reviewer1229910 - PeerSpot reviewer
Security Architect at a logistics company with 10,001+ employees
Real User
The vulnerability priority rating has been accurate and helps us prioritize effectively, based on risk
Pros and Cons
  • "The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing."
  • "There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product."

What is our primary use case?

We use it for internal and external vulnerability scans.

How has it helped my organization?

Instead of just looking at high, medium or low risk for vulnerabilities, and having to remediate all of them, we can remediate in a more effective manner. We have limited resources for remediation work and we want to spend our time on the most critical issues.

It helps us focus resources on the vulnerabilities that are most likely to be exploited. It gives a higher VPR number where the things are more likely to be exploited, instead of just using the pure severity rating as a way to prioritize and decide to remediate.

What is most valuable?

The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing.

When it comes to vulnerability prioritization, Tenable's predictive features are off to a great start. It's definitely giving us more data to help prioritize, instead of just relying on straight CVSS. The vulnerability priority rating has been accurate and is helping us prioritize effectively, based on risk or based on the likelihood of being exploited. Based on what they say, and comparing it to what we are seeing with malware exploits, their predictions are lining up with what we are seeing being exploited.

What needs improvement?

There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product.

There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.

Buyer's Guide
Tenable Nessus
January 2025
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
838,713 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Nessus for three years at my current company. 

We monitor Windows, Linux, Mac, workstations, servers, and cloud resources.

What do I think about the stability of the solution?

It's very stable. We haven't had any issues. There has been no database corruption or anything like that. All we've had to do to the main Security Center is give it more disk space to save more data. That's it.

What do I think about the scalability of the solution?

The scalability is okay. We would definitely run into issues if we wanted to save a longer history of the data. It would be terabytes and terabytes of data. But in terms of at least keeping all the data for all the assets that we have, it's good. We're good enough with the retention. It meets our requirements.

The issues would be storage and being able to search across it. If we needed to save five years of scan history, it would be operationally difficult to use all the data that would be saved. But it's not problematic to look at the current data or trends for the past six months. Stuff like that is fine.

We're at about 20,000 hosts and it's pretty stable. I don't think we're going to do a big increase.

How are customer service and support?

Tenable's technical support is good, except for things that involve some of the custom development work that we've done using their API. Early on, that was problematic, but they've gotten better and released more API documentation and sample code, and that was fine.

It was nothing that was wrong with the product itself, but tech support is more designed for normal user interactions with the product, not doing development against the API. The problem with my code was because some documentation wasn't clear or there wasn't a sample for how to do this. That's where it was a little bit tougher. The normal, user function stuff was totally fine. It was really the developer-focused side.

Which solution did I use previously and why did I switch?

We were on Rapid7. We switched because of scalability and performance.

We were looking for a solution that could handle and scan our volume of assets. It wasn't working with our previous solution. Nessus has scalability. Being able to scan in time and actually being able to report on that data were things we couldn't do with our old solution.

Also, the level of visibility that Tenable provides is much better than Rapid7 because we're able to actually see all of the data that was collected and we're able to scan for vulnerabilities and config issues and pull all the data together. We were having real trouble with that before.

How was the initial setup?

The initial setup was straightforward. We were easily able to set up scan policies, asset groups, scan schedules, and start collecting data very quickly.

It wasn't complicated to define what we wanted to scan. It wasn't complicated to set up the credentialed scans, or to set up the different credentials for the different policies and different types of machines. Everything that goes into building a scan policy was straightforward and we were able to get all of our assets scanned pretty quickly. Within 45 days of buying, we had good data and had done multiple scans already with all of our assets.

Our implementation strategy was that we wanted to set up credentialed scans for all of our machines as quickly as possible. We were working towards that and trying to get the coverage in Tenable as soon as possible.

What about the implementation team?

We did it ourselves.

What was our ROI?

We are fulfilling our goals and able to deliver on the requirements that we have. It's hard for security to be a real ROI. We need to do vulnerability scanning, we need to know where the issues are and we need to be able to fix them. It is doing that.

What's my experience with pricing, setup cost, and licensing?

Our licensing is on a yearly basis but we did a three-year deal. It is a fixed cost to cover a certain number of hosts or assets. There are no additional costs to the standard licensing fees.

What other advice do I have?

Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network.

The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better.

The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that.

