From the streets to cyber fame: how HD Moore created Metasploit

13.08.2025 22 minutes Author: Lady Liberty

HD Moore is one of the most prominent figures in the world of cybersecurity, whose story has inspired generations of ethical hackers. His journey began with a homemade computer assembled from discarded parts and a curiosity that led him to new knowledge. The desire to make pentesting tools accessible to everyone led to the creation of the Metasploit Framework, an open platform that combined exploits, modules, and payloads in one flexible environment.

How HD Moore broke barriers and rules

The name James Moore is familiar to everyone involved in pentesting. The creator of the legendary Metasploit Framework, he took a path far removed from the classic Silicon Valley success story: Moore doesn’t have a PhD, a multi-million dollar startup, or an office in California. Instead, he has school-age reverse engineering experiments commissioned by the US Air Force, computers disassembled from the trash, and nights in underground IRC chats discussing hacking telephone networks and financial systems.

How did a teenager who was fond of phreaking and assembling PCs from discarded parts become one of the most influential people in information security? What led him to create Metasploit, a tool that changed the approach to pentesting? In this article, we will tell the story of HD Moore: from the first hacking experiments to the framework that is used today by both cybercriminals and intelligence agencies.

How poverty and garbage cans shaped the worldview of the future creator of Metasploit

James was born in 1981 in Honolulu, but his childhood was not much like a Hawaiian paradise. The family lived below the poverty line – during his school years he changed 12 educational institutions in 13 different states. Constant moving and financial difficulties led to the fact that James’s family literally mined “resources” in garbage containers. That’s how he assembled his first PC – from someone’s discarded cases, motherboards and hard drives, adopting the principle: “you can’t buy – do it yourself”.

Social isolation and frequent changes of schools turned the Internet into his only stable “home”. In the 1990s, IRC channels became Moore’s first real community: there he found like-minded people, mastered phreaking (hacking telephone networks) and studied vulnerabilities in software.

At the age of 16, Moore made a radical decision – to drop out of school. This gave him an unexpected advantage: while his peers sat in class, he could devote 12–14 hours a day to studying computer systems. And the time for experiments turned out to be very appropriate – the golden age of hacking was coming: the industry had neither cybersecurity standards nor pentest tools. Companies and government agencies protected their infrastructure as best they could, often blindly. There was no division into ethical and unethical hackers; you could take any system and explore it simply because it was interesting.

For Moore, hacking has always been research, not vandalism. In various interviews, he compared his teenage experiments to archeology: “We didn’t think about ‘good’ or ‘bad’ – we just looked for interesting systems and figured out how they worked.”

Moore’s approach was different from the typical “underground” hacker: instead of demonstrative hacks, James methodically documented each vulnerability he found, creating a knowledge base that would form the basis of Metasploit. And, despite his youth, he quickly stood out in the hacker community. He had a good technical background (thanks to his experience in “assembling” computers) and unconventional thinking. IRC chats became a platform for communication for the young hacker, where everything was discussed: protocols, vulnerabilities, and network access schemes. Soon, Moore was noticed, in particular, by contractors for the US Air Force.

One day, out of the blue, a stranger texted me: “Are you looking for a job by any chance?” I said, “I’m not.” He asked me how far I was from San Antonio. I said, “I can drive there, no problem.”

He ended up getting me an interview at Computer Sciences Corporation (CSC). The company was a contractor for AFIC, the intelligence arm of the U.S. Air Force. They were developing red-teaming tools.

I thought, writing exploits for the military? Sounds cool. That’s what I like.

A young hacker with no degree or formal education was asked to write software that would find vulnerable computers, monitor network traffic, and test systems for vulnerability. In essence, it was his first paid job doing what he had been doing on IRC: finding vulnerabilities. Only now was his hacking “legal.”

“I was a terrible programmer,” Moore laughed, recalling his first Air Force projects. “But the military didn’t need pretty solutions, they needed tools that just worked.” This principle—functionality over elegance—later became the basis of the hacker’s philosophy.

Even before IRC, Moore had been researching old-school telephone networks. Using a program called ToneLoc, he scanned Austin’s 512 area code, connecting to everything that answered the call, from HVAC controllers in stores to radio transmission systems. Such a large-scale search required a lot of phone lines—James’s house had three regular phone lines and one ISDN.

“As soon as Mom went to bed, I would hook up computers to all the lines and scan the area all night.”

Having earned respect in a structure where it is not customary to trust anyone, Moore simultaneously began to take projects from private companies: small businesses, financial institutions – those who were beginning to understand that digital security is a necessity. It was then that he began to realize that the industry had neither adequate tools nor any consistent approach. Each pentest was manual work, and it was almost impossible to reuse any of it. Available exploits either did not work in practice or left too noticeable traces in the system.

Moore, whose career had started with a chance message on IRC, understood that the industry needed a tool – a single, flexible, modular one. Something that he himself had never had at hand.

To lead what you cannot defeat

In the early 2000s, the cybersecurity industry faced a serious problem. On the one hand, the number of vulnerabilities was growing exponentially. On the other hand, the tools for exploiting and testing them were fragmented, poorly documented, and available only to a narrow circle of experts.

An example of a very “clear” description of how an exploit works

Hacker groups like ADM (The Atlantis Destroyers of Milano), TESO (Team TESO), and LSD (Last Stage of Delirium) operated like closed elite clubs. They created powerful exploits, but shared them only within their circle. This culture of secrecy meant that access to fresh exploits could only be gained if you knew the right people, were accepted into the group, and proved your “uniqueness.” Novices were allowed in, but knowledge was passed down only from teacher to student. This created an artificial scarcity: many talented security professionals could not access the tools they needed to do their jobs. It was this gap between those who created exploits and those who were supposed to protect systems that would later lead to the creation of Metasploit.

Paradoxically, Moore experienced this elitism himself. Despite his skills and knowledge, he did not fit into any closed hacking community. Perhaps the reason was his important position that “knowledge should be shared.” The result was natural: one of the most talented hackers of his generation found himself excluded from the “cool guys’ club.”

The transition to Digital Defense and the birth of the idea of Metasploit

Moore’s team conducted pentests with impressive results – it was easy to hack the system and gain full control over the entire perimeter. However, clients were skeptical of reports on vulnerabilities found and demanded concrete evidence of a real threat. And here the main difficulties began: existing exploits often did not work or were too “noisy” for professional use. They had to look for working tools on dubious FTP servers or IRC chats, risking catching a virus. But a professional cannot run random code downloaded from the Internet on the client’s corporate network. Reliable, proven tools were needed, and the hacker community was in no hurry to share its developments with commercial companies.

When CSC abandoned commercial pentests, Moore’s team moved to the startup Digital Defense. It was there that Moore realized that there was a deep gap between the elitism of hacker groups and the practical needs of pentesters, which needed to be bridged.

Pentesters became hostages of the system: to protect customers, they had to take risks by using untested exploits. “We were essentially doing the same thing that regular hackers were doing, searching for code in underground chat rooms. The only difference was that we were writing reports afterwards,” joked Moore.

At that time, Core Impact, the first commercial pentesting framework, appeared on the market. The license price reached $40,000, which made it inaccessible to most specialists. It was a vicious circle: elite groups created tools only for internal use, commercial solutions were too expensive, and there were no high-quality open-source alternatives.

The Digital Defense experience was the last straw for Moore. By the early 2000s, he was finally tired of the absurd situation in which pentesters found themselves: to prove to the customer the reality of the threat, a working exploit was needed, but such an exploit could only be obtained through fire, water and a high risk of infecting one’s own system.

That’s when Moore had the idea to create “his TESO at home.” His approach was radically different from the principles of closed hacker groups: maximum openness and accessibility for everyone. James wanted to create a framework that could be used by any information security specialist, regardless of his connections and affiliation with any groups or corporations. The first technical solutions were revolutionary not so much in essence as in approach. Moore began to collect and standardize exploits, to create a single documentation that anyone could use.

Creating a framework

Title slide from the tool’s presentation at Defcon XII with a bold slogan

Moore had a moment of enlightenment while studying the Windows API documentation. He suddenly realized that most exploits use the same principles. The technical essence was simple but ingenious: create a database of shellcodes that could be reused. Instead of writing exploits from scratch each time, they could be assembled from ready-made components, like Lego, and shared.

In 2003, Moore created the first version of Metasploit with a text interface – a modest set of 11 Windows exploits and 27 payloads, written in Perl. However, the real value of the framework was not in the number of components, but in the fact that they were interchangeable. Exploits, payloads, and protection bypass mechanisms could now be combined – and this radically simplified the work of pentesters.
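The interchangeability described above, as an added example that is not Metasploit’s own code: a toy Ruby model in which exploit and payload modules are separate objects, each declaring the platform and architecture it works for, the exploit declaring how much room it leaves for a payload and which bytes it cannot carry, and a registry matching them automatically. Real Metasploit modules declare similar metadata (platform, architecture, payload space and bad characters); the module names, sizes and byte strings here are constructed stand-ins, not real exploits or shellcode.

```ruby
# Added example (not Metasploit's own code): a toy model of the modular idea.
# Exploits and payloads are independent components; the framework decides
# which pairs fit instead of a human hand-assembling each one.

# An exploit module: describes the target it works for and the constraints
# it imposes on whatever runs after it. All values below are constructed.
Exploit = Struct.new(:name, :platform, :arch, :space, :badchars)

# A payload module: what runs after the exploit succeeds. `bytes` is a
# constructed placeholder string standing in for machine code.
Payload = Struct.new(:name, :platform, :arch, :bytes)

# Two separately extensible collections, as in a real framework.
class Registry
  attr_reader :exploits, :payloads

  def initialize
    @exploits = []
    @payloads = []
  end

  def add_exploit(e)
    @exploits << e
  end

  def add_payload(p)
    @payloads << p
  end

  # Payloads usable with a given exploit: same platform and arch, small enough
  # for the space the exploit leaves, and free of bytes the exploit cannot
  # deliver. (A real framework would try an encoder for the last case; this
  # toy simply rejects the payload.)
  def compatible_payloads(exploit)
    @payloads.select { |p| incompatibility_reason(exploit, p).nil? }
  end

  # Explain which constraint failed, or nil when the pair is compatible.
  def incompatibility_reason(exploit, payload)
    return "platform mismatch" if payload.platform != exploit.platform
    return "arch mismatch" if payload.arch != exploit.arch
    if payload.bytes.bytesize > exploit.space
      return "payload too large (#{payload.bytes.bytesize} > #{exploit.space})"
    end
    return "payload contains bad chars" if contains_badchars?(payload.bytes, exploit.badchars)

    nil
  end

  private

  def contains_badchars?(bytes, badchars)
    badchars.any? { |c| bytes.include?(c) }
  end
end

# Constructed sample registry: two exploits, four payloads.
def sample_registry
  r = Registry.new
  r.add_exploit(Exploit.new("win_svc_overflow", "windows", "x86", 400, ["\x00", "\x0a"]))
  r.add_exploit(Exploit.new("linux_ftp_overflow", "linux", "x86", 64, ["\x00"]))
  r.add_payload(Payload.new("windows/shell_bind", "windows", "x86", "A" * 300))
  r.add_payload(Payload.new("windows/big_stager", "windows", "x86", "B" * 500))
  r.add_payload(Payload.new("windows/null_byte", "windows", "x86", "C\x00C"))
  r.add_payload(Payload.new("linux/shell_bind", "linux", "x86", "D" * 60))
  r
end

# Names of payloads the registry would offer for a given exploit.
def compatible_names(registry, exploit_name)
  exploit = registry.exploits.find { |e| e.name == exploit_name }
  registry.compatible_payloads(exploit).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  reg = sample_registry
  reg.exploits.each do |ex|
    puts "#{ex.name}: #{compatible_names(reg, ex.name).join(', ')}"
    reg.payloads.each do |p|
      reason = reg.incompatibility_reason(ex, p)
      puts "  rejected #{p.name}: #{reason}" if reason
    end
  end
end
```

The point of the example is the separation of concerns: adding a new payload to the registry makes it available to every exploit whose constraints it satisfies, and adding a new exploit gets every fitting payload for free.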

Moore himself later admitted that the first versions of Metasploit “looked fast.” But the code worked, and most importantly, it could be understood and modified by other developers. Unlike elite groups that created “works of art” accessible only to their authors, Moore created working tools for mass use.

The first versions of Metasploit resembled a chaotic collection of scripts that Moore had stored on his PC for years. “No documentation, no system — just a folder of files that I somehow understood.” But even such a “half-finished product” was a breakthrough: now pentesters had a centralized tool with exploits that did not try to infect their clients. The problem was keeping it up to date: new vulnerabilities appeared every day, and Moore had to track them on an ongoing basis. It was then that it became clear that Metasploit had to transform from a personal project into a joint endeavor.

By 2006, the number of exploits had increased significantly

By 2007, the Metasploit Framework had been completely rewritten in Ruby. The move from Perl was not just a technical decision, but a philosophical one.

Ruby, with its philosophy that “programmers should enjoy their code,” was a perfect fit for a project that was being developed by a community of enthusiasts. Open source became a weapon against corporations trying to monopolize the security tools market. Instead of paying tens of thousands of dollars for a license, anyone could download Metasploit for free and start using it.

Feel the vibes of 2007

Why everyone hated Metasploit

The success of Metasploit put Moore at war with virtually every industry player. Each side had its own claims against his creation.

James’s employers didn’t want to be responsible for releasing an exploit that anyone could use to hack someone else’s system — after all, anyone could download the tool and attack the company’s infrastructure. The logic was simple: if no one knew about the vulnerability, it didn’t exist.

Hackers were outraged that their secrets were publicly available: exploits that had sold for thousands of dollars were now free. Metasploit was destroying their business model, which was based on the scarcity of information. For example, in the first week after the launch of the Month of Browser Bugs campaign (2006), Moore received an angry letter from a Russian-speaking hacker who complained that the publication of the vulnerability had deprived him of income.

Others expressed their displeasure in a different way – through DDoS. For example, when Metasploit added an exploit for a vulnerability that the operators of one botnet relied on, they launched a DDoS attack on the project’s website. Moore changed the DNS records of metasploit.com so that they pointed to the botnet’s C2 servers. As a result, the infected machines began to storm their own infrastructure, and soon the operators lost control of it.

A week later, the hackers wrote a letter to Moore asking him to “turn everything back.” The answer was simple: “Only if it doesn’t touch us anymore.” They didn’t touch us anymore.

Another example of a hacker attack on Metasploit

The hacker underground was not the only one to do this – corporations also joined the pressure on Metasploit. They tried to criminalize the project itself: lawyers from large companies threatened lawsuits, and some government agencies considered Metasploit a threat to national security.

To check the system for vulnerabilities, you need appropriate tools. But no one asks the pentester where he gets them from. Everyone simply assumes that if “you are a hacker”, then somehow you will manage on your own. But you can’t reinvent the wheel every time to bypass protection. You need a set of proven tools that you trust and that will not harm the client. And here another question arises: if you made such a tool and put it in the public domain, and someone then uses it for a crime – to what extent are you responsible for this?

Legal problems haunted James. Summonses from various law enforcement agencies, threats, and attempts to ban the distribution of Metasploit were all part of everyday reality. A vivid example of the duality of the situation was Moore’s first shellcode for Windows. As soon as it appeared in the public Metasploit collection, it was almost instantly integrated into the Blaster worm – one of the most destructive network worms of 2003.

According to researchers, in 2020 alone, more than a thousand malicious campaigns used Metasploit as a basis for attacks. But Moore remained adamant: he saw hypocrisy in the concept of “responsible disclosure of vulnerabilities.” Practice showed that only the interests of corporations were protected, not users. Moore’s philosophy was radical: public disclosure of vulnerabilities forces companies to fix problems faster and increases the overall level of security in the industry.

And Microsoft is against it!

An excellent illustration at that time was Moore’s confrontation with Microsoft. James’s first startup was a partner of the corporation, which gave the company discounts on MSDN licenses and other benefits. Microsoft used this as leverage and decided to act preemptively: a representative of the corporation began to regularly call the management with the same demand, to fire Moore.

The pressure was applied methodically and ruthlessly: Microsoft understood that for a small startup, the loss of partner privileges could be a disaster. Moore’s colleagues, his boss, the CEO – all of them suddenly found themselves under the sights of a corporate machine that demanded one thing: to silence an inconvenient person. This was not just a business decision – it was an attempt to destroy the career of Moore, who dared to tell the truth.

Moore’s blog entry from March 2006

If the corporation thought it could intimidate him with threats, it was sorely mistaken: instead of retreating, Moore redoubled his efforts. Together with like-minded people, he focused on automated search for vulnerabilities in ActiveX, developing a browser fuzzer that ran on the JavaScript engine of Internet Explorer.

At first, Moore tried to act according to the rules, methodically reporting the detected problems to Microsoft. But the corporation seemed to ignore his efforts. Month after month, the vulnerabilities remained unpatched, and Microsoft did not provide any clear answers. Patience ran out, and the hacker made a radical decision, launching a campaign to attract attention called “Month of Browser Bugs”. The strategy was simple: flood Microsoft with vulnerabilities in order to force the company to abandon this dangerous technology. Moore did not just criticize ActiveX – he declared war on it.

Moore’s personal blog entry from June 2006

After thirty or forty published vulnerabilities, Moore made a statement that finally got through to Microsoft: “We have two or three hundred more of these. We can go on all year.”

This was not an empty threat – it was a demonstration that the problem was systemic, and that ActiveX could not be made secure by definition. But the real climax of the confrontation occurred in Malaysia, at the Hack the Box conference, where Moore came to announce the creation of Metasploit. The irony of the situation was that Microsoft sponsored the event and organized a Capture the Flag competition, offering anyone interested a fully updated Windows 2003 Server as a hacking target. For Moore, this was the perfect opportunity to publicly demonstrate the vulnerability of Microsoft products.

He decided to participate in the CTF and began fuzzing: he wrote his own utility that automatically sent random commands and data to the server while monitoring for any failures in its operation. Moore soon managed to trigger incorrect system behavior. He analyzed the data that caused the crash and, based on it, created an exploit that provided remote access to the server, despite its fully updated state and the absence of known documented vulnerabilities. When James reported the find to Microsoft representatives, they offered to pass it through official channels. However, having already had a negative experience of interacting with the company and having seen his earlier reports ignored, he refused and demanded to know what guarantees and rewards Microsoft was offering.

Neither guarantees nor rewards were planned to be given to him. Moore contacted the organizers of the competition, informing them of Microsoft’s attempts to force him to hide the vulnerability he had found. It was an open challenge: the researcher publicly stated that he refused to submit to pressure from the company that sponsored the event. Almost immediately, the corporation began offering jobs to those who supported Moore, trying to buy their silence.

The war with Microsoft also had its share of “lightning bolts.” In 2005, realizing the need for a dialogue with the community, the company began inviting outside experts to BlueHat, a closed conference to discuss vulnerabilities in internal products. Microsoft had fought hackers in court for decades, and now it brought them to the holy of holies — to an internal meeting with developers.

Moore knew one of the speakers and invited him to join his speech; he had something to talk about. At the time, he was working on an experimental utility called KarMetasploit. The tool was based on a vulnerability related to Wi-Fi, typical of those years. Many laptops and mobile devices automatically connected to previously saved access points without checking their authenticity. This allowed an attacker to create a fake point with the same SSID, and the devices would connect to it, believing it to be legitimate.

KarMetasploit went even further: instead of impersonating a specific access point, Karma simply accepted the connection request, regardless of the name of the network the client was looking for. That is, any device requesting a connection to “CorpWiFi” or “HomeNet” would immediately receive confirmation from the fake access point that this was the network and connect to it. Once connected, the device would begin normal network traffic – for example, trying to connect to file services, check the availability of corporate resources, initiate a VPN connection, or even send credentials for NTLM authentication. Moore added exploits, sniffers, and interceptors to the mix that allowed it to collect NTLM hashes of transmitted passwords and automatically launch exploits against devices that connected if they had known vulnerabilities. In some cases, it was possible to seize control of the system if the client was vulnerable.
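The behaviour described above has a simple defensive signature: a legitimate access point answers probe requests only for the handful of SSIDs it actually serves, while a Karma-style access point answers for whatever name a client asks about. The following is an added example (not part of the original article and not KarMetasploit’s or Metasploit’s code) that runs two detection heuristics over a constructed log of probe responses as a passive wireless sensor might record them: flag any BSSID that claims many unrelated SSIDs, and flag any BSSID outside the known inventory that claims a corporate SSID. The log lines, the corporate SSID name and the inventory BSSIDs are all constructed for the example.

```ruby
require 'set'

# Constructed sample of probe responses seen by a passive wireless sensor.
# Format: <timestamp> <bssid> <ssid the response claims to serve>. Not real data.
SAMPLE_LOG = <<~LOG
  2025-08-13T10:00:01 aa:bb:cc:dd:ee:01 CorpWiFi
  2025-08-13T10:00:02 aa:bb:cc:dd:ee:01 HomeNet
  2025-08-13T10:00:03 aa:bb:cc:dd:ee:01 Coffee Shop Guest
  2025-08-13T10:00:04 aa:bb:cc:dd:ee:02 CorpWiFi
  2025-08-13T10:00:05 aa:bb:cc:dd:ee:02 CorpWiFi
  2025-08-13T10:00:06 aa:bb:cc:dd:ee:03 HomeNet
  this line is garbage and must be ignored
LOG

# Assumed inventory: the SSIDs the organisation runs and the BSSIDs that
# are allowed to announce them (constructed values).
KNOWN_CORP_SSIDS = ["CorpWiFi"].freeze
KNOWN_CORP_BSSIDS = ["aa:bb:cc:dd:ee:02"].freeze

# timestamp, then a MAC address, then the SSID (which may contain spaces).
LINE_RE = /\A(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(.+)\z/

# Parse the log into records; malformed lines are skipped rather than crashing.
def parse_probe_responses(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip)
    next unless m
    { ts: m[1], bssid: m[2], ssid: m[3] }
  end
end

# Map each BSSID to the set of distinct SSIDs it has claimed.
def ssids_by_bssid(records)
  records.each_with_object(Hash.new { |h, k| h[k] = Set.new }) do |r, acc|
    acc[r[:bssid]] << r[:ssid]
  end
end

# Karma heuristic: an AP that answers "yes" to many unrelated network names
# is behaving as a probe-response catch-all. The threshold is a tuning knob;
# a real deployment would set it from the site's own baseline.
def karma_suspects(records, threshold: 3)
  ssids_by_bssid(records).select { |_, s| s.size >= threshold }.keys.sort
end

# Evil-twin heuristic: a corporate SSID announced by a BSSID not in inventory.
# Returns [[bssid, [claimed corporate ssids]], ...].
def evil_twin_suspects(records, corp_ssids: KNOWN_CORP_SSIDS, corp_bssids: KNOWN_CORP_BSSIDS)
  wanted = Set.new(corp_ssids)
  ssids_by_bssid(records).filter_map do |bssid, ssids|
    next if corp_bssids.include?(bssid)
    hit = ssids & wanted
    [bssid, hit.to_a.sort] unless hit.empty?
  end.sort
end

if __FILE__ == $PROGRAM_NAME
  records = parse_probe_responses(SAMPLE_LOG)
  puts "parsed #{records.size} probe responses"
  puts "karma-style catch-all APs: #{karma_suspects(records).inspect}"
  puts "unknown APs claiming corporate SSIDs: #{evil_twin_suspects(records).inspect}"
end
```

Both heuristics work on data a defender already has from a wireless IDS or a monitor-mode capture, and neither needs to know anything about the clients: the tell is entirely in what the access point is willing to claim. The counterpart on the client side is the behaviour the article points at, automatic reconnection to any network with a remembered name, which is why modern operating systems stop probing for saved networks by name and why enterprise Wi-Fi validates the network with 802.1X rather than trusting the SSID.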

Moore decided to use his own tool on a flight to a conference. By running the utility, he was able to collect many password hashes of Microsoft employees flying near him.

Moore’s blog entry from June 2006

The standoff with Microsoft hardened Moore and showed him the true nature of corporate power in the IT industry. It was a war on two fronts — technical and personal, where the stakes were not only the security of millions of users, but also the right of a researcher to tell the truth. Moore won both battles, but the price of victory was high: he forever remained an inconvenient person for the largest corporation in the world.

300 Spartans of infosec

What started as a lone project quickly grew into a movement. At its peak, Metasploit had about 300 active contributors worldwide. Among them were key figures like Spoonm and Skape, who made fundamental contributions to the framework.

Of particular interest was the “exploit laundering” system for government officials and newcomers. Many security experts working in government agencies were unable to officially participate in the project due to bureaucratic restrictions. Therefore, they passed their developments through intermediaries who published them on their behalf. Moore actively invited the community to participate in the dialogue, sometimes in exchange for a treat — for example, a modified Wi-Fi router with firmware based on OpenWRT.

Not only changes to the framework were published on the official website, but also author additions – everyone’s contribution was important.

Metasploit radically changed the approach to pentesting: before the framework appeared, pentesting was a kind of art, accessible only to selected experts. After that, it became an engineering discipline with standardized tools and methodologies. The emergence of Bug Bounty programs owes much to Moore’s philosophy. Companies realized: it is better to pay “white hackers” to find vulnerabilities than to deal with the consequences of attacks.

The democratization of security knowledge led to the emergence of an entire industry. Ethical hacking courses, certification, specialized conferences – all this grew on the foundation laid by Metasploit.

Deal with the devil

On October 21, 2009, it was announced that the Metasploit project had been acquired by Rapid7. The call from Rapid7 was an offer that Moore could not refuse — not so much because of the money, but because of the project’s development opportunities. The structure of the transaction was typical for startups – an earn-out model, where the final amount depended on achieving certain indicators over several years. This meant that Moore had to not only sell the project, but also continue to develop it under corporate management.

A conflict of interest was inevitable. On the one hand, Moore’s passion for independently creating tools, on the other hand, the requirements of a public company, where every solution is evaluated through the prism of ROI. The next four years turned into a serious test: James had to create a team and an office in Austin, balance the requirements of the open-source community and the commercial interests of Rapid7. Yes, the technical evolution of the project accelerated – corporate resources allowed to attract more developers and scale development. But every decision was driven by commercial considerations: the community wanted to maintain the principles of openness, and the corporation wanted to create monetizable features in closed products.

Success came at a high price for Moore. The constant pressure, the need to make decisions not only as a technical leader, but also as a business leader, led to serious health and relationship problems. Burnout was inevitable, because the man who created Metasploit out of a passion for technology turned out to be a corporate product manager with budgets, deadlines, and shareholder demands.

In 2016, Moore decided to leave to start creating something new rather than managing something already created.

Second Wind

After leaving Rapid7, Moore went into consulting. The main problem he decided to focus on was the increasing complexity of corporate networks — companies often did not know what assets they had, where they were located, and how they were protected. Traditional scanning tools were too slow and inaccurate for today’s dynamic environments — you can’t protect what you don’t know about.

Moore’s new project, RunZero (originally Rumble Network Discovery), is not just another network scanner, but an attempt to apply the Metasploit philosophy to IT asset inventory.

Rumble interface

If Metasploit gave anyone access to attack tools, RunZero helps organizations see what’s really going on inside their own infrastructure. In a way, it’s a continuation of the same idea that started Metasploit — only instead of “break and prove,” the goal is “discover and protect.”

Metasploit has lived on—without Moore, but with its continued influence on the industry. But we’ll talk about the evolution of the tool in the next article.
