Walter Hrad
The Man Who Armed the Internet and Then Spent His Life Trying to Fix It

There is a particular kind of person in security who does not fit neatly into the categories the industry likes to use. Not purely a researcher, not purely a builder, not purely an attacker or a defender. HD Moore is that person. He built the most widely used hacking tool in the world, handed it to the public for free, watched it get used in ways that made a lot of people nervous, and then spent the next two decades using that same instinct for exploration to help organizations understand exactly how exposed they really are. His career reads less like a resume and more like a long argument with the security industry about what openness actually means.

To understand him, you have to go back to Austin, Texas, and a teenager with too much time and too many phone lines.


Dialing in the Dark

HD Moore grew up around Austin in the 1990s, which meant he grew up in a particular era of the internet that people who were not there tend to romanticize without fully understanding. Before the web took over everything, before social media, before the endless scroll, there was a different kind of exploration available to anyone with a modem and a phone line. You could just dial numbers. Random numbers. Area code, exchange, four digits, and see what picked up.

Most of the time nothing happened. But occasionally a computer answered. An old UNIX machine somewhere, sitting in a university basement or a corporate server room, configured to accept inbound connections from whoever happened to be curious enough to dial in. Nobody had thought particularly hard about what would happen if a teenager in Austin started working through every number in the 512 area code.

Moore's mother was a medical transcriptionist, and that job came with an unusual household setup. Multiple phone lines. An ISDN line. Two computers. And a mother who went to bed early. He would run a program called ToneLoc across the entire area code, night after night, logging whatever picked up. HVAC systems at department stores. Radio transmission towers. Machines that had no business being reachable by a kid sitting at home, but were, because nobody had locked the door.

He was not doing this to cause damage. He was doing it because it was fascinating. There was a whole world connected by phone lines, and almost none of it knew he was there. That feeling, of discovering something that was just sitting there waiting to be found, never really left him.

This is important context for everything that came later. Moore is not a person who got into security because he wanted to break things. He got into it because he wanted to know what was there.


The Phrack Channel and the Air Force

Moore spent a lot of his early online life in the Phrack IRC channel. Phrack was the hacker magazine, the one that had been running since 1985 and had, by the mid-90s, accumulated a serious body of knowledge about how systems worked and how they could be broken. The IRC channel was where the people who read Phrack talked to each other, and it was, apparently, also where defense contractors went to find entry-level talent.

Someone in that channel sent Moore a message asking if he was looking for work. He was still in high school. The job was with Computer Sciences Corporation, doing work for what was then the Air Force Intelligence Agency, building offensive tools for red teams inside the Air Force. They needed someone who could write exploits, who understood how networks worked at a low level, who was comfortable with the kind of technical problem that does not have clean documentation.

Moore was, by his own admission, not a particularly good programmer at the time. But he understood the material, and he was willing to learn. His first professional experience was getting vague briefs about tools that needed to scan networks for open registry keys or intercept specific kinds of traffic, and then going off and building them. This was before most of the industry had formalized the idea of red teaming. The people doing it were figuring it out as they went.

That job led directly to his next move. After doing a penetration test on a local business and basically walking through every layer of their security without being stopped, he and the team went back to CSC and proposed expanding into commercial pen testing. CSC said no. They were a federal contractor, and that was what they did. So the team left and started their own company: Digital Defense.


The Problem That Made Metasploit Necessary

Digital Defense was doing penetration testing for clients, and the work exposed a problem that the industry did not have a good answer to.

Here is how a pen test worked in the late 1990s: you ran a vulnerability scanner to find out what was running on the network, you matched up the versions against lists of known vulnerabilities, and then you needed to prove to the client that the vulnerability was actually exploitable. It was not enough to tell someone their server was unpatched. Anyone could say that. The value was in demonstrating what an attacker could actually do with it.

That meant you needed working exploits. And getting working exploits was, at the time, genuinely difficult. There were some hacker sites where you could download exploit code, but that code was often old, often undocumented, and potentially carrying malware. Nobody had taken the time to build a clean, trusted, well-organized collection. The commercial options, like Core Impact, existed but were expensive and limited. For a small firm doing pen tests, the practical answer was to write your own, which required constant reinvestment of time and effort.

