OpenVAS → Rapid7 InsightVM

OpenVAS ↔ Rapid7 InsightVM: integration to migration path.

OpenVAS deploys alongside InsightVM first, proves it matches your real findings across three clean scan cycles, and only then takes over non-PCI internal scope in blast-radius waves. No flag-day scanner switch, no re-credentialing — and every phase rolls back in minutes.

The honest end-state is partial retirement: Rapid7 is downsized, not deleted. Its PCI ASV external scans, Insight Agent fleet and InsightConnect SOAR have no OSS equivalent, so they stay — we say so up front, because the rest of this only matters if you can trust it.

The idea

Scan in parallel first. Downsize Rapid7 last — never to zero.

The topology that makes this zero-downtime is a hard scope partition feeding one unified plane. OpenVAS and InsightVM run against the same internal targets on offset schedules, both exporting into DefectDojo where findings dedup on CVE plus CPE plus hostname, anchored to a CMDB host_id so the two asset inventories never drift. DefectDojo becomes the system of record — dedup, ticketing, exceptions and SLA timers live there, and Engagements emulate Remediation Projects — so a cutover is a config flag. OpenVAS earns each non-PCI internal class on real data before it takes over, while the ASV external scope and the Insight Agent fleet stay on Rapid7.

The phases

Seven steps. Each one reversible.

Phase 0: Baseline & inventory

We read your InsightVM estate read-only: assets with tracking method and CMDB criticality, every site, template and schedule, the top 500 vulnerability IDs mapped to CVE, CPE and candidate NVT OIDs, plus active Remediation Projects and Exceptions. The PCI scope boundary is confirmed with your QSA.

Users see: No user impact.

Rollback: N/A — read-only.

Phase 1: OpenVAS stands up in parallel

An HA GVM/OpenVAS deployment and DefectDojo go live with both importers wired, Community Feed sync proven, and one canary group of up to 25 non-PCI internal hosts on a production schedule. Real Risk Score arrives in DefectDojo as a custom field. No production traffic depends on it yet.

Users see: None — InsightVM still owns every production scan.

Rollback: Tear down OpenVAS. No production scope depends on it.

Phase 2: Parallel-scan window

Both scanners run the same representative classes per OS family on offset schedules at least an hour apart. Findings dedup in DefectDojo on CVE plus CPE plus hostname, with a per-cycle delta report classifying every both / Rapid7-only / OpenVAS-only finding — including the agent-only registry and package checks remote scanning structurally cannot reach.

Users see: Doubled scan load on the target subset only — monitored and backed off if production feels it.

Rollback: Disable the OpenVAS schedule. Under 15 minutes.
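The dedup key described under "The idea" and the per-cycle delta report of this phase, as an added example (not DefectDojo's own hash_code implementation and not code from the page). It normalises one cycle of InsightVM and OpenVAS exports onto a CVE + CPE + CMDB host_id key, classifies every finding as both / Rapid7-only / OpenVAS-only, and singles out the Rapid7-only criticals that a Scan Engine (not the Insight Agent) found, because those are the ones a remote scanner should have caught. The export column names, the CMDB map, the host IDs and the sample findings are constructed; only the two Apache CVEs are real product mappings; the `cutover_allowed` gate is an assumed reading of the Phase 3 criteria that the delta report alone can check.

```python
import hashlib
import re
from collections import defaultdict

# Constructed CMDB lookup: InsightVM asset name and OpenVAS target (IP or
# hostname) both resolve to one host_id, so the inventories cannot drift.
CMDB = {"web-01.corp.example": "H-1001", "10.0.1.11": "H-1001",
        "db-02.corp.example": "H-1002", "10.0.1.22": "H-1002",
        "ws-07.corp.example": "H-1003"}  # agent-tracked laptop, no fixed IP
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

def normalise_cpe(cpe: str) -> str:
    """CPE 2.2 'cpe:/a:vendor:product:ver' or 2.3 'cpe:2.3:a:vendor:product:ver:*...'
    both reduce to 'vendor:product:ver', so either scanner's spelling hashes alike."""
    parts = cpe.strip().split(":")
    if parts[:2] == ["cpe", "2.3"]:
        parts = parts[3:]          # drop 'cpe', '2.3' and the part ('a'/'o'/'h')
    elif parts[:1] == ["cpe"]:
        parts = parts[2:]          # drop 'cpe' and '/a'
    return ":".join(f.lower() for f in (parts + ["*", "*", "*"])[:3])

def dedup_key(cve: str, cpe: str, host_id: str) -> str:
    """Hash shared by both import pipelines: the InsightVM-sourced ticket and the
    OpenVAS-sourced one collide on the same finding, so the SLA clock carries over."""
    raw = f"{cve.upper()}|{normalise_cpe(cpe)}|{host_id}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def normalise(row: dict, side: str):
    """Constructed export shapes: InsightVM rows carry Rapid7's severity label and
    scan_source (engine/agent); OpenVAS rows carry a CVSS base score.
    Returns one finding per CVE, or None when the host has no CMDB anchor."""
    if side == "rapid7":
        host, critical, source = row["asset"], row["severity"] == "Critical", row["scan_source"]
    else:
        host, critical, source = row["host"], float(row["cvss"]) >= 9.0, "openvas"
    host_id = CMDB.get(host)
    if host_id is None:
        return None
    return [{"key": dedup_key(c, row["cpe"], host_id), "cve": c.upper(),
             "critical": critical, "source": source}
            for c in CVE_RE.findall(row["cves"])]

def delta_report(r7_rows: list, ov_rows: list) -> dict:
    """Per-cycle delta: both / rapid7_only / openvas_only, plus the Rapid7-only
    criticals a Scan Engine (not the agent) found and the hosts the CMDB lacks."""
    pairs, unmapped = defaultdict(dict), set()
    for side, rows in (("rapid7", r7_rows), ("openvas", ov_rows)):
        for row in rows:
            found = normalise(row, side)
            if found is None:
                unmapped.add(row.get("asset", row.get("host")))
                continue
            for f in found:
                pairs[f["key"]][side] = f
    report = {"both": [], "rapid7_only": [], "openvas_only": [],
              "missed_critical": [], "unmapped_hosts": sorted(unmapped)}
    for key, pair in pairs.items():
        r7, ov = pair.get("rapid7"), pair.get("openvas")
        if r7 and ov:
            report["both"].append(key)
        elif r7:
            report["rapid7_only"].append(key)
            # Agent-only registry/package checks are expected to stay Rapid7-only
            # (the agent fleet is kept); an engine-found critical OpenVAS missed is the gap.
            if r7["source"] == "engine" and r7["critical"]:
                report["missed_critical"].append(r7["cve"])
        else:
            report["openvas_only"].append(key)
    return report

def cutover_allowed(report: dict) -> bool:
    """Assumed Phase 3 gate on the delta report alone; the SLA criteria live in
    DefectDojo and are not evaluated here."""
    return not report["missed_critical"] and not report["unmapped_hosts"]

# Constructed sample exports for one cycle. Only the Apache CVEs are real
# product mappings; the CVE-2024-* IDs are placeholders.
APACHE = "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"
MYSQL = "cpe:2.3:a:oracle:mysql:8.0.33:*:*:*:*:*:*:*"
R7_ROWS = [
    {"asset": "web-01.corp.example", "cves": "CVE-2021-41773", "cpe": APACHE,
     "severity": "Critical", "scan_source": "engine"},
    {"asset": "db-02.corp.example", "cves": "CVE-2024-11111", "cpe": MYSQL,
     "severity": "Severe", "scan_source": "engine"},
    {"asset": "db-02.corp.example", "cves": "CVE-2024-33333", "cpe": MYSQL,
     "severity": "Critical", "scan_source": "engine"},
    {"asset": "ws-07.corp.example", "cves": "CVE-2024-22222", "scan_source": "agent",
     "cpe": "cpe:2.3:o:microsoft:windows_10:22h2:*:*:*:*:*:*:*", "severity": "Critical"},
    {"asset": "orphan.example", "cves": "CVE-2024-11111", "cpe": MYSQL,
     "severity": "Severe", "scan_source": "engine"},
]
OV_ROWS = [
    {"host": "10.0.1.11", "cves": "CVE-2021-41773, CVE-2021-42013",
     "cpe": "cpe:/a:apache:http_server:2.4.49", "cvss": "9.8"},
    {"host": "10.0.1.22", "cves": "CVE-2024-11111",
     "cpe": "cpe:/a:oracle:mysql:8.0.33", "cvss": "7.5"},
]

if __name__ == "__main__":
    rep = delta_report(R7_ROWS, OV_ROWS)
    print(rep, "\ncutover allowed:", cutover_allowed(rep))
```

On the sample cycle the report shows two findings seen by both scanners, one OpenVAS-only (the second CVE the NVT lists for the same Apache build), two Rapid7-only of which only the engine-found MySQL critical counts as missed, and one host with no CMDB anchor; the gate therefore refuses cutover until the CMDB entry is fixed and the missed critical is explained. DefectDojo's own dedup is configured per parser (the hash_code field list in its settings); this script is the normalisation you run before import so both exports carry the same CVE/CPE/host triple.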

Phase 3: Cut OpenVAS primary on non-PCI internal

For non-PCI internal classes that passed parallel scanning, OpenVAS becomes primary in blast-radius waves. Rapid7 shadow-scans them for 30 more days. Tickets fire from DefectDojo's OpenVAS pipeline at the same dedup hash with SLA continuity, and any Remediation Projects scoped to the migrated class move into DefectDojo Engagements with their SLA intact.

Users see: Asset owners see DefectDojo tickets with OpenVAS as the backend — the ticket shape is unchanged.

Rollback: Re-promote Rapid7 to primary. Under 15 minutes while the Rapid7 schedule is still running.

Phase 4: Stand down Rapid7 Scan Engines

Rapid7 internal Scan Engine schedules are disabled on non-PCI sites and engines are decommissioned or repurposed to PCI CDE only. The InsightVM contract downsizes at next renewal. Insight Agent, ASV external and retained Projects are left untouched.

Users see: None for finding consumers — DefectDojo continues unchanged.

Rollback: Re-enable the disabled sites; the config is preserved. Under 4 hours to first re-scan.

Phase 5: Insight Agent fleet decision

The Insight Agent fleet is the irreducible gap. The default is to keep it — it catches roaming and ephemeral hosts OpenVAS misses, and an osquery substitute usually costs more than the saved licence. Only a small, homogeneous fleet justifies replacing it with osquery plus an in-house CVE-match service, at the cost of vendor-curated detections and InsightConnect automation.

Users see: None if Insight Agent is kept; if replaced, agented hosts move to osquery-based detection.

Rollback: Redeploy Insight Agent via MDM. Under 72 hours.

Phase 6: PCI CDE: decide with the QSA

The internal CDE scans (Req 11.3.1) move to OpenVAS only with written QSA sign-off after one observed quarterly cycle, or they stay on Rapid7 for the simpler audit story. The external ASV scans (Req 11.3.2) never move: Rapid7 or another ASV remains contracted.

Users see: None — a compliance decision, not an operational change.

Rollback: Keep PCI internal on Rapid7; this phase only proceeds on QSA approval.

Feature parity

Where OpenVAS matches InsightVM — and where it honestly does not.

Capability | OpenVAS / Greenbone CE | Rapid7 InsightVM | Parity
---------- | ---------------------- | ---------------- | ------
Network scanning (unauth) | OpenVAS scanner daemon + Community Feed NVTs | InsightVM distributed Scan Engines (Nexpose lineage) | At parity
Authenticated scanning | NVT LSC families (SSH/sudo, SMB/WMI, SNMP, DB creds) | InsightVM credentialed scan + secret-store integration | Partial
Agent-based scanning | None first-party in CE | Rapid7 Insight Agent (ir_agent), continuous on-host detection | SaaS only
Vuln content / feed cadence | Community Feed (~170k NVTs); Enterprise Feed paid; lags days to weeks on KEV CVEs | Bundled content, same-day to 72h for high-priority | Partial
Prioritisation scoring | CVSS only; bolt-on EPSS + KEV + criticality in DefectDojo | Real Risk Score (1-1000) = CVSS + exploit + malware-kit + weighting + ML | Partial
PCI ASV certification | Not ASV-certified; cannot certify the binary | Rapid7 is a PCI SSC Approved Scanning Vendor | SaaS only
Asset inventory | Per-scan; no cross-scan auto-dedup | Insight Agent + cloud connectors + asset linking | Partial
Remediation workflow / ticketing | DefectDojo Engagements + Jira/ServiceNow | Remediation Projects: SLA campaigns with native dashboards | Partial
SOAR / automation | None; DefectDojo webhooks to n8n / Shuffle / Tines | InsightConnect (~300+ pre-built plugins) | SaaS only
Custom check authoring | NASL: author internal-only NVTs, source visible | Custom Policy Builder + limited custom checks (XML) | OSS only
API surface | GMP (XML over TLS) + gvm-tools + python-gvm | REST v3 (/api/3/...) + SQL Query Export | At parity
RBAC + multi-tenant | Basic CE user model; Enterprise adds permission scopes | Console roles + access; Insight Platform org/user model | Partial
Container scanning | None first-party in CE; Trivy / Grype in CI | Container Security (separate SKU) | SaaS only
Compliance (CIS/STIG, SOC 2) | Limited CE NVTs; Enterprise adds Policy Compliance; org absorbs SOC 2 | InsightVM Policies module (CIS / DISA STIG / USGCB) + vendor SOC 2 inheritance | Partial
Deployment & HA | Self-hosted, air-gap deployable, you own HA | On-prem Console + Engines; Insight Platform SaaS, vendor-managed | Partial
Cost model | Free at small scale; Enterprise Feed at scale = small Rapid7 band | Per-asset subscription + SKU add-ons | Partial

What we're honest about

The caveats most vendors leave out.

PCI ASV scans cannot move to OpenVAS

PCI DSS v4.0 Req 11.3.2 requires external scans by a PCI SSC Approved Scanning Vendor. Rapid7 is one; OpenVAS is not, and cannot be — ASV status attaches to the vendor org, not the scanner binary. If any system is in PCI external scope, Rapid7 (or another ASV) stays contracted. Target: InsightVM downsized, not deleted — we surface this before procurement zeroes the line item.

Insight Agent fleet and SOAR have no OSS equal

Greenbone CE ships no first-party agent, so roaming laptops, ephemeral cloud workloads and air-gapped subnets lose continuous coverage on cutover; the default is to keep Insight Agent on a reduced fleet. InsightConnect's plugin library also has no OSS clone — we move that automation to your existing config-management plus an open SOAR before downsizing, never assuming it is free.

Real Risk Score and Remediation Projects don't port cleanly

Rapid7's Real Risk Score blends CVSS, exploit availability, malware-kit presence and ML weighting into a 1-to-1000 number that isn't exportable. We rebuild ranking in DefectDojo from CVSS, EPSS, KEV and exploit flags and publish a band-translation table, communicated to on-call 30 days ahead. Remediation Projects map to DefectDojo Engagements with SLA timers preserved, but you lose the native dashboards.
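A replacement ranking of the kind described above, as an added example (not Rapid7's proprietary model and not DefectDojo code). It blends the signals that are exportable or public (CVSS base, EPSS probability, CISA KEV membership, a public-exploit flag and CMDB asset criticality) into a 1-to-1000 score, so on-call keeps a familiar scale, and maps it through a band-translation table to an SLA. Every weight, multiplier, band edge and SLA below is an assumption to calibrate against the parallel-scan data; the `Finding` class is hypothetical and the sample EPSS values are illustrative rather than looked up.

```python
from dataclasses import dataclass

# Point budget per signal. They sum to 1000 at criticality 3 so the scale keeps
# the 1-1000 range on-call already reads. Assumed weights, not Rapid7's.
W_CVSS, W_EPSS, W_KEV, W_EXPLOIT = 500, 300, 150, 50

# CMDB criticality 1 (lab) to 5 (crown jewel). Assumed multipliers.
CRITICALITY_MULT = {1: 0.7, 2: 0.85, 3: 1.0, 4: 1.1, 5: 1.2}

# Band-translation table to publish to on-call 30 days ahead:
# (lower edge, band, remediation SLA in days). Assumed edges and SLAs.
BAND_TABLE = [(800, "Critical", 7), (600, "High", 30),
              (400, "Medium", 90), (1, "Low", 180)]


@dataclass
class Finding:
    cve: str
    cvss: float           # CVSS base score 0.0-10.0
    epss: float           # FIRST EPSS probability 0.0-1.0
    kev: bool             # listed in CISA KEV
    exploit_public: bool  # exploit code publicly available
    criticality: int      # CMDB asset criticality 1-5


def priority_score(f: Finding) -> int:
    """Blend the signals into an integer clamped to 1..1000."""
    raw = (f.cvss / 10.0) * W_CVSS + f.epss * W_EPSS
    raw += W_KEV if f.kev else 0
    raw += W_EXPLOIT if f.exploit_public else 0
    raw *= CRITICALITY_MULT[f.criticality]
    return max(1, min(1000, round(raw)))


def band(score: int) -> tuple:
    """Map a score to (band, sla_days) via the published table."""
    for floor, name, sla in BAND_TABLE:
        if score >= floor:
            return name, sla
    return "Low", BAND_TABLE[-1][2]


def rank(findings: list) -> list:
    """Order findings for the on-call queue, highest score first."""
    rows = []
    for f in findings:
        s = priority_score(f)
        b, sla = band(s)
        rows.append({"cve": f.cve, "score": s, "band": b, "sla_days": sla})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample. CVE-2021-44228 is real (Log4Shell); the CVE-2099-* IDs
# are placeholders, and all EPSS/KEV values here are illustrative.
SAMPLE = [
    Finding("CVE-2021-44228", 10.0, 0.97, True, True, 4),   # wormable, tier-4 host
    Finding("CVE-2099-0001", 9.8, 0.02, False, False, 3),   # CVSS-critical, no exploit signal
    Finding("CVE-2099-0002", 7.5, 0.60, True, True, 5),     # mid CVSS, exploited, crown jewel
    Finding("CVE-2099-0003", 5.3, 0.001, False, False, 1),  # lab box
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f'{r["cve"]:15s} {r["score"]:4d}  {r["band"]:8s} SLA {r["sla_days"]}d')
```

The sample makes the point that a CVSS-only ranking would not: the 9.8 with no exploit signal drops to Medium, while the 7.5 that is in KEV and sits on a crown-jewel host lands in Critical. Run the same function over the last parallel-scan cycle next to the exported Rapid7 bands before publishing the table, and adjust the weights until the disagreements are ones you can defend to the asset owners.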

Community Feed lags, and you own the platform

The Community Feed can trail Rapid7's same-day-to-72-hour coverage by days to weeks on KEV-listed CVEs; we mitigate with interim NASL or nuclei templates per KEV add and document the SLA. Self-hosting OpenVAS plus DefectDojo, Postgres, Redis and feed sync becomes your SOC's problem — HA, monitored backups and a DR runbook are part of the deal.

Why this beats a flag day

Reversible in minutes, downsized only after a long soak.

No phase forces an outage. Each non-PCI internal cutover rolls back in under 15 minutes while the Rapid7 schedule is still running, and a class only counts as migrated after at least 30 days of OpenVAS-primary scanning with zero Rapid7-only critical findings missed, SLA performance at or under the Rapid7 baseline, and migrated Remediation Projects tracking without a single SLA-timer reset. Rapid7 is never zeroed: its internal Scan Engines downsize after the soak, the ASV external contract stays on indefinitely because PCI DSS v4.0 Req 11.3.2 requires an Approved Scanning Vendor, and the Insight Agent fleet stays for the roaming and ephemeral hosts a remote scanner cannot reach.

See how much of Rapid7 you can actually retire.

A call with a senior vulnerability-management engineer. We map your vulnerability IDs to OpenVAS NVTs, size your PCI ASV, Insight Agent and InsightConnect gaps honestly, and model the realistic Rapid7 spend reduction — without inventing risk on your CDE.

Map my migration →