The automated approach in the audits or in the hacking testing with Rapid7 Metasploit could be improved because even the same attack you provide today will go in different ways another day. I prefer when the auditor or pen-tester provides the attack in a non-automated mode. For some, it might be a valuable option, but I'm not sure it's valuable for us, as after the attack has been provided, we should release a report detailing how it transpired and what the customer should improve to block this way of attack. If the attack was provided in an automated mode, you cannot receive sufficient information that helps with this final report for the customer. While you can check the vulnerability, and the system will tell you there is no vulnerability, usually, a human can change one, two, or three parameters and using the same technique and the same scripts can break the system. Rapid7 Metasploit could be improved in areas concerning the experience with finding particular scripts pre-installed in the solution. Customers, administrators, and pen-testers spend considerable time trying to locate the specific component they need by the name of the technique or the name of the attack, so any improvements in making it easier to find those predefined components by name or timeframe would be beneficial. Search filters could be a correct improvement.
While Metasploit excels in vulnerability assessment, it could improve in vulnerability management. Nessus currently holds the advantage in management functions. Support is another area where improvement is needed, particularly for assisting non-security users.
The reporting feature needs improvement. The time taken to fetch reports based on the number of events can be extensive, unlike Tenable, which is more user-friendly and faster. Additionally, network throttling should also be considered.
The database is not always updated with the latest vulnerabilities or zero-day exploits. If a vulnerability arises a month or two ago, it might not be included in the database, which is something I would like to see improved.
If your company's patch is not up to date, but you have other detection or defense solutions such as endpoint detection and response and antivirus software, the product exploit may not work effectively. This is because its exploit database update process is slow and not real-time. For zero-day vulnerabilities or new security threats, relying on Rapid7 Metasploit alone may not be effective. Adding features to Rapid7 Metasploit that enhance evasion of Endpoint Detection and Response systems would significantly improve its utility within modern organizations.
Cyber Security Director at a manufacturing company with 5,001-10,000 employees
Real User
Top 10
Jun 9, 2023
The open-source version has reporting limitations. You need to develop these capabilities yourself. Built-in reporting is an excellent feature for penetration testing, but it isn't a must-have. The solution could also cover more vulnerabilities. Metasploit has around 10,000 exploits in its library, but more is always better.
Team Lead - Cyber Security & Compliance at Al Tuwairqi Group
Real User
Mar 3, 2023
Rapid7 is able to identify vulnerabilities, but the only way to remediate them is to manually apply patches. This can be time-consuming, as evidenced by the six months it took our team to remediate vulnerabilities found in the Tenable ICS and OT security VT. To make this process easier, there should be an automated system or API to align with the PET solution, allowing systems to quickly align with it. The solution is not user-friendly and has room for improvement. I would like a feature for mobile tracking, allowing us to operate it from a mobile device or at least track it technologically, the basic functionality would be something I would like. For example, when I execute a vulnerability assessment activity, it takes around two to three days to complete all the plans. In order to track that, I would have to log into my system repeatedly. Therefore, I would like to have a feature that allows me to track it from my mobile device.
Professional services team lead at a tech services company with 1,001-5,000 employees
Reseller
Top 20
Oct 5, 2021
Rapid7 Metasploit can add a GUI feature because it is only available online. While it is simple to use, including a GUI would make things easier. It would be very helpful.
Project Director at a tech services company with 1,001-5,000 employees
Real User
Oct 20, 2020
At the time I was using it, the graphical user interface needed some improvements. It might be better now because there was a very big community behind it, and of course, newer versions are always improved. The free, community edition I was using, lacked some very specific exploits but, as I remember, under the commercial version, you could find your exploits. All the features that are available on the command line could be integrated with the graphical user interface.
The solution should be more user friendly. Right now, a user needs a certain level of technicality. The solution should improve the responsiveness of its live technical support.
Principal security consultant at a computer software company with 201-500 employees
Real User
Jun 4, 2020
Integration with popular vulnerability scanners would be a useful feature. Better automation capabilities would be an improvement. For example, if a project is moving from a development to a testing environment, then automation is crucial. We are using Jenkins, JIRA, and other tools for SecOps and DevOps. If somebody is storing code or a project in SVN then it needs to be fully automated. We need the ability for the scanner to run, then have Checkmarx scan them, then exploit the vulnerabilities if any are found.
Information Security and Governance Lead Engineer at a comms service provider with 1,001-5,000 employees
Real User
Dec 24, 2018
* The GUI version is not as effective as a command prompt. For general users, the PT using GUI could be improved. At the same, the track of a phishing emails were not accurate sometimes. Rapid7 could work on this further. * Metasploit cannot be installed on a machine with an antivirus. This could be improved. * There were times when it hung, then I had to restart the DB service. This leaves an area of improvement for them. * It is necessary to add some training materials and a tutorial for beginners.
