Rapid7 Metasploit Pro Increases Vulnerability Management Efficiency by Leveraging Penetration Testing Intelligence to Validate Security Risks

Rapid7 Helps Security Professionals Prioritize Risk Remediation With Tighter Vulnerability Management Integration

Boston, MA — July 17, 2012

Rapid7, the leading provider of security risk intelligence solutions, introduces today the means to increase vulnerability management efficiency by leveraging intelligence from its powerful penetration testing solution, Rapid7® Metasploit® Pro to validate potential risks. Metasploit extended integration with Rapid7's vulnerability management product, Rapid7® Nexpose, arms security professionals with knowledge of which vulnerabilities can be exploited, enabling them to prioritize remediation efforts for maximum impact. In addition, this simplified approach to risk validation enables security professionals to measure the effectiveness of their mitigation efforts, increasing their credibility in the organization in the longer term.

“Security professionals face a huge and complex challenge and they need to know that they are focusing their efforts on the highest risk vulnerabilities,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “With Metasploit and Nexpose, security professionals can identify which of the numerous potential vulnerabilities are real in-roads for an attacker and prioritize these for remediation, making a more meaningful improvement to the organization's security posture.”

With so many known and unknown threats facing organizations, it can be hard for IT security teams to decide which potential risks they should focus on. A vulnerability that may be dangerous to one organization could be far less significant to another because a compensating control or other defensive solution affects its exploitability. Security professionals often have to work with reports with thousands of vulnerabilities identified: far more than they have time to address. As a result, many IT security teams are focusing on the wrong items and are not able to address the real risks before it is too late. This new Metasploit version delivers a simple solution to this frustration for IT security teams by prioritizing the critical risks.

With this release, Rapid7 provides a closed-loop security risk assessment solution: Metasploit imports vulnerability scanning results from Nexpose, validates risks, and feeds the outcome back into Nexpose to simplify reporting and streamline remediation. Metasploit does this by identifying and testing known exploits that correlate to each vulnerability. The results are listed with information about why a given vulnerability may not have been exploitable. The resulting Nexpose reports then give users straight-forward, pragmatic recommendations on how to remediate each vulnerability. Additionally, users can now group assets in Nexpose based on the powerful tagging capabilities of Metasploit Pro. Once steps have been take to remediate the vulnerabilities, security professionals can then use Metasploit to test the effectiveness of the action taken.

Specifically, Metasploit now tightly integrates with Nexpose by:

  • Importing rich vulnerability data from Nexpose scans, sites, and XML
  • Automatically validating the exploitability of many high-risk vulnerabilities
  • Providing a simplified process to spot-check individual vulnerabilities
  • Pushing granular exploit results back to Nexpose via Vulnerability Exceptions
  • Pushing device classifications back to Nexpose Asset Groups via Metasploit Tags
  • Enhancing Metasploit reports with detailed Nexpose scan data

Security professionals benefit from the integration in the following ways:

  • Quickly identify high-risk vulnerabilities not protected by compensating controls
  • Measure the effectiveness of defensive solutions designed to mitigate vulnerabilities
  • Increase credibility and reduce friction between IT operations and security teams

Pricing and Availability

Metasploit 4.4 is available immediately from www.rapid7.com.

Rapid7 will be providing demonstrations at booth 518 at Black Hat in Las Vegas later this week.


About Rapid7

Rapid7 security analytics software and services reduce threat exposure and detect compromise for 3,000 organizations across 78 countries, including over 250 of the Fortune 1000. We understand the attacker better than anyone and build that insight into our solutions to improve risk management and stop threats faster. We offer advanced capabilities for vulnerability management, penetration testing, controls assessment, incident detection and investigation across your assets and users for virtual, mobile, private and public cloud networks. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.

Media Contact