"The key thing is this is a product that is based on Metasploit," says HD Moore, creator of Metasploit and CSO and Metasploit chief architect for Rapid7. "And this is a more mainstream and affordable penetration testing product compared to other commercial products."
Rapid7 aims to drive down the price point for commercial pen testing products with Metasploit Express, which is priced at $3,000 per user per year and will ship in May. Moore says today's commercial pen testing tools are either pricey or less user-friendly. "We're trying to shoot for the middle ground -- affordable and with automation and ease of use," Moore says.
That doesn't mean the open source Metasploit Framework is obsolete, however. The open source version is just getting some new features as well: the upcoming Version 3.4.0 of the Framework will be released in mid-May, Moore says. "We are not selling out," he says. "We still have the open source [platform] and we're developing it full-time and leveraging it for the commercial offering as well."
New features in the open source Metasploit Framework 3.4.0 include improvements to the Meterpreter payload, expanded brute-force capabilities, and an overhaul of the back-end database schema and event subsystem, according to a blog post on the new version.
Rapid7 purchased Metasploit last year in a move that rocked the commercial pen testing industry.
The commercial Metasploit Express pen testing product, meanwhile, includes the Metasploit open source base plus a workflow manager back-end that automatically prioritizes pen test engagements and runs only the necessary and relevant exploits based on the situation. The third main component is a Web 2.0-based user interface. "Metasploit Express emulates what a real pen tester does in a real engagement, and is a little smarter about which exploits to run first," for example, Moore says.
Moore says most pen testers spend only about 5- to 10 percent of their time running exploits. "Most of their [engagements] are data analysis," he says. That is one of the key elements of Metasploit Express, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.