Attackers are always developing new exploits and attack methods—Metasploit penetration testing software helps you use their own weapons against them. Utilizing an ever-growing database of exploits, you can safely simulate real-world attacks on your network to train your security team to spot and stop the real thing.
The automated approach in the audits or in the hacking testing with Rapid7 Metasploit could be improved because even the same attack you provide today will go in different ways another day. I prefer when the auditor or pen-tester provides the attack in a non-automated mode. For some, it might be a valuable option, but I'm not sure it's valuable for us, as after the attack has been provided, we should release a report detailing how it transpired and what the customer should improve to block this way of attack. If the attack was provided in an automated mode, you cannot receive sufficient information that helps with this final report for the customer. While you can check the vulnerability, and the system will tell you there is no vulnerability, usually, a human can change one, two, or three parameters and using the same technique and the same scripts can break the system. Rapid7 Metasploit could be improved in areas concerning the experience with finding particular scripts pre-installed in the solution. Customers, administrators, and pen-testers spend considerable time trying to locate the specific component they need by the name of the technique or the name of the attack, so any improvements in making it easier to find those predefined components by name or timeframe would be beneficial. Search filters could be a correct improvement.
While Metasploit excels in vulnerability assessment, it could improve in vulnerability management. Nessus currently holds the advantage in management functions. Support is another area where improvement is needed, particularly for assisting non-security users.
The reporting feature needs improvement. The time taken to fetch reports based on the number of events can be extensive, unlike Tenable, which is more user-friendly and faster. Additionally, network throttling should also be considered.
The database is not always updated with the latest vulnerabilities or zero-day exploits. If a vulnerability arises a month or two ago, it might not be included in the database, which is something I would like to see improved.
Rapid7 Metasploit could be made easier for new users to learn.
If your company's patch is not up to date, but you have other detection or defense solutions such as endpoint detection and response and antivirus software, the product exploit may not work effectively. This is because its exploit database update process is slow and not real-time. For zero-day vulnerabilities or new security threats, relying on Rapid7 Metasploit alone may not be effective. Adding features to Rapid7 Metasploit that enhance evasion of Endpoint Detection and Response systems would significantly improve its utility within modern organizations.
I would like to see more capabilities, more functions, and more features. More types of attack vectors.
There are numerous outdated exploits in their database that should be updated.
Advanced Infrastructure should be implemented in the next release for better orchestration.
The open-source version has reporting limitations. You need to develop these capabilities yourself. Built-in reporting is an excellent feature for penetration testing, but it isn't a must-have. The solution could also cover more vulnerabilities. Metasploit has around 10,000 exploits in its library, but more is always better.
I think areas with shortcomings that need improvement are more integration and automation.
Rapid7 is able to identify vulnerabilities, but the only way to remediate them is to manually apply patches. This can be time-consuming, as evidenced by the six months it took our team to remediate vulnerabilities found in the Tenable ICS and OT security VT. To make this process easier, there should be an automated system or API to align with the PET solution, allowing systems to quickly align with it. The solution is not user-friendly and has room for improvement. I would like a feature for mobile tracking, allowing us to operate it from a mobile device or at least track it technologically, the basic functionality would be something I would like. For example, when I execute a vulnerability assessment activity, it takes around two to three days to complete all the plans. In order to track that, I would have to log into my system repeatedly. Therefore, I would like to have a feature that allows me to track it from my mobile device.
It would be better if Metasploit had a wider module, to do explorations of vulnerabilities. We'd like them to offer better coverage of malware.
Rapid7 Metasploit can add a GUI feature because it is only available online. While it is simple to use, including a GUI would make things easier. It would be very helpful.
At the time I was using it, the graphical user interface needed some improvements. It might be better now because there was a very big community behind it, and of course, newer versions are always improved. The free, community edition I was using, lacked some very specific exploits but, as I remember, under the commercial version, you could find your exploits. All the features that are available on the command line could be integrated with the graphical user interface.
The solution should be more user friendly. Right now, a user needs a certain level of technicality. The solution should improve the responsiveness of its live technical support.
Integration with popular vulnerability scanners would be a useful feature. Better automation capabilities would be an improvement. For example, if a project is moving from a development to a testing environment, then automation is crucial. We are using Jenkins, JIRA, and other tools for SecOps and DevOps. If somebody is storing code or a project in SVN then it needs to be fully automated. We need the ability for the scanner to run, then have Checkmarx scan them, then exploit the vulnerabilities if any are found.
* The GUI version is not as effective as a command prompt. For general users, the PT using GUI could be improved. At the same, the track of a phishing emails were not accurate sometimes. Rapid7 could work on this further. * Metasploit cannot be installed on a machine with an antivirus. This could be improved. * There were times when it hung, then I had to restart the DB service. This leaves an area of improvement for them. * It is necessary to add some training materials and a tutorial for beginners.