Cyber Tool Stack
All tools
ASM/BASOpen source · BSD-3-Clause

Metasploit Framework

By Rapid7

The standard open-source penetration testing framework: a huge, continuously updated library of exploits and payloads that security teams use to validate whether vulnerabilities are actually exploitable and whether defenses catch the attempt. Stewarded by Rapid7 since 2009, which sells the separate Metasploit Pro on top of the free BSD-licensed framework.

Verified Source: 1

Product type
Software
Deployment
CLI
Organization size
IndividualSMBMid-marketEnterprise
Pricing tier
Free

Capability checklist

ASM/BAS

How Metasploit Framework measures up against the full Attack Surface Management & Breach/Attack Simulation taxonomy.

External attack surface discovery — not supported
Continuously finds internet-facing assets, domains, and shadow IT before attackers do.
Exposure prioritization — not supported
Ranks discovered exposures using adversary and exploitability context.
Breach and attack simulation — supported
Safely simulates real attack techniques against live defenses to test control effectiveness.
Security control validation — supported
Measures whether existing tools actually detect or block the simulated attacks.
Attack path mapping — not supported
Shows the chained steps an attacker could take from an exposure to real impact.
Continuous testing — not supported
Re-runs simulations on a schedule to catch drift and regressions over time.

Alternatives

Other Attack Surface Management & Breach/Attack Simulation tools with overlapping capabilities, sized for similar teams.

Appears in stacks

Real-world stacks that include Metasploit Framework.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.