Tenable Security Center Reviews

We use the solution for patch and vulnerability management. We scan our critical systems, keep track of any exploitable vulnerabilities, and prioritize their remediation efforts in terms of patching. 

In the future, we hope to extend the solution to our cloud services. We are moving to Azure Cloud and planning to start a DevOps initiative that might include container deployment. We know Tenable has the CI/CD pipeline security support so we will seek that solution when we are ready. 

The solution has a lean and easy-to-use interface that is not confusing to first-time users.

The solution should include compliance-based scanning. 

I have been using the solution for three weeks but my company has been using it for one year. 

The solution is very stable. 

The solution is scalable and we are happy with the way it is operating. 

We currently have forty users and a team of four for maintenance. 

Technical support has been excellent and provides a lot of support when needed. 

The company was using OpenVAS, an open-source solution that is miles apart from Tenable. 

At a previous job, I used Rapid7 which compares strongly to Tenable. 

I did not handle the initial setup but know from previous implementations that setting up a vulnerability management solution can be somewhat complex because it involves loading assets, configuring the network, and authenticating.

The ROI is almost guaranteed because there is a lot of value in using the product and reporting that to our company. 

The price is reasonable based on our scope of work and how we use the solution. 

The rule is always garbage in, garbage out. Be sure to configure the solution well and take advantage of technical support to understand how things should work. Mistakes are made when people assume they know how to do things. I believe in using technical support to confirm the process and ensure everything is done correctly. 

I rate the solution a ten out of ten. 

We use Tenable SC for internal vulnerability scans with agents, and agentless scanning in the cloud. For example, we're scanning the AMI in the cloud and making it part of the base image.

The most valuable features of Tenable SC are scanning, reporting, dashboards, and automation.

Tenable SC can improve by adding more integrations with HCI-type tools and more accurate vulnerability detection.

I have been using Tenable SC for approximately three years.

Tenable SC is stable.

The scalability of Tenable SC is scalable.

We have more than 10,000 people using this solution. We are using the solution extensively.

The support from Tenable SC is good.

I rate the support from Tenable SC a four out of five.

We previously used Qualys.

The implementation of Tenable SC is straightforward. It took us approximately two to three months to complete.

I rate the initial setup of Tenable SC a four out of five.

We did the implementation of Tenable SC in-house. We used five or six staff members for the process and we did most of it through automation. We have engineers, managers, administrators, and product managers assisting.

I would recommend this solution to others.

I rate Tenable SC an eight out of ten.

Our customers use the product for scanning their network for vulnerabilities.

Tenable is the leading product for vulnerability scanning. Most of the customers use Tenable in our region. The customers are happy with the product.

People do not prefer the solution for web applications. They prefer Acunetix or Netsparker over Tenable for web applications. The solution should provide better web application features and support. It could provide some add-ons to customers.

I have been using the solution for the past six months.

I rate the tool’s stability a ten out of ten.

We have 15 to 25 customers who use the solution. I rate the tool’s scalability a nine out of ten.

The support team was helpful. Usually, we don't contact the support team because our engineers do the installation. It's not so complicated.

Positive

The initial setup is easy. We have certified engineers of the product.

Two engineers are needed to maintain the solution. The time taken for deployment depends on the prerequisites of the customers. If the customers provide all details to us at the proper time, we can deploy the solution in two to three days.

The annual licensing fee of the product is $25,000. The pricing depends upon the number of IPs. There are no additional fees associated with the solution.

I am dealing with the latest version of the solution. It's a very good product to use. Overall, I rate the product a nine out of ten.

We use Tenable SC for compliance and vulnerability scans. 

We are fully updated in terms of the version, and we have its latest version.

Compliance and vulnerability scans are most valuable. Compliance scan helps in validating how our teams are complying, and vulnerability scan helps in future-proofing. Its vulnerability detection is accurate.

Its reporting can be improved. It is not easy to generate a scan report the way we want. The data is okay, but we can't easily change the template to make it look the way we want.

I have been using this solution for about two years.

It is stable and reliable, but it also depends on the on-premise resources.

It is easy to scale. It is currently being used by a few people in our company.

We sometimes took support from Tenable when we had issues with the scans and we couldn't get the results. They were helpful. It is easy to get support.

It is easy to set up. We need to set it up from the appliance.

We can do it on our own, but we sometimes need help from the vendor.

Its maintenance is done from our side.

It is a bit expensive. Everything is included in the license.

It has been good so far. I would rate it an eight out of 10.

I primarily use this solution for vulnerability assessment on the assets that we have. This includes servers, network equipment, appliances, routers, firewalls, and switches. 

