When this AI Innovator's Growth Exploded, so Did the Risks
RDC.AI isn’t your typical fintech company—but it faced a familiar challenge: securing a borderless, rapidly growing IT estate, overwhelmed with security tools and riddled with blind spots.
Dr. Kevin Tham, Chief Information Security Officer at RDC.AI, put it simply: "We had multiple consoles, overlapping data, and too much manual stitching just to understand our exposure." Answering basic security questions—What do we own? What’s vulnerable? What should we fix first?—became a daily struggle.
As an AI-driven, cloud-native company helping financial institutions make smarter, faster business-lending decisions, RDC.AI was also scaling quickly in 2024. Its AI platform, blending machine learning and human expertise, was in high demand. But as the business grew, so did the complexity of its infrastructure—and the risks. The engineering team expanded while the security team did not. Development cycles accelerated. New assets appeared overnight.
First move: End the mind-numbing manual work
RDC.AI chose Rapid7’s Surface Command, delivering what Dr. Tham describes as an almost “magical” experience.
Surface Command seamlessly integrated with RDC’s diverse cloud environments, consolidating asset and vulnerability data into one unified, actionable view—without the constant manual effort that traditional attack surface and vulnerability management tools required.
"Before Surface Command, the effort just to understand our exposure was enormous," says Dr. Tham. Now, engineering and security teams are coming together and driving security decisions from a single source of truth—no more guesswork, no more console-hopping. Finding critical issues has become far less like searching for needles in haystacks because the RDC.AI security team now has a continuous, 360° view of every asset and every risk, the blast radius and business impact of a potential attack, and real-time threat intelligence powered by Rapid7 Labs.RDC’s partnership with Rapid7 proved invaluable during the company’s latest ISO 27001 audit. Surface Command played a crucial role by enabling the team to clearly demonstrate asset management, vulnerability remediation, and control effectiveness—all in one interface. The result? A faster, smoother, more credible and sustainable audit process.
Next move: a true MDR partner, not just another alert factory
To strengthen its posture, RDC.AI evaluated several around-the-clock managed services. Dr. Tham sought a long-term security partner, so the Managed Detection and Response (MDR) search was well-planned and focused on value. Could the provider be a consolidator, reducing tool sprawl? Was the service mature and proven? Did it provide pricing transparency? Could it protect RDC.AI while allowing it to stay in control of its own environment and data?
Rapid7 delivered on all of this and more: perhaps most important was Rapid7’s practice of being more than a vendor. The elite MDR team worked as an extension of RDC’s in-house team—proactively surfacing emerging risks, helping prioritize actions, and offering expert guidance through 24x7x365 global coverage. Monthly strategic meetings with a Cybersecurity Advisor dedicated to RDC’s long-term success keep everything aligned.
Rapid7 was also uniquely positioned to deliver on RDC’s pricing, transparency, and data control needs. With unlimited data ingestion and incident response included in the service, Dr. Tham knew he didn’t have to worry about caps, overage charges, and – in the worst case – incident response fees. Plus, with full visibility into Rapid7’s next-gen SIEM used to deliver the service, RDC.AI could see every alert, investigation, and outcome driven by the team.
For a high-growth company where security has to move fast, confidently and with enterprise-grade efficacy, this wasn’t a luxury. It was a necessity. “The combination of Rapid7’s MDR with RDC.AI has provided very good business value,” said Dr. Tham. “The team can rely on the service to do the day-to-day operations and monitoring, freeing up a lot of our time to focus on more strategic discussions.”
"Visibility is survival," says Dr. Tham—and what CISO wouldn’t agree?
Perhaps the most meaningful shift for Dr. Tham’s team has been time. By automating the correlation of security data and relying on Rapid7 for day-to-day threat operations, RDC’s security function has pivoted from reactive to strategic. They're no longer buried in alerts. They're building security into development cycles. They're communicating better with engineering. They're driving initiatives that align with business growth, not slowing it down.
"Every month, our Rapid7 team doesn’t just review metrics—they bring focus." Dr. Tham credits Rapid7’s success not to any one tool or service, but to how everything fits together.
"Other tools feel like they were designed by marketers. Rapid7 feels like it was built by people who’ve done the job."
That practitioner-driven alignment—between technology, service, and real-world needs—is what made the partnership transformative. RDC.AI didn’t need another flashy dashboard. It needed clarity. It needed momentum. It needed a partner who could help security scale at the speed of business.
One team. One source of truth. Rapid7 is there for that.