Good to Great: Capital on Tap's Security Transformation with Rapid7

For Capital on Tap, a UK-based FinTech serving small and medium-sized businesses, security isn't just about protecting data - it's about protecting the dreams and livelihoods of the entrepreneurs they serve. Founded on the ethos of making life simpler for SMBs through innovative credit card solutions, Capital on Tap has built its reputation on customer-first service, including 24/7 UK-based customer operations and seamless banking integrations.
But as Joe Whelan, Cybersecurity and Infrastructure Director at Capital on Tap, explains, rapid growth brings its own unique security challenges that require equally innovative solutions.
The scaling security challenge
Capital on Tap's success story is one of rapid evolution. The company has scaled significantly over recent years, transitioning from traditional infrastructure to a modern microservices architecture. While this transformation has enabled greater agility and customer service excellence, it has also created new vulnerabilities and complexities in their security landscape.
For a financial services company handling sensitive customer data and transactions, managing this expanding attack surface became critical. The team needed to ensure robust vulnerability management while maintaining the agility that made their customer service exceptional.
Navigating the vendor selection minefield
When it came time to upgrade their security capabilities, Capital on Tap faced the same challenge that confronts many growing organizations: how to choose the right partner from an overwhelming array of options.
"Vendor selections, it's a difficult process, and it can be a minefield, especially when you've got Gartner and Forrester and the rest of the industry advisors pulling and pushing you one way or another. I would say you've really got to get hands-on with the tool and with the people that are going to be helping you implement and manage that tool in order for you to really realize the value out of it. I think you can do it yourself absolutely, but making sure that you've got that support in the background to be able to help bring you on that journey and help mature you - that's invaluable."
Capital on Tap's search focused on organizations that were innovating, particularly in the AI space, and could provide positive threat intelligence data from multiple feeds. Most importantly, they needed a solution that could help them prioritize vulnerabilities effectively - a capability that would prove transformative for their security operations.
Seamless onboarding sets the foundation for success
Capital on Tap's journey with Rapid7 began with a significant advantage: their security lead had used Rapid7's platform in a previous organization and was already a strong advocate for its capabilities. This internal expertise, combined with Rapid7's comprehensive onboarding support, created the perfect foundation for rapid implementation.
The implementation focused on taking Capital on Tap's already mature three-year-old vulnerability management program "from good to great." The platform made it significantly easier not just for the security team, but for internal business stakeholders - including cloud platform teams and site reliability engineers - to access and interpret vulnerability data for remediation.
Cutting through the noise with risk-based prioritization
The security team at Capital on Tap values how Rapid7 provides clear, tangible guidance for reducing risk and makes it easy to see how actions map to risk. As an example from the platform, Joe states, "You go and fix these five vulnerabilities, it removes 90% of the risk score. And that's a really nice metric that we can then report back into the business. It shows maturity over time."
This capability transforms how security teams spend their time. Instead of manually sifting through hundreds of vulnerabilities to determine which ones actually matter, practitioners can cut straight to the chase and focus their limited resources on fixing what will genuinely reduce risk. The platform reveals that addressing just a handful of carefully selected vulnerabilities can eliminate the majority of risk exposure from that specific threat vector - allowing teams to achieve maximum security impact with minimal effort.
This targeted approach has proven particularly valuable for demonstrating ROI to business stakeholders. By focusing on high-impact vulnerabilities - especially those being exploited in the wild and affecting edge-facing services - Capital on Tap can show measurable risk reduction and justify their security investments with concrete data. The ability to report that specific actions led to significant risk reduction provides compelling evidence of the security team's effectiveness and strategic value to the organization.
Managing a moving target: Attack surface visibility
For a rapidly evolving organization like Capital on Tap, attack surface management presents unique challenges. Infrastructure and services are constantly being spun up and tested, creating a dynamic environment that requires continuous monitoring.
"So, attack surface, again, it's one of those moving targets as an organization that's evolving very quickly and adapting very quickly to what's going on. Infrastructure and services are being spun up and tested," Whelan explains. "And so, we really wanted to make sure that we were monitoring everything right from playground to production."
The solution lay in Rapid7's integration capabilities, which allowed Capital on Tap to compare data from multiple sources and establish a single source of truth. Crucially, this information is made accessible to other teams and groups across the organization.
"We made sure that we were able to compare data from multiple sources, made sure we had a single source of truth, and then make that accessible to other teams and groups, because if you become the gatekeeper for that information, it stifles your ability to fix and remediate. From a strategy perspective, it's about being able to rationalize the data you have, really sifting through the noise to get to what's actually important."
Innovation in action: AI-powered security insights
Capital on Tap's forward-thinking approach to security extends beyond traditional vulnerability management. The team has been experimenting with AI and natural language processing to make security data even more accessible across the organization.
"In a recent hackathon we were able to build a natural language processing chatbot so that our lower-level engineering teams could query endpoint data in Rapid7 using Gemini,." Whelan shares. "And so, they were able to ask, 'I've got this laptop, and it's flagging high risk. What are the vulnerabilities in that endpoint?' As we evolve with Rapid7, it's those types of features and collaborations that I'm really excited about."
This innovation demonstrates how Capital on Tap is leveraging Rapid7's platform not just as a security tool, but as a foundation for building custom solutions that enhance their overall security posture.
Achieving compliance without compromising agility
Capital on Tap's success with Rapid7 has enabled them to achieve crucial compliance certifications, including SOC 2 and ISO 27001, while maintaining the agility that defines their customer service approach. The platform's ability to provide clear KPIs and SLAs around critical and high vulnerabilities has been essential for meeting these stringent requirements.
For organizations embarking on their own security journey, Whelan offers this advice: establishing clear requirements and ensuring cross-team collaboration are essential. The key insight is collaboration. As Whelan puts it: "If you don't have everybody on the bus, that job becomes much, much harder."
Looking ahead: The future of security at Capital on Tap
As Capital on Tap continues to innovate, their partnership with Rapid7 provides the foundation for tackling future security challenges. The company's focus on AI, machine learning, and natural language processing aligns perfectly with Rapid7's vision.
For Capital on Tap, Rapid7 isn't just a vendor - it's a partner that understands the pace of their business and can evolve alongside them. In an industry where security can often slow down innovation, this partnership proves that the right approach can accelerate security maturity and business growth.
The result is a security program that doesn't just protect Capital on Tap's customers - it enables the company to serve them better, faster, and more securely than ever before.