Before, we did manual management of our assets. We have an EXO file that has all our assets in it. They have the IP address and all the details of each equipment. We manually enrolled those assets to our vulnerability scanning tool for them to be scanned on a monthly basis and check what new vulnerabilities they may have. With the  Security Center, we are able to automate. We were able to automate how we enroll our assets in the Security Center, and the scheduling of when we scan each asset, and how we report them to respective system owners. We are trying to use it as a channel of a self-service platform to the system owners or system administrators. It helps to access the Security Center for them to review the vulnerabilities that the equipment or the servers may be assigned or under the domain.

We really love the Security Center dashboard. It performs vulnerability scanning and then outputs vulnerability data. When you are working with one, two, three, up to 10 IT pieces of equipment, managing the vulnerability data would just be fine, but when you are managing assets across an organization of 10,000+ employees, you have a really hard time normalizing those vulnerability data. The dashboard helps us out to map what things need to be prioritized, what is our current threat landscape and what would be the latest threats that we have in our network.

One of the challenges that we may have experienced with that platform would be the flexibility of how to modify or create. They have this configuration compliance audit function, so if ever an organization has their own configuration standards that should be set on their servers, you have to modify those plugins in Tenable for it to match the specific values that you are looking for when you perform the configuration assessment on your equipment. It is a small challenge because it uses regular expressions on their plugins and so we are having a hard time either creating a blank template from scratch. We usually base our compliance audit plugin on an existing one and then modify the values or describe whatever is not up to our standards. A good plugin editor is an additional option for the Security Center.

Whenever you have a vulnerability scan running of  5000 IP addresses all at the same time running, it tends to keep resources on the Tenable server itself, a huge amount of CPU and memory. Right now, it's still goes up, but at least it's below the threshold, which I think would be 73% or 75%.

As long as you can buy the license, you can easily add up until you need an additional scan engine.

We previously used Qualys Virtual Scanner Appliance.

Setup is easy as long as you have the right hardware requirements. The deployment took about a week. We used two network guys, two system admins, one application admin, and two security admins to implement the solution.

The longer process was on the hardening part of the components of the servers. We had to install everything on servers, all the dependencies, all of the software that Tenable needs, including the Security Center itself, and then once everything is installed, meaning everything is locked down, no other software is needed to be added to it. We performed a patch check and configuration checks on it to see they have met our standards. After that, we requested the connectivity performance from our firewall team and performed discovery across our network, if it will be able to see all the systems or all the IPs or all the networks that we have in our network. That would be one of the long processes that we took since there were a lot of different network segments that each engine or each Tenable component will pass through. We had to look for each one, just to make sure that we have the full coverage of our network.

We're able to save because we don't have to employ more staff members to help with the scheduling of the scans, running the reports or sending them out to the system owners. That alone is a big ROI. A massive security breach would cost us a lot. This is a preventative measure worth our investment.

Before, just preparing the monthly scans alone would take us about two weeks to set up. Then, we would have to wait for at least another two weeks for those assessments to be done, for the scanning to be done, and then it will take us about another two weeks to generate the report before we can send them out to the system owners. That's the reason why those were our main drivers, as well, for us to push the use of the Tenable Security Center as a self-service platform to the system owners. The quick turnaround time in terms of generating reports and sending them out to the respective system owners is significant.

The dashboard is a valuable feature. So is the scanning, which is based on the nexus and the scripts. The solution offers an extremely limited margin of error, of obtaining false positives within it. These are its strengths. 

Everything in life has room for improvement. While I consider the solution to perform as it should, most customers, for the wrong reasons, wish for it to have the penetration testing capabilities. This is not a problem with the product, but with the demands of the customer and I remain uncertain if I can meet these. 

The pricing is reasonable, but this could be brought down more aggressively, such as we see with Rapid7, Tenable SC's main competitor. 

An easily installable and very scalable and stable solution which boasts great dashboard and scanning features

The solution is one of the most, if not the most, stable product available. 

The solution is scalable. It can go up many thousands of endpoints for scanning purposes.

Technical support does what it should. The solution is pretty straightforward and simple. As such, as with all vulnerability management solutions, it will not need much technical support and this is rarely required. I am referring to the need to address bugs. Mainly, the support will focus on the search for new features or reports. 

The initial setup is straightforward and very easy. 

Though reasonable, the main competitor of Tenable SC, Rapid7, offers a more aggressive and better priced product. 

The size of our customers run the gamut, from small medium to large, in certain cases exceeding 5,000 IPs. 

I would definitely recommend the solution. 

I rate Tenable SC as an eight-plus out of ten. 

At work we use the enterprise version of Tenable, Tenable.io, and I also use Tenable.sc — which I refer to as SecurityCenter — for local scanning.

I use Tenable SecurityCenter every day to scan our entire environment for vulnerabilities. I use a local license during the discovery process for penetration testing. So I'll do an en masse scan, and then also do a scan with Tenable to scan for IPs and vulnerabilities.

User-wise, with Tenable SecurityCenter, there's different roles. We have security analysts, admin, etc. I'd say there's probably four or five different roles from people that can just go in and view. Security analysts can upload manual scans and create dashboards and download reports. Then administrators can create accounts, assign roles and responsibilities, and things like that.

