What is Metasploit?
Last reviewed June 2, 2026
Metasploit is an open-source penetration-testing framework maintained by Rapid7 that organizes security testing capabilities into modules such as exploits, payloads, and auxiliary tools. It is used by authorized penetration testers and red teams to validate defenses, and the existence of a Metasploit module for a vulnerability is a strong prioritization signal for defenders.
What Metasploit is
Metasploit is a penetration-testing framework maintained by Rapid7, with a widely used open-source edition known as the Metasploit Framework. It provides a structured environment for security professionals to assess systems they are explicitly authorized to test.
Rather than being a single tool, Metasploit is a collection of modules and supporting infrastructure that standardizes how testing capabilities are described, configured, and executed. This consistency is part of why it became a common reference point for the security community.
Module types
Metasploit organizes its functionality into module categories. Understanding these categories is useful for defenders interpreting reports and for testers operating under a defined scope.
| Module type | Purpose |
|---|---|
| Exploit | Code that targets a specific vulnerability to gain access or trigger a condition during an authorized test. |
| Payload | Code that runs on a target after an exploit succeeds, such as a session handler used in scoped engagements. |
| Auxiliary | Non-exploit modules for scanning, fingerprinting, and other supporting tasks. |
| Post | Post-exploitation modules used for authorized data collection and cleanup after access to a target is established. |
| Encoder and NOP | Modules that transform payloads, often used to study evasion for defensive research. |
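Defenders reading an engagement report usually meet these categories as module references such as `auxiliary/scanner/portscan/tcp`, whose leading path component is the module type. The following Python is an added example, not code from the page or from the Metasploit project: it classifies such references by that convention and summarizes a constructed tooling log, treating any `post` module run against a host as evidence that access was established there. The log format (`host=... module=... result=...`) is an assumption made for this example; the module paths used in the sample are real Metasploit module names.

```python
# Added example: classify Metasploit module references as they appear in a
# pentest report, using the framework's "type/..." naming convention.
from collections import Counter

# Purpose text follows the module-type table above. Payload references may
# appear with or without a "payload/" prefix, so the prefix is only used
# when present.
MODULE_TYPES = {
    "exploit": "targets a specific vulnerability to gain access",
    "payload": "runs on the target after an exploit succeeds",
    "auxiliary": "scanning, fingerprinting and other supporting tasks",
    "post": "data collection and cleanup after access is established",
    "encoder": "transforms payloads",
    "nop": "transforms payloads (NOP sled generation)",
}


def classify_module_ref(ref):
    """Return (module_type, purpose) for a reference such as
    'auxiliary/scanner/portscan/tcp'. An unrecognised leading component is
    reported as 'unknown' rather than raising, so one odd line in a report
    does not abort the whole summary."""
    ref = ref.strip().strip("'\"")
    head = ref.split("/", 1)[0].lower()
    if head in MODULE_TYPES:
        return head, MODULE_TYPES[head]
    return "unknown", "not a recognised Metasploit module type"


def summarize_report(lines):
    """Count module references per type and collect the hosts against which
    post modules were run (post modules imply access was established)."""
    counts = Counter()
    hosts_with_access = set()
    for line in lines:
        # Only "host=..." records are data; comments and blanks are skipped.
        if not line.startswith("host="):
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        mtype, _ = classify_module_ref(fields.get("module", ""))
        counts[mtype] += 1
        if mtype == "post":
            hosts_with_access.add(fields["host"])
    return counts, hosts_with_access


# Constructed log excerpt (not real engagement data). Hosts are RFC 5737
# documentation addresses; the log line format is assumed for this example.
SAMPLE_REPORT = """
# engagement tooling log, constructed for this example
host=192.0.2.10 module=auxiliary/scanner/portscan/tcp result=ok
host=192.0.2.10 module=auxiliary/scanner/smb/smb_version result=ok
host=192.0.2.10 module=exploit/multi/handler result=session
host=192.0.2.10 module=post/windows/gather/hashdump result=ok
host=192.0.2.11 module=auxiliary/scanner/portscan/tcp result=ok
host=192.0.2.11 module=bogus/thing result=error
""".strip().splitlines()

if __name__ == "__main__":
    counts, hosts = summarize_report(SAMPLE_REPORT)
    for mtype, n in sorted(counts.items()):
        print(f"{mtype:10s} {n}")
    print("hosts with established access:", sorted(hosts))
```

The unknown-type branch matters in practice: report generators and ticketing systems sometimes abbreviate or mangle module names, and a summary that silently drops or crashes on those lines understates what was actually run.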
How a CVE becomes a Metasploit module
After a vulnerability is published as a CVE and proof-of-concept code emerges, a corresponding Metasploit module is sometimes developed and contributed to the framework. The arrival of a reliable module typically lowers the skill required to exercise the vulnerability.
For this reason, defenders treat Metasploit module availability as a prioritization signal that complements other sources. A vulnerability that is in the CISA Known Exploited Vulnerabilities catalog, has a high EPSS score, and has a public Metasploit module should generally be remediated ahead of issues lacking those indicators.
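The prioritization rule above can be made concrete as a ranking function. The following Python is an added example written for this page, not Rapid7 or CISA tooling: it combines KEV listing, public Metasploit module availability and EPSS into tiers, and uses CVSS only to split within a tier. The record fields, the tier boundaries and the EPSS threshold of 0.5 are assumptions chosen for illustration, and the CVE identifiers in the sample are placeholders rather than real advisories.

```python
# Added example: rank vulnerabilities by combining Metasploit module
# availability with CISA KEV listing and EPSS, as described in the text.
# Field names, tier boundaries and the EPSS threshold are assumptions made
# for this example, not a published standard.
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve: str              # identifier (placeholders in the sample below)
    cvss: float           # base severity, 0.0 to 10.0
    epss: float           # estimated exploitation probability, 0.0 to 1.0
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalog
    has_msf_module: bool  # a public Metasploit module exists


EPSS_HIGH = 0.5  # assumed cut-off for "high EPSS"


def priority_tier(v):
    """Tier 0 is most urgent. Confirmed exploitation (KEV) together with a
    public module outranks everything else; any single exploitation signal
    outranks raw severity; CVSS only separates records that share signals."""
    signals = int(v.in_kev) + int(v.has_msf_module) + int(v.epss >= EPSS_HIGH)
    if v.in_kev and v.has_msf_module:
        return 0
    if signals >= 1 and v.cvss >= 7.0:
        return 1
    if signals >= 1:
        return 2
    return 3


def rank(records):
    """Order by tier, then EPSS (descending), then CVSS (descending), and
    return the CVE identifiers in remediation order."""
    ordered = sorted(records, key=lambda v: (priority_tier(v), -v.epss, -v.cvss))
    return [v.cve for v in ordered]


# Constructed sample; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    VulnRecord("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False, has_msf_module=False),
    VulnRecord("CVE-0000-0002", cvss=7.5, epss=0.93, in_kev=True, has_msf_module=True),
    VulnRecord("CVE-0000-0003", cvss=8.1, epss=0.61, in_kev=False, has_msf_module=True),
    VulnRecord("CVE-0000-0004", cvss=5.3, epss=0.70, in_kev=False, has_msf_module=False),
    VulnRecord("CVE-0000-0005", cvss=6.5, epss=0.05, in_kev=True, has_msf_module=False),
]

if __name__ == "__main__":
    for position, cve in enumerate(rank(SAMPLE), start=1):
        record = next(v for v in SAMPLE if v.cve == cve)
        print(f"{position}. {cve}  tier={priority_tier(record)}  "
              f"cvss={record.cvss}  epss={record.epss}  kev={record.in_kev}  "
              f"msf={record.has_msf_module}")
```

In the sample the record with the highest CVSS (9.8) ends up last because it carries no exploitation indicator, while the KEV-listed vulnerability with a public Metasploit module ranks first despite a lower base score; that is the behaviour the text above argues for.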
Keep exploring
- What is Exploit-DB? The public archive of exploits and proof-of-concept code.
- What is remote code execution? A common impact class targeted by exploit modules.
- What is the CISA KEV? A catalog of vulnerabilities known to be exploited in the wild.
- What is EPSS? A score estimating the probability that a vulnerability will be exploited.
- How to prioritize vulnerabilities: combining exploit availability with other signals to rank remediation.
- What is an exploit? The underlying concept that Metasploit modules implement.
Frequently asked questions
- Is Metasploit legal to use?
- Yes, when used against systems you own or are explicitly authorized to test, such as under a signed penetration-testing agreement. Using it against systems without permission is illegal in most jurisdictions.
- Who maintains Metasploit?
- Metasploit is maintained by Rapid7. There is a free, open-source Metasploit Framework as well as commercial editions with additional features.
- What is the difference between an exploit and a payload?
- An exploit is the module that takes advantage of a specific vulnerability, while a payload is the code that runs on the target after the exploit succeeds. Metasploit lets testers combine compatible exploits and payloads within an authorized scope.
- Why do defenders care about Metasploit modules?
- The existence of a reliable module lowers the barrier to exploiting a vulnerability, so it serves as a strong signal to prioritize patching, especially alongside CISA KEV listing and a high EPSS score.