Rapid7 Metasploit Reviews

The solution is used for process automation and tracking testing in OMS. 

The Search Engineering feature is good. 

Advanced Infrastructure should be implemented in the next release for better orchestration. 

I have been using Rapid7 Metasploit for four years. 

It is a stable solution. I would rate the stability an eight out of ten. 

It is a scalable solution. I would rate the scalability an eight out of ten. 

The technical support team is good and helpful. 

Positive

The initial setup is easy. The installation takes thirty minutes time. 

It is a reasonably priced solution. I would rate it from five out of ten. 

I would recommend Rapid7. I rate the overall solution a nine out of ten. 

On-premises

I use the solution for the validation of vulnerability.

For the solution, I think it's the user interface and usability that are the main features of the solution. Also, you can do more with the interface.

Some features that are not available on the console are available in the user interface, like, for example, the creation of payload. The creation of a payload is a tough part in the terminal. So, it is kind of handy when we use Rapid7 Metasploit.

I think areas with shortcomings that need improvement are more integration and automation.

I have been using Rapid7 Metasploit for two years. Also, I am using the solution's latest version. I'm a customer and a reseller of the solution.

Stability-wise, I rate the solution a nine out of ten.

Scalability-wise, I rate the solution a nine out of ten.

Previously, we were using BurpSuite. We switched to Rapid7 Metasploit because of its features.

On a scale from one to ten, one being difficult and ten being easy, I rate the setup a ten.

The deployment takes around twenty to thirty minutes maximum.

The setup process can be carried out by a single person.

On a scale of one to ten, where one is cheap and ten is expensive, I rate the product's pricing a six. So it's fairly priced.

I would definitely recommend the solution to those planning to use it on a long-term basis. For new users planning to use it for testing, I recommend they do a PoC before starting.

Overall, I rate the solution a nine out of ten.

On-premises

The last use case is for customers that want to use the features of Metasploit, for phishing detection. We give awareness about phishing on their email accounts in the organization.

The affordability of the asset for the organization has been the biggest improvement.

The initial setup is straightforward. 

The product scales well.

It's very stable and reliable. 

Technical support has been helpful and responsive. 

It's great for detecting phishing campaigns. 

It would be better if Metasploit had a wider module, to do explorations of vulnerabilities. We'd like them to offer better coverage of malware.

I've been using the solution for three to four years. It's been a while. 

The solution is stable and reliable. There are no bugs or glitches and it doesn't crash or freeze.

It's a product that can scale as necessary.

Technical support is very good. Whenever we need assistance, they are quite helpful and responsive. We are very satisfied with them.

It's a very simple setup. The process is not overly complex or difficult. I'd rate it two out of five in terms of how easy it is (with one being the easiest and five being the hardest).

The licensing is per user account. We're set up with one account per user. The price of the product is quite reasonable and very affordable. 

We're a Rapid7 distributer.

I'm not sure which version of the solution we're using. It's likely the latest one. 

Any organization or enterprise should want to check for vulnerabilities in any kind of asset that they have. Using tools like Metasploit can help companies check internally.

I'd rate the solution eight out of ten.

On-premises

Good features- 1) Availability of both graphical and command line interfaces. 2) HTML based report collection 3) Integration with PostgreSQL 4) Integration of NMAP for network scanning, brute force techniques 5) Around 800 active modules with exploits for linux, bsd , microsoft and MacOS 6) Collaboration with team feature also available 7) Open Source 8)Integration with Backtrack OS

Few cons of metasploit are 1) Exploit updates are slow after security patches to a certain OS 2) High resource utilization when run under Window7 and Windows Server 2008 R2 3) Fewer browser exploits 4) Payloads not extremely effective against updated anti viruses.

Metasploit is the most favored toolkit for network security professionals and penetration testers. It is one of the best tools for zero day exploits and payloads for operating systems such as, Microsoft Windows, Linux, and Sun Solaris. Metasploit, which has been written in Ruby, provides the ability to seamlessly create and simulate attacks on networks and provide protection. It deals with the largest database of exploits, till date available, in a single tool for both active and passive attacks on networks and applications.

Our use case is for penetration testing. 

My organization has been happy with it.

I would like to see more capabilities, more functions, and more features. More types of attack vectors.

I have experience with this solution. Like, I have been aware of this product for a few years. 

I would rate the stability a seven out of ten. It's not a ten. There is room for improvement.

It is scalable. It's in line with our needs. There are around five end users. We have possible plans to increase the further usage.

The initial setup is fairly easy.

We deployed it ourselves.

It is worth it.

We pay monthly. The pricing is reasonable. There are additional costs. 

I may have considered others, but Rapid7 was the one that stood out to me.

It's definitely one of the best penetration testing tools available. Overall, I would rate the solution an eight out of ten. 

Hybrid Cloud

I used the community edition. It's a very handy and powerful product. For a free product, the capabilities are absolutely astonishing.

I used Rapid7 Metasploit as a marketing solution. I was working as a security expert and whenever I would meet a client as a consultant or a freelancer, I would open my laptop and start using the software.

