Rapid7 buys Metasploit, remains committed to open source

Metasploit, the organization behind the Metasploit Project, a popular open-source tool for exploit research, has been acquired by vulnerability management provider Rapid7.

Under the terms of the deal, announced Wednesday, Metasploit will continue as an open-source project, freely licensed to noncommercial users.

Metasploit founder HD Moore will become the chief security officer at Rapid7 and remain as Metasploit's chief architect.

“From a user's perspective, Metasploit will still be free,” Moore wrote on the Metasploit blog. “All of the important bits are going to remain open source, a point that was very important to me, since its open nature is what drew me to Metasploit in the first place and what, I believe, attracts many of its users and contributors.”

The Metasploit technology is an aid to people who do penetration testing, intrusion detection system signature development and exploit research. According to Rapid7, it will roll Metasploit into its NeXpose product, which scans networks, applications, databases and operating systems, among other IT elements, for vulnerabilities. The product typically is used to assess security risks and even recommend remediation approaches.

“We will leverage Metasploit technology to enhance our vulnerability management solution, Rapid7 NeXpose,” said Mike Tuchen, president and CEO at Rapid7, in the acquisition announcement. “At the same time, we will not only maintain but accelerate the open-source framework Metasploit with dedicated resources and contributions.”

What does the acquisition mean to the vulnerability management industry segment? The competition is unlikely to diminish.

“If I was to put myself in Rapid7's shoes, I would say that they would have to compete big time against Core Impact [a competing vulnerability management vendor],” Philippe Courtot, CEO of vulnerability management company Qualys, told SCMagazineUS.com Wednesday. “But more important, I would say that when you are a proprietary software company, moving into open source is a little bit tricky. They typically involve very different goals and have very different kinds of individuals involved.”

The acquisition may or may not constitute an advantage for Rapid7, one competitor said.

“If they're planning to add capabilities to their scanning technology to be able to compete more aggressively with other leading companies in vulnerability management, it opens another option,” Ivan Arce, CTO of Core Security, told SCMagazineUS.com Wednesday. “We'll see what happens in the coming months.”

But other security experts are sanguine about the combination.

Joel Esler, a handler at the SANS Internet Storm Center, predicted Wednesday on the organization's blog that additional funding from a private company will enable Metasploit to produce stronger exploit tools.

“Anytime there can be commercial funding and backing put behind an open-source program in order to further its development, I consider it a good thing,” he said.
