We performed a comparison between Rapid7 Metasploit and Snyk based on real PeerSpot user reviews.
Find out what your peers are saying about Tenable, Wiz, Check Point Software Technologies and others in Vulnerability Management."Stability-wise, I rate the solution a nine out of ten...Scalability-wise, I rate the solution a nine out of ten."
"All of the features are great."
"It contains almost all the available exploits and payloads."
"The greatest advantage of Rapid7 Metasploit is that it is the only system that can directly exploit vulnerabilities on the Metasploit platform."
"Technical support has been helpful and responsive."
"It is scalable. It's in line with our needs."
"The most valuable features of the solution are the scripts, the modules, and the tools that the Rapid7 Metasploit framework has."
"I don't have any other tools like it, and I always use it when I'm doing a pen test. Metasploit is a great solution for penetration testing,"
"The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there."
"From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that."
"We have integrated it into our software development environment. We have it in a couple different spots. Developers can use it at the point when they are developing. They can test it on their local machine. If the setup that they have is producing alerts or if they need to upgrade or patch, then at the testing phase when a product is being built for automated testing integrates with Snyk at that point and also produces some checks."
"The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: Obtain a particular CDSS score for vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."
"It is a stable solution. Stability-wise, I rate the solution a ten out of ten."
"The most valuable features are their GitLab and JIRA integrations. The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up. Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using."
"Static code analysis is one of the best features of the solution."
"The solution's vulnerability database, in terms of comprehensiveness and accuracy, is very high-level. As far as I know, it's the best among their competitors."
"I think areas with shortcomings that need improvement are more integration and automation."
"The initial setup was a bit "tweaky" for the open-source version."
"Better automation capabilities would be an improvement."
"If your company's patch is not up to date, but you have other detection or defense solutions such as endpoint detection and response and antivirus software, the product exploit may not work effectively. This is because its exploit database update process is slow and not real-time. For zero-day vulnerabilities or new security threats, relying on Rapid7 Metasploit alone may not be effective."
"The solution is not user-friendly and has room for improvement."
"Advanced Infrastructure should be implemented in the next release for better orchestration."
"The solution is not very scalable, it does not provide any automation to be able to scale it."
"Metasploit cannot be installed on a machine with an antivirus."
"There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved."
"It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities."
"The documentation sometimes is not relevant. It does not cover the latest updates, scanning, and configurations. The documentation for some things is wrong and does not cover some configuration scannings for the multiple project settings."
"The tool needs improvement in license compliance. I would like to see the integration of better policy management in the product's future release. When it comes to the organization that I work for, there are a lot of business units since we are a group of companies. Each of these companies has its specific requirements and its own appetite for risk. This should be able to reflect in flexible policies. We need to be able to configure policies that can be adjusted later or overridden by the business unit that is using the product."
"I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks."
"We use Bamboo for CI.CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult."
"The reporting mechanism of Snyk could improve. The reporting mechanism is available only on the higher level of license. Adjusting the policy of the current setup of recording this report is something that can improve. For instance, if you have a certain license, you receive a rating, and the rating of this license remains the same for any use case. No matter if you are using it internally or using it externally, you cannot make the adjustment to your use case. It will always alert as a risky license. The areas of licenses in the reporting and adjustments can be improve"
"The log export function could be easier when shipping logs to other platforms such as Splunk."
Rapid7 Metasploit is ranked 11th in Vulnerability Management with 18 reviews while Snyk is ranked 4th in Application Security Tools with 41 reviews. Rapid7 Metasploit is rated 7.6, while Snyk is rated 8.2. The top reviewer of Rapid7 Metasploit writes "Helps find vulnerabilities in a system to determine whether the system needs to be upgraded". On the other hand, the top reviewer of Snyk writes "Performs software composition analysis (SCA) similar to other expensive tools". Rapid7 Metasploit is most compared with Tenable Nessus, Pentera, Acunetix, Rapid7 InsightVM and Nucleus, whereas Snyk is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, Veracode and GitHub Advanced Security.
We monitor all Vulnerability Management reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.