Rapid7 Metasploit provides robust exploitation capabilities, vulnerability assessment, and seamless integration with InsightVM, enhancing penetration testing and security awareness.

| Product | Mindshare (%) |
|---|---|
| Rapid7 Metasploit | 2.1% |
| Wiz | 4.5% |
| Qualys VMDR | 3.9% |
| Other | 89.5% |

| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| Wiz | 4.4 | 4.5% | 97% | 48 |
| SentinelOne Singularity Cloud Security | 4.4 | 2.5% | 99% | 129 |

| Company Size | Count |
|---|---|
| Small Business | 5 |
| Midsize Enterprise | 2 |
| Large Enterprise | 9 |

| Company Size | Count |
|---|---|
| Small Business | 116 |
| Midsize Enterprise | 52 |
| Large Enterprise | 110 |

Rapid7 Metasploit stands out in the cybersecurity sphere for its extensive exploit modules and automated testing processes. It supports multiple interfaces and databases, simplifying exploit development and facilitating network scanning through integration with Nmap. Its emphasis on vulnerability discovery and incident detection positions it as a key tool in various IT environments, despite limitations in GUI effectiveness and exploit update speeds.
In industries such as government and education, Rapid7 Metasploit integrates into security protocols and training programs. Its deployment on platforms like Kali Linux aligns with IP assets for effective scanning and phishing detection. Organizations benefit from its ability to track processes and collaborate securely with entities, enhancing overall cybersecurity readiness.
Rapid7 Metasploit was previously known as Metasploit.
City of Corpus Christi, Diebold, Lumenate, Nebraska Public Power District, Prairie North Regional Health, Apptio, Automation Direct, Bob's Stores, Cardinal Innovations Healthcare Solutions, Carnegie Mellon University
| Author info | Rating | Review Summary |
|---|---|---|
| Head of Sales Services Department at a comms service provider with 51-200 employees | 5.0 | I've used Rapid7 Metasploit for years due to its integration with InsightVM, valuable exploit database, and ease of setup, though its automation and script search features could be more user-friendly for thorough penetration testing. |
| Infrastructure patching Manager at a manufacturing company with 1,001-5,000 employees | 5.0 | I use Rapid7 Metasploit for environmental scanning due to its comprehensive features that consolidate alerts in one platform, providing clear insights and incident responses. However, its reporting features lag behind Tenable in speed and user-friendliness. |
| Senior Security Consultant at ITSEC Asia | 4.0 | I primarily use Metasploit for vulnerability assessment and find it faster and less system-intensive compared to Nessus. While Metasploit excels in exploit development, it needs improvement in vulnerability management and support for non-security users. ROI is best for first-time users. |
| Information security engineer at Cyberisk | 4.5 | I primarily use Rapid7 Metasploit for exploitation and scanning due to its powerful features, including automating website testing. However, I find the database lacks updates on recent vulnerabilities, although it still saves significant time and costs compared to competitors. |
| Junior Executive - Information Security at sunshine holdings | 4.5 | I've been using Rapid7 Metasploit to test vulnerabilities and exploits. Its most valuable features include scripts, modules, and tools which aid in creating malicious documents and backdoors. It helps identify system vulnerabilities for potential upgrades without needing other solutions. |
| Information Security Analyst at Banglalink | 2.5 | I use Rapid7 Metasploit for penetration testing to detect vulnerabilities and generate reports efficiently through its automation capabilities. However, its slow exploit database updates and limitations against zero-day threats suggest it may not work effectively alone. |
| Executive Manager at B2B-Solutions LLC | 4.5 | I use Rapid7 Metasploit for scanning, focusing on systems managed through Rapid7 InsightVM. It efficiently targets identified vulnerabilities and creates campaign pages, though some outdated exploits in its database would benefit from updates to stay current. |
| Team Lead - Cyber Security & Compliance at Al Tuwairqi Group | 4.0 | We use Rapid7 Metasploit for quarterly vulnerability assessments and immediate action on critical issues. Its unique strength lies in penetration testing. However, it lacks automation for patches and mobile tracking, making it less user-friendly. We deploy it on Microsoft Azure. |
| Senior cybersecurity engineer at an aerospace/defense firm with 5,001-10,000 employees | 4.0 | I use Rapid7 Metasploit for penetration testing and have been satisfied with its capabilities. Although I wish it had more functions and attack vectors, it has proven to be worth the investment. Rapid7 stood out among other solutions. |
