What is our primary use case?
I used the community edition. It's a very handy and powerful product. For a free product, the capabilities are absolutely astonishing.
I used Rapid7 Metasploit as a marketing solution. I was working as a security expert and whenever I would meet a client as a consultant or a freelancer, I would open my laptop and start using the software.
Rapid7 Metasploit is a standalone solution, intended to be used by one person, but it can be used by a few people in a team — maybe 10 people or less.
What is most valuable?
All of the features are great. I used it as a tool for penetration testing. The exploitation capabilities and the development in general are all great. It's open-source and very handy.
What needs improvement?
At the time I was using it, the graphical user interface needed some improvements. It might be better now because there was a very big community behind it, and of course, newer versions are always improved. The free community edition I was using lacked some very specific exploits but, as I remember, under the commercial version, you could find your exploits.
All the features that are available on the command line could be integrated with the graphical user interface.
For how long have I used the solution?
I used Rapid7 Metasploit for more than five years.
What do I think about the stability of the solution?
The earlier versions had some bugs, but the last version, Version Four, was much more stable compared to the previous versions — which we stopped using because of the bugs.
What do I think about the scalability of the solution?
The scalability is not that good.
When you use the command-line interface, not very much of the process is automated. There should always be an expert present to work with the software. Under the GUI, I believe there are some features that can be automated for testing.
The solution was not intended to be automated because penetration testing requires attention and caution because it's done on a live network with line services. Automation can damage the target network or the system on the network.
You can automate the input of data, but the results are not satisfactory.
The scalability should definitely be improved.
How are customer service and technical support?
As it's a free product, the community edition doesn't include any technical support. I haven't used the commercial edition so I can't comment on their support.
In terms of development, the team of developers that supports the software is very active and quick to help. In short, the software is being maintained very actively, and I do believe the customer support should be the same.
I would like to see some support available for the free version; however, there are a lot of open-source materials available to solve any issues, so for me personally, there wasn't any need for technical support.
How was the initial setup?
If you want to install it separately on a fresh new Linux, the solution is still effective. The installation is very, very straightforward.
What other advice do I have?
The great advantage with Rapid7 Metasploit, of course, is that it's free. You can download it and start using it for free, right away. The features are satisfactory, and you can do your job strictly with the free edition. Of course, you could do your job even better with the commercial edition.
There are better products available, like Core Impact, but they are much more expensive.
On a scale from one to ten, I would give Rapid7 Metasploit a rating of eight.