Rapid7 Metasploit Reviews

We are a solution provider and we offer a variety of services that include security and vulnerability management. Rapid7 Metasploit is one of the products that we use to identify vulnerabilities.

Specifically, Metasploit is for penetration testing. It uses models to check for exploitable vulnerabilities, and if one is detected then we would raise the importance of solving the problem. We normally operate Metasploit at the client site, which helps us to explore and assess the vulnerabilities directly in the environment.

This solution allows us to offer additional services to our clients. Projects can vary, where one will include vulnerability testing and another may include penetration testing.

One of the services that we provide is security during the development process. This means that beyond user acceptance and performance testing, we are doing all of the security tests. It helps customers ensure that the code they are developing and deploying has all of the necessary security controls.

The most valuable feature for us is the support for testing Linux-based web server components.

Integration with popular vulnerability scanners would be a useful feature.

Better automation capabilities would be an improvement. For example, if a project is moving from a development to a testing environment, then automation is crucial. We are using Jenkins, JIRA, and other tools for SecOps and DevOps. If somebody is storing code or a project in SVN then it needs to be fully automated. We need the ability for the scanner to run, then have Checkmarx scan them, then exploit the vulnerabilities if any are found. 

We began working with Metasploit about 15 years ago.

I do not have any complaints about stability, as it has been fine.

For the projects that we have worked on, the scalability has been fine. I'm not sure how it would perform in a hybrid environment, but for our on-premises deployment, it is quite a nice product.

We have a team of 12 people and it is used for perhaps 10 large companies.

We have not been in contact with technical support.

When we do application-level penetration testing, we employ some manual techniques. Metasploit is generally used at the infrastructure level. We did not use another solution prior to this one.

The initial setup is pretty straightforward. We have been working with this product for several years and it isn't a problem for us to set it up. The deployment can be completed in a matter of hours, depending on the size of the environment.

For our needs, which is usually a dedicated environment for our customers, I cannot envision any significant improvements that need to be made.

My advice for anybody who is considering this solution is that it works well as a component in a vulnerability testing platform. We use a combination of tools with a certain level of automation and integration, which gives us the flexibility that we need to accommodate customers with differing needs. There is no one tool in the market that covers everything and ultimately, Metasploit helps to produce the reports that we need.

The biggest lesson that I have learned from using this product is that if proper security checks are not done during the development process then very likely, you will face major vulnerabilities or risks in the production environment.

Overall, it is a very good product for penetration testing.

I would rate this solution an eight out of ten.

We use it for penetration testing of our internal systems. 

• The option to generate phishing emails has proven to be very valuable in understanding the behavior of users. 
• It contains almost all the available exploits and payloads. 
• The in-built Wireshark is valuable in performing packet analysis. 
• It has different installation files for different OSs.

• The GUI version is not as effective as a command prompt. For general users, the PT using GUI could be improved. At the same, the track of a phishing emails were not accurate sometimes. Rapid7 could work on this further. 
• Metasploit cannot be installed on a machine with an antivirus. This could be improved. 
• There were times when it hung, then I had to restart the DB service. This leaves an area of improvement for them.
• It is necessary to add some training materials and a tutorial for beginners.

It is a very robust and stable product. 

Its scalability can be improved.

The tech support was not as robust as our prior experience with Cisco. With Cisco, we had immediate response. 

The initial setup was easy and straightforward. 

There is also a manual setup available for installation, both for Windows and Linux. We just had to uninstall the antivirus and disable the firewall. This is not recommended. 

It is expensive. Our license expired, and our company is not thinking to renew because of our budget. 

I use this solution to check if there are any vulnerabilities that I find during scanning.

The search engine is actually pretty cool. It actually allows you to search the vulnerability very fast, and the big difference is that the exploit you see on Metasploit has been tested and imported, it's going to work and it is not going to crash anything. That's a big thing. That's basically why I use it.

The most valuable one is the integration between Nmap, the database and Metasploit. That saves a lot of time.

I had some issues with stability in the past, but it appears that the latest upgraded version has sorted out those issues.

I do not think it scales. But, I do not understand why someone would want to scale Metasploit, at it is very specific on what you are attacking. It attacks a particular server. You can only scale if you are using Nmap.

The initial setup was a bit "tweaky" for the open-source version.

I use the open-source version, not the paid version of this product.

We looked at Metasploit vs Tenable Nessus and Metasploit vs OpenVAS. These solutions were more general scanners, and not as precise as Metasploit. 

It's not possible to do penetration testing without being very proficient in Metasploit. It's impossible.