The tool's reports are bad. They're not very customizable or flexible. During audits, we often have to exclude things that aren't relevant to our organization, but we can't do that easily with the reports. They come in HTML or PDF format, and we can't compare current results with previous ones in Excel because we never receive reports in Excel.
I'm not satisfied with the reporting structure. We cannot do much customization. We can do it in Tenable.sc. We need to maintain two different solutions. We need the on-premise tool for reporting purposes. We would like to have it all as a SaaS-based solution. If we need to check for a zero-day vulnerability, we must run the scans manually to get the information. It is time-consuming. We need to do a traditional scan regularly to get zero-day information. It would be great if the zero-day vulnerabilities were published. The reporting capabilities for compliance are bad. I can get the compliance reporting on certain cases, but it is not detailed. We do not have a clear understanding of the Cyber Exposure Score. I am unable to drill down and understand the Cyber Exposure Score.
It's a fantastic product, but there are some things to consider. One is the price. Compared to on-prem solutions, the SaaS model can be expensive. Price is definitely a concern and needs improvement, especially for the Indian market. While it's a fantastic product, it should be more accessible to small and medium-sized businesses (SMBs). Currently, only larger enterprises seem to be able to afford and evaluate it thoroughly. So, pricing can be improved and be more affordable for the Indian market, specifically for SMBs. Another area of improvement is customer service and support. Tenable needs to include support in the pricing/license. Currently, they push clients to get support from partners or channel distributors, who often charge a lot. Even for a simple one-time setup, they may charge three to four lakhs, and then additional annual charges for ongoing support. We have the technical skills to handle basic tasks, but relying on Tenable itself often results in just receiving emails or being redirected back to channel partners. So, support should be bundled with the product cost.
Updated: October 2024.
IT Manager at a financial services firm with 1,001-5,000 employees
MSP
Top 20
2023-10-12T17:12:52Z
Oct 12, 2023
There is no good work assignment system in the product. Specifically, if an SQL patch needs to be applied, then that needs to go to the SQL team, but Tenable wants to assign the ticket to an individual and not a team. The reporting was never great in Tenable Vulnerability Management, so, in my company, we imported all the data into Ivanti RiskSense to start using it for reporting.
Improvements should be made to the solution to make it easy to use. It's not a user-friendly tool since it has a complicated interface. The solution needs to have a more user-friendly interface.
I didn't work a lot with the solution. My experience was pretty smooth. I don't have any recommendations for improvement. Maybe it's because I don't use it a lot. The only drawback of the solution is that it is expensive. The pricing should be kept lower.
CSO at a manufacturing company with 1,001-5,000 employees
Real User
Top 5
2023-05-29T15:09:00Z
May 29, 2023
I would like the solution to cover the whole cycle of mitigation since it's an area where the solution currently lacks. Nessus was created and, like, covered afterward. All the system is built around a basic unit that is mitigation, not the vulnerabilities. You don't have all the vulnerabilities where you build all the processes and all the reports that you have around it. Vulnerability is not like you have this problem. They say to you. Basically, you have a problem, but you don't have the patch. And the patch, inside of it, you have fifteen vulnerabilities, and it appears as a vulnerability. You are missing a patch, but it's not a vulnerability. All the system is built around missing mitigation. As a basic unit that everything is built around, and so this part is what you see when you do reports or when you build dashboards, and you have several databases inside that you can build reports around, but it's all beautiful, and you have a lot of reports, right, out of the box. But when you start creating something that you really need, like a new report, then you're, like, this data is in this database or downloaded database