Moore was accumulating exploits. He had bits and pieces scattered across his machines, some written by him, some shared by people he trusted, none of it organized in a way that made it easy to hand to a teammate or use reliably on a client engagement. The information security community had started to dry up around sharing exploits. The people who had been sharing freely in the 90s were either getting real jobs that made sharing complicated, or running into legal concerns, or simply drifting away. What had been available was disappearing.

Moore's answer was to build a framework. A single application that held exploits in a consistent format, with documentation, with known payloads, without hidden garbage. Something he could trust on a client network. Something he could add to over time. That was the original Metasploit: a practical tool, built to solve a real problem he was having at work, that he happened to release publicly.


What Metasploit Actually Was

The first version was menu-based, terminal-based, and not particularly elegant. You picked an exploit, picked an encoder, picked a payload, and sent it. Functional but rigid.

By Metasploit 2, the architecture had been rethought. The core idea was modularity. An exploit and a payload were separate things, and you could combine them like components. Before this, most exploits came with one or two hardcoded payloads and that was it. What Moore and his collaborators built was a system where any compatible payload could be attached to any compatible exploit, which multiplied the number of possible attack configurations enormously.

The payload metaphor is worth understanding. If the exploit is the needle that gets through a system's defenses, the payload is what the needle is carrying. It could open a command shell. It could establish a persistent connection back to the attacker. It could do almost anything, depending on what you loaded into it. Metasploit made it easy to swap payloads in and out, which meant that security researchers could test not just whether a system was vulnerable, but what an attacker could realistically do with that vulnerability.

This was genuinely useful for pen testers. It was also genuinely useful for people who wanted to attack systems without permission. Moore knew this and released it anyway, which is where the controversy started and never really stopped.

His position was consistent. The information was not secret. The vulnerabilities were already known. Hiding the tools did not make the vulnerabilities go away; it just made it harder for defenders to understand what they were defending against. A security professional who could not replicate what an attacker could do was working with incomplete information. The argument had real merit, and it still does.


The Moral Weight of Building Metasploit

The Darknet Diaries episode about Moore frames this tension honestly. Metasploit was crammed with exploits and payloads that could be used to compromise computers. Anyone with the tool and a target could cause serious damage. And Moore put it on the internet for free.

What makes his position defensible is not that the tool was never misused. It was misused. What makes it defensible is that the alternative, keeping effective security tools restricted to commercial vendors and government agencies, does not actually make systems more secure. It just makes it easier for institutions to charge money for security services while leaving the broader community without the knowledge needed to evaluate the claims those institutions make.

There is also the question of what Metasploit did for education. For the generation of security professionals who came up in the 2000s and 2010s, Metasploit was often the first real penetration testing tool they got their hands on. It was free, it was documented, and it lowered the barrier to actually understanding how exploits worked at a technical level. People who went on to do serious security work, both offensive and defensive, often trace part of their foundation to time spent with Metasploit. Weighing that against the cases where someone misused it is not a straightforward piece of accounting, and it is dishonest to pretend otherwise.

Moore built something that changed the industry. The people who benefited from it vastly outnumber the people who used it to cause harm, and the harm that was caused would largely have been possible anyway for anyone with the motivation to find the same exploits elsewhere. What would not have existed otherwise is the community, the shared language, the common framework that allowed the field to develop a shared understanding of offensive techniques.


Rapid7 and What Came After

In 2009, Rapid7 acquired Metasploit. Moore joined the company as chief security officer and stayed on as chief architect of the framework. He had been building Metasploit largely in his spare time, nights and weekends and lunch breaks, and the acquisition meant there would be actual resources dedicated to it full-time.

At Rapid7, Moore continued the kind of large-scale internet scanning work that had been a thread through his whole career. The most significant of these projects was what became known as Project Sonar, which involved scanning the entire public internet to understand what was actually exposed. In 2013, this work produced a notable finding: roughly 50 million networked devices were exposed to the internet through flaws in Universal Plug and Play, a protocol that had been designed for home networks and had no business being accessible from the public internet. This was not a targeted discovery. It was the result of simply scanning everything and looking at what came back.

That kind of work, running probes across the entire address space and analyzing what responds, gave Moore a perspective on internet exposure that almost nobody else had. He had seen the public internet from the outside, systematically, at scale. He knew what was out there and how bad the configuration problems were across every industry.

He left Rapid7 in 2016.


The Problem He Could Not Stop Thinking About

After Rapid7, Moore spent time at Atredis Partners doing research and development. But the problem that kept pulling at him was one he had run into repeatedly over the course of his career: organizations did not know what was on their own networks.

This sounds basic, but it is one of the most persistent and serious problems in enterprise security. You cannot protect what you cannot see. And the larger an organization gets, the harder it is to maintain an accurate picture of every device, every service, every connection. Things get added without being tracked. Old systems never get decommissioned. Consumer devices appear on corporate networks because employees connect personal devices to Wi-Fi. IoT devices get deployed in facilities and forgotten about. The picture that the security team has of their own network is almost always incomplete, and often dramatically so.

Moore had seen this from both sides. As a penetration tester, he had scanned client networks and found things the client did not know were there. As someone who had scanned the entire public internet, he had a clear view of how exposed the outside-facing portion of organizational infrastructure was. The inside of the network was usually worse.

In 2018, he founded what was initially called Rumble Network Discovery to address this directly. The tool was designed to scan a network and identify everything on it, fingerprinting devices precisely enough to give organizations an accurate picture of their attack surface. Not just identifying hosts, but identifying what they were, what was running on them, and what the security implications were.

The company later renamed itself runZero, a name that referenced the idea of starting from zero assumptions about what is on the network and building an accurate picture from scratch. Moore found, consistently, that when his tool ran on a corporate network, it found things the security team had not known were there. PlayStation 4s. Amazon Echo devices. Smart TVs. Weather stations that had updated their firmware and opened unauthenticated telnet services on the local network. The gap between what organizations thought they had and what was actually there was often startling.


Why His Career Makes Sense as a Whole

HD Moore has spent his career doing a version of the same thing. Finding what is there when nobody has looked carefully. As a teenager, it was running ToneLoc across area codes to see what picked up. As a young pen tester, it was building a framework for discovering what vulnerabilities were actually present and exploitable on client networks. At Rapid7, it was scanning the public internet to see what was exposed. At runZero, it is scanning internal networks to show organizations the gap between their assumed state and their actual state.

The thread is curiosity about what exists, combined with a commitment to making that knowledge available rather than hoarding it. Metasploit was not hidden. Project Sonar data was published. The research Moore did on UPnP exposure was shared publicly so that device manufacturers and ISPs could address it. The fingerprint database that runZero uses, Recog, is open source and contributed back to the broader community.

This is a coherent position. Information about how systems work, including information about how they can be broken, is more useful in the open than locked away. The security industry has spent decades trying to argue both sides of this question depending on what was commercially convenient, and Moore has been one of the clearer voices insisting that openness, on balance, makes things better.

He is also a person who clearly finds the work interesting for its own sake. He described the internet to someone once as just a series of numbers. Make up any random 32-bit address and there is probably something there. That observation has a quality of genuine wonder in it that does not come from someone who got into the field to make money or build influence. It comes from someone who dialed random phone numbers as a teenager because they wanted to know what would pick up, and never really stopped asking that question.


What He Leaves Behind

Metasploit is now owned by Rapid7 and maintained by a large team. It remains the dominant open source penetration testing framework. Certifications like OSCP require students to use it. Security courses around the world are built around it. The number of security professionals who developed their foundational skills with Metasploit is enormous.

runZero has become a real company with funding and customers. The asset discovery problem Moore identified has not gone away. If anything, the explosion of cloud infrastructure, remote work, and IoT devices has made it worse, which means the work he started in 2018 is more relevant now than when he began it.

The Darknet Diaries episode that brought Moore to a wider audience in 2022 has over 400,000 plays. The story it tells is not a simple one. It is not a story about a genius who built something and got rich. It is a story about a person who had a particular way of looking at technical problems, who made a decision to share what he built instead of keeping it to himself, and who spent decades living with the consequences of that decision while continuing to push in the same direction.

That kind of consistency is rare. The security industry is full of people who pivot toward whatever is commercially valuable at a given moment. Moore has been doing essentially the same thing since he was a teenager in Austin dialing random phone numbers at midnight. The tools have changed. The scale has changed. The question he is asking is the same.

What is actually out there? And who else knows about it?
