Rapid7 purchases Metasploit

Published: 2009-10-21
Last Updated: 2009-10-21 15:44:11 UTC
by Joel Esler (Version: 1)
12 comment(s)

Woke up this morning to find the news in my inbox that vulnerability management company Rapid7 purchased Metasploit. Personally, I think this is a good thing. Anytime there can be commercial funding and backing put behind an Open Source program in order to further its development, I consider it a good thing. I know this model works, as I work for Sourcefire. We have a few open source programs ourselves.

Better funding = better (more) exploits = better pen-test tool.  Not that Metasploit isn't already awesome, because it is, but this will make Metasploit turn another corner in its (already successful) evolution.

I applaud HD's (and of course everyone else on the Metasploit team's) work, and may this acquisition further the success of the platform.

Read more about the purchase here.


-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler



Well so much for that...Rapid7 is a JOKE. They tried to sell my company their amazingly overpriced product...hounded me until I had to send them an email to cease....hope they don't screw up Metasploit too much :(
My only concern is that Metasploit will go the way of L0phtCrack after it was acquired, i.e., nearly died on the vine.
I agree that Rapid7's sales people are VERY persistent, and their product is quite expensive. I don't think that HD Moore will allow Metasploit to die, and we can expect good things in the future for Metasploit!
Two things: did I miss the meeting where we decided it no longer mattered if we knew when to use principal versus principle? The press release is yet another example of this. If that's the level of attention to detail we can expect from Rapid7, well, let's hope they give HD free rein as well.

Second, doesn't this present a larger litigation target? Suing an open source project is just goofy; suing a security company for (arguably) selling attack tools and the means of defending yourself... That seems to me to be the kind of thing attorneys could spend time writing about. Not too hard to cast Rapid7 in the role of the heavy in a brief intended for non-savvy judges or jurors.
Perhaps they will put a privacy policy on the web site now so IP addresses cannot be shared with anyone.
Rapid7 is terrible. I have had to hang up on their "used car" sales staff a few times. I have grave concerns that Metasploit is Metatoast. Tenable kept Nessus alive, so it is possible this won't ruin it.
So, keep the good stuff for paying customers for X number of days before giving it up to the kidz or those who can't afford the licensing. OK, this is an understandable business decision, but Joel, it's shortsighted to flatly assume that commercial funding behind an OSS'd project is a good thing. The model may work for Sourcefire and its paying customers, but not for those who used the flagship project under its previous deployment umbrella. The same goes for other assimilated formerly OSS'd projects that became mainstream, despite their rather dubious beginnings and intentions, and borderline hinky associations.
It's a good thing I can write my own sigs and the occasional exploit, so I can try to keep up with those who can pay for having the data once it's purchased from the exploit writers.
Good luck cashing out, I suppose, HD, but I don't think this is a good thing for traditional users of Metasploit.
Three words: Network Associates, PGP.
Here's to hoping it doesn't turn out like that fubar. RIP metasploit freedom.
Well, I am putting my hopes in that OSS projects being well funded is a good thing, a la, the model we have at Sourcefire. (Snort, Daemonlogger, ClamAV, etc) Metasploit is still BSD licensed, and is still community driven. As for dealing with Rapid7's sales guys, I have no idea, I've never had to.
NAI bought PGP. Turned it to crap. Company spun itself back off eventually.
Symantec bought the l0pht. Buried it. Company spun itself back off eventually (just L0phtCrack, but really, that's the only tool they sold beside the web site proxy for testing stuff that I can't remember the name of).
Nessus built their own company called Tenable. No more open source, but reasonable licensing.
Snort created Sourcefire. Still open source. Still monetarily viable.
CACE took over Ether^H^H^H^H^HWireshark (sort of). Better than ever.
Hopefully, this Metasploit buy will continue the positive trend... but I sort of doubt it.