Metasploit + Rapid7 shakes up pen-test landscape

With the acquisition of Metasploit by Rapid7, the dynamics within the small penetration testing market have changed. We believe that more competition will challenge each of the three main penetration testing software vendors in different ways.
Written by Ryan Naraine, Contributor

Guest Editorial by Nick Selby

With the acquisition of Metasploit (MS) by Rapid7 (R7), the dynamics within the small penetration testing market have changed. We believe that more competition will challenge each of the three main penetration testing software vendors in different ways, and that this new competitive landscape will quickly inure to the benefit of end users and buyers.

To radically simplify, the dynamics have been that Core Security sat at the top of the marketplace in terms of price, scale and enterprise usability; Immunity Security cleaned up at the lower end of the enterprise market and dominated for vendors and professional services types, who also used MS as a free tool.

Immunity has been working on its UI, workflow and backend, steadily but without any great urgency. As its main “competition,” Core, costs literally ten times more for a single seat, and there was no real alternate competition other than MS. Both Immunity and Core have partnerships with vulnerability assessment vendors, but I believe that R7 will be able to market successfully a converged product over time.

R7 has been aggressive in its product development and marketing, and as MS creator HD Moore is nothing if not hyperactive (MS got this far through his relentless late-night and weekend coding) and as MS has been advertising for developers and staff, we can infer that R7 is determined to rapidly integrate MS into its suite. There will of course be integration issues. Among the legions of open-source enthusiasts who are MS fans (the Metasploit 3.x tree, according to Moore, is now under a 3-clause BSD license; earlier, Moore had changed the license from open source to a EULA to prevent commercial exploitation by third parties), there will no doubt be “End is nigh” drama of the sort suffered by Sourcefire and Tenable and other products that have commercialized atop a community-supported project. I assume that both R7 and Moore are smart enough not to kill the golden goose and confident they will manage, ultimately, the community aspect of this.

If R7 and MS are able to clean up usability issues with the product, it will be marketable. What then needs to happen is that R7 and Moore, in his new role as Chief Architect of MS, must create a sustainable, repeatable workflow around the process of development, testing, quality control and rollout of exploits, converting - this is no easy task - from the hair-on-fire but ultimately functioning process Moore has been using for these years. If I had to pick the major marketing and sales disadvantages MS has relative to both Core and Immunity, they are quality control and “safety” of the exploits (not to mention derivation of the exploits, another kettle of fish which must be addressed in the context of community relations). Core and Immunity are expert at these processes - and their attendant post-release support. MS is not and must become so while integrating, transitioning and managing the other issues that come with any acquisition.

Assuming that R7 and MSF are able to integrate and address those issues, then the dynamics will change at both Core and Immunity. You'll note that this analysis is not comparing technical details - the usability of the client-side exploits or the quality of the exploits from Core and Immunity, which the industry agrees are first rate. At this point, what we have is a complex marketing calculation and discussion, not a technical bake-off.

Let's give some credit to R7 and say that it will make MS more user friendly, easy to install and use, and that it will give it the correct help desk stuff to soothe enterprise buyers. At that point, it has an advantage over Immunity - which philosophically believes its UI is the most elegant to support the workflow and mindset of a penetration tester, but which it admits is less polished than the average enterprise-ready application. This plays directly against Core's chief selling proposition - ease of use and enterprise-class polish and support. Core will begin to feel pricing pressure where it never has before. I have often said that anyone who can afford Core should buy Canvas and probably already has MS. As R7 begins to pressure and erode Core's per-seat price, this calculus will change for Core.

Immunity, on the other hand, will likely continue to sell well. In fact, we see Immunity Canvas sales rising slightly as R7 will spend good money and time promoting the functionality, differentiating penetration testing from vulnerability analysis (see below) and generally helping Immunity by marketing the “why should I pen-test?” proposition. A rising tide of marketing dosh raises all boats, and Immunity will benefit from a standpoint of sales. Where Immunity will suffer is in the development dollars it will feel pressured to spend to improve the UI faster than it may have otherwise wished. The team in Miami has a plan - a good one - for getting the UI and the backend framework to a new level, and it has been executing admirably on that plan. However, I believe that in the newly-shifted landscape in which it finds itself, Immunity may have to accelerate the timeline of these improvements, which will require a shift of resources within the firm to accommodate. Immunity is clearly capable of doing this.

The problem faced by all three which has been aggravated by this acquisition is the most problematic aspect of the competitive field in penetration testing - people conflate pen testing and vulnerability analysis. At IANS Forums for the last year, I've been running sessions on developing internal pen testing resources (the next one is Chicago on 2-3 November). During these sessions, I regularly ask delegates whether they are currently running pen test software and if so which. In every session, someone says that they run Nessus or Qualys and think they are pen testing when they are assessing vulnerabilities. The fact that R7 is known as a vulnerability scanning company is trouble enough for the firm, which is diversifying its offering. To add pen testing to its mix confuses customers, and R7 will have to spend wisely on marketing. We note that Core has been marketing aggressively for years and surmounted many challenges in the space; despite the success and aggression and audacity of its campaigns to date, these confusions remain in the industry. So Core, too, will benefit from R7 entering the market from a marketing standpoint. In the end, Core may find that even if it must eventually reduce its price (something it will resist mightily), its volume will likely increase as the market becomes more educated.

The best thing about the acquisition is that enterprise customers now have three legitimate, sue-able and responsible organizations proffering tools for penetration testing. Quality will likely rise, average price will likely fall, and functionality will likely increase. This is a good time to be in the market for pen-test software.

* Nick Selby is Managing Director of Trident Risk Management.  This essay first appeared on the IANS blog.
