Sr. Metasploit Researcher
The Metasploit R+D team is responsible for growing the module repository that makes Metasploit Framework the world’s most popular exploitation framework, and for producing research on offensive techniques and trends that propel the security ecosystem forward. Earlier this year, we released MSF 5 after a long pause between major versions. Now, we’re thinking about the content and capabilities offensive operators need in MSF 6—from new exploits and innovative payloads to more intuitive targeting and stealthier movement within modern environments.
We’re hiring a senior security researcher to develop high-quality modules, ideate and iterate on Framework features, and produce research that captures imaginations and inspires contributions from the security community. This role is based in Rapid7’s Austin, TX office.
Metasploit Team Opportunities
Help Rapid7 and the Metasploit community work together toward a shared vision for the future of Metasploit Framework and its ecosystem. You will work with a talented global team to develop and maintain new modules and payloads for Framework, produce research on trends that pique interest from both offensive and defensive practitioners, and make substantial technical contributions as a senior member of an engineering product team.
Desired Technical Skills
As a senior researcher, you’ll take ownership of scoping and delivering long-term research initiatives. You’ll need to balance development and security research and understand how each enhances the other. A good mix of skills includes:
Knowledge of Metasploit Framework. You understand what it's for and how to use it, and you have opinions on developing module content that makes it better. Strong opinions loosely-held are some of our favorites.
Demonstrable experience writing standalone PoCs or Metasploit modules. Experience in penetration testing, red teaming, mobile security, or security research is highly desirable, as is familiarity with the tooling and techniques used to advance these disciplines.
Experience with Ruby, Python, or Go is a major plus; while Ruby is not necessarily important as your primary language, it is necessary to be able to understand and extend the techniques that Metasploit embodies.
Conversant in distributed and open-source project development. You can review, merge, and rebase with aplomb.
Experience with vuln analysis, fuzzing, reverse engineering, and/or advanced exploitation techniques; familiarity with tools such as WinDBG, OllyDBG, GDB, IDA Pro, Burp Suite, Ghidra, etc.
Strong understanding of modern security mitigations and how to bypass them (e.g., stack cookies, SafeSEH, DEP, ASLR, CFG, and so on), as well as common detection capabilities and how to evade them.
Soft Skills (just as important as technical skills)
As a senior researcher, you’ll bring and hone an instinct for when something belongs in Framework (technique, PoC, enhancement), how to best incorporate it (module, library, integration), and how to turn development trends into public-facing research that excites the community and showcases your technical leadership. Show us how you connect dots and spot patterns.
An appetite for mentorship and knowledge-sharing. Security research is often a solo activity; the desire and ability to communicate your expertise and its impact to others is crucial, and we have a strong preference for researchers who care about guiding and growing teammates.
Ability to learn and dig into code. The Metasploit Framework code base is large and was contributed by hundreds of developers. Not everything is spelled out, but everything is discoverable. Enthusiasm for code spelunking is a prerequisite for success.
Ability to learn and evaluate new technologies quickly. You’re comfortable with and excited about experimentation and uncertainty.
Ability to work asynchronously and directly with a team of co-workers and volunteers from around the globe.
Ideally, you have a body of work you can point to that showcases your research and development interests. Have you published blogs or technical analysis of vulnerabilities, exploits, or techniques that interest you? Written purpose-built tools that made your life easier? Contributed to open-source projects? Show us what you're passionate about, where your curiosity lies, and how you've pulled things together to solve problems for yourself and others.