My name is Eray Yilmaz, and I am the new Product Manager of Metasploit. It has been three months since I joined Rapid7, and I wanted to share my experiences with you so far. Before we get to that, here is a tiny bit about myself:
I am 28, married, and a fairly new father. I went to UTSA, where I majored in Information Assurance and Information Systems and received my B.B.A. Like anyone else in our industry, I have done my fair share of IT work, from helpdesk to managing networks, operating systems, etc. Like many geeks out there, I used Metasploit in the past, and now I can proudly announce that I am one of the people responsible for its future.
If you want to learn more about what I have done in the past, feel free to check my LinkedIn profile.
When I learned about the position at Rapid7, the idea of being part of a great group of people who get Metasploit to the next level really excited me. I knew about Rapid7's acquisition of Metasploit, and I was aware of their commercial products, Metasploit Express and Pro. However, I had never used the commercial versions myself, mainly because I haven't done much pen testing in the past couple of years. As I was considering the position and going through the interviews, there were two things that really got my attention:
1. People's Republic of Metasploit (the folks in Austin, TX): During my interview, I was amazed by the dedication and care that the Metasploit Team had for the product. To them, this was not simply a product but something that they truly enjoyed being part of. After the interviews, I was drawn into the role even more, and felt that I needed to be part of this amazing team (yes, we really call ourselves the People's Republic of Metasploit).
2. Rapid7's Take on Metasploit Framework: It was super clear, from day one, that Rapid7 really respects the Metasploit Community and understands its importance. Rapid7 truly believes that Metasploit Framework and Metasploit Community are just as important as our commercial versions. I was really moved by this, since it is really hard to find companies that support open source projects at this level.
At this point, things were looking great, and I went ahead and made the decision to accept the position and move my family to Austin, TX.
Past Three Months
I am not going to lie; the first month was hard. One of the best things about Rapid7 is also one of the hardest things that you have to go through as a new employee. Despite the fact that Rapid7 is a 15-year-old company, it does not act like one. It is very much like a startup, which I like a lot. This is why I was meeting with so many people to learn as much about the company as possible, which felt like drinking from a fire hose sometimes. I spent almost a month trying to understand everything about the company and trying to get to know the Metasploit Team as much as I could.
One of the things I liked the most was how much our customers cared about the product as well. I had numerous customer calls to talk about the product and to listen to their thoughts and feedback on how we can make the product even better. I truly believe that when you have customers invested in your product, not just financially, it makes the team even more dedicated to improving the product.
Before I say anything else, I want to thank our open source community for supporting Metasploit Framework, which would not be the great tool it is today without your support.
Tod Beardsley and I are always brainstorming about how we can push the Metasploit Framework forward. One of the things on our radar is to make educational content available to our users and exploit committers. todb and tdoan are doing great work with the external resource portal to make it easier to locate external educational content. You can expect more initiatives like this to come up in the future.
Metasploit Community / Express / Pro
As I was coming up to speed, I was also learning a lot about the commercial products, specifically Metasploit Pro. It was clear to me that this version gives the user two distinct advantages:
1. Web Interface: We all know pen testing can get really complicated, especially if you are dealing with many targets at one time. One of the advantages of using a graphical interface is that it makes it easier to handle multiple work streams (multi-tasking), thereby improving efficiency and enabling the user to do more things in a short period of time. Metasploit's user interface tries to do just that, making it easier and more efficient for the user. While this is certainly true for users new to pen testing, veteran pen-testers maintain a preference for Framework. That's OK by us. Framework is an awesome product, and with your help it continues to get even better. We will keep investing in the UI version to make pen-testers as efficient as possible. Stay tuned for 2015, as you will see many UI improvements coming up in the near future.
2. Pro Features: Metasploit Pro is powered by Metasploit Framework, along with some additional features, such as metamodules, reporting functions, social engineering features, vulnerability validation wizard, etc. Some of these are additional capabilities that are only available in Metasploit Pro, and some of them are designed to automate common tasks.
I want to finish this blog post by saying that there are many challenges ahead of us, both on the Framework and the commercial side, and we are happy to accept those challenges and convert them into opportunities to make Metasploit even better in the future. I am super happy to be part of the People's Republic of Metasploit.
Eray Yilmaz - @erayymz
Sr. Product Manager, Metasploit