The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
CLAUDIO SANTOS - PeerSpot reviewer
Operation Director at GLOBALIP
Reseller
Top 5 Leaderboard
Automates scanning process, enhancing the ability to monitor the security landscape continuously
Pros and Cons
  • "It notifies us of vulnerabilities as they arise, allowing us to respond quickly without manual intervention."
  • "The product could have unique features similar to one of its competitors."

How has it helped my organization?

The platform is essential for vulnerability management tasks and integrates with various data management applications.

What needs improvement?

The product could have unique features similar to Qualys. 

For how long have I used the solution?

We have been using Tenable Nessus for about a year to a year and a half. We are using the latest version to ensure access to all the latest features.

Which solution did I use previously and why did I switch?

While Tenable offers a robust solution, the main competitor, Qualys, has some unique features. However, Tenable has a larger market share, indicating that it has undergone extensive testing and development based on customer feedback.

How was the initial setup?

The complexity of deploying Nessus largely depends on the customer's operational environment. If the environment has diverse systems, implementation may be more complex, while a more uniform system allows for easier setup.

The timeline for implementation could range from one week to several months based on these factors.

What's my experience with pricing, setup cost, and licensing?

The product pricing is dynamic and varies based on the specific needs of each project and customer.

Discounts can be offered based on competition and project requirements, making it a relative cost depending on the context.

What other advice do I have?

The solution automates vulnerability checks, which is crucial for our customers who cannot dedicate a team to monitor security issues constantly. It notifies us of vulnerabilities as they arise, allowing us to respond quickly without manual intervention.

It automates the scanning process, allowing us to schedule regular scans, generate reports, and receive notifications about critical vulnerabilities via email. It enhances our ability to monitor the security landscape continuously.

Overall, I rate it a nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Assistant Director for Computing and Network infrastructure at SRCE
Real User
Top 20
Helps to conduct monthly scans and open tickets for developers to address identified vulnerabilities
Pros and Cons
  • "We have around 500 virtual machines. Therefore, we conduct monthly scans and open tickets for our developers to address identified vulnerabilities. These scans cover the servers, other network equipment, and appliances in our infrastructure."
  • "One significant drawback we encounter is the tool's tendency to flag patched packages incorrectly. For instance, if a package is patched by Debian maintainers but not updated to a major or minor version, Nessus may still flag it as vulnerable based on its database. This discrepancy leads to false alarms and requires our developers, system admins, and DevOps teams to address them."

What is our primary use case?

We have around 500 virtual machines. Therefore, we conduct monthly scans and open tickets for our developers to address identified vulnerabilities. These scans cover the servers, other network equipment, and appliances in our infrastructure. 

What needs improvement?

One significant drawback we encounter is the tool's tendency to flag patched packages incorrectly. For instance, if a package is patched by Debian maintainers but not updated to a major or minor version, Nessus may still flag it as vulnerable based on its database. This discrepancy leads to false alarms and requires our developers, system admins, and DevOps teams to address them. 

It would be beneficial if it could handle minor additions to versions similar to how Debian manages its patches. This feature would allow it to differentiate between patched and non-patched versions.

For how long have I used the solution?

I have been using the product for ten years. 

What do I think about the stability of the solution?

Tenable Nessus is very stable. We encountered some issues with scanning certain network equipment but resolved them by adjusting the parameters. Our main focus is scanning our servers; we haven't experienced any significant problems with that process.

What do I think about the scalability of the solution?

My company has three users. 

How are customer service and support?

We haven't contacted Tenable Nessus for assistance or questions because we haven't encountered any serious issues, and we are generally satisfied with the product.

Which solution did I use previously and why did I switch?

We chose Tenable Nessus because we primarily rely on open-source products as a publicly funded institution. About ten years ago, we conducted research to determine the best option, and at that time, it stood out as the preferred choice.

How was the initial setup?

Tenable Nessus' deployment is straightforward. 

What's my experience with pricing, setup cost, and licensing?

The product is free. 

What other advice do I have?

I rate the overall product a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Gabriel Clement - PeerSpot reviewer
Lead IT Security and Remediation at ARM Holdings Company
Real User
Top 5 Leaderboard
Reasonably priced, reliable, and flexible
Pros and Cons
  • "It gives a holistic view of your entire environment."
  • "They should try to create an all-in-one solution."