Tenable SecurityCenter has absolutely improved our organization, by making everything more secure and helping ensure solid vulnerability management.

The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful.

I'm pretty happy with it, but I do see a lot of stuff coming out about risk-based vulnerability management. And so I've been looking at that. I don't think we're using that as of yet and it seems like a newer feature they're talking about a lot that I'm interested in.

I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on.

There was also an issue with SecurityCenter once where we had agents deployed on each device, and while it was scanning we were collecting the data real time. During this process, we had an enclave that was not submitting. It didn't have the agent installed because it wasn't connected to the enterprise network.

They were scanning locally and submitting the scans and we would then upload them into SecurityCenter manually. Each time that there were any duplicates with host names or IPs, or that there were issues with the scanner device with authentication, it failed. But then you scanned it again and it was successful.

When you uploaded that, SecurityCenter was counting it as two devices. And when you ran your report for unauthorized devices, even though it was scanned a second time successfully, the first time would show as a failure. So it was throwing off reporting.

So we would run a report and say, "Okay, which device has failed scanning with authentication?" And it would give a device and we'd be like, "Well, here's the secondary scan showing that it was successful." And so we were having to manually go in there and delete the failed ones.

And that was a pain in the butt. We eventually got that enclave online so we fixed the problem, but I felt that was a limitation of Tenable SecurityCenter that it couldn't see that.

I have been using Tenable SecurityCenter for the past few years now.

We have only run into one troublesome issue that I can remember. It had to do with the way SecurityCenter inaccurately reported real-time scan results whenever there was a transient problem such as with a duplicate host name or IP, or with authentication.

It was a pain to deal with, because we kept having to go in and manually delete all the failed (but actually successful) scan results.

When it comes to scalability, so far so good, and no issues. We've got the whole environment monitored right now and I don't see any significant increases in use anytime soon.

Their technical support is good. Because I don't give out tens much for anything, I would say in the eight to nine range, out of ten.

For vulnerability management, Tenable SecurityCenter is the only one I've used in the past six years. Though we do use other tools in conjunction with it.

We've pretty much used Nessus for scanning, vulnerability management, and reporting, and that's it. And it does it very well. And then I use different tools for other things. I'm sure Tenable had that on the plugins for other things, but we don't use those.

The setup is straightforward.

I personally implement SecurityCenter with a local license. And then we also have different roles like security analysts and administrators who can just go in and perform various functions such as uploading manual scans, creating dashboards, downloading reports, assigning accounts, and so on.

I use a local license to perform penetration testing and I'm pretty happy with everything when it comes to pricing and licensing. 

I can easily recommend Tenable SecurityCenter, and I have nothing really bad to say about it. I think it's a great tool for what it does. I enjoy the webinars, and the people that run the company seem very engaged with what's going on when you're into current events and the overall security climate, and they're continuously looking to improve.

I can't speak to every option that they have, but I have no reservations recommending them.

I would rate Tenable SecurityCenter an eight out of ten.

The primary use case is to perform vulnerability assessments across the entire network.

This solution has given us visibility of the vulnerability in our network. It also shows what needs to be done to negate the vulnerabilities by providing links to the solution for those issues. Generally, we are now able to manage our vulnerabilities better. We can identify them, prioritize them, and then negate them. It has improved our security posture.

The most valuable feature is its ability to scan for vulnerabilities in our important systems, networks devices, and so on.

The web application scanning area can be improved.

A feature that I would like to see is the ability to integrate with exploit tools. 

It's a really stable solution. So far, I have not had any issues. Once it was installed it was very stable, very few bugs. It has topped expectations.

It's easily scalable. If you are required to scan more assets then you just request for it to be expanded, such as from two thousand to five thousand. Scalability is not an issue.

The system is used by around thirty-five users including system admins, who ensure that the system is up, and the application admins who are responsible for fixing the issues that are picked up with the solution.

We use it across our entire network so we cannot expand its use any further.

Their technical support is quite good, and they're very responsive. If there is any issue they perform quite quickly. Also, the local partner is well versed in the solution so they give us the support we need.

We did not use a solution prior to this one.

The initial setup, including the GUI, is very straightforward.

The implementation took about three months, and then the maturation took about six months.

We have about two people for maintenance.

We were working with a local partner for the deployment.

We have seen ROI for this solution. It has reduced our security vulnerabilities. Even during the national audit, one of the findings is that this solution is helping us be more productive. We're able to find these issues before somebody else finds them. We can fix them before they are discovered by others.

The licensing costs for this solution are approximately $100,000 US, and I think that covers everything.

Before choosing this solution we evaluated Qualys Labs and Rapid7.

This is a good solution for evaluating vulnerability in the network. It gives wide coverage, and it is able to scan most platforms on the network.

I would rate this product an eight out of ten.