Tenable Vulnerability Management Reviews

The solution is mainly for vulnerability scanning management. It's more like an extension of the Nessus.

I like the ten points of scanning. 

The performance is good.

It is quite straightforward to set up.

The solution is stable, and it is quite scalable. 

We'd like to see a bit more user-friendliness. They need to work on that aspect of the solution.

We've recently adopted the solution and have been dealing with it for just over a year or so.

The product offers good performance. There are no bugs or glitches. It doesn't crash or freeze. 

This is a scalable solution. It's easy to expand. 

I'm not sure how many users there are, however, my understanding is there are more than ten people.

We've never had any real difficulties, and therefore we haven't really dealt with support.

The solution is easy to set up. It's straightforward. It's not overly complex. 

It's based on landscape dependencies. However, it's easily deployed. It can take a few weeks to set up. If you are deploying across the globe, it might take longer. 

I don't work in an area that would keep track of ROI. I can't say we have been following that.

We pay for an annual license.

If there are extra fees, it depends on what use cases you want to deploy. If you want to use simple vulnerability management and you want to extend it to application scanning, then pricing modules will be different.

I'd recommend the solution to others. 

I would rate the solution nine out of ten.

The product operates on a license-based model, where you purchase a license based on the number of IP addresses you intend to scan. For example, if you purchase a license for 50 IP addresses and your network has 200 users, it will only scan for those 50 IPs. You can gain visibility into all IPs within your environment, including subnets with a full license. Also, you can geographically segment your scanning targets based on the number of IPs allocated for each location.

The product is very friendly. It is easy to manage. Most of the information the tool provided was correct and helped to further investigate the vulnerability and its impact.

The most important feature is network scanning.

The solution’s pricing could be improved.

I have been using Tenable Vulnerability Management for one year.

I rate the solution’s stability an eight out of ten.

The solution is very scalable. It allows you to adjust according to your needs. You can add more features if you wish to purchase additional tools.

The initial setup is very easy. To deploy, run the setup command, and then it can deploy on your Linux and Windows platforms. I did it by myself.

The product is expensive but manageable.

I recommend the solution. Although, it varies from person to person experience. Rapid7 users can use free tools. I'm very satisfied with the product.

Overall, I rate the solution an eight out of ten.

We actually needed clarity on the vulnerabilities in our infrastructure. We used the solution to scan and make a report for us on what is vulnerable in our infrastructure and what is not, what we can improve and update, and what is good as it is.

It is a very, very user-friendly tool. To make some sense, you just need to put in your domain and click a button to scan and give you a piece of customized information about your infrastructure. It is very easy to use to schedule a scan, and it can consume a lot of CPU resources. So, you can schedule a scan between 1 AM to 3 AM, and it works very well for us.

I didn't work a lot with the solution. My experience was pretty smooth. I don't have any recommendations for improvement. Maybe it's because I don't use it a lot.

The only drawback of the solution is that it is expensive. The pricing should be kept lower.

I have experience with Tenable.io Vulnerability Management. I used it six months ago. I used it for two years. I am a customer of the solution.

It is a very stable product.

The setup is easy. Tenable.io Vulnerability Management is known for its ease of setup.

Tenable.io is not known for being a cheap product. You definitely can have another product that could be cheaper than Tenable.io. If you have a real concern with your budget, maybe another platform would be of interest to you.

You can find other tools that are way cheaper, with similarities to Tenable.io. I would say it may not be the same tool, but similar.

The solution's user interface was very good.

It's one of the best tools available for vulnerability management. I would definitely recommend the solution to those planning to use it.

I rate the overall solution a ten out of ten.

Considering regular use cases of the solution, we wanted to cover two things, external vulnerabilities and the ability to identify misconfigurations on the perimeter, like, let's say, if someone is open, something vulnerable to outside, we monitor it. The use case was monitoring the external parameter addresses with Tenable.io and seeing changes there. If something changes or if something becomes vulnerable, as it's seen from the outside, without actual credentials to scan, you know, like, we can have several layers of scans. So, Tenable.io, we used as seen outside without providing any credentials, So it

gives you the true picture of how and what the attackers can use. It might be that if we use it with the credentials, we won't find additional vulnerabilities, but we don't cover that because it's not important because external attackers will not see it, actually. So, it's the first use case, and generally, Tenable.io is used for identifying vulnerabilities in the company infrastructure, servers, endpoints, and additional hardware and software, like routers, switches, and whatever has an IP address. Let's say, not for IoT, just for IT infrastructure and development infrastructure, and that was the use case of Tenable.io.