What is our primary use case?

I primarily use the solution for network scanning. I can use it when I want to see network scanning involved with the network devices and servers. 

What is most valuable?

I love everything about Nessus. I may be biased in my rating, biased in the sense that I love using Nessus.

The usability is okay. The pricing is okay. The costs are reasonable.

The level they give you is good. It depends on the kind of scan that you want to do. There are different options there. If I want to do a PCI scan, that is available. If I want to do a scan that involves checking to see if the system patching is up to date, that is available. If I want to scan against trending vulnerabilities, I can do that, too. They have so many different options. You can streamline it to what you want, and you do your scan. 

Nessus is flexible. It gives a holistic view of your entire environment. I would go for a Nessus any day, anytime.

They have a good reporting system. I love the reporting system. The references they made in terms of recommendations are great. They can give a recommendation on how to get a particular issue fixed. 

The setup is straightforward. 

It is stable and reliable.

We can scale the product. 

What needs improvement?

They should try to create an all-in-one solution. When I say all in one, I mean something that would be cheap, where I can scan a lot in terms of web applications. Right now, this is available. However, it's a bit expensive. If users want to start scanning applications, networking devices, et cetera, they should also try and work on the pricing for those and have everything together. The web application module should be included in Tenable itself.

For how long have I used the solution?

I've used the solution over the past 13 years. I've worked with it for a long time.

What do I think about the stability of the solution?

The stability is fine. There are no bugs or glitches, and it doesn't crash or freeze. 

What do I think about the scalability of the solution?

The solution can scale as needed. 

How are customer service and support?

I've not escalated anything to technical support. 

Which solution did I use previously and why did I switch?

I'm aware of other solutions. 

What makes Nessus outstanding is the different options. There are so many scanning options. They give you the room to be flexible. You can scan your server how you want. Other options may just allow for a general scan of my system. With Nessus, I can streamline and customize my scan. 

How was the initial setup?

It is an easy solution to set up. The deployment is not lengthy. Within two hours, I had it up and running. 

There is no crazy maintenance needed. Sometimes when there are new updates, it just alerts you the moment you log into your appliance. It just alerts you and gives you room to do the updates. Sometimes it may just set automatically, and it picks the updates. When you log in, it asks for you to reinitialize your system, and you're good to go.

What's my experience with pricing, setup cost, and licensing?

The price is not bad. We are comfortable with the cost of the solution right now and with what we are paying for what we get in return. 

We just pay for the license and do not deal with any other additional fees. 

What other advice do I have?

We're using the latest version of the solution. 

When you are doing a spot check, and something rescues you a lot from disaster, you really appreciate that service. The product has really worked for me.

I highly recommend the solution.

I'd suggest new users run a POC and exhaust all the functionality and test other solutions as well. At the end of the day, compare them. Don't forget to consider budgets. Ensure that it matches what your company needs and the budget that they have for that particular solution. 

Make sure that functionality is taken into account. Some people only look at the budget and go for something cheaper and then do not have the functionality they require. 

I'd rate the solution nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Analyst at PJM Interconnection
Real User
Useful vulnerability detection, highly scalable, and good support
Pros and Cons
  • "The most valuable feature of Tenable Nessus is vulnerability detection."
  • "Tenable Nessus could improve reporting and information sharing. It would be helpful if we could share the reports and have a little bit better flexibility in the reporting of the data."

What is our primary use case?

Tenable Nessus can be deployed on-premise and in the cloud.

Tenable Nessus is a vulnerability scanner to find vulnerabilities. The solution finds the vulnerabilities in our environment and then we send those vulnerabilities that are found out to the SMEs to be fixed.

How has it helped my organization?

Tenable Nessus allows us to keep up on fixing the vulnerabilities that are either being exploited in the wild or the ones that we find most critical.

What is most valuable?

The most valuable feature of Tenable Nessus is vulnerability detection.

What needs improvement?

Tenable Nessus could improve reporting and information sharing. It would be helpful if we could share the reports and have a little bit better flexibility in the reporting of the data.

In the next release, they should add some more integration with other security solutions that would be helpful.

For how long have I used the solution?

I have used Tenable Nessus for approximately 10 years.

What do I think about the stability of the solution?

The stability of Tenable Nessus is very good.

What do I think about the scalability of the solution?

