Welcome to the Rapid7 Open Source Toolkit

Otherwise affectionately known as R.O.S.T

Rapid7’s mission is to engineer simple, innovative solutions for security’s critical challenges.

These directives guide not only or portfolio offerings, but our open source tools as well. When projects are started, they are begun with a discussion around the future of the repository with a passonate cry for the open source option. These are the things that we use internally to make our lives easier, faster, and more secure.

We have a deep respect for open source work - we use it throughout our products and tools. One of the best ways we could give back is to provide best-in-breed security, tools, and applications back in open source form.

Learn more about Rapid7's commitment to the security community »

Metasploit and security related

Take advantage of these tools to help secure your environment.

Here in this section, you'll find all the open source things we've created to support our various security initatives. From the many, many metasploit-framework projects, to things like awsaml - which we use to manage AWS key rotation for our CLI development work.

For more information about leveraging the power of Metasploit tools, there's a dedicated page full of helpful resources.

Metasploit Related

  1. hackazon - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
  2. metasploit-framework - World's most used penetration testing software!
  3. metasploit-omnibus - This project creates full-stack platform-specific packages for metasploit-framework. This is not the same as the Metasploit Community edition. It only contains the framework command-line interface and the associated tools and modules.
  4. metasploit-payloads - Unified repository for different Metasploit Framework payloads.
  5. recog - Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
  6. sonar-client - Ruby API Wrapper and CLI for Sonar
  7. ssh-badkeys - A collection of static SSH keys (public and private) that have made their way into software and hardware products.


  1. apt2 - Apt2 is a automated penetration toolkit which can perform scans or import the results of scans from Nexpose, NEssus, or NMap.
  2. awsaml - Awsaml is an application for providing automatically rotated temporary AWS credentials.
  3. backHack - backHack is a tool to perform Android app analysis by backing up and extracting apps, allowing you to analyze and modify file system contents for apps.
  4. guardian - Guardian is a lightweight authentication proxy for HTTP services. It allows authenticating existing web applications without needing to modify the underlying application to support authentication.
  5. myBFF - A Brute Force Framework.

Configuration Management

Alter and secure your configuration without restarting or redeploying.

In this section, you'll find our easy-to-use centralized configuration management tools like Propsd which combines the power of S3 along with Consul to deliver dynamic configuration and catalog changes. We are also including here our tooling for encrypting secrets via Tokend and Warden.

  1. Propsd - A Node.js based configuration management tool relying on the power and availability of S3.
  2. Tokend - A Node.js daemon that interfaces with Vault and Warden to provide a secure method to deliver secrets to servers in the cloud.
  3. Warden - Warden is an authentication middleware service that runs on each node in a Vault cluster

Standard Utilities

Leverage these utilities to develop software faster.

Wether you're trying to integrate GitHub with Active Directory, standardize your development workflow, or just keep your Elasticsearch cluster green, we've written tools that can help. Here you'll find all the things we use on a day-to-day basis that help us innovate and iterate faster.

  1. github-connector - Connect GitHub accounts to Active Directory.
  2. github-notification-proxy - Store and deliver GitHub notifications to protected locations.
  3. builderator - Leverage Vagrant, Packer, and EC2 to standardize your code deployment life-cycle.
  4. convection - A fully generic, modular DSL for AWS CloudFormation.
  5. dogwatch - A Ruby DSL to create DataDog monitors.
  6. elasticsearch-drain - Replace Elasticsearch nodes while keeping your cluster healthy.


Deliver your software the same way - everytime.

We use Chef.io here at Rapid7. Below you'll find a selection of cookbooks used for deploying both third-party products we've we use, the cookbooks needed to deploy several of our tools above, and a growing list libraries.

  1. chef-datadog - Our Cookbook for deploying and configuring the DataDog agent.
  2. chef-etcd - Our Cookbook for deploying and configuring an etcd cluster.
  3. cluster-discovery - This is a library that provides a generic interface to multiple cluster providers. It can be used with or without Chef.