product runs entirely on-premises.
Greenbone holds BSI BSZ (Bundesamt für Sicherheit in der Informationstechnik) certification for its Enterprise products — the German government's official security product certification. This makes it the default choice for German federal agencies and increasingly for private-sector organisations under BSI-IT-Grundschutz compliance frameworks.
Capabilities:
- GVM / OpenVAS: Full network vulnerability scanning (90,000+ NVTs, CVE-mapped)
- Greenbone Enterprise 650/6500/DECA appliances: Hardware or virtualised, fully on-premises
- Greenbone Security Manager (GSM): Centralised management for distributed scanner deployments
- Greenbone Vulnerability Management: Dashboards, trend analysis, ticketing integration
- Feed: Greenbone Community Feed (free) or Greenbone Enterprise Feed (commercial, more NVTs)
Migration path from Rapid7 InsightVM:
- Deploy GVM appliance on-premises or on EU VPS (Hetzner, Scaleway, OVHcloud)
- Import existing asset lists via CSV or SNMP network discovery
- Map Rapid7 scan templates to GVM scan configs (start from the built-in Full and fast config and clone it for narrower, site-specific configs)
- Set up authenticated scans with domain credentials (equivalent to InsightVM credentialed scanning)
- Configure alert-to-ticket integrations (Jira, ServiceNow) via GVM alert system
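The asset-import and task-creation steps above can be scripted against gvmd through its GMP protocol. The following is an added example written for this post, not Greenbone's or Rapid7's own code. It assumes an InsightVM asset export with the columns Site, IP Address and Host Name (the sample rows are constructed; real export columns depend on the report template), that python-gvm is installed and gvmd listens on its Unix socket, and that the stock "Full and fast" config, "OpenVAS Default" scanner and "All IANA assigned TCP" port list exist with the UUIDs GVM ships; confirm those IDs on your own install before a live run. It validates and de-duplicates IPs, splits large sites into several targets, and has a dry-run mode so you can see what it would create.

```python
"""Bulk-create Greenbone (GVM) targets and scan tasks from an InsightVM asset export.

Added example for this post (not Greenbone's or Rapid7's own code). Assumptions:
  - the export has columns 'Site', 'IP Address', 'Host Name' (the sample below is
    constructed; real InsightVM report columns depend on the report template)
  - python-gvm is installed (pip install python-gvm) and gvmd listens on its Unix socket
  - the stock GVM objects exist with the UUIDs they ship with; confirm with
    gmp.get_scan_configs(), gmp.get_scanners() and gmp.get_port_lists() on your install
"""
import csv
import io
import ipaddress
from collections import defaultdict

FULL_AND_FAST = "daba56c8-73ec-11df-a475-002264764cea"   # stock "Full and fast" scan config
OPENVAS_SCANNER = "08b69003-5fc2-4037-a479-93b440211c73"  # stock "OpenVAS Default" scanner
IANA_TCP_PORTS = "33d0cd82-57c6-14b7-4eb6-8d9b9f3a9d1a"   # stock "All IANA assigned TCP" port list
MAX_HOSTS_PER_TARGET = 256  # keep targets small so one failed task does not block a whole site

# Constructed sample of an InsightVM asset CSV: a duplicate row, a bad IP and a blank hostname
SAMPLE_EXPORT = """Site,IP Address,Host Name
Frankfurt-DC,10.10.1.10,fra-db01
Frankfurt-DC,10.10.1.11,fra-db02
Frankfurt-DC,10.10.1.10,fra-db01
Frankfurt-DC,not-an-ip,broken-row
Berlin-Office,192.168.50.5,ber-fs01
Berlin-Office,192.168.50.6,
"""


def parse_export(text):
    """Return ({site: [ip, ...]} with IPs validated, de-duplicated and sorted, [rejected rows])."""
    by_site = defaultdict(set)
    rejected = []
    for row in csv.DictReader(io.StringIO(text)):
        ip = (row.get("IP Address") or "").strip()
        try:
            ipaddress.ip_address(ip)  # reject junk before it becomes a GVM target
        except ValueError:
            rejected.append(row)
            continue
        by_site[(row.get("Site") or "").strip() or "unassigned"].add(ip)
    return {s: sorted(ips, key=ipaddress.ip_address) for s, ips in by_site.items()}, rejected


def chunk(items, size=MAX_HOSTS_PER_TARGET):
    return [items[i:i + size] for i in range(0, len(items), size)]


def create_site_tasks(gmp, site, hosts, config_id=FULL_AND_FAST,
                      scanner_id=OPENVAS_SCANNER, port_list_id=IANA_TCP_PORTS, start=False):
    """Create one target and one task per chunk of hosts; return the new task IDs."""
    parts = chunk(hosts)
    task_ids = []
    for n, part in enumerate(parts, start=1):
        name = f"{site} ({n}/{len(parts)})" if len(parts) > 1 else site
        target = gmp.create_target(name=f"{name} hosts", hosts=part, port_list_id=port_list_id)
        task = gmp.create_task(name=f"Weekly vuln scan - {name}", config_id=config_id,
                               target_id=target.get("id"), scanner_id=scanner_id)
        if start:
            gmp.start_task(task.get("id"))
        task_ids.append(task.get("id"))
    return task_ids


class DryRunGmp:
    """Stand-in for gvm.protocols.gmp.Gmp that records calls instead of talking to gvmd."""
    def __init__(self):
        self.calls = []

    def create_target(self, **kw):
        self.calls.append(("create_target", kw))
        return {"id": f"target-{len(self.calls)}"}

    def create_task(self, **kw):
        self.calls.append(("create_task", kw))
        return {"id": f"task-{len(self.calls)}"}

    def start_task(self, task_id):
        self.calls.append(("start_task", task_id))


def run(text, gmp, start=False):
    """Parse an export and create tasks for every site; returns {site: [task_id, ...]}."""
    sites, rejected = parse_export(text)
    for row in rejected:
        print(f"skipping row with invalid IP: {row}")
    return {site: create_site_tasks(gmp, site, hosts, start=start) for site, hosts in sites.items()}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # real run over the gvmd Unix socket
        from gvm.connections import UnixSocketConnection
        from gvm.protocols.gmp import Gmp
        with Gmp(UnixSocketConnection(path="/run/gvmd/gvmd.sock")) as gmp:
            gmp.authenticate("admin", "changeme")  # use a dedicated API role, not the admin user
            print(run(SAMPLE_EXPORT, gmp, start=True))
    else:
        print(run(SAMPLE_EXPORT, DryRunGmp()))
```

Run it without arguments to see the targets and tasks it would create; pass `--live` only after you have replaced the credentials with a least-privilege GVM role and pointed the script at your real export. Credentialed scanning is added by passing `ssh_credential_id` or `smb_credential_id` to `create_target` once those credentials exist in GVM.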
Pricing: Greenbone Community Edition is free (open source, self-hosted). Greenbone Enterprise starts at approximately €8,000/year for the 650 appliance.
Wazuh — Open Source XDR and SIEM
CLOUD Act Score: 0/25 (self-hosted)
Wazuh is an open-source security platform that covers host-based intrusion detection (HIDS), log analysis, vulnerability detection, compliance monitoring, and file integrity monitoring. The Wazuh manager and dashboard run on your own infrastructure — nothing leaves your EU environment unless you configure it to.
Wazuh Inc. is a US company (Austin, Texas), but the software is Apache 2.0 licensed and runs entirely self-hosted. When you deploy Wazuh on EU infrastructure, the CLOUD Act does not apply: no US entity holds your data. One caveat to check: the vulnerability detection module fetches CVE feed content from Wazuh's servers by default. That is an outbound download of public data, not an upload of your inventory or alerts, but confirm it is the only external connection your deployment makes and restrict that egress at the firewall if your policy requires it.
Capabilities relevant to Rapid7 InsightIDR replacement:
- Log collection from Linux, Windows, macOS, network devices, cloud services
- Active threat detection with rule-based correlation (7,000+ built-in rules)
- MITRE ATT&CK mapping
- Vulnerability detection (package inventory collected by Syscollector matched against CVE feeds) and Security Configuration Assessment (SCA) for host hardening checks
- File integrity monitoring (FIM)
- Compliance dashboards: PCI DSS, HIPAA, GDPR, NIS2, NIST 800-53
- Native OpenSearch integration for log search and dashboards
Migration path from Rapid7 InsightIDR:
- Deploy Wazuh manager on EU VPS (Wazuh requires ~4 vCPU, 8GB RAM for up to 50 agents)
- Install Wazuh agents on all endpoints (the agent takes over the Insight Agent's role; log sources that fed an InsightIDR Collector, such as syslog from network devices, are pointed at the Wazuh manager instead)
- Configure log decoders for your existing log sources (Wazuh ships decoders for most common vendors)
- Size the Wazuh indexer cluster for your log retention requirement (NIS2 itself fixes no retention period; document the period you choose and plan storage for it)
- Integrate OpenSearch Dashboards for equivalent of InsightIDR's investigation workbench
Pricing: Free (Apache 2.0). Commercial support from Wazuh Inc. is available but optional.
OpenVAS / GVM Self-Hosted — Community Deployment
CLOUD Act Score: 0/25
For teams that want Greenbone's scanner without the commercial licence, the Greenbone Community Edition (GCE) is fully open source; Greenbone publishes both source-build instructions and a Docker Compose setup, and the latter is the practical route on a fresh Debian or Ubuntu host. The Greenbone Community Feed provides daily updates and covers the same vulnerability intelligence as the commercial feed for most common technologies; the Enterprise Feed adds tests for enterprise products the community feed does not cover, so check coverage for your specific stack before relying on the free feed.
Deploying GCE on a Hetzner CX22 (€3.79/month, AMD EPYC, 2 vCPU, 4GB RAM, Falkenstein Germany) gives you a fully sovereign vulnerability scanner at near-zero cost. The scanner supports credentialed scanning of Windows domains, Linux hosts, network devices (SNMP), and web applications.
Deployment steps (Greenbone's documented Docker Compose route; the compose file URL is the one published in the Greenbone Community Edition documentation, and piping an installer script straight into a shell is not something a security team should do on a scanner host):

```bash
# Debian 12 / Ubuntu 22.04 (Hetzner CX22 or similar) with Docker Engine and the compose plugin installed
curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml -o docker-compose.yml
docker compose -f docker-compose.yml -p greenbone-community-edition pull
docker compose -f docker-compose.yml -p greenbone-community-edition up -d
# Set the admin password before first login
docker compose -f docker-compose.yml -p greenbone-community-edition exec -u gvmd gvmd gvmd --user=admin --new-password='<strong password>'
# First feed sync takes tens of minutes; follow it with: docker compose -f docker-compose.yml -p greenbone-community-edition logs -f
# The web UI is bound to 127.0.0.1:9392 only; reach it through an SSH tunnel instead of
# exposing the port on a public VPS:  ssh -L 9392:127.0.0.1:9392 user@<your-server>
```
prowler — Cloud Security Posture Management (Open Source)
CLOUD Act Score: 0/25 (self-hosted)
prowler is an open-source tool for AWS, Azure, GCP, and Kubernetes security assessments. Where InsightCloudSec is a commercial cloud security posture management (CSPM) platform under Rapid7 ownership, prowler is Apache 2.0 licensed and runs locally or on your own CI/CD pipeline — cloud configuration scan results never leave your environment.
prowler maps findings directly to GDPR, NIS2, ISO 27001, CIS Benchmarks, and SOC 2. For EU organisations using multiple cloud providers, prowler provides a single tool that runs entirely under your control.
Feature Comparison: Rapid7 vs EU-Native Stack
| Feature | Rapid7 InsightVM | Greenbone Enterprise | Wazuh | prowler |
|---|---|---|---|---|
| Network vuln scanning | ✅ | ✅ | Partial (SCA) | ❌ |
| Agent-based host scanning | ✅ | ✅ | ✅ | ❌ |
| SIEM / log correlation | InsightIDR | ❌ | ✅ | ❌ |
| Cloud security posture | InsightCloudSec | ❌ | Partial | ✅ |
| DAST (web app scanning) | InsightAppSec | ❌ | ❌ | ❌ |
| Vulnerability intelligence | AttackerKB | Greenbone Feed | CVE feeds | ❌ (posture checks, not CVE intel) |
| NIS2 compliance dashboard | ✅ | ✅ | ✅ | ✅ |
| BSI certification | ❌ | ✅ BSZ | ❌ | ❌ |
| CLOUD Act exposure | 18/25 | 0/25 | 0/25 | 0/25 |
| On-premises deployment | Partial | ✅ Full | ✅ Full | ✅ Full |
| Open source | ❌ | Community Ed. | ✅ | ✅ |
| Approx. annual cost | ~€30-80k | €8k+ (Enterprise) | Free | Free |
Migration Playbook: Rapid7 → EU-Sovereign Stack
A phased migration avoids the security gap that comes from removing a vulnerability management tool before its replacement is operational.
Phase 1 (Weeks 1-4): Deploy Greenbone parallel to InsightVM
Stand up a Greenbone Enterprise appliance (or GCE for smaller environments). Configure it to scan the same asset groups as your current InsightVM deployment. Run both tools in parallel and compare findings — Greenbone typically surfaces 90-95% of InsightVM's findings with equivalent NVT coverage for common enterprise technologies.
Phase 2 (Weeks 5-8): Deploy Wazuh for log analytics
Stand up Wazuh manager and indexer cluster on EU-hosted servers. Begin routing agent logs to Wazuh while InsightIDR continues running. Validate that Wazuh captures equivalent detection events for your environment. Customise rules for your technology stack.
Phase 3 (Weeks 9-12): Cutover and Rapid7 decommission
Once both tools are validated in parallel, cut over primary alerting to the EU-native stack. Terminate InsightVM agent deployments and InsightIDR log forwarding. Export historical data from Rapid7 (CSV export available) for retention. Formally terminate Rapid7 subscription.
Phase 4 (Ongoing): Cloud posture with prowler
Integrate prowler into your CI/CD pipeline for continuous cloud configuration assessment. Run prowler checks on every infrastructure-as-code deployment to catch misconfigurations before they reach production.
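What "catch misconfigurations before they reach production" looks like in a pipeline is a gate over prowler's output. prowler itself exits non-zero (code 3) when any check fails, which is too blunt for most pipelines: you want to fail on severity, and you want a reviewed exception list rather than silently ignoring known findings. The script below is an added example for this post, not part of prowler. It assumes prowler was run with `prowler aws --compliance <framework> -M json-ocsf -o ./prowler-out` (framework IDs come from `prowler aws --list-compliance`) and that the output file is a JSON array of findings carrying status_code, severity, finding_info.title, finding_info.uid, resources[].uid and unmapped.compliance, as prowler's OCSF output does; check those keys against your own file. The sample findings and the exception entry are constructed.

```python
"""Gate a CI pipeline on prowler findings by severity, with a reviewed exception list.

Added example for this post, not part of prowler. Assumes the JSON-OCSF output file
prowler writes (a JSON array of findings) and the keys status_code, severity,
finding_info.{title,uid}, resources[].uid and unmapped.compliance; verify these against
your own output. The findings and the exception entry below are constructed.
"""
import json
import sys

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Accepted risks: finding uid -> ticket reference. Changes to this dict go through code review.
EXCEPTIONS = {
    "prowler-aws-cloudtrail_log_file_validation_enabled-1": "SEC-412",  # hypothetical ticket
}

# Constructed sample of prowler JSON-OCSF output: one high FAIL, one accepted low FAIL, one PASS
SAMPLE_OUTPUT = json.dumps([
    {"status_code": "FAIL", "severity": "High",
     "finding_info": {"title": "S3 bucket has public READ access",
                      "uid": "prowler-aws-s3_bucket_public_access-1"},
     "resources": [{"uid": "arn:aws:s3:::customer-exports", "region": "eu-central-1"}],
     "unmapped": {"compliance": {"ISO27001-2013": ["A.13.1.3"]}}},
    {"status_code": "FAIL", "severity": "Low",
     "finding_info": {"title": "CloudTrail log file validation disabled",
                      "uid": "prowler-aws-cloudtrail_log_file_validation_enabled-1"},
     "resources": [{"uid": "arn:aws:cloudtrail:eu-central-1:123456789012:trail/main",
                    "region": "eu-central-1"}],
     "unmapped": {"compliance": {}}},
    {"status_code": "PASS", "severity": "Critical",
     "finding_info": {"title": "Root account MFA enabled",
                      "uid": "prowler-aws-iam_root_mfa_enabled-1"},
     "resources": [{"uid": "arn:aws:iam::123456789012:root", "region": "global"}],
     "unmapped": {"compliance": {"CIS-2.0": ["1.5"]}}},
])


def load_findings(text):
    """Accept either a JSON array of findings or a single finding object."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_findings(findings, min_severity="medium", exceptions=EXCEPTIONS):
    """FAIL findings at or above min_severity that are not on the exception list."""
    floor = SEVERITY_RANK[min_severity]
    out = []
    for f in findings:
        if f.get("status_code") != "FAIL":
            continue
        sev = str(f.get("severity", "")).lower()
        if SEVERITY_RANK.get(sev, 4) < floor:  # unknown severity fails closed
            continue
        if f.get("finding_info", {}).get("uid") in exceptions:
            continue
        out.append(f)
    return out


def summarise(failed):
    """One line per finding: severity, title, affected resources, frameworks it maps to."""
    lines = []
    for f in failed:
        res = ", ".join(r.get("uid", "?") for r in f.get("resources", []))
        frameworks = ", ".join(sorted(f.get("unmapped", {}).get("compliance", {}))) or "-"
        lines.append(f"[{f.get('severity')}] {f['finding_info']['title']} :: {res} :: {frameworks}")
    return lines


def gate(text, min_severity="medium", exceptions=EXCEPTIONS):
    """Return 0 when nothing at or above min_severity is unresolved, otherwise 1."""
    failed = failed_findings(load_findings(text), min_severity, exceptions)
    for line in summarise(failed):
        print(line)
    return 1 if failed else 0


if __name__ == "__main__":
    # usage: python prowler_gate.py ./prowler-out/<file>.ocsf.json [min_severity]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    sys.exit(gate(text, sys.argv[2] if len(sys.argv) > 2 else "medium"))
```

Keep the exception list in the repository next to the infrastructure-as-code so that accepting a finding is itself a reviewed change, and raise the severity floor over time as the backlog shrinks.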
Legal Checklist for EU Organisations Currently Using Rapid7
- Transfer Impact Assessment (TIA) completed for InsightVM data transfer to US
- Data Processing Agreement (DPA) signed with Rapid7, SCCs in place
- Documented justification for using a CLOUD Act-exposed tool for NIS2 Art.21(2)(e) vulnerability handling and disclosure
- Incident response plan accounts for CLOUD Act risk in forensic data during security incidents
- Board / DPO briefing on residual CLOUD Act risk acknowledged in writing
- Alternative evaluation documented (financial entities need this for the ICT third-party risk requirements of DORA Article 28)
What Changes With EU-Native Tools
The operational change of moving from Rapid7 to Greenbone + Wazuh is real — but smaller than most teams expect. The main differences are:
What you gain: Complete data sovereignty. Scan results, logs, and configuration data never leave your EU environment. No CLOUD Act exposure. BSI certification (Greenbone). No per-asset licensing (Wazuh is agent-count-free). NIS2 compliance documentation becomes straightforward.
What you adapt to: Greenbone's UI is functional but less polished than InsightVM's dashboard. Wazuh requires more tuning for false-positive reduction than InsightIDR's out-of-box experience. No equivalent to AttackerKB for crowd-sourced vulnerability intelligence (though the NVD and Greenbone feeds provide equivalent CVE data).
What you lose: InsightAppSec (DAST) has no direct open-source equivalent with the same user experience. Teams that rely heavily on web application scanning may need to evaluate OWASP ZAP or Nuclei as open-source alternatives, or consider Detectify (Swedish company, CLOUD Act 2/25) for managed DAST.
Conclusion
Rapid7's 18/25 CLOUD Act score reflects a genuine legal risk for EU organisations using the Insight Platform. Vulnerability scan results, SIEM telemetry, and cloud configuration data represent some of the most sensitive technical information an organisation produces — and that data is processed by a Delaware corporation on US-controlled infrastructure.
The EU-native alternative stack — Greenbone for vulnerability scanning, Wazuh for SIEM and detection, prowler for cloud posture — provides equivalent operational capabilities with zero CLOUD Act exposure. For organisations under NIS2 Article 21, DORA, or German BSI IT-Grundschutz requirements, the sovereignty case for this migration is increasingly difficult to ignore.
This is post #3 in the sota.io EU Vulnerability Management Series. Post #1 covered Tenable / Nessus. Post #2 covered Qualys. Posts #4 and #5 will cover Veracode and the EU Vulnerability Management Comparison Finale.
sota.io helps European teams deploy on EU-sovereign infrastructure. Start free →
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.