| Network & Security Engineer at PT. Centrin Online Prima | 4.5 | I use Rapid7 Metasploit for process automation and testing in OMS. The Search Engineering feature works well. However, I believe that implementing Advanced Infrastructure in future updates would enhance orchestration capabilities. |
I use Rapid7 Metasploit as a distributor, as an integrator, and as a user.
I use Rapid7 Metasploit in my company internally as a part of providing internal audit.
The most valuable features and capabilities of Rapid7 Metasploit are its tight connection with InsightVM. Inside VM, we are using both in our infrastructure. InsightVM searches for potential threats and vulnerabilities of the infrastructure, and after that, Rapid7 Metasploit validates whether we can break the system using this vulnerability or threat, serving as a validator component of the InsightVM solution.
The predefined step-by-step hacking tools of Rapid7 Metasploit are valuable because you don't need to create your scripts; you can use techniques predefined in the solution, though there is also the ability to create your own if needed.
The extensive exploit database of Rapid7 Metasploit is quite substantial. Some vendors work with huge customers to provide penetration testing and create internal battles to provide training for internal teams, red team and blue team. These professionals are highly skilled, which makes this base of components and other instruments really valuable, based on real infrastructures and real experiences they've faced in providing those kinds of services for customers.
The integration capabilities of Rapid7 Metasploit with third-party tools are strong, particularly its native integration with InsightVM. You can see the interface in one single management console, allowing you to get information from one solution to create a report within another solution, so it's fully integrated with InsightVM.
The automated approach in the audits or in the hacking testing with Rapid7 Metasploit could be improved because even the same attack you provide today will go in different ways another day. I prefer when the auditor or pen-tester provides the attack in a non-automated mode. For some, it might be a valuable option, but I'm not sure it's valuable for us, as after the attack has been provided, we should release a report detailing how it transpired and what the customer should improve to block this way of attack. If the attack was provided in an automated mode, you cannot receive sufficient information that helps with this final report for the customer. While you can check the vulnerability, and the system will tell you there is no vulnerability, usually, a human can change one, two, or three parameters and using the same technique and the same scripts can break the system.
Rapid7 Metasploit could be improved in areas concerning the experience with finding particular scripts pre-installed in the solution. Customers, administrators, and pen-testers spend considerable time trying to locate the specific component they need by the name of the technique or the name of the attack, so any improvements in making it easier to find those predefined components by name or timeframe would be beneficial. Search filters could be a correct improvement.
I have been working with Rapid7 Metasploit for about seven years.
My impression of the stability of Rapid7 Metasploit is that it functions effectively as a tool; it is similar to Microsoft Office in that it's just a tool used whenever needed.
Rapid7 Metasploit has limited scalability based on my experience, as the customer receives the full functionality of the product with the license. There is some limitation on the number of administrators that can run the solution at the same time due to concurrent licensing, but I haven't faced a situation where we've had many pen-testers wanting to use the solution simultaneously; even one license is entirely enough for one customer.
My experience with the initial setup and deployment of Rapid7 Metasploit is quite easy; you can install it on-premise without needing to integrate with another solution. It's a compact solution that you can immediately run in whatever infrastructure you install it. I'm not certain if it is available on cloud, but it is completely available on-premise.
The pricing of Rapid7 Metasploit is quite affordable. It has a free version that many customers start with, and after that, they usually purchase the commercial part of the solution due to its deep integration with InsightVM and its larger base of techniques and tools available for customer use in their infrastructure.
I am asking to keep my reviews anonymous. I'm checking my schedule and could do 12 o'clock Kyiv time next Wednesday. On a scale of 1-10, I rate Rapid7 Metasploit a 10 out of 10.

