Over 15,000 active assets inside 10 companies belonging to the group; the biennial recurring project mapped the real situation, in parallel with a snapshot of IT/Security maturity across three main domains: processes, people, and technology. 5 TOEs: Infrastructure, Databases (SQL and Oracle in depth), AWS Cloud, Connectivity (Routers, Switches, and Firewalls against/based on CIS) and Web Application instances (partial tests). Nessus running on a hardened, customized Linux with HA (High Availability).
Information Security Manager at a retailer with 10,001+ employees
Tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans
Pros and Cons
- "Scanners and reports using CIS templates ("de-facto" standard, easy to fix and to locate correction tips in the documentation), tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans."
- "Model OS costs (and its segregation schema for individual modules)."
What is our primary use case?
How has it helped my organization?
Nessus has more plugins/add-ons, tests, and templates than previous tools (OpenVAS), and it is faster and customizable using CLI/API features. It offers enough resources for an interesting cost-benefit rating (for small and medium companies) and fewer false-positive events per type of asset.
It helped us to quickly produce a QuickWin report that guided the Vulnerability Mgmt actions and plans within the company over the next 3-5 years, using the same tool/investment/team for all companies inside the group.
What is most valuable?
Scanners and reports using CIS templates ("de-facto" standard, easy to fix and to locate correction tips in the documentation), tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans. You can scale your environment to gradually increase the quality, depth, and quantity of the tests, enabling you to learn and gradually optimize your vulnerability management platform(s)/instance(s). The possibility of integration with other market tools (Kenna, Archer...) is another differentiator.
What needs improvement?
- Add the possibility to customize the attributes that define an asset's criticality level based on the company's "business sense".
- Improve integration and tests for OT platforms, OT applications, OT hardware, and non-Ethernet protocols.
- Improve the exchange of info/insights/attributes with the RM (Risk Management) domain.
- Offer more flexible strategic and high-level dashboards based on the previous comments (less technical and more business-oriented).
- Model OS costs (and its segregation schema for individual modules).
Buyer's Guide
Tenable Nessus
October 2024
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
For how long have I used the solution?
7+ years with Tenable and more than 15 years with others.
What do I think about the stability of the solution?
Excellent. Not one problem during operation or deployment.
What do I think about the scalability of the solution?
Enough (faster than OpenVAS engine).
How are customer service and support?
Its SLA/support is enough.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
OpenVAS. We reached the previous level/threshold/maturity using OpenVAS (a more limited tool when compared with Nessus). I/We believe that the change to a better tool (in this and in other categories) should be carried out when these indicators are reached.
How was the initial setup?
Very simple and fast.
What about the implementation team?
In-house.
What was our ROI?
Good. Nessus Pro combined with other xLAP solutions to offer a presentation/grouping layer is great. Using SC, this curve/point of ROI is slower.
What's my experience with pricing, setup cost, and licensing?
Start small, learn about your problems/fixing time and grow gradually.
Which other solutions did I evaluate?
Several. OpenVAS, Rapid7, Qualys, CORE* and Retina.
What other advice do I have?
An interesting cost/benefit tool.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Manager at a transportation company with 1,001-5,000 employees
Comes at a great price, does exactly what you expect it to do, and never lets you down from a stability point of view
Pros and Cons
- "It does exactly what you expect it to do, and its pricing is great. We couldn't really ask for a better deal."
- "The interface is a little bit clunky, and the reporting is not marvelous. There should be better integration of reporting between instances. Currently, the instance stands alone, and it produces a report. Being able to amalgamate those reports with another instance will be useful."
What is our primary use case?
We are using Nessus Pro. Our operational security team is using it at the moment. It is being used in a couple of ways. In one instance, it is being used purely to scan the internal infrastructure. In the second instance, we're using it to scan the entire network range, including all endpoints. In the third instance, we're using it to do PCI DSS compliance scanning.
What is most valuable?
It does exactly what you expect it to do, and its pricing is great. We couldn't really ask for a better deal.
What needs improvement?
The interface is a little bit clunky, and the reporting is not marvelous. There should be better integration of reporting between instances. Currently, the instance stands alone, and it produces a report. Being able to amalgamate those reports with another instance will be useful.
What do I think about the stability of the solution?
It has never let us down from a stability point of view.
What do I think about the scalability of the solution?
It is really scalable. It is great.
We have six people who are actually interacting with the tool itself, but obviously, it has been deployed against thousands of endpoints. There are three different roles of those six users.
How are customer service and support?
They are very good. Their formal support and the wider community support are excellent.
Which solution did I use previously and why did I switch?
We've used Rapid7 in the past. We switched because of the value for money and the fact that it feeds into the Tenable.io platform, which is where we ultimately want to be.
How was the initial setup?
It was straightforward and fast. It literally took a morning.
What about the implementation team?
It was done in-house. For its deployment and maintenance, there is just one person. He is an information security analyst.
What's my experience with pricing, setup cost, and licensing?
Its pricing is great and can't be improved. It is very cheap. It is less than 2,000 pounds a license, and you can't really ask for more.
It has unlimited IPs and unlimited scans. There are no particular pricing constraints. The only additional cost is the inherent cost of the people to actually review the actual scans.
What other advice do I have?
My advice to people who are looking into implementing this product would be to just go ahead and do it. Don't be frightened about it. It is great. It does exactly what you'd expect it to do. You can use it as a stepping stone to the other Tenable products.
I would rate it a nine out of 10. It is a lovely product. It just does what you need it to do, and lets you get on with your day.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cybersecurity Manager at a manufacturing company with 10,001+ employees
Excellent at identifying vulnerabilities and accessing information related to that
Pros and Cons
- "Ease of reviewing scores, identifying vulnerabilities, and getting information on them."
- "Scans aren't done properly and some devices aren't pinged."
What is most valuable?
The valuable feature for me is being able to ping the computers to do the automated scan and to come back and be able to see everything. That's definitely a huge plus, but then there's also the ease of reviewing the scores, identifying vulnerabilities, and getting the information on the vulnerabilities; the ability to review all that within one tool has been phenomenal. When we're reviewing those Nessus scores, the solution works well.
What needs improvement?
I think there are still some things that need to be ironed out to ensure that we can have a one-stop shop to do both ACAS and SCAP automated assessments in. We've been trying to do that, and they say you can, that the capability is integrated into the system. But in most instances, especially when you're dealing with some systems that are standalone or a network that we built ourselves, we find that some devices aren't pinged and the scans aren't done properly. That also comes down to the hardening of the systems, where the password or the privileges weren't taken, so therefore it didn't do the scan properly.
For how long have I used the solution?
I've been using this solution for the past six or seven years.
What do I think about the stability of the solution?
The solution is stable. We haven't run into any issues other than some passwords that don't take, but that's the way we set up the system. If it's set up properly and configured appropriately, there won't be any issues.
What do I think about the scalability of the solution?
We could definitely make the adjustment to scale it left, right, up and down, depending on what we're using it for and we haven't run into any issues on that. It's pretty flexible.
How was the initial setup?
The setup itself is pretty straightforward. Because these are standalone systems, there are some additional steps that the IT team needs to do, but they pretty much have it down to where they could install the tools pretty easily and have it running reasonably quickly.
What other advice do I have?
I would recommend making sure that the solution meets your needs for automated scans and the SCAP. If you're looking for a one-stop shop, I think it's a great tool for that. I would recommend some form of training if you don't have experience with this kind of solution. There's a bit of a learning curve involved in terms of configuring and using Nessus.
I rate this solution an eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Intent Manager at SLIIT
Identifies and addresses vulnerabilities but the dashboard needs improvement
What is our primary use case?
We use Tenable Nessus as a vulnerability management tool. It helps identify vulnerabilities in our system, how to address them, and what mitigation steps are required. We can assign high, medium, or low priority levels and schedule scans to run at specific times. The tool generates vulnerability assessment reports, valuable in our organization's environment for continuous security assessment.
How has it helped my organization?
We can onboard our organization's access and run scans as needed. We can also share the scan results every year and perform many other tasks with Tenable.
What is most valuable?
It’s a strong vulnerability assessment tool for management and serviceability. It is a reliable product that helps us identify vulnerabilities in our system effectively. I use it to scan our environment with SSM and generate vulnerability assessment reports.
What needs improvement?
The dashboard could be improved.
For how long have I used the solution?
I have been using Tenable Nessus for two years.
What do I think about the scalability of the solution?
Our team has 10-15 people using this solution. It’s a good tool for vulnerability assessment, and we can identify vulnerabilities in our organization. At this time, we can effectively use it within our organization.
I rate the solution’s scalability a nine out of ten.
What's my experience with pricing, setup cost, and licensing?
It is expensive.
I rate the product’s pricing an eight out of ten, where one is cheap, and ten is expensive.
What other advice do I have?
Overall, I rate the solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 9, 2024
Chief Commercial Officer at Yamamah Information Technology & Communication Systems LLC
Good reporting, good support, and easy to deploy and use
Pros and Cons
- "It is easy to deploy and easy to use. Its reporting is good. From this reporting, you can see the pain point in your network, which makes it easy to fix them. It is easy to understand the reports and export them."
- "Technically, it is an excellent and the best solution available in Libya. My only concern is related to its pricing. They are an emerging company in Libya, and they need to put in some effort to provide us with very good prices so that customers can go with the best solution. Chinese companies are getting into the market here, and they're providing very cheap solutions."
What is our primary use case?
Two of our customers use it for vulnerability assessment and penetration testing, and they are getting very good results.
What is most valuable?
It is easy to deploy and easy to use. Its reporting is good. From this reporting, you can see the pain point in your network, which makes it easy to fix them. It is easy to understand the reports and export them.
What needs improvement?
Technically, it is an excellent and the best solution available in Libya. My only concern is related to its pricing. They are an emerging company in Libya, and they need to put in some effort to provide us with very good prices so that customers can go with the best solution. Chinese companies are getting into the market here, and they're providing very cheap solutions.
For how long have I used the solution?
We have been providing network and solution integration services since 2012.
What do I think about the stability of the solution?
It is a stable solution. It is the best one in the world. I am not considering any other solutions.
What do I think about the scalability of the solution?
It is scalable.
How are customer service and support?
Their technical support is very good. The feedback that I have received from the customers for the tickets that they opened is that they are satisfied with the service.
How was the initial setup?
It is easy to deploy. It can be implemented in less than 10 days, but complex projects with ISO 27001 compliance requirements can take more than a year.
What about the implementation team?
From our side, there are only two engineers. One is the main engineer and the other one is the backup engineer.
It is being used by only three users. Two are from the cyber information security team and one is from the network security team.
What's my experience with pricing, setup cost, and licensing?
Its price is high for Libya. The companies here in Libya don't have the awareness of and a good budget for cybersecurity services. If you want them to go for a product, you need to provide something different. This differentiation is related to the price. They should give about a 40% to 45% discount per person on the current cost. From our side, we provide the demo and show it as a very good and valuable solution, but when it comes to the price, some companies don't want to own the tool. They prefer to go for it as a service. There are a few companies that are providing it as a service where they own the tool, but they provide it as a service, which is cheaper than a customer owning the product. We strongly recommend that customers own the product and use it.
I strongly recommend to customers to go for a three-year license to use it, benefit from it, and be comfortable with it. In Libya, we are facing a problem related to the timelines and delays of projects. If they go for just a one-year license and the project gets delayed by six months, they will have only six months to use it.
What other advice do I have?
It is a very good and useful tool. I would rate it a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Operation Director at GLOBALIP
Automates scanning process, enhancing the ability to monitor the security landscape continuously
Pros and Cons
- "It notifies us of vulnerabilities as they arise, allowing us to respond quickly without manual intervention."
- "The product could have unique features similar to one of its competitors."
How has it helped my organization?
The platform is essential for vulnerability management tasks and integrates with various data management applications.
What needs improvement?
The product could have unique features similar to Qualys.
For how long have I used the solution?
We have been using Tenable Nessus for about a year to a year and a half. We are using the latest version to ensure access to all the latest features.
Which solution did I use previously and why did I switch?
While Tenable offers a robust solution, the main competitor, Qualys, has some unique features. However, Tenable has a larger market share, indicating that it has undergone extensive testing and development based on customer feedback.
How was the initial setup?
The complexity of deploying Nessus largely depends on the customer's operational environment. If the environment has diverse systems, implementation may be more complex, while a more uniform system allows for easier setup.
The timeline for implementation could range from one week to several months based on these factors.
What's my experience with pricing, setup cost, and licensing?
The product pricing is dynamic and varies based on the specific needs of each project and customer.
Discounts can be offered based on competition and project requirements, making it a relative cost depending on the context.
What other advice do I have?
The solution automates vulnerability checks, which is crucial for our customers who cannot dedicate a team to monitor security issues constantly. It notifies us of vulnerabilities as they arise, allowing us to respond quickly without manual intervention.
It automates the scanning process, allowing us to schedule regular scans, generate reports, and receive notifications about critical vulnerabilities via email. It enhances our ability to monitor the security landscape continuously.
Overall, I rate it a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Last updated: Sep 23, 2024
Project Manager at a computer software company with 1,001-5,000 employees
Discovers all the assets and identifies existing vulnerabilities
Pros and Cons
- "You can then direct your team to create a report on the discovered vulnerabilities."
- "Tenable Nessus could include a broader range of IT assets."
What is our primary use case?
We do infrastructure audits in the state, and we have a lot of organizations and customers for which we do security assessments.
How has it helped my organization?
Nessus assists you to complete the job in a shorter period of time. It discovers all the assets and identifies existing vulnerabilities in the environment.
You can then direct your team to create a report on the discovered vulnerabilities. Basically, you can use Tenable to shorten the activity and get faster results.
What needs improvement?
Tenable Nessus could include a broader range of IT assets. Nowadays, IT is not limited to laptops and desktops. It can be any environment in the organization, such as iOS or Android mobile phones.
Apart from that, organizations use APIs and specific tools. We would like Tenable to cover every aspect of IT infrastructure, not just generic systems like laptops, desktops, switches, or servers. It should include every kind of device, like Raspberry Pi. These small devices act as sensors in several organizations.
We would like to be able to scan every device in the network, and the solution should present vulnerabilities within their system.
For how long have I used the solution?
I've been working with it for ten years.
What do I think about the stability of the solution?
Tenable is a stable solution. I would rate the stability a ten out of ten.
What do I think about the scalability of the solution?
Tenable's scalability is good. I would rate the scalability a seven out of ten.
How are customer service and support?
We have no issues with support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We had used some open-source solutions previously.
We made a switch to Tenable Nessus because of the vulnerability coverage. It has a huge scope.
How was the initial setup?
Nessus is quite easy. It is quite easy to deploy, quite easy for my team to use this software for vulnerability scanning. So it is very easy.
I would rate my experience with the initial setup a nine out of ten, with ten being easy.
It took one to two hours.
What about the implementation team?
We do this in-house. We, ourselves, deployed this solution.
Sometimes we take assistance from the OEM or the reseller, but generally, we make it an in-house activity.
What was our ROI?
There is an ROI in terms of cost savings, time savings and more.
What's my experience with pricing, setup cost, and licensing?
We have one user license at present. The price is okay. I would give it a seven out of ten, where one is cheap and ten is expensive.
What other advice do I have?
I would recommend it to others. It's a good solution. Overall, I would rate it an eight out of ten. In every aspect, it is good.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 14, 2024
Assistant Director for Computing and Network infrastructure at SRCE
Helps to conduct monthly scans and open tickets for developers to address identified vulnerabilities
Pros and Cons
- "We have around 500 virtual machines. Therefore, we conduct monthly scans and open tickets for our developers to address identified vulnerabilities. These scans cover the servers, other network equipment, and appliances in our infrastructure."
- "One significant drawback we encounter is the tool's tendency to flag patched packages incorrectly. For instance, if a package is patched by Debian maintainers but not updated to a major or minor version, Nessus may still flag it as vulnerable based on its database. This discrepancy leads to false alarms and requires our developers, system admins, and DevOps teams to address them."
What is our primary use case?
We have around 500 virtual machines. Therefore, we conduct monthly scans and open tickets for our developers to address identified vulnerabilities. These scans cover the servers, other network equipment, and appliances in our infrastructure.
What needs improvement?
One significant drawback we encounter is the tool's tendency to flag patched packages incorrectly. For instance, if a package is patched by Debian maintainers but not updated to a major or minor version, Nessus may still flag it as vulnerable based on its database. This discrepancy leads to false alarms and requires our developers, system admins, and DevOps teams to address them.
It would be beneficial if it could handle minor additions to versions similar to how Debian manages its patches. This feature would allow it to differentiate between patched and non-patched versions.
For how long have I used the solution?
I have been using the product for ten years.
What do I think about the stability of the solution?
Tenable Nessus is very stable. We encountered some issues with scanning certain network equipment but resolved them by adjusting the parameters. Our main focus is scanning our servers; we haven't experienced any significant problems with that process.
What do I think about the scalability of the solution?
My company has three users.
How are customer service and support?
We haven't contacted Tenable Nessus for assistance or questions because we haven't encountered any serious issues, and we are generally satisfied with the product.
Which solution did I use previously and why did I switch?
We chose Tenable Nessus because we primarily rely on open-source products as a publicly funded institution. About ten years ago, we conducted research to determine the best option, and at that time, it stood out as the preferred choice.
How was the initial setup?
Tenable Nessus' deployment is straightforward.
What's my experience with pricing, setup cost, and licensing?
The product is free.
What other advice do I have?
I rate the overall product a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Mar 14, 2024
Authenticated scans are an excellent way to increase the quality and depth of your scanner's results. You can add/use cloud provider API keys during tests, and local or AD users/credentials with databases, telecom devices and other types of digital assets. Normally, the difference between non-authenticated and authenticated scans is very big.
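Two reviewers on this page touch the same failure mode: the manufacturing company's cybersecurity manager, whose scans "weren't done properly" when the supplied password or privileges were not accepted, and the note just above on how much authenticated scans add. The practical check is to confirm, host by host, that credentialed checks actually ran before trusting the finding counts. The following is an added example, not Tenable's code and not any reviewer's: it parses a .nessus export (the NessusClientData_v2 XML that Nessus produces) and reads the "Credentialed checks" line that plugin 19506, Nessus Scan Information, writes for each host. The embedded XML is a constructed, abbreviated sample; the host names, IPs and the 9000xx plugin IDs are made up.

```python
"""Did the scan actually authenticate? Checked from a .nessus export.

Added example, not code from Tenable or from any reviewer on this page. It
parses the NessusClientData_v2 XML that Nessus exports and reads the
"Credentialed checks : yes/no" line that plugin 19506 (Nessus Scan
Information) writes per host. The XML below is a constructed, abbreviated
sample: host names, IPs and the non-19506 plugin IDs are made up.
"""
from collections import Counter
import xml.etree.ElementTree as ET

SCAN_INFO_PLUGIN = "19506"
SEVERITY = {"1": "low", "2": "medium", "3": "high", "4": "critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed sample">
<ReportHost name="db01.example.invalid">
<HostProperties><tag name="host-ip">10.0.0.11</tag></HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
 pluginName="Nessus Scan Information" pluginFamily="Settings">
<plugin_output>Information about this scan :

Scan type : Normal
Credentialed checks : yes
</plugin_output>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="900001"
 pluginName="constructed finding A" pluginFamily="Misc."/>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="2" pluginID="900002"
 pluginName="constructed finding B" pluginFamily="Misc."/>
</ReportHost>
<ReportHost name="sw01.example.invalid">
<HostProperties><tag name="host-ip">10.0.0.12</tag></HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
 pluginName="Nessus Scan Information" pluginFamily="Settings">
<plugin_output>Information about this scan :

Scan type : Normal
Credentialed checks : no
</plugin_output>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="1" pluginID="900003"
 pluginName="constructed finding C" pluginFamily="Misc."/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def credentialed_status(host):
    """True/False from plugin 19506's output; None if the plugin did not run on the host."""
    for item in host.findall("ReportItem"):
        if item.get("pluginID") != SCAN_INFO_PLUGIN:
            continue
        for line in (item.findtext("plugin_output") or "").splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Credentialed checks":
                return value.strip().lower().startswith("yes")
    return None


def summarize(nessus_xml):
    """Per host: IP, whether credentialed checks ran, and non-info findings by severity."""
    summary = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        counts = Counter(SEVERITY[item.get("severity")]
                         for item in host.findall("ReportItem")
                         if item.get("severity") in SEVERITY)
        summary[host.get("name")] = {
            "ip": host.findtext("HostProperties/tag[@name='host-ip']"),
            "credentialed": credentialed_status(host),
            "findings": dict(counts),
        }
    return summary


def hosts_without_credentials(summary):
    """Hosts where local checks did not run: their finding counts are a floor, not a result."""
    return sorted(name for name, h in summary.items() if h["credentialed"] is not True)


if __name__ == "__main__":
    result = summarize(SAMPLE_NESSUS)
    for name, info in result.items():
        print(name, info)
    print("re-check credentials on:", hosts_without_credentials(result))
```

Run it against a real export (`summarize(open("scan.nessus").read())`) after every credentialed scan: a host that reports "Credentialed checks : no" but few findings is not a clean host, it is an unscanned one, and the fix is on the credential or privilege side (the account, sudo rights, or the lockout the first pass triggered), not in the scan policy. Nessus also has a dedicated plugin, 21745 (Authentication Failure - Local Checks Not Run), that fires in the same situation; filtering a scan on that plugin is the quicker triage when you are in the UI rather than scripting over an export.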