Rapid7's offensive R+D team is responsible for keeping Metasploit the world's most popular exploitation framework, and for producing vulnerability and offensive research that propels the security ecosystem forward. Earlier this year, we released MSF 5 after a long pause between major versions. Now, we're thinking about the content and capabilities offensive operators need in MSF 6—from new exploits and innovative payloads to more intuitive targeting and stealthier movement within modern environments.
Of Metasploit's 4,000+ modules, exploits have long led the pack and served as our bread and butter. We're hiring a lead exploit developer to create high-value, high-quality exploit and other modules for Framework, and to publish technical analysis that inspires and educates the research community.
We'd prefer candidates who are based in, or willing to relocate to, Rapid7's Austin, TX office. Remote candidates may be considered depending on skills and team fit.
Help Rapid7 and the Metasploit community work together toward a shared vision for the future of Metasploit Framework and its ecosystem. You will work with a talented global team to develop new exploits, produce research on security trends that have an impact on both offensive and defensive practitioners, and make substantial technical contributions as a senior member of an engineering research team.
As a lead R+D team member, you'll take ownership of prioritizing, developing, and delivering exploits that excite Metasploit users and help defenders understand and validate emergent threats. See 0day posted on Twitter? You can determine whether it's worth weaponizing and communicate your analysis effectively to other teams. Patch Tuesday vulns garnering hype from news outlets and dev teams? You have measured opinions on what's useful to attackers and which vulns you'd prioritize for exploit development.
A good mix of skills includes:
Solid experience developing exploits, standalone PoCs, and/or Metasploit modules. Ideally, you should have a body of work you can point to that showcases your vuln research and exploit development interests. Show us how you connect dots and spot patterns!
Experience with vuln analysis, fuzzing, reverse engineering, and advanced exploitation techniques; hands-on familiarity with tools such as WinDBG, GDB, Wireshark, IDA Pro, Burp Suite, Ghidra, etc.
Solid working knowledge of different OS and network structures and protocols; experience with different classes of coding flaws and offensive primitives (e.g. integer/stack/heap overflows, use-after-free bugs, info leaks).
Strong understanding of modern security mitigations and how to bypass them (e.g., stack cookies, SafeSEH, DEP, ASLR, CFG, and so on), as well as common detection capabilities and how to evade them.
Knowledge of Metasploit Framework. You understand what it's for and how to use it, and you have opinions on developing module content that makes it better. The emphasis is on exploits, but scanner, post, payload, and evasion modules are also in scope. Strong opinions loosely-held are some of our favorites.
Conversant in distributed and open-source project development. You can review, merge, and rebase with aplomb.
Experience with Ruby, Python, or Go is a major plus; while Ruby is not necessarily important as your primary language, it is necessary to be able to understand and extend the techniques that Metasploit embodies.
Experience with modern network topologies and application deployment platforms such as AWS, Azure, Kubernetes, and Docker is a plus.
You'll bring and hone an instinct for which exploits and attack techniques offer the most value to Metasploit users and how to communicate the impact of your analysis to internal stakeholders and community members.
The ability to learn ‘just enough' of a language or technology in order to analyze it in the context of a vulnerability.
A knack for speaking truth to power in the service of realistic prioritization—in other words, knowing when to cut your losses and re-focus on something that has a better chance of yielding results.
An appetite for mentorship and knowledge-sharing. Security research is often a solo endeavor; the desire and ability to communicate your expertise and its impact to others is crucial, and we have a strong preference for researchers who care about guiding and growing teammates.
Ability to learn and dig into code. The Metasploit Framework code base is large and was contributed by hundreds of developers. Not everything is spelled out, but everything is discoverable. Enthusiasm for code spelunking is a prerequisite for success.
Ability to work asynchronously and directly with a team of co-workers and volunteers from around the globe.
Show us what you're passionate about, where your curiosity lies, and how you've pulled things together to solve problems for yourself and others.