Rapid7 has a significant advantage in providing a clear picture of my environment. It provides insight and incident detection response capabilities. When deployed with the same agent in servers or endpoints, it identifies vulnerabilities and monitors data transmission to external sources.
Rapid7 offers comprehensive features within one platform, eliminating the need to integrate multiple tools to see all alerts in one place.
The reporting feature needs improvement. The time taken to fetch reports based on the number of events can be extensive, unlike Tenable, which is more user-friendly and faster.
Additionally, network throttling should also be considered.
There are no issues with the stability of Rapid7 itself; however, network issues impact its stability.
Rapid7 Metasploit is highly scalable. It's a cloud-based solution that requires payments based on the number of agents being used and is easily scalable to meet my requirements.
The customer support is excellent, and I have a very positive impression of it.
Positive
In the past, my organization used Tenable, but with the acquisition of more companies, some of which use Tenable, we are transitioning to Rapid7 Metasploit due to its comprehensive features.
I rate the initial setup an eight out of ten, which indicates it is easy.
The cost is approximately $15 per device.
We were using Tenable previously and compared its features to those offered by Rapid7.
Rapid7 Metasploit is a robust tool. Think about network throttling and consider improvements in the reporting feature.
I'd rate the solution ten out of ten.
When I compare Metasploit with Nessus, I find that Metasploit is faster and it does not burden the system as much. While Nessus is more straightforward for management, for vulnerability assessment, Metasploit has the upper hand.
Additionally, Metasploit's exploit development feature is among the best and is comparable in quality to Nessus.
While Metasploit excels in vulnerability assessment, it could improve in vulnerability management. Nessus currently holds the advantage in management functions.
Support is another area where improvement is needed, particularly for assisting non-security users.
I have experience using Metasploit from 2012 to 2013.
I find Metasploit to be very stable, and I would rate its stability as a nine out of ten.
I would rate the scalability of Metasploit as an eight out of ten.
I rate the customer service of Rapid7 Metasploit as a seven out of ten. The global support is not as good. Tenable offers better global support. Rapid7 sometimes struggles with queries from non-security people, whereas Tenable is more patient.
Neutral
The initial setup of Metasploit is easy. I only need to start it, and it goes through to the end.
The ROI can be very rapid for organizations using vulnerability assessment for the first time. However, for those with previous experience or using multiple solutions like Qualys or Nessus, it is just so-so.
Metasploit is cheaper than Nessus and offers a more robust community edition that provides a good experience for studying Metasploit. This makes it a more economical choice for projects compared to Nessus.
I have compared Metasploit with Nessus and am aware of solutions like Qualys.
I recommend Metasploit to others, especially those within a limited budget. It is a helpful tool for assessing whether an organization's security is adequate. I usually advise clients that if they have more money to spend, investing in vulnerability assessment is indeed beneficial for their business.
I would rate Metasploit an eight out of ten overall.

Our primary use case for Metasploit is for exploitation and scanning. It is a powerful tool for identifying vulnerabilities, such as SMTP-related vulnerabilities, user enumeration, and brute forcing. I also use it for automation related to website testing.
Metasploit has helped us save a lot of time during website testing and various projects, as it allows for efficient automation and recurrent tasks, making the overall process much faster.
The most valuable features of Metasploit include its powerful capabilities for exploitation and scanning. I have been able to exploit various vulnerabilities, such as SMTP-related vulnerabilities, user enumeration, brute forcing, and so many other vulnerabilities.
Additionally, the ability to automate website testing and integrate it into my script makes it even more efficient.
The database is not always updated with the latest vulnerabilities or zero-day exploits. If a vulnerability arose a month or two ago, it might not be included in the database, which is something I would like to see improved.
I have been using Metasploit for over two years.
I have never faced any technical issues or downtimes. It is a pretty stable tool.
Metasploit can handle big projects and is already prepared for them. There might be some room for improvement. For me, it works well.
I have not needed to contact technical support. I have not faced any issues that required assistance.
Positive
I have not found any competitor to Metasploit in terms of exploitation and scanning capabilities. While other tools have competitors, like Nmap and SQLmap, Metasploit is quite unique.
Metasploit has helped save time, especially with testing websites or VIPD projects. This time-saving can translate into cost-saving as well.
I am not very sure about the pricing. It falls into an intermediate range. However, I am not involved with the partition part.
There are no competitors for Metasploit that I have found.
I would definitely recommend Metasploit to others. I have already recommended it to my friends.
I'd rate the solution nine out of ten.

I've been using Rapid7 Metasploit to create vulnerabilities and test exploits. I can create malicious Word documents through the Rapid7 Metasploit framework for testing purposes. I can create a backdoor through the solution to test a web server or a vulnerable machine.
The most valuable features of the solution are the scripts, the modules, and the tools that the Rapid7 Metasploit framework has.
I have been using Rapid7 Metasploit for a couple of years.
Rapid7 Metasploit is a stable solution.
I rate the solution a nine out of ten for stability.
The solution's initial setup is easy. You need to know how to install it. You can install the solution after you go through the documentation.
I installed the solution through Linux. I just had to fetch the file and the exploit pre-built in Kali Linux. When you go under the exploitation tools in Kali Linux, you get the Rapid7 Metasploit framework.
Rapid7 Metasploit helps find vulnerabilities or loopholes in a system to determine whether the system needs to be upgraded.
Rapid7 Metasploit is an open-source solution. There is a license that users need to purchase for the Rapid7 Metasploit framework. I haven't used the one where you have to purchase and get a license.
The solution's exploit development functionality was easy to use and had all the scenarios I could use to run my security assessment. Since the solution has been updated regarding new malware, it gives data protection for security professionals. Rapid7 Metasploit is a good exploit tool, and users need to know what they're doing while using the solution.
The solution provides perfect effectiveness in simulating real-world attacks for training purposes.
Overall, I rate the solution a nine out of ten.

