What is our primary use case?
We are a solution provider and we offer a variety of services that include security and vulnerability management. Rapid7 Metasploit is one of the products that we use to identify vulnerabilities.
Specifically, Metasploit is for penetration testing. It uses models to check for exploitable vulnerabilities, and if one is detected then we would raise the importance of solving the problem. We normally operate Metasploit at the client site, which helps us to explore and assess the vulnerabilities directly in the environment.
How has it helped my organization?
This solution allows us to offer additional services to our clients. Projects can vary, where one will include vulnerability testing and another may include penetration testing.
One of the services that we provide is security during the development process. This means that beyond user acceptance and performance testing, we are doing all of the security tests. It helps customers ensure that the code they are developing and deploying has all of the necessary security controls.
What is most valuable?
The most valuable feature for us is the support for testing Linux-based web server components.
What needs improvement?
Integration with popular vulnerability scanners would be a useful feature.
Better automation capabilities would be an improvement. For example, if a project is moving from a development to a testing environment, then automation is crucial. We are using Jenkins, JIRA, and other tools for SecOps and DevOps. If somebody is storing code or a project in SVN then it needs to be fully automated. We need the ability for the scanner to run, then have Checkmarx scan them, then exploit the vulnerabilities if any are found.
For how long have I used the solution?
We began working with Metasploit about 15 years ago.
What do I think about the stability of the solution?
I do not have any complaints about stability, as it has been fine.
What do I think about the scalability of the solution?
For the projects that we have worked on, the scalability has been fine. I'm not sure how it would perform in a hybrid environment, but for our on-premises deployment, it is quite a nice product.
We have a team of 12 people and it is used for perhaps 10 large companies.
How are customer service and technical support?
We have not been in contact with technical support.
Which solution did I use previously and why did I switch?
When we do application-level penetration testing, we employ some manual techniques. Metasploit is generally used at the infrastructure level. We did not use another solution prior to this one.
How was the initial setup?
The initial setup is pretty straightforward. We have been working with this product for several years and it isn't a problem for us to set it up. The deployment can be completed in a matter of hours, depending on the size of the environment.
What other advice do I have?
For our needs, which is usually a dedicated environment for our customers, I cannot envision any significant improvements that need to be made.
My advice for anybody who is considering this solution is that it works well as a component in a vulnerability testing platform. We use a combination of tools with a certain level of automation and integration, which gives us the flexibility that we need to accommodate customers with differing needs. There is no one tool in the market that covers everything and ultimately, Metasploit helps to produce the reports that we need.
The biggest lesson that I have learned from using this product is that if proper security checks are not done during the development process then very likely, you will face major vulnerabilities or risks in the production environment.
Overall, it is a very good product for penetration testing.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?