Rapid7 launches Cyber GRC for tighter Australia rules
Wed, 13th May 2026
Mark Tarre, News Chief

Rapid7 has launched an early access programme for its Cyber Governance, Risk and Compliance offering, aimed at organisations in Australia facing tighter cyber reporting and governance rules.

The offering brings together security data, risk context and compliance workflows across security and governance teams. It is built to support Australian regulatory and policy frameworks including the Essential Eight, the Australian ISM, the Cyber Security Act, the Victorian Privacy and Data Protection Act and the Protective Security Policy Framework.

The launch comes as Australia enters a stricter enforcement phase for mandatory ransomware and cyber-extortion payment reporting. Businesses with turnover above AUD $3 million and critical infrastructure entities must report qualifying payments within 72 hours, increasing pressure on boards, security leaders and compliance teams.

According to Rapid7, the product runs on its Command Platform and uses exposure data to link controls, evidence and risk decisions to live threats rather than static compliance checks. It is intended to replace point-in-time compliance processes that often sit apart from day-to-day security operations.

The approach reflects a wider shift in the cyber market as companies try to show not only that controls exist, but that they remain effective over time. In Australia, that question has become more prominent as regulation expands and cyber incidents continue to draw scrutiny from government, regulators and customers.

Sabeen Malik, Vice President of Global Government Affairs and Public Policy at Rapid7, highlighted the rising compliance pressure in Australia. "Australia's mandatory ransomware/cyber-extortion payment reporting regime under the Cyber Security Act 2024 commenced 30 May 2025, but Phase 1, running to 31 December 2025, was education-first, and from 1 January 2026 Phase 2 shifts to active compliance and enforcement. Businesses with turnover over $3M and critical infrastructure entities must report within 72 hours of payment, with civil penalties up to $19,800 for non-compliance. As such, it's go time for many cyber programs and leaders to re-evaluate if they are ready for these realities," Malik said.

Product details

Rapid7 said Cyber GRC is designed to give executives and practitioners a single view of risk, evidence and control status. It also includes AI-driven third-party risk management and a threat-aware risk register, intended to connect governance work more directly to operational security data.

Jon Schipp, Senior Director of Product Management at Rapid7, outlined the problem the company is trying to address. "Organisations invest heavily in security tools, but many are still left to determine how to validate control effectiveness and demonstrate compliance," he said. "Cyber GRC connects fragmented data across assets, exposures, and controls to the attack surface, giving teams a clear view of risk and enabling consistent, evidence-backed outcomes."

Rapid7 is also adding functions for continuous control monitoring, evidence collection and audit workflows. These include control coverage dashboards for HITRUST e1, i1 and r2, self-service export of user access data, bulk export of policy data, and a server and accompanying skill for retrieving Rapid7 data for compliance and vulnerability management reporting.

Partner network

Alongside the launch, Rapid7 is building a network of audit, assurance and GRC partners around the platform. Named partners include HITRUST, Insight Assurance and 360 Advanced, which work across certification, independent assessment and compliance services.

The partner element suggests Rapid7 is trying to place its platform at the centre of a broader compliance workflow rather than treating governance as a separate process. That could matter for customers that rely on external assessors or need to gather evidence across several frameworks at once.

Users and partners described the product as an attempt to reduce the divide between compliance tasks and operational security work. Christopher Conklin, Vice President and Chief Information Security Officer at Chemung Canal Trust Company, said: "Organisations today are in a constant tug of war between regulatory requirements and daily security operations. With Rapid7 Cyber GRC, the Command Platform now provides a unified place where controls, vulnerability insights and audit details live together. The benefit to practitioners is a single place that not only implements controls but also helps prove them with examination readiness and defensible reporting."

A services partner made a similar point about customer demand for joined-up security and governance. "Today's organisations need a partner that brings together security operations, risk management, and governance into a cohesive strategy. This technology allows us to deliver on that vision," Cornish said.

Rapid7's Cyber GRC programme is currently in early access, with broader availability planned later in 2026.