We use the solution to detect and prevent attacks. Penetration testing aims to prove vulnerabilities. The vulnerability scanning results provide key IDs that can be explored using tools like Rapid7 Metasploit.
The tool's most useful feature for penetration testing is its automation capabilities. With the professional edition, you can upload the results from Nessus in the Rapid7 Metasploit solution portal.
It then automates the generation of commands to compromise the target machine without the need for manual commands. This automates the testing process and enables the creation of reports to highlight weaknesses in the target machine for management review.
The Metasploit framework is easy.
If your company's patch is not up to date, but you have other detection or defense solutions such as endpoint detection and response and antivirus software, the product exploit may not work effectively. This is because its exploit database update process is slow and not real-time. For zero-day vulnerabilities or new security threats, relying on Rapid7 Metasploit alone may not be effective.
Adding features to Rapid7 Metasploit that enhance evasion of Endpoint Detection and Response systems would significantly improve its utility within modern organizations.
I have been using the product for three and a half years.
I rate the product's stability a five out of ten.
I rate the product's scalability a seven out of ten. I am a single user in the company.
The solution's technical support is very poor. Their responses are delayed and don't meet the timelines.
Negative
I rate the tool's setup a six point five out of ten. It is easy to deploy and takes less than an hour to complete.
We have paid for three years of licensing. We will not be renewing it. My company is in search of an alternative. Other tools are better than Rapid7 Metasploit, and it's important to evaluate EDR for effective penetration testing. Its pricing is cheap compared to other alternatives.
Penetration testing can potentially expose weaknesses in your Endpoint Detection and Response system. The effectiveness depends on how your EDR system is configured. If the policy is strong and well-configured, tools like Rapid7 Metasploit may not be successful. However, if the policy is poorly configured or not implemented, vulnerabilities could be exploited, and attacks, including those using Rapid7 Metasploit, may occur.
Using the manual Rapid7 Metasploit software framework in Kali Linux requires command-line inputs. In contrast, the professional edition simplifies the process by allowing users to select IPs and upload Nessus results in .nessus format. This eliminates the need to write complex commands.
In countries facing economic challenges, there is limited funding for security teams and professionals due to the country's economic conditions.
The tool has delayed my certification. I don't recommend it since we get many better solutions in the market. I rate it a five out of ten.

I use it for scanning purposes, particularly focusing on systems Rapid7 Exposed or managed through Rapid7 InsightVM.
The base has already been established. While there is a free community version commonly used, it requires manual installation of exploits. It allows us to concentrate solely on identified vulnerabilities without the hassle of additional setup. It has the capability to execute session attacks, generating deceptive pages from the target page. This mimics a fake page, enticing individuals to interact after receiving email session letters. This feature allows the creation of campaigns with efficient letters deployed within unique pages—a utility that sets it apart from other products solely focused on exploit databases.
There are numerous outdated exploits in their database that should be updated.
I have been using it for approximately five years.
I would rate its stability capabilities nine out of ten.
It doesn't provide scalability.
Technical support is responsive, but it requires patience as you may have to wait for several days before they schedule an online session to assist with problem resolution. While they offer helpful information, if the issue persists and proves challenging, you might consider seeking an alternative solution for your needs. I would rate it six out of ten.
Neutral
The initial setup was straightforward. I would rate it eight out of ten.
The deployment process is seamless, allowing the import of projects directly from Exposed or InsightVM. This eliminates the need for manual input of budget information and potential vulnerabilities. All that's required is to export the project and navigate through the Exposed interface to perform manual adjustments and exploration, streamlining the process of updating its database. Deployment may consume a significant amount of time due to the extensive bundle size. Additionally, there might be instances where a system restart or service reboot is necessary, especially when using units.
The pricing structure involves a one-time purchase cost of approximately twenty thousand dollars or euros for all customers. Additionally, there is an annual fee of thirty-five percent, which serves as the support fee, granting access to technical assistance.
Overall, I would rate it nine out of ten.

