The solution is used to check vulnerabilities.
Senior cybersecurity engineer at an aerospace/defense firm with 5,001-10,000 employees
A scalable and mature solution that has excellent features and provides visibility into vulnerabilities in the environment
Pros and Cons
- "It is a mature tool."
- "The product must be more comprehensive."
What is our primary use case?
What is most valuable?
The product has good features. It gives us a view of the vulnerabilities like open ports and different issues with software. It is a mature tool.
What needs improvement?
The product must be more comprehensive. It must catch all the issues.
For how long have I used the solution?
I have been using the solution for a few years.
Buyer's Guide
Tenable Nessus
October 2024
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
I rate the tool’s stability a nine out of ten. The stability could be improved.
What do I think about the scalability of the solution?
The tool is scalable. We have three users. We need a team to maintain the product.
What about the implementation team?
The deployment can be done in-house.
What other advice do I have?
I recommend the solution to others. I rate the solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Architect at a logistics company with 10,001+ employees
The vulnerability priority rating has been accurate and helps us prioritize effectively, based on risk
Pros and Cons
- "The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing."
- "There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product."
What is our primary use case?
We use it for internal and external vulnerability scans.
How has it helped my organization?
Instead of just looking at high, medium or low risk for vulnerabilities, and having to remediate all of them, we can remediate in a more effective manner. We have limited resources for remediation work and we want to spend our time on the most critical issues.
It helps us focus resources on the vulnerabilities that are most likely to be exploited. It gives a higher VPR number where the things are more likely to be exploited, instead of just using the pure severity rating as a way to prioritize and decide to remediate.
What is most valuable?
The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing.
When it comes to vulnerability prioritization, Tenable's predictive features are off to a great start. It's definitely giving us more data to help prioritize, instead of just relying on straight CVSS. The vulnerability priority rating has been accurate and is helping us prioritize effectively, based on risk or based on the likelihood of being exploited. Based on what they say, and comparing it to what we are seeing with malware exploits, their predictions are lining up with what we are seeing being exploited.
What needs improvement?
There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product.
There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.
For how long have I used the solution?
I have been using Nessus for three years at my current company.
We monitor Windows, Linux, Mac, workstations, servers, and cloud resources.
What do I think about the stability of the solution?
It's very stable. We haven't had any issues. There has been no database corruption or anything like that. All we've had to do to the main Security Center is give it more disk space to save more data. That's it.
What do I think about the scalability of the solution?
The scalability is okay. We would definitely run into issues if we wanted to save a longer history of the data. It would be terabytes and terabytes of data. But in terms of at least keeping all the data for all the assets that we have, it's good. We're good enough with the retention. It meets our requirements.
The issues would be storage and being able to search across it. If we needed to save five years of scan history, it would be operationally difficult to use all the data that would be saved. But it's not problematic to look at the current data or trends for the past six months. Stuff like that is fine.
We're at about 20,000 hosts and it's pretty stable. I don't think we're going to do a big increase.
How are customer service and technical support?
Tenable's technical support is good, except for things that involve some of the custom development work that we've done using their API. Early on, that was problematic, but they've gotten better and released more API documentation and sample code, and that was fine.
It was nothing that was wrong with the product itself, but tech support is more designed for normal user interactions with the product, not doing development against the API. The problem with my code was because some documentation wasn't clear or there wasn't a sample for how to do this. That's where it was a little bit tougher. The normal user-function stuff was totally fine. It was really the developer-focused side.
Which solution did I use previously and why did I switch?
We were on Rapid7. We switched because of scalability and performance.
We were looking for a solution that could handle and scan our volume of assets. It wasn't working with our previous solution. Nessus has scalability. Being able to scan in time and actually being able to report on that data were things we couldn't do with our old solution.
Also, the level of visibility that Tenable provides is much better than Rapid7 because we're able to actually see all of the data that was collected and we're able to scan for vulnerabilities and config issues and pull all the data together. We were having real trouble with that before.
How was the initial setup?
The initial setup was straightforward. We were easily able to set up scan policies, asset groups, scan schedules, and start collecting data very quickly.
It wasn't complicated to define what we wanted to scan. It wasn't complicated to set up the credentialed scans, or to set up the different credentials for the different policies and different types of machines. Everything that goes into building a scan policy was straightforward and we were able to get all of our assets scanned pretty quickly. Within 45 days of buying, we had good data and had done multiple scans already with all of our assets.
Our implementation strategy was that we wanted to set up credentialed scans for all of our machines as quickly as possible. We were working towards that and trying to get the coverage in Tenable as soon as possible.
What about the implementation team?
We did it ourselves.
What was our ROI?
We are fulfilling our goals and able to deliver on the requirements that we have. It's hard for security to be a real ROI. We need to do vulnerability scanning, we need to know where the issues are and we need to be able to fix them. It is doing that.
What's my experience with pricing, setup cost, and licensing?
Our licensing is on a yearly basis but we did a three-year deal. It is a fixed cost to cover a certain number of hosts or assets. There are no additional costs to the standard licensing fees.
What other advice do I have?
Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network.
The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better.
The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that.
The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
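The prioritization the reviewer above describes, ordering remediation by VPR instead of by raw CVSS severity and then mapping the result onto a "fix within N days" policy, as an added example that is not part of the original review and not Tenable's own code. It assumes a scan export in CSV form with the columns Host, Plugin ID, Name, Risk, CVSS v3.0 Base Score and VPR Score; the sample rows, plugin IDs and hosts are constructed for the example, and the SLA day counts are placeholder policy values to be replaced with your own.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample export: column names follow the fields a Nessus/Tenable.io
# CSV export carries, but every row, host and plugin ID below is made up.
# The last row deliberately has no VPR so the fallback path is exercised.
SAMPLE_CSV = """Host,Plugin ID,Name,Risk,CVSS v3.0 Base Score,VPR Score
10.0.0.5,900001,Weak cipher suite on legacy service,High,7.5,3.2
10.0.0.5,900002,Remote code execution in web application,Critical,9.8,9.1
10.0.0.7,900003,Local privilege escalation in kernel module,Medium,5.5,8.0
10.0.0.9,900004,Denial of service in network daemon,High,7.5,4.4
10.0.0.9,900005,Version disclosure in HTTP banner,Low,3.1,
"""

# Tenable's published VPR severity bands, highest floor first.
VPR_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

# Placeholder policy: maximum days to remediate per band. Substitute your own.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "Unscored": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    name: str
    risk: str
    cvss: float
    vpr: Optional[float]  # None when the export carries no VPR for the plugin


def parse_export(text: str) -> list:
    """Parse a CSV export into Finding records; blank VPR cells become None."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        vpr_raw = (row.get("VPR Score") or "").strip()
        findings.append(Finding(
            host=row["Host"],
            plugin_id=row["Plugin ID"],
            name=row["Name"],
            risk=row["Risk"],
            cvss=float(row["CVSS v3.0 Base Score"] or 0.0),
            vpr=float(vpr_raw) if vpr_raw else None,
        ))
    return findings


def rank_by_cvss(findings: list) -> list:
    """Pure severity ordering, the approach the review says is not enough."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.plugin_id))


def rank_by_vpr(findings: list) -> list:
    """Risk-based ordering; a finding without VPR falls back to its CVSS score
    so it is never silently dropped from the queue."""
    def key(f):
        primary = f.vpr if f.vpr is not None else f.cvss
        return (-primary, -f.cvss, f.host, f.plugin_id)
    return sorted(findings, key=key)


def vpr_band(vpr: Optional[float]) -> str:
    """Map a VPR score onto its severity band."""
    if vpr is None:
        return "Unscored"
    for floor, label in VPR_BANDS:
        if vpr >= floor:
            return label
    return "Info"


def rank_shift(findings: list) -> dict:
    """(host, plugin id) -> (1-based rank under CVSS, 1-based rank under VPR).
    Shows which findings move up or down once likelihood of exploitation counts."""
    cvss_pos = {(f.host, f.plugin_id): i for i, f in enumerate(rank_by_cvss(findings), 1)}
    vpr_pos = {(f.host, f.plugin_id): i for i, f in enumerate(rank_by_vpr(findings), 1)}
    return {k: (cvss_pos[k], vpr_pos[k]) for k in cvss_pos}


def remediation_queue(findings: list) -> list:
    """VPR-ordered work list as (host, plugin id, band, days allowed by the
    placeholder SLA), which is the policy statement the review wants to express."""
    queue = []
    for f in rank_by_vpr(findings):
        band = vpr_band(f.vpr)
        queue.append((f.host, f.plugin_id, band, SLA_DAYS[band]))
    return queue


if __name__ == "__main__":
    items = parse_export(SAMPLE_CSV)
    for key, (c_rank, v_rank) in rank_shift(items).items():
        print(f"{key[0]:10} plugin {key[1]}: CVSS rank {c_rank} -> VPR rank {v_rank}")
    for host, pid, band, days in remediation_queue(items):
        print(f"{host:10} plugin {pid}: {band:9} fix within {days} days")
```

In the constructed data the Medium-rated local privilege escalation moves from fourth place under CVSS to second under VPR, which is the kind of reordering the reviewer describes; the unscored row stays in the queue via the CVSS fallback rather than vanishing.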
Security Compliance Officer at a tech services company with 51-200 employees
Easy to use, and provides good visibility, but the user interface could be improved
Pros and Cons
- "The most valuable aspect of this solution is that you receive the entire report, which details the breakdown, especially in terms of critical, high, low, and mediums."
- "To be honest, I haven't used it much to tell you that these are the things that should be improved. But I believe the UI should be enhanced somewhat. For example, there are two ways to find a report, and people are frequently confused as to which is the correct method for locating a full report. Sometimes they go in the opposite direction, so this is an area that may be improved."
What is our primary use case?
Every month, I had this Windows Gold image scan. I would obtain some IP addresses, create some rules, and then run them.
Then there were the automated jobs that I and my colleagues would arrange to execute.
They would run at night so they wouldn't interrupt the systems.
We would enter some IP addresses for workstations and servers. Some were in a highly secure zone, while others were in a separate subnet. We enter those IP addresses and run them, scheduling them to run biweekly or weekly.
What is most valuable?
The most valuable aspect of this solution is that you receive the entire report, which details the breakdown, especially in terms of critical, high, low, and mediums. It also informs you exactly what was wrong with it. Then I believe it copies the CVSS score as well.
What needs improvement?
To be honest, I haven't used it much to tell you that these are the things that should be improved. But I believe the UI should be enhanced somewhat.
For example, there are two ways to find a report, and people are frequently confused as to which is the correct method for locating a full report. Sometimes they go in the opposite direction, so this is an area that may be improved.
For how long have I used the solution?
I have been using Tenable Nessus for quite some time.
What do I think about the stability of the solution?
Tenable Nessus is pretty stable.
What do I think about the scalability of the solution?
Tenable Nessus is a scalable product.
How are customer service and support?
I did not deal with technical support at all.
Which solution did I use previously and why did I switch?
I used Nessus from JSON for a Gold image and vulnerability scans in my previous role.
I'm also seeking the same type of tenant for internal vulnerability scans like Qualys.
We now use Qualys, but we haven't fully utilized its features, and I'm searching for something specialized for our internal vulnerability scan program.
How was the initial setup?
I did not set it up myself, to begin with.
What other advice do I have?
It is a good tool. It's not difficult to understand. It shouldn't be an issue as long as you know what you're doing.
I would rate Tenable Nessus a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager Information Security at NCCPL
Anyone can deploy it, even the managers, the technical teams, and the engineers
Pros and Cons
- "With the Tenable Nessus enterprise edition, you have unlimited licenses to scan the device."
- "The reporting feature needs to be improved."
What is our primary use case?
We are using it to find out the vulnerabilities in our critical servers and to patch them.
We are using the latest version.
What is most valuable?
Tenable Nessus is good. It's the best vulnerability solution in the industry. Most organizations are using it.
What needs improvement?
In terms of what could be improved, I would say that the reporting feature needs to be improved.
Additionally, although it has the features, the enterprise edition is very limited. They need to add multiple reporting features in the enterprise edition.
For how long have I used the solution?
I have been using Tenable Nessus for the last two years.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
Tenable Nessus is a vulnerability product. We have two to three users who are running it, but in terms of the end devices, because it's intended for vulnerability scanning and you have to scan your end devices, we have around a hundred devices that are scanned with it.
It is a scalable solution.
How are customer service and support?
We contacted support for some scenarios, like upgrades, new security patches, and for some customized reports.
We were satisfied with the speed of the answers. It is good support.
How was the initial setup?
The initial setup is very easy.
Anyone can deploy it, even the managers, the technical teams, and the engineers.
I think it took five minutes.
What about the implementation team?
We installed with the help of a consultant. You can do it one time and then you will learn it very easily.
What's my experience with pricing, setup cost, and licensing?
We have an annual subscription.
Which other solutions did I evaluate?
We also evaluated the Rapid7 Nexpose product, but it has a limitation that it supports 128 users, and then you have to buy another 128, but with the Tenable Nessus enterprise edition, you have unlimited licenses to scan the device.
What other advice do I have?
I would recommend Tenable Nessus.
On a scale of one to ten, I would rate it an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Cyber Security engineer at a tech services company with 201-500 employees
Easy to understand but is lacking technical support
Pros and Cons
- "A valuable feature of the solution is that it is easy to understand."
- "We feel the solution's technical support to be very bad."
What is our primary use case?
We usually use the solution for infrastructure level and web application scanning, although mostly for the former. This is what we are doing at present. We were using the web application portion of Tenable Nessus for several months before switching to Veracode.
What is most valuable?
A valuable feature of the solution is that it is easy to understand. When it comes to running a scan, the scanning mechanism is also easy, and it is quite fast compared to Veracode and Qualys.
What needs improvement?
The solution should have a more in-depth level of scanning, with features to meet the developers. Other points that should be addressed involve the understanding of issues by the users and the need for improving the reporting structure. The reports should also be more attractive and user-friendly.
This is how Tenable Nessus occasionally works when drawing up something on the field.
Additional features I wish to see addressed in the next release include customer support and ease of understanding of vulnerabilities and how they can be fixed.
In contrast to Tenable Nessus, we have found Veracode to be more user-friendly, with a greater in-depth understanding of the details and how things can be fixed. Other points in its favor include study cases, customer support, training and e-learning.
The solution is sort of in the mid range, so we are happier with Veracode.
For how long have I used the solution?
We have made use of Tenable Nessus over the past 12 months, and started doing so a couple of months before we got Veracode.
What do I think about the stability of the solution?
The solution is reliable and has good stability.
What do I think about the scalability of the solution?
We have been in the web, so we have not tried to expand the solution.
How are customer service and technical support?
We feel the solution's technical support to be very bad.
While we do receive a response upon creating a ticket, it is not like that of Qualys or Veracode. That extensive support is not there.
How was the initial setup?
The initial setup was straightforward.
We deployed under the release plan of 8.11.
What's my experience with pricing, setup cost, and licensing?
We incurred a single cost for a perpetual license, although I cannot comment on the price as this is above my management level.
What other advice do I have?
There are at least ten people in our organization making use of the solution.
Tenable Nessus is an appropriate solution for a small scale company, one with budgeting constraints and no complexities within the organization. It is not that user-friendly.
I would rate Tenable Nessus as a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Enabled us to fix holes in our network, but having vulnerabilities fixed by the solution would be better
Pros and Cons
- "The most valuable feature is how it scanned and detected through its database to let us know exactly what fixes we needed to put in place for the vulnerabilities. It detects and it also gives you the way to fix it."
- "There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it."
What is our primary use case?
It is used for vulnerability management. We used Nessus to scan our machines to see how they were vulnerable, for patches or security. The CVE numbers are what we looked at, the security vulnerability, and tried to figure out what we were vulnerable to.
We monitored Windows Servers, Windows workstations, Linux servers, firewalls, switches, VMware equipment, and Cisco UCS hardware through the application.
How has it helped my organization?
We were a lot less vulnerable after implementing the changes that the application recommended.
The solution helped limit our company's cyber exposure by pointing out every single vulnerability we had and showing us how to fix them. By following the application's directions, we were less vulnerable to attackers. By implementing what the application told us to implement, we were able to fix the holes in our network and prevent any attackers from coming in.
What is most valuable?
The most valuable feature is how it scanned and detected through its database to let us know exactly what fixes we needed to put in place for the vulnerabilities. It detects and it also gives you the way to fix it.
The product's VPR did a great job in prioritizing and giving the highs versus the mediums; it did a great job providing the different ratings and priorities.
What needs improvement?
The Nessus predictive prioritization feature is very nice, the way it displays. The interface could look better, but it has everything it needs. It could do a better grouping of the workstations and run a better schedule. But it was sufficient in what it provided.
There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it.
For how long have I used the solution?
I used Nessus for about three years.
What do I think about the stability of the solution?
It was very stable. We didn't have any outages or downtime during its use.
What do I think about the scalability of the solution?
The scalability was very good. We were able to deploy it into multiple remote sites using the scanners. You can deploy separate scanner VMs into remote locations where you don't have access. They have Tenable.io in the cloud, which allows you to do all that.
I used it in a very large environment. Just in my sector, we had about 5,000 workstations along with about 150 servers. So it was a pretty sizable environment. The company was using it for a much bigger purpose. It had between about 50,000 and 100,000 workstations and about 10,000 servers.
In my environment we had about seven users logging into it. The company as a whole had about 150 users. They were security engineers, security administrators, system administrators, and system engineers. For maintenance of Nessus, there was only a team of about 15 people.
How are customer service and technical support?
I rarely had to call technical support. There was one time when we were troubleshooting a VMware scan. They got on and were helpful, but they weren't able to provide a solution quickly enough. I would give them a three out of five.
How was the initial setup?
I found the setup to be simple. The interface was very intuitive. It was simple yet functional.
What was our ROI?
Without Nessus, we would have had a lot more vulnerabilities which would have opened the doors to potential attacks. And attacks would have cost the company a lot more money.
What other advice do I have?
Know that it's only a detection tool and that it has limitations as a detection tool, but the deployment can be pretty scalable.
The solution didn't reduce the number of critical and high vulnerabilities we needed to patch first. It tells you what the critical vulnerabilities are that you need to patch, but it didn't reduce anything. It doesn't patch it for you.
I would give Nessus a seven out of ten, as it doesn't automatically resolve the vulnerabilities. There are tools out there that give you an option: "Hey, do you want me to patch that vulnerability?" You just hit "yes" and it automatically does it. Nessus doesn't do that. And, as I said, the grouping could be a little bit better.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Head of IT security at a financial services firm with 10,001+ employees
Helps with vulnerability management trafficking across an entire group
Pros and Cons
- "I am impressed with the tool's vulnerability scanning."
- "The tool needs to upgrade asset tracking."
What is our primary use case?
We use the solution for vulnerability management trafficking across an entire group.
What is most valuable?
I am impressed with the tool's vulnerability scanning.
What needs improvement?
The tool needs to upgrade asset tracking.
For how long have I used the solution?
I have been using the tool for two years.
What do I think about the stability of the solution?
The solution is extremely stable. I would rate the tool's stability a nine out of ten.
What do I think about the scalability of the solution?
I didn't encounter any issues with scalability and I would rate it a nine out of ten. We have around 3000 user endpoints that are being monitored. My company has around 20 users for the tool.
How are customer service and support?
Our local partner helps with the support.
How was the initial setup?
I would rate the tool's setup a seven out of ten. It is not an easy setup but with proper support, the process is doable.
What was our ROI?
The solution gives us ROI since it offers visibility and helps to tighten controls in our network.
What's my experience with pricing, setup cost, and licensing?
I would like to see better discounts.
What other advice do I have?
I would rate the solution a nine out of ten. It is one of the best tools to use if compliance is your priority.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at a computer software company with 11-50 employees
Simple implementation, beneficial vulnerability assessments, and helpful support
Pros and Cons
- "The most valuable feature of Tenable Nessus is vulnerability assessments. There are a lot of threats around the world and this solution is the first to come out with detection rules."
- "Tenable Nessus could improve the reporting by adding some dashboards. The reports are a hassle at this time. Tenable.io has more detailed reports. Having a better dashboard that can show where the vulnerabilities are and be categorized would be helpful. We then could present them to upper management for a deep overview of our network posture which they do not see."
What is our primary use case?
We are using Tenable Nessus for vulnerability management. Not exactly the management, but we perform vulnerability assessments mostly for internal networks. Additionally, we use Acunetix and it comes into play for the web application.
What is most valuable?
The most valuable feature of Tenable Nessus is vulnerability assessments. There are a lot of threats around the world and this solution is the first to come out with detection rules.
What needs improvement?
Tenable Nessus could improve the reporting by adding some dashboards. The reports are a hassle at this time. Tenable.io has more detailed reports. Having a better dashboard that can show where the vulnerabilities are and be categorized would be helpful. We then could present them to upper management for a deep overview of our network posture which they do not see.
For how long have I used the solution?
I have been using Tenable Nessus for approximately seven years.
What do I think about the stability of the solution?
Tenable Nessus is stable.
What do I think about the scalability of the solution?
Tenable Nessus is scalable, it can scale up and down.
We have five or six people using this solution occasionally. We have monthly schedules for scanning, the solution is not used daily.
How are customer service and support?
The support of Tenable Nessus is responsive and helpful.
I rate the support from Tenable Nessus a five out of five.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have previously used Acunetix and they are more focused on web applications instead of vulnerability assessments. Tenable Nessus lacks in this area, they should focus more on the web applications side.
How was the initial setup?
The initial setup of Tenable Nessus is straightforward. There is helpful documentation that is provided.
I rate the setup of Tenable Nessus a five out of five.
What about the implementation team?
We did the implementation of the solution in-house.
What's my experience with pricing, setup cost, and licensing?
When comparing the price of Tenable Nessus to other similar solutions, such as Acunetix, Tenable Nessus is not as expensive. It is priced around the market average. We pay for the solution annually.
What other advice do I have?
My advice to others wanting to implement this solution is that they need to understand what will be scanned. For example, whether they are scanning internal servers or something similar, whether it is in the cloud, or web applications: this is something they need to know. It's a good idea to evaluate these things on their end before choosing to use the solution. This solution focuses more on the servers or the network security side. Acunetix focuses more on the web application side. This is where the buyer has to evaluate and know their use case.
I rate Tenable Nessus a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.