Last updated at Thu, 08 Feb 2024 20:57:30 GMT

Exactly one year ago, Rapid7 acquired the Metasploit Project. Many community members feared that this would be the end of Metasploit's open source era. After all, many open source projects had been turned into commercial offerings at the cost of the community. Most prominently in our space, a widely used vulnerability scanner is no longer open source.

To the surprise of many skeptics, Metasploit is arguably the most successful collaboration between an open source project and a commercial vendor in the market. The Metasploit Framework user base grew more than five-fold this year, we've seen more code commits in the past 12 months than in the previous three years combined, and more than 200 organizations have adopted the commercial editions of the product after only five months of availability.

I joined Rapid7 only three months ago to take on the role of product marketing manager for the Metasploit product line, so I can't take credit for this success, but I would like to share my observations and thoughts with you.

One reason I was excited about the challenge at Rapid7 is that I am very intrigued by the Metasploit “brand”, which has attracted an incredible following. I want to be a part of leveraging it to its full potential, to the benefit of both the community and the customers. We have to serve both sides because we need both grass-roots support and commercial viability for the open source funding to be successful.

Most open source projects are challenged by developers who lack bandwidth and are hard to plan with because they moonlight for the project. At the time of the acquisition, Rapid7 said that it would be investing in open source projects by funding full-time developers who can focus on increasing code quality, turning around bug fixes more quickly, and implementing new features - and many scoffed. But over the past year, Rapid7 has not only demonstrated its desire to help the community but has also followed through on the commitments made one year ago. In addition to the development team, the Metasploit Project is benefiting from the entire Rapid7 back office, including quality assurance, IT operations, and marketing to keep the community informed.

During that time, we've also built a solid, supportable base for commercial products, such as Metasploit Pro, a new software product for advanced penetration testing that Rapid7 announced yesterday. The open source community benefits from a more solid code base, and the commercial customers from a mature product at a competitive price, because it can leverage the contributions from the community. But the involvement of the community means much more to us: it raises the industry bar because it keeps us on our toes, not least through the latest developments and exploits we hear about from our community.

The successful Metasploit collaboration also opened the door for other open source projects to get funded. In the first week after I joined, we also announced the sponsorship of another open source project: w3af. We have started to fund dedicated resources for that project and have opened a center of excellence for Web application security in our new office in Buenos Aires, led by Andres Riancho, the founder of w3af. I'm excited to see what we will be able to report in 9 months, on their one-year anniversary.