We are using the solution to assess vulnerabilities. We have aligned the solution with our information assets, such as the multiple plants we have. We have aligned Rapid7 Metasploit with the IP addresses, given the range of the IPs, and we scan it by using this Rapid7 Metasploit to identify vulnerabilities. We do this on a quarterly basis, but if any critical vulnerabilities, such as zero days, are identified, we immediately remediate them or take action until the patch has been deployed.
The greatest advantage of Rapid7 Metasploit is that it is the only system that can directly exploit vulnerabilities on the Metasploit platform. Metasploit is used for penetration testing, while Rapid7 and Nessus are used solely for vulnerability assessment. Metasploit can be used to both test and exploit vulnerabilities, while other systems such as Tenable and Invicti are unable to do so since they do not have a penetration testing platform.
Rapid7 is able to identify vulnerabilities, but the only way to remediate them is to manually apply patches. This can be time-consuming, as evidenced by the six months it took our team to remediate vulnerabilities found in the Tenable ICS and OT security VT. To make this process easier, there should be an automated system or API to align with the PET solution, allowing systems to quickly align with it.
The solution is not user-friendly and has room for improvement.
I would like a feature for mobile tracking, allowing us to operate it from a mobile device or at least track it technologically; the basic functionality would be something I would like. For example, when I execute a vulnerability assessment activity, it takes around two to three days to complete all the plans. In order to track that, I would have to log into my system repeatedly. Therefore, I would like to have a feature that allows me to track it from my mobile device.
I have been using the solution for six years.
The solution is stable.
The solution is scalable.
Only our Cybersecurity team is using the solution; there are approximately five people using it. We have not given access to any other Support teams.
We raised some tickets concerning the system features, as they have some bugs or technical issues. This was done by our team, not for any configuration or support.
The initial setup can be difficult. I have set up two major systems: Tenable.io Vulnerability Management from the beginning to the advanced level, and the same is true for Rapid7 Metasploit. It can be a bit challenging. We must understand the technical area, the range of IPs, our information assets, and what assets need to be aligned with the system.
I believe that the initial setup will only require a maximum of three or four days. However, maturing the system is dependent on the experience of our team.
Rapid7 Metasploit is cheaper than Tenable.io Vulnerability Management.
I give the solution an eight out of ten.
We should consider retiring Rapid7 Metasploit in case we find a better solution for exploitation. For example, if I compare Tenable.io Vulnerability Management and Rapid7 Metasploit, I prefer Tenable.io Vulnerability Management for vulnerability assessment. However, when it comes to penetration and exploitation, I have to go with Rapid7 Metasploit as Tenable.io Vulnerability Management does not have any tool or system to automatically inject vulnerabilities and exploit them for automated penetration testing. Therefore, if I find a similar system in the future, we should retire Rapid7 Metasploit and switch to the new architecture.
Whether we are a novice or experienced IT support persons, it will be difficult to use the system, as it is difficult to use any vulnerability assessment system. In order to use these systems, we must understand what a vulnerability is and what our purpose is for using it. Rapid7 Metasploit is difficult to use, as it is not very user-friendly.

Our use case is for penetration testing.
My organization has been happy with it.
I would like to see more capabilities, more functions, and more features. More types of attack vectors.
I have experience with this solution. Like, I have been aware of this product for a few years.
I would rate the stability a seven out of ten. It's not a ten. There is room for improvement.
It is scalable. It's in line with our needs. There are around five end users. We have possible plans to increase usage further.
The initial setup is fairly easy.
We deployed it ourselves.
It is worth it.
We pay monthly. The pricing is reasonable. There are additional costs.
I may have considered others, but Rapid7 was the one that stood out to me.
It's definitely one of the best penetration testing tools available. Overall, I would rate the solution an eight out of ten.

The solution is used for process automation and tracking testing in OMS.
The Search Engineering feature is good.
Advanced Infrastructure should be implemented in the next release for better orchestration.
I have been using Rapid7 Metasploit for four years.
It is a stable solution. I would rate the stability an eight out of ten.
It is a scalable solution. I would rate the scalability an eight out of ten.
The technical support team is good and helpful.
Positive
The initial setup is easy. The installation takes thirty minutes.
It is a reasonably priced solution. I would rate it five out of ten.
I would recommend Rapid7. I rate the overall solution a nine out of ten.