Tenable Nessus is highly scalable.

We have a couple of administrators and vulnerability analysts who run scans, and read-only accounts for the SMEs who fix vulnerabilities, and an executive role for management to view the data.

We use Tenable Nessus extensively, we have scheduled jobs running all the time. We do scans on all the systems on our network, and we are always making tweaks.

How are customer service and support?

I rate the support of Tenable Nessus a four out of five.

Which solution did I use previously and why did I switch?

I have not used another solution previously to Tenable Nessus.

How was the initial setup?

For our deployment of Tenable Nessus, there are elements of complexity. However, the complexity depends on the use case. The solution is not that difficult to implement; the complexity comes from the many things that are involved. You do not need to be an expert; there are many parts that need to be set up.

We had Linux servers built and the Tenable Nessus software was installed on top of that. It was relatively simple as far as that goes.

I rate the ease of setup of Tenable Nessus a three out of five.

What about the implementation team?

We did the implementation in-house.

We have two administrators and one SME that does the supporting of Tenable Nessus.

What was our ROI?

It is difficult to show or rate ROI from a security standpoint, it is similar to having car insurance. When there are vulnerabilities out there, we can quickly look because we're scanning all the time at what our vulnerabilities are. Tenable Nessus is used for keeping our infrastructure safe.

What's my experience with pricing, setup cost, and licensing?

Tenable Nessus needs to be licensed. We own a license for the security center and that license is charged by the number of IP addresses that you can scan. You're allowed to have as many scanners as you want and there's no license for the number of scanners. We have a bunch of Nessus scanners out there, and as long as we're comfortable with staying under that IP address limit, that's really all we have to be concerned about.

We pay a monthly maintenance fee, which is reoccurring.

Which other solutions did I evaluate?

We did evaluate other solutions before choosing Tenable Nessus, such as Rapid7. We chose Tenable Nessus because it was used by more customers and it seemed at the time to be more straightforward.

What other advice do I have?

Security is a complicated subject. There's a lot involved in Tenable Nessus, but the solution is easy to run and manage and we have had a lot of good success with it.

I rate Tenable Nessus a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2075424 - PeerSpot reviewer
Head of IT security at a financial services firm with 10,001+ employees
Real User
Helps with vulnerability management trafficking across an entire group
Pros and Cons
  • "I am impressed with the tool's vulnerability scanning."
  • "The tool needs to upgrade asset tracking."

What is our primary use case?

We use the solution for vulnerability management trafficking across an entire group. 

What is most valuable?

I am impressed with the tool's vulnerability scanning. 

What needs improvement?

The tool needs to upgrade asset tracking. 

For how long have I used the solution?

I have been using the tool for two years.

What do I think about the stability of the solution?

The solution is extremely stable. I would rate the tool's stability a nine out of ten. 

What do I think about the scalability of the solution?

I didn't encounter any issues with scalability and I would rate it a nine out of ten. We have around 3000 user endpoints that are being monitored. My company has around 20 users for the tool.

How are customer service and support?

Our local partner helps with the support. 

How was the initial setup?

I would rate the tool's setup a seven out of ten. It is not an easy setup but with proper support, the process is doable. 

What was our ROI?

The solution gives us ROI since it offers visibility and helps to tighten controls in our network. 

What's my experience with pricing, setup cost, and licensing?

I would like to see better discounts. 

What other advice do I have?

I would rate the solution a nine out of ten. It is one of the best tools to use if compliance is your priority. 

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Expert at Birlasoft India Ltd.
Real User
Provides network and device scanning and allows us to pull reports that identify vulnerabilities
Pros and Cons
  • "The vulnerability scanner is the most valuable feature."
  • "I would like to see more on the automation side."

What is our primary use case?

We use this solution for network and device scanning. Massive scanners have been integrated with the security center. We scan devices and pull the report from the security center. We publish the report to respective stakeholders, and we maintain the reports for our records. The reports show vulnerabilities, plugin text, and plugin outputs. We analyze the report and try to close the vulnerabilities identified in the scan.

The solution is deployed on-premises.

There are about 10 people using this solution in my organization. They were part of the security team and were doing the scanning and remediation. I led the team and dealt with any challenges.

My organization is a service provider. We provide security services to clients.

What is most valuable?