Rapid7 Metasploit is a standalone solution, intended to be used by one person, but it can be used by a few people in a team — maybe 10 people or less.

All of the features are great. I used it as a tool for penetration testing. The exploitation capabilities and the development in general, are all great. It's open-source and very handy. 

At the time I was using it, the graphical user interface needed some improvements. It might be better now because there was a very big community behind it, and of course, newer versions are always improved. The free, community edition I was using, lacked some very specific exploits but, as I remember, under the commercial version, you could find your exploits.

All the features that are available on the command line could be integrated with the graphical user interface.

I used Rapid7 Metasploit for more than five years.

The earlier versions had some bugs, but the last version, Version Four, was much more stable compared to the previous versions — which we stopped using because of the bugs.

The scalability is not that good.

When you use the command-line interface, not very much of the process is automated. There should always be an expert present to work with the software. Under the GUI, I believe there are some features that can be automated for testing.

The solution was not intended to be automated because penetration testing requires attention and caution because it's done on a live network with line services. Automation can damage the target network or the system on the network.

You can automate the input of data, but the results are not satisfactory.

The scalability should definitely be improved.

As it's a free product, the community edition doesn't include any technical support. I haven't used the commercial edition so I can't comment on their support.

In terms of development, the team of developers that supports the software is very active and quick to help. In short, the software is being maintained very actively, and I do believe the customer support should be the same.

I would like to see some support available for the free version; however, there are a lot of open-source materials available to solve any issues, so for me personally, there wasn't any need for technical support.

If you want to install it separately on a fresh new Linux, the solution is still effective. The installation is very, very straightforward.

The great advantage with Rapid7 Metasploit, of course, is that it's free. You can download it and start using it for free, right away. The features are satisfactory, and you can do your job strictly with the free edition. Of course, you could do your job even better with the commercial edition. 

There are better products available, like Core Impact, but they are much more expensive.

On a scale from one to ten, I would give Rapid7 Metasploit a rating of eight.

We have Rapid7 Metasploit installed on our Kali Linux system and we use it for penetration testing.

The solution is open source and has many small targetted penetration tests that have been written by many people that are useful. You can choose different subjects for the test, such as Oracle databases or Apache servers.

Someone has created a graphical interface for this solution called Armitage which has been very useful and easier to use. The solution typically only has a command-line interface.

You are able to do network tests over a network, not necessarily on the web server, but on desktops and other devices.

I have been using Rapid7 Metasploit for approximately two years.

The solution is stable.

The solution is not very scalable, it does not provide any automation to be able to scale it.

I rate Rapid7 Metasploit a seven out of ten.

We are a solution provider and we offer a variety of services that include security and vulnerability management. Rapid7 Metasploit is one of the products that we use to identify vulnerabilities.

Specifically, Metasploit is for penetration testing. It uses models to check for exploitable vulnerabilities, and if one is detected then we would raise the importance of solving the problem. We normally operate Metasploit at the client site, which helps us to explore and assess the vulnerabilities directly in the environment.

This solution allows us to offer additional services to our clients. Projects can vary, where one will include vulnerability testing and another may include penetration testing.

One of the services that we provide is security during the development process. This means that beyond user acceptance and performance testing, we are doing all of the security tests. It helps customers ensure that the code they are developing and deploying has all of the necessary security controls.

The most valuable feature for us is the support for testing Linux-based web server components.

Integration with popular vulnerability scanners would be a useful feature.

Better automation capabilities would be an improvement. For example, if a project is moving from a development to a testing environment, then automation is crucial. We are using Jenkins, JIRA, and other tools for SecOps and DevOps. If somebody is storing code or a project in SVN then it needs to be fully automated. We need the ability for the scanner to run, then have Checkmarx scan them, then exploit the vulnerabilities if any are found. 

We began working with Metasploit about 15 years ago.

I do not have any complaints about stability, as it has been fine.

For the projects that we have worked on, the scalability has been fine. I'm not sure how it would perform in a hybrid environment, but for our on-premises deployment, it is quite a nice product.

We have a team of 12 people and it is used for perhaps 10 large companies.

We have not been in contact with technical support.

When we do application-level penetration testing, we employ some manual techniques. Metasploit is generally used at the infrastructure level. We did not use another solution prior to this one.

The initial setup is pretty straightforward. We have been working with this product for several years and it isn't a problem for us to set it up. The deployment can be completed in a matter of hours, depending on the size of the environment.

For our needs, which is usually a dedicated environment for our customers, I cannot envision any significant improvements that need to be made.

My advice for anybody who is considering this solution is that it works well as a component in a vulnerability testing platform. We use a combination of tools with a certain level of automation and integration, which gives us the flexibility that we need to accommodate customers with differing needs. There is no one tool in the market that covers everything and ultimately, Metasploit helps to produce the reports that we need.

The biggest lesson that I have learned from using this product is that if proper security checks are not done during the development process then very likely, you will face major vulnerabilities or risks in the production environment.

Overall, it is a very good product for penetration testing.

I would rate this solution an eight out of ten.

On-premises