08:13 AM
Connect Directly

Metasploit Project Sold To Rapid7

Open-source Metasploit penetration testing tool creator HD Moore joins Rapid7, commercial Metasploit products to come

Vulnerability management vendor Rapid7 has purchased the popular open-source Metasploit penetration testing tool project and named Metasploit founder HD Moore chief security officer of the company.

Moore, who is synonymous with the Metasploit Project , will continue as chief architect of Metasploit in his new role at Rapid7. He'll have an initial team of five Rapid7 researchers dedicated to the open-source project, some of whom already have been regular contributors to Metasploit. Financial terms of the deal were not disclosed.

Rapid7 plans to enhance its NeXpose vulnerability management product line and its own penetration testing services with Metasploit technology. The details on how Rapid7 -- which uses Metasploit in its penetration testing engagements -- will productize Metasploit are still being ironed out: Corey Thomas, vice president of products and operations at Rapid7, says he expects Rapid7 to keep Metasploit as a separate product with "high integration" with its existing products. "But this is all conjecture at this time," he says.

The goal is to leverage Metasploit's exploit technology to help identify which vulnerabilities discovered by NeXpose are actually exploitable, according to Thomas. "One of the things our customers have been pushing us for is how to get better data and information about their risk," he says. "And exploits are the key to that."

Either way, the potential for a commercial version of Metasploit represents a major shift in the penetration testing market, where vendors such as Core Security and Immunity have offered more user-friendly tools for enterprises.

Moore says the Rapid7 acquisition of Metasploit gives the project full-time resources; Moore and his co-developers of Metasploit traditionally have done their work on the tool after hours, during lunch breaks, and over weekends. "We are pretty competitive with Core and Immunity based on exploit coverage and features. But this is a great way to push the project forward...and kick ass in the commercial sector if we want to go in that direction," Moore says.

This also will speed turnaround of new features in Metasploit, he says. "It's night and day," Moore adds. "I can now get a feature done in a business day, not over an entire weekend...I'm excited to be able to work on this full-time."

Metasploit will also have Rapid7's vast lab resources and the ability to get more exposure for the project, he says. Opportunities for existing Metasploit contributors will expand, as well.

Both Moore and Rapid7 say they are well-aware of previous open-source and commercial marriages that have gone south, however, such as the Nessus scanning tool, which went from an open-source to a proprietary, closed-source license under Tenable Network Security. They say they are focusing on the open-source community to leverage Metasploit. "Our goal is to make sure we improve the open-source [element]," Thomas says. "Metasploit will remain open source."

"My goal is if we decide to go commercial, all the features and components are going into open-source [Metasploit, as well]," Moore says.

Rapid7's Thomas says his company started talking to Moore and his Metasploit team a few months ago about how to tie in the exploit data with its products and offerings. "How could we invest and contribute to the project over time for a more robust database [of exploits] at our disposal?" he says. "We want to use high-quality exploit data to help prioritize risk and get better insight into which attacks are most likely," for example.

Moore says the combination of Metasploit's exploits and Rapid7's vulnerability reports would go "a lot further than any tool in the market" today in vulnerability assessment and penetration testing.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.