The vulnerability scanner is the most valuable feature. It's an important feature for us. We use the plugin output for that. It shows us the exact version of Nessus and what is needed for remediation. Based on that, we decide what should be remediated first to get the best result for security.

The agent scanner is a valuable feature. We also do credential scans, which gives the equivalent report. In the log project situation, we receive very good support from Nessus. They have built one policy for the log project itself. With the help of that policy and the plugins specified for the log project, the scans were faster for that project.

If we run a scan, it will usually check all of the plugins, which is a time-consuming process. We received help, and we had one plugin for the log project. That was for checking the log project only because we were already done with the complete scan.

What needs improvement?

I would like to see more on the automation side. There should be proper tools and support for automation in Tenable itself.

For how long have I used the solution?

I have used this solution for more than four years.

What do I think about the stability of the solution?

It's a stable solution, but we noticed that the agent wasn't being updated. This means we have to update it manually and run a few commands to get the service running. If the solution isn't updated with the latest version, it will go offline.

How are customer service and support?

We receive very good technical support from the team in India. We're very happy with them. I'm also in touch with some people from Tenable India. They helped me understand the requirements and the solution's latest features.

I would rate technical support as four out of five because they could always improve.

How was the initial setup?

Initial setup was easy. That's why I proposed the solution to my current organization. 

The deployment process completely depends on approvals and how we're getting the procurement of hardware and the licenses. It depends on the organization.

What's my experience with pricing, setup cost, and licensing?

The solution is worth the cost. It's a good investment. 

Which other solutions did I evaluate?

I have also evaluated Qualys. There were some missing features, so we weren't able to detect vulnerabilities related to specific software, like Adobe and Java.

I have also used Tenable.sc.

What other advice do I have?

I would rate this solution as eight out of ten. 

For those who want to use this solution, my advice is to go to Tenable's website and read about the solution so you can properly understand its features. There are demo videos too. That will help you make a decision about whether you want to use the tool or not.

I would definitely recommend this solution to others who want to use it.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
AmardeepSingh - PeerSpot reviewer
Programmer at eClerx Services Limited
Real User
Quick new vulnerabilities support, reliable, but security assessment could improve
Pros and Cons
  • "The most valuable feature of Tenable Nessus is the support it provides for any new vulnerabilities quickly."
  • "Tenable Nessus application device assessment is one of the top tools. However, in the application security assessment, there are other tools that provide better, and more accurate findings."

What is our primary use case?

We use Tenable Nessus internally for our vulnerability scan and dynamic vulnerability assessments.

How has it helped my organization?

Tenable Nessus has helped us with better visibility of the current security posture of our infrastructure and helped us be proactive about remediating those findings.

What is most valuable?

The most valuable feature of Tenable Nessus is the support it provides for any new vulnerabilities quickly.

What needs improvement?

Tenable Nessus application device assessment is one of the top tools. However, in the application security assessment, there are other tools that provide better, and more accurate findings.

In a future release, I would like to see all SC reporting features included in the Professional version.

For how long have I used the solution?

I have been using Tenable Nessus for approximately five years.

What do I think about the stability of the solution?

Tenable Nessus is stable.

What do I think about the scalability of the solution?

The stability of Tenable Nessus is good.

We don't have a very big security team. It's four or five people who are using it.

How are customer service and support?

We have used the support from Tenable Nessus. The support was relatively good.

How was the initial setup?

The initial setup of Tenable Nessus was straightforward, we did not have any issues.

What about the implementation team?

The deployment of Tenable Nessus was done in-house.

The solution is not difficult to maintain at the scale we are working on it.

What was our ROI?

We have seen a return on investment by using Tenable Nessus.

What's my experience with pricing, setup cost, and licensing?

The newer tools are quite pricey. There is a case of some fine tuning that can be done in terms of licensing. The IP based licensing that is offered makes the tool very expensive. If they want the IT industry to adopt it, the price should be looked at.

For the professional the cost is reasonable. However, if you go to an HC or IO platform, then the price is high. Even though the scan engine is the same, the additional features for dashboarding and reporting should not cost more than the solution itself or the intelligence of the tool to identify those findings.

There are not any fees

What other advice do I have?

In terms of the identification of vulnerabilities, this is a good tool. The engine it uses is accurate. However, it depends on which tool out of the stack you would use, and the scale of the infrastructure.

I rate Tenable Nessus a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user