ASM/BASOpen source · BSD-3-Clause
Metasploit Framework
By Rapid7
The standard open-source penetration testing framework: a huge, continuously updated library of exploits and payloads that security teams use to validate whether vulnerabilities are actually exploitable and whether defenses catch the attempt. Stewarded by Rapid7 since 2009, which sells the separate Metasploit Pro on top of the free BSD-licensed framework.
Verified Source: 1
- Product type
- Software
- Deployment
- CLI
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
ASM/BASHow Metasploit Framework measures up against the full Attack Surface Management & Breach/Attack Simulation taxonomy.
- External attack surface discovery — not supported
- Continuously finds internet-facing assets, domains, and shadow IT before attackers do.
- Exposure prioritization — not supported
- Ranks discovered exposures using adversary and exploitability context.
- Breach and attack simulation — supported
- Safely simulates real attack techniques against live defenses to test control effectiveness.
- Security control validation — supported
- Measures whether existing tools actually detect or block the simulated attacks.
- Attack path mapping — not supported
- Shows the chained steps an attacker could take from an exposure to real impact.
- Continuous testing — not supported
- Re-runs simulations on a schedule to catch drift and regressions over time.
Alternatives
Other Attack Surface Management & Breach/Attack Simulation tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include Metasploit Framework.