Metaspoiler: Rapid7’s acquisition raises stakes for VA, pen test players
Posted by Paul Roberts on October 21st, 2009 under M&A, Penetration Testing, vulnerability scanning.
The acquisition of open source technology projects by closed source, for-profit ISVs almost always meets with opposition of some form. Usually, the expressed concern is that for-profit owners will throw walls up around the most valuable parts of the code, or siphon off resources to work on commercial projects, leaving the open source bits to die of neglect. In some cases, these concerns are justified. Often, though, they're of the knee-jerk variety: the kind of thing you hear when a favorite independent band gets signed to a major record label.
So it goes with Tuesday's announcement that vulnerability research firm Rapid7 is acquiring Metasploit, the entity behind H.D. Moore's Metasploit Project. The deal adds Metasploit's database of software exploits to Rapid7's NeXpose platform, allowing better risk rating of vulnerabilities based on their exploitability. For Metasploit, Rapid7 provides stable corporate backing and a reliable source of funding for continued research and platform development. Moore has run Metasploit since 2006 as a limited liability company that owned the copyrights to the development code, the trademarks and the domain names, and over that period shifted the project from a hybrid proprietary license to an open source three-clause BSD license. To listen to Mr. Moore (and there's a nice Risky Business podcast interview with him here), the short-term consequence of this deal will be more and better exploits and platform updates for Metasploit, as he takes off the handcuffs imposed by his previous, unrelated corporate gig (application testing firm BreakingPoint Systems) and enjoys the luxury of getting paid to do what he's been doing for free for the last six years.
As my former colleague, the ever-insightful Nick Selby, has pointed out, the key objectives for a corporate-backed Metasploit will be more even and predictable product development, more (and safer) exploits, and that ill-defined "enterprise polish" (most likely in the form of a premium version of Metasploit). But Rapid7 will face other challenges as well. While Moore's white hat bona fides aren't in question, Metasploit straddles the line between professional pen testing tool and force multiplier for script kiddies. So it's no stretch to say that there's some reputation risk here for Rapid7, especially as it balances the desire to pull in Metasploit contributors against the need to expand in lucrative but skittish verticals like government and finance.
But with enterprises of all stripes increasingly interested in risk-based assessments and correlated threat intelligence, the bigger question is what the union of pen testing and vulnerability management, "vulnerability plus exploitability", will mean for competitors in each of those spaces. Vulnerability scanning outfits like nCircle, Sourcefire, Tenable and Qualys (not to mention IBM and McAfee) will feel pressure to provide more context around exploitability to match what NeXpose plus Metasploit offer. In the much smaller world of penetration testing, firms like Core Security and Immunity will watch Rapid7's backing ramp up activity on the Metasploit platform, as H.D. and crew focus their full attention on what has been a side project. In the short term, that won't pose much risk to either vendor. Both have relationships with vulnerability management players: Immunity with Tenable, and Core with nearly every scanner you could possibly deploy. (Core's Technology Partners page reads like a list of every competitor Rapid7 could think of: Tenable, Qualys, nCircle, GFI, IBM ISS and eEye.) Eventually, though, a premium version of Metasploit could land right in the sweet spot between Core and Immunity, balancing usability and platform coverage with quality exploits and enterprise must-haves like stability and support. It won't be free anymore, but it probably won't take too big a bite out of the budget, either.
The open question is whether Rapid7 can walk the fine line between profit-minded ISV and open source sugar daddy. As others have pointed out, Sourcefire has managed to pull this off admirably over the years, while firms like Tenable get lower marks. We're ready to believe H.D.'s and Rapid7's protestations about the importance of keeping Metasploit open source, and their pledges to continue supporting the platform and the community of exploit researchers and users that sustain it. That said, Rapid7 has earned a reputation as a hard-charging, take-no-prisoners kind of company. It's hard to reconcile that with the high-minded, altruistic ideals of H.D. and other Metasploit contributors ("Free code is happy code," Egypt wrote in a blog post announcing his new role at Rapid7). But who knows. Maybe, in this case, the tail will wag the dog.
Lauren Eckenroth, Research Associate at The 451 Group, contributed to this post.

