How has the threat environment changed and how has Metasploit changed with it?
Moore: If you look at the exploit coverage of Metasploit from 2003 moving forward, you’ll see a shift towards client-side exploits and, even more recently, going from client-side exploits to third-party, lesser known software packages. So, as Windows becomes slightly more secure, as Linux distributions are making defaults more secure, disabling services, folks have really had to stretch to find other ways in. And that means going after things like antivirus products, third-party backup services, things that would be overlooked in a pen test.
The Rapid7 acquisition presents an opportunity to marry vulnerability assessment and pen testing. What’s the value of integrating these technologies?
Moore: It depends on your audience. A lot of folks in enterprise IT want to do vulnerability assessment and that’s it. They don’t want to do exploits. A lot of folks on the pen-testing side don’t want to run a vulnerability scanner because it’s too noisy and they’re trying to come in quiet, stealthy w