Rapid7 Metasploit for retail chain

The retailer in question uses Rapid7 Nexpose and Rapid7 Metasploit Pro to secure their environment. Like many organizations in this industry, compliance is the primary driver for having a strong vulnerability management program in place: new PCI DSS requirements for penetration testing were what spurred their initial Rapid7 purchase. Up until that point, the security team had reviewed machines manually to see what patches were missing and what other vulnerabilities needed to be remediated.

“We got to a point where doing it manually was out of the question, given the time frame,” Steve, the company’s Information Security Manager, recalls. “Even a team triple our size couldn’t have gotten it done.”

That’s not to say that Steve considers the organization secure as long as they’re compliant – history has shown that compliant companies can still fall victim to cyberattacks.

“Compliance is certainly a key driver for our vulnerability management program, but just because I can pass a test doesn’t mean I’m secure. We need to take things a step further in order to truly secure the network.”

Both Nexpose and Metasploit can help complete the PCI-required vulnerability scans and penetration tests, but it was the combination of both Nexpose and Metasploit together that caught Steve’s eye. The two products, working in tandem, provide the capabilities he and his team need to go beyond baseline compliance assessments and get actionable security information – discovering assets and threats, assessing the organization’s security posture, and helping patch or implement mitigating controls.

“You get more bang for your buck with both of them” Steve concurs, “It’s what ultimately made me decide to go with Rapid7.”