
Interviews 16.05.2025
Five Minutes With: A Pen Test Pioneer
HD Moore is CEO and founder of attack surface and exposure management specialist runZero
Like a lot of security professionals who were teenagers in the 90s, I got into security somewhat sideways through an interest in hacking, phreaking, and the pirated software scene. There weren’t many legitimate ways to become good at offensive security until much later and I was grateful for landing a job with CSC when I was still in high school, building offensive security tools for the US Air Force. After a year of working on piecemeal projects without a clearance and being paid hourly out of the petty cash account, a few members of my CSC team decided to start their own security assessment firm, and I joined them in creating Digital Defense. During my time there, I built our automated vulnerability scanning (originally with Nessus, and later on a custom framework), and started the Metasploit Project in 2002. Over the years I would split time between consulting, security product startups, and working on open source security tools and research. All of this laid the groundwork for runZero.
My work at runZero is pretty close – I love working with our customers and helping them solve tricky security problems through research and product innovation. In a perfect world I could spend more time on open source and research, but research and tool development needs a dose of reality every so often to keep it relevant.
Over the years, the industry has shifted to thinking about vulnerabilities and the tools that identify them as commodities, when the reality is that we are nowhere near a point of standardisation. Every vendor has their own implementation of standards, every tool excels at some things and fails miserably at others, and a CVE-focused lens on exposure misses the bigger picture.
Around a third of initial access is accomplished through exploitation, with exploits primarily focused on security products at the network edge. This highlights a serious irony in the cybersecurity industry: the tools we buy to protect our networks are often the easiest entry point. We’ve hyper-focused on triaging known vulnerabilities when our real exposures are issues without CVEs or where the CVE has yet to be allocated.
I love learning about our customers, their environments, and helping them find and fix security issues before they turn into incidents. We have an amazing group of users, covering everything from automotive manufacturers to global fish farms. Our free community edition is used by over 30,000 individuals and small businesses.
The easiest folks to hire are T-shaped: broad experience across a wide range of technologies and security topics, with a deep expertise in specific areas. Learn a bit about everything you can and then focus on whatever area interests you the most. Lastly, you need to write code. It doesn’t need to be good code, but so much of security work involves scripting, automation, and consolidating things from multiple sources. If you can’t hack up a script to poll an API, automate a task, or analyse data, you will be at a disadvantage in the job market.
My frustration with pressure from software vendors to make vulnerability disclosure and exploit publication a crime. We were entering a world where only rich companies could afford penetration testing tools and the major software vendors were putting pressure on security researchers to not publicly disclose their findings. The concept of “responsible disclosure” was born as an underhanded way for vendors who shipped vulnerable products to gain the moral high ground when their flaws came to light. Metasploit pushed back hard, and made exploits high-quality, trustworthy, free, and boring. In addition to exploits and disclosure, Metasploit’s focus on AV and IDS/IPS evasion was a reality check against defensive products that didn’t live up to their claims.
Cybersecurity products and innovation used to be driven by hackers. Today, it’s yet another high-growth software market driven by investors and their expectation for growth. This shows up in vulnerability management products in a few ways – treatment of vulnerabilities as commodities, a hyper-fixation on CVE and risk scores, and a lack of investment into the research needed to deliver high-quality, unauthenticated vulnerability checks for better outcomes. Many vulnerability management products, even those initially founded by hackers, are now multi-product suites with shallow features. The results speak for themselves; customers can fix every vulnerability according to the risk scoring algorithms in these products and still get breached through emerging zero-day vulnerabilities. Response time and attention to detail are arguably worse in 2025 than in 2005.
Cybersecurity isn’t a solvable problem in the normal sense; it’s always a race, and often a cat-and-mouse game between attackers and defenders. Attackers will always pick the easiest unprotected path into an organisation. We’ve seen endpoint defences, phishing protection, and browser security improve to the point where the easiest route into a network is often the security appliance at the network edge. The most dangerous types of attacks will continue to shift as attackers are highly incentivised to stay one step ahead of defenders, and at least two steps ahead of the products these defenders use. We need to reframe security not as a series of checkboxes, but as an active battle with determined and highly resourced attackers.
HD Moore is a pioneer of the cybersecurity industry who, since the 1990s, has dedicated his career to vulnerability research, network discovery and software development. He is most recognised for creating Metasploit and is a passionate advocate for open source software and vulnerability disclosure. Prior to founding runZero, HD held leadership positions at Atredis Partners, Rapid7, and BreakingPoint. His professional journey began with exploring telephone networks, developing exploits for the Department of Defense, and hacking into financial institution networks.