It improved basic things in resiliency, like cyber resiliency in the company, so as to not be attacked, not to be breached, or not be successfully attacked by hackers. So, it's basically a non-vulnerable state. This provided us with visibility of our actual status of where all the infrastructure is and helped to prioritize the vulnerability mitigation. It also indicates what to tackle first because you have a lot of stuff there, but you need to prioritize it. The main point here is to know how to prioritize since we never have enough time and resources to deal with fixing everything. You need to understand what to do first, and Tenable.io actually helps with that because they have additional intelligent sources to not just give you, like, CVSS because all the vulnerabilities have CVSS scores from zero to ten. So it gives you not just to always work by the score number because it just represents the vulnerability and how it can be hacked. But just take into account when you prioritize if it's a public-facing asset or computer or server or if not, or if this is now a trendy vulnerability to use and to exploit or not. Also, they have an additional score represented only in the system in addition to the CVSS score that helps you prioritize the mitigations.

The solution's most valuable feature is providing a single pane of visibility on all the infrastructure and its status. The aforementioned fact helps to prioritize things right and also to cover the mitigation process itself. However, what's bad about older systems, like, is when we do that, it just covers the identification. So, you have the problem and what you need to do, but it doesn't cover the whole cycle of dealing with it, and so you see the problem, you know what to do, maybe you know what to do first, But then the process needs to continue. I'm talking about a lot of negative things, but the fact remains that it doesn't cover, actually, the whole process of the identification and then the prioritization because we need to maybe open a ticket to deal with it by approaching the right people and to see that it's done, including the validation scans after it. The system gives you a way to do the scans somehow all around vulnerability and its status while not having to deal with the whole cycle. So you don't see, or you don't have this part when you mitigate the vulnerabilities themselves, and then you know what you did, what you didn't, and how you did, and which is status after it. So, it doesn't cover the whole vulnerability management process.

I would like the solution to cover the whole cycle of mitigation since it's an area where the solution currently lacks.

Nessus was created and, like, covered afterward. All the system is built around a basic unit that is mitigation, not the vulnerabilities. You don't have all the vulnerabilities where you build all the processes and all the reports that you have around it. Vulnerability is not like you have this problem. They say to you. Basically, you have a problem, but you don't have the patch. And the patch, inside of it, you have fifteen vulnerabilities, and it appears as a vulnerability. You are missing a patch, but it's not a vulnerability. All the system is built around missing mitigation. As a basic unit that everything is built around, and so this part is what you see when you do reports or when you build dashboards, and you have several databases inside that you can build reports around, but it's all beautiful, and you have a lot of reports, right, out of the box. But when you start creating something that you really need, like a new report, then you're, like, this data is in this database or downloaded database and this in another database of mitigations, and hence they cannot easily be connected, so each report can be all around this database because they have, like, two, three databases. I don't remember exactly, but they have separate databases inside, and you need to build the reports around one database, and it's not easy to connect two databases into one meaningful report. So, this is a hard part.

In short, I would like to see the databases seamlessly connected while doing a report.

The tool is okay, but, like I said, to cover the whole cycle and is like connecting the unconnectable things because they are built this way which I don't think they can change right now.

They can add things like brand reputation monitoring because it's the system that needs to identify all the vulnerabilities and infrastructure vulnerabilities. They can take it to add code vulnerabilities, like, if it's an R&D company that creates software, they have vulnerabilities of other types, like application-level vulnerabilities in the things that they are developing. And if it's a cloud, then it needs to be covered in a good way, considering the cloud infrastructure. Also, it works on the IP level. On the cloud, you can do it around EC2 instances. You can do the same in Tenable.io but then all the part of the cloud layer that is cloud-based but not on the EC2 level. Let's say it's CloudWatch logs and all the con configurations that are at a cloud provider level. So, there can be vulnerabilities there not at the EC2 level of the machine itself. So these are also vulnerabilities, and it can be good if they are shown and covered by the system.

In general, brand reputation and external CTI are needed in the solution.

Somewhere outside in the open world that it was bridged, and it's there, and then maybe we can show it to you also that it was bridged. So it's now in the open world, and they don't want to be, you know, to be the open world and also on the external attack surface, but I think we saw that some module that they are doing that is in just the right direction. So, it's a good direction.

I have been using Tenable.io Vulnerability Management for two years. I am just a customer of the solution. We used Tenable.io and then moved to Tenable.sc, which was on-premises.

Stability-wise, I rate the solution a four out of ten since there were problems with scans that were stuck and didn't work. Also, there was no nobody to talk to about the aforementioned issues. So, it was a problematic thing.

Scalability-wise, I rate the solution an eight out of ten.

We usually give it to maintain, run and configure everything we use to just two people to see the results. Each department has a user to see their problems by themselves. So it's like, apart from the two people, an additional ten or sixteen people use the solution, and these are people that are responsible for infrastructure management, like IT people at different places.

I rate the technical support around three to four out of ten. Sometimes, when we had problems, it was hard to get answers. The support was slow because it got to the wrong people at the start. So, the problems pass through tier one and then get escalated to the right people. So, it is very hard because some problems don't need just a tier one to solve the issue. So, tier three or four support may be needed at times.

Neutral

Just installing it and keeping it running is pretty easy. However, support is very important. I think all the companies in the field lack some good support, specifically in my country.

I rate the initial setup a ten out of ten, but it's not important because afterward, when you have problems, and you want an additional initial setup, the integration needs to be done to just install it. It needs to integrate it with other systems and integrate it into processes. At this level, at least with Tenable.io, I didn't feel that they were doing that, and so I didn't just want to buy software and install it.

The solution is deployed on the cloud and on-prem. We chose some of the biggest three or four cloud providers, including Azure and Oracle.

It took two weeks to a month for the deployment process to be completed. It depends on where you want to deploy. To prepare the solution for work, you install it, then install the scanners, and later on configure the scanners. Also, you need to identify the ranges that you need to scan. If you have some problems with connections, etc., you solve them. Then, you need to do the actual work. Just actually use the system for mitigation, and you need to do the right reporting. Also, things like connecting to ticketing take more time just to install. We deployed the solution with around three to four people, including security engineers, the network team, and business owners of the places we wanted to scan.

The solution requires maintenance. We used two people for maintenance and for some stuff that didn't work or needed to be improved or to deal with scanners that had problems on this because of the configuration. For not-so-effective scans, we need to tune it because if you have a huge range and the scans are configured to scan everything, then it is stuck. So, you tune them to the right places and scan the right thing to take the right type of scan, and then tune this tool.

The system owner, the infrastructure that is responsible for it, was involved in the maintenance of the solution. So, it was from the same department.

With Tenable.sc, in comparison to Tenable.io, it was even easier to do the implementation because you don't need to do a lot of stuff.

I have experienced a return on investment using Tenable.io. It showed us what we did wrong in the process of building the vulnerability management program in our company. It also gave us an understanding, making it a good solution.

On a scale of one to ten, where one is no return on investment, and ten is a hundred percent return on investment, I rate the solution a seven.

On a scale of one to ten, where one is low, and ten is high price, I rate the pricing an eight. So, it is a pretty expensive solution.

After evaluation, we have switched from Tenable.io Vulnerability Management to Rapid7. We also looked at Tenable Attack Surface Management but didn't use its protection.

Before choosing Tenable.io, we evaluated Rapid7, Nexpose, and Qualys.

It is a viable solution, but we then preferred and switched to Rapid7 again since it was cheaper. Also, we like the one thing we like because we had, like, problems getting to all the user machines, and so Rapid7 gave us the agent that they have. So you don't need to get the scan to the machine. You just install these solutions. We install the agent that reports on vulnerabilities instead of getting credentials scanned. And today, it's more problematic because, like, it would take several years ago, like ten years ago, all the systems had the perimeter of the company, and all the users were in some understandable place, and we knew where to look for them. Today, as a company where people around the world are not always using VPNs to connect to the network, and if they connect, they connect for some time, and let's say you are scanning your user computers every night or every day at five o'clock. So when you do the scan, just ten percent of the people, you hit them because only ten percent of the people are connected to your VPN during the five o'clock window. So you don't see the other machines, and you don't get them. Hence, you don't know the vulnerability status because they are less scanned. The solution needs to be perimeter-less, let's say, or the scans we need to get to the machines to all the machines, and if you scan them somehow or even if they are on the open internet, it's hard. So here, the agent solution is very easy because they report to the management on the vulnerability status from the agent over the internet. It was a big plus.

In terms of pricing and capabilities and just of the capability, while also considering our use cases where it is most important for us to get to all the machines.

I rate the overall product a seven out of ten.

We use the solution for our vulnerability management program.

The solution is deployed in the cloud.

When the logging logic is lacking certain columns, Tenable.io Vulnerability Management provides comprehensive coverage, thereby simplifying the reporting process.

One of the most valuable features of Tenable.io Vulnerability Management is its exportability, which allows us to conduct risk assessments efficiently. This feature enables us to prioritize security issues based on their level of importance, without being distracted by other irrelevant details. Additionally, the system is frequently updated to ensure it complies with industry standards.

The asset identification has room for improvement. Since we are using a cloud-based scanner, we must scan devices based on their ID. However, we are encountering many issues with reporting. Assets are often being incorrectly merged or we encounter issues related to assets. If we had an agent with a scanning system, this issue may not have occurred, but it currently exists.

The UI has room for improvement. The previous version of the UI was better.

The technical support has room for improvement.

I have been using the solution for nine months.

The solution is generally stable, although we have experienced two instances in the past where it was down. The first outage was related to the scanner and lasted a few hours, while the second was caused by storage issues that prevented us from clearing the logs.

Scalability depends on our licensing agreement and the number of scanners we use. Currently, the number of scanners and our license allows for scalability up to a certain limit. Beyond that limit, we would need to purchase additional licenses to expand.

The technical support team responds promptly to basic issues. However, when faced with major issues or more complex problems, it can take longer to receive adequate assistance due to a high volume of entries. In such cases, we are required to submit detailed logs, which the support team will analyze before we can proceed to ask further questions.

Negative

Our current license covers 2,500 assets. If we want to add more assets we need to buy another license for another scanner.

I give the solution an eight out of ten.

We have around nine people using the solution.

The necessary maintenance pertains to storage. As it will be hosted on a specific cloud instance, we need to periodically manage the storage when the logs become full. This involves manually logging into the deployment platform and clearing the storage every few months.

The features of Tenable.io Vulnerability Management are impressive, the management system is well-designed, and the scanning options are thorough. Additionally, there are numerous built-in templates available. However, when utilizing the twelve-day scanner, asset identification can become challenging because of the dynamic IP addresses, which the solution struggles to properly identify the devices.

Tenable.io Vulnerability Management is a leading solution for vulnerability management and excels at aggregating information.

Before, they did not have an agent-based solution. Last year, they developed one. For example, before, when users were roaming or working from home, we wouldn't be able to scan previously. Now, we can cover anyone, even off-site. 

The most valuable feature is the configuration audit. 

The interface is fine. 

We haven't had issues with support.

The solution is easy to deploy and maintain. 

The solution can scale well.

The entire product is very easy to use. 

The solution is a bit slow. It should be faster. They could improve the performance. 

We primarily use the solution for vulnerability management and confidential information detection, for example, credit card information. We also use it for configuration management. 

The scalability is great. I'd rate it nine out of ten. A company can expand it if they would like to. 

Technical support is okay. The issue is they don't have a team based in India. Sometimes, it's hard to get support on time. However, they are pretty helpful. 

Positive

We are also using Tenable.sc, version 6.0.

The initial setup is pretty straightforward. I'd rate the process eight out of ten overall. It is not overly complex. 

We can implement the solution in one week in one region. 

In terms of maintenance, we only really need one person. That's enough.

I do not manage the licensing or pricing. My team handles this aspect.

We did test multiple other solutions.

I'm an end-user.

This is an agent-based solution. There isn't a specific version we use.

The solution is very user-friendly if you compare it to other tools. I'd rate it eight out of ten. 

I was the manager of the vulnerability patching team in my company, and we would use it to go through everything, discover our network, find what vulnerabilities existed, and then use that for a work plan and assignments to decide who would fix what vulnerabilities.

In my company, with the help of Tenable Vulnerability Management, we could find all the things that we didn't know existed. It would be too resource-intensive to manually go into every device and figure out in which version of a solution the vulnerability exists, which is something that Tenable Vulnerability Management does for you.

The solution's most valuable feature is the product's vulnerability database, as it knows what to scan.

There is no good work assignment system in the product. Specifically, if an SQL patch needs to be applied, then that needs to go to the SQL team, but Tenable wants to assign the ticket to an individual and not a team.

The reporting was never great in Tenable Vulnerability Management, so, in my company, we imported all the data into Ivanti RiskSense to start using it for reporting.

I have been using Tenable Vulnerability Management for three to four years. I don't remember the version of the solution.

It is a stable solution. Stability-wise, I rate the solution a ten out of ten.

Scalability-wise, I rate the solution a ten out of ten.

I rate the technical support a seven out of ten.

Neutral

I have experience with another solution in the past, but I don't remember its name.

The product's initial setup was very straightforward.

The solution is deployed on an on-premises model and the cloud. With the endpoint in the product, everything was reported back to the cloud offered by Tenable.

I saw a return on investment from using the solution since I feel that finding the vulnerabilities is always much cheaper than dealing with a situation after your system gets hacked. In short, I would put it as insurance is cheaper than the fire.

In our company, we went through every other tool in the market and came down to Rapid7 and Tenable since they were the only two good options.

Network scans are very resource-intensive and can cause outages in some instances, which is a political and not a technical issue to solve.

I rate the overall tool a ten out of ten.

In my company, we use Tenable.io Vulnerability Management is a good solution for vulnerability assessment on the infrastructure and not on the applications. The solution is useful for conducting vulnerability assessments on IT infrastructures. We use Tenable to discover assets on the network and the vulnerabilities in the vulnerability management cycle.

Tenable.io Vulnerability Management is an easy-to-use product. It is a good solution, as per Gartner's SIEM Magic Quadrant. The product has a lot of documentation and blogs, so you can get lots of support from its communities while also finding a lot of online materials that can help you improve the solution's uses or implement it according to your use cases.

The shortcoming of the solution that needs improvement is related to its capability to do vulnerability assessments on applications.

I have been using Tenable.io Vulnerability Management for more than ten years.

It is a very stable and mature solution in the market since it has been around for over 15 years.

The product has no scalability solution since it can manage hundreds to thousands of networks.

The solution's technical support is good and quick to respond. If you have a problem, you can be sure that someone from the support team has a solution to your problem.

Our company doesn't use any other products from Tenable apart from Tenable Nessus for vulnerability assessment. We also use NetSuite to manage the vulnerabilities' life cycle.

The initial setup of Tenable.io Vulnerability Management was straightforward since it allows one to use a device, like a virtual machine, or one can use it on a public IP address if it is already deployed, making the process very quick and easy.

The solution is deployed on-premises.

The deployment process was very quick since it could be done using a virtual machine or the customer's network. You can do the deployment with the virtual machine by connecting to the management suite before launching the solution.

To do an assessment for all our customers, my company has over 200 users for the deployment and maintenance of the solution. There is a dedicated team in the company I currently work for to manage the solution. One technician is needed to do a vulnerability assessment.

Yearly payments are to be made toward the licensing cost of the product. It is neither a cheap nor an expensive product.

I recommended the solution to those planning to use it since it is a very good product. Though there are other good solutions like Qualys, Tenable is the best.

I rate the overall tool a nine out of ten.