Security Researcher - Metasploit

  • R7865
  • Prague, Czechia

The Metasploit R+D team is responsible for growing the module repository that makes Metasploit Framework the world’s most popular exploitation framework, and for producing research on offensive techniques and trends that keep pushing the security ecosystem forward. This year, we released MSF 6.4 with new offensive capabilities. Now, we’re thinking about the content and features offensive practitioners need in MSF 7—from new exploits and innovative payloads to more intuitive targeting and stealthier movement within modern environments. 

Want to help us get there? We’re hiring a security researcher to develop high-quality modules and produce research that continues to inspire contributions and interest from a growing community. 

About the Team

Help Rapid7 and the Metasploit community work together toward a shared vision for the future of the Metasploit Framework and its ecosystem. You will work with a talented global team to develop and maintain new modules and capabilities for Framework, produce research on trends that pique interest from both offensive and defensive practitioners, and make substantial technical contributions as a key member of a cross-functional team. You will have the opportunity to diagnose and understand user needs directly. The community is your customer!

About the Role

As a Metasploit researcher you’ll need to balance module development and security research and understand how each enhances the other. A good mix of skills includes:

  • Knowledge of Metasploit Framework. You understand what it's for and how to use it, and you have opinions on how to develop module content that makes it better. Strong opinions, loosely held, are some of our favorites.

  • Experience writing standalone PoCs or Metasploit modules. Experience in penetration testing, red teaming, mobile security, or security research is a plus, as is familiarity with the tooling and techniques used to advance these disciplines.

  • Experience with Ruby, Python, or Go is a major plus; while Ruby is not necessarily important as your primary language, it is important to be able to understand and extend the techniques that Metasploit embodies. 

  • Experience with common vulnerability classes such as buffer overflows, command injection, and insecure deserialization.

  • Conversant in distributed and open-source project development. You can review, merge, and rebase with aplomb.

  • Interest in vuln analysis, fuzzing, reverse engineering, and/or advanced exploitation techniques; familiarity with tools such as WinDBG, GDB, IDA Pro, Burp Suite, etc.

  • Understanding of modern security mitigations and how to bypass them (e.g., stack cookies, SafeSEH, DEP, ASLR, CFG, and so on). 

Soft Skills (just as important as technical skills):

  • Interest in hacking and hacker culture, genuine curiosity about how things work, and willingness to figure stuff out.

  • Ability to learn and dig into code. Metasploit Framework comprises more than a million lines of code contributed by hundreds of developers. Not everything is spelled out, but everything is discoverable.

  • Ability to learn and evaluate new technologies quickly. You’re comfortable with and excited about experimentation and uncertainty. The R+D team encounters and analyzes lots of artifacts and oddities on a regular basis: CVEs, PoCs, vulnerable applications, vendor patches, blogs, pastes, Twitter threads, stack traces, error messages, you name it. You’ll bring and hone an instinct for when something belongs in Framework, how to best incorporate it (e.g., module, library, integration?), and what strikes a balance between “intuitive for users” and “maintainable for developers.”

  • Ability to work asynchronously and directly with a team of co-workers and volunteers from around the globe.

Ideally, you have a body of work you can point to that showcases your research and development interests. Have you published blogs or technical analysis of vulnerabilities, exploits, or techniques that interest you? Written purpose-built tools that made your life easier? Contributed to open-source projects? Show us what you're passionate about, where your curiosity lies, and how you've tried to pull things together to solve problems for yourself and others.

We know that the best ideas and solutions come from multi-dimensional teams: teams reflecting a variety of backgrounds and professional experiences. If you are excited about this role and feel your experience can make an impact, please don’t be shy - apply today.

About Rapid7

Rapid7 is creating a more secure digital future for all by helping organizations strengthen their security programs in the face of accelerating digital transformation. Our portfolio of best-in-class solutions empowers security professionals to manage risk and eliminate threats across the entire threat landscape, from apps to the cloud to traditional infrastructure to the dark web. We foster open source communities and cutting-edge research, using these insights to optimize our products and arm the global security community with the latest in attackers' methods. Trusted by more than 10,000 customers worldwide, our industry-leading solutions and services help businesses stay ahead of attackers, ahead of the competition, and future-ready for what’s next.
