Metasploit: Pen Testing Product Overview and Analysis

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

See our complete list of top penetration testing tools.

The Bottom Line

Rapid7’s Metasploit scans and tests for vulnerabilities. Backed by a huge open-source database of known exploits, it provides IT security teams with an analysis of pen testing results so remediation steps can be done efficiently. However, it doesn’t scale up to enterprise level and some users say it is difficult to use at first.

For more on Metasploit, see Getting Started With the Metasploit Framework: A Pentesting Tutorial

Type of tool: Penetration testing

Key features: Metasploit is a collection of penetration tools used to discover vulnerabilities, evaluate security and devise various approaches for defense. It can be used on servers, web applications and networks. It boasts an up-to-date database of known vulnerabilities and exploits. It supports Linux, Mac and Windows. A built-in network sniffer is included, and it provides a variety of ways to carry out attacks against exploits.

It includes automation, too, and offers pre-written scripts. Different modules cover scanning, exploiting, payload generation and analysis. Community and Pro editions are available. Both include features such as scanning of imported data, discovery scan, manual exploitation, data export, session/credential management, proxy pivot, and session clean up. Pro comes with a lot more bells and whistles such as brute force, evidence collection, complete reporting, AV/IDS/IPS evasion, data tagging, wizards for fast action, VPN pivoting, payload generators, and team collaboration.

Metasploit is backed by a community of over 200,000 users and contributors. Rapid7’s work with the user community has amassed more than 2,300 exploits and more than 3,300 modules and payloads.

“Metasploit provides a fast way to collect all the low-hanging security problems when a new system is deployed,” said a network manager in the healthcare industry.

Differentiator: Covers the entire range: scanning, finding, testing and exploiting vulnerabilities. Huge open-source database of exploits. Excellent analysis of pen testing results.

What it can’t do: Does not scale as well as some other products, and is best as a tool to use against exploits acting against particular servers or applications rather than as a general scanning tool.

Cost: Community edition is free. Pro edition is $15,000 per year. There are also express versions costing between $2,000 and $5,000 per year.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Drew Robb Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis