neodymiumphish 3 days ago
I've been through 2 offensive courses (SANS GPEN and Parrot Labs Offensive Methodology and Analysis) and yeah, that was the take I got even back then (5+ years ago). Everything we used was open source and near-fully functional. There was a lot of knowledge needed on the syntax for some tools, but otherwise it was insane to think how easily these could be used by a motivated person.
viccis 3 days ago
For some of them, it makes sense. Metasploit, Cobalt Strike, and similar tools are good because they can be used to give people a good idea of the impact of the vulnerabilities in their system as well as giving them knowledge of the TTPs that attackers use. But some of these, like Bloodhound, are not really telling you much you didn't know. They are tools to make exploiting access, whether authorized or otherwise, easier and more automated. Hell, even in the case of Cobalt Strike, they are doing their best to limit who can obtain it and chasing down rogue copies because they are used for real attack purposes. I'm not really saying anything should (or can) be done about this. Just ruminating about it, as after many years in the industry, seeing a list of a mostly open source stack used for every aspect of cybercrime sometimes surprises me at just how good a job we've done of equipping malicious actors. For all the high-minded talk of making everyone more secure, a lot of things just seem to be done for a mixture of bragging rights ego and sharing things with each other to make our offensive sec job a bit easier.