Rapid7 NeXpose is, generally, an impressive appliance. Although it is a hybrid (vulnerability scanner and penetration test tool), the pen tool is used specifically to validate vulnerabilities and is not intended to be used alone. This is typical of the way an attacker would attempt to penetrate a target.

Set-up is plug and play, and the product can use DHCP if the network supports it. Set-up begins using the LCD display on the appliance and, after setting addresses, further management and configuration is through a normal web browser.

The user interface is clean and reporting is robust. NeXpose sports an easy to use, well-organized dashboard and, like most of the products we looked at, it supports a wide range of compliance reporting including PCI.

The device begins by scanning the network to discover devices for testing. Once it completes its scans, it performs automatic penetration testing in an attempt to exploit the vulnerabilities found. This greatly limits false positives. It does, however, lower performance. NeXpose found just over 80 percent of our vulnerabilities.

This appliance has some added capabilities we found impressive. For example, it performs trouble ticketing and makes recommendations for risk reduction based on the vulnerabilities it finds.

Documentation is comprehensive, clear and well-organized and the product comes with a quick-start guide that takes you through set-up. Phone support is available during working hours at no cost and for additional cost there is an extended 24/7 plan available. Upgrades to the signature set are free and available every three days. The website is full of support tools, such as FAQs, documentation briefs and other useful documents.

At between $2,000 and $4,000 for the appliance, plus $25,000 for a class C license, NeXpose is not cheap. But it delivers a lot of bang for the buck and we rate it our Best Buy in the hybrid class.

Rapid7 NeXpose has been rated Best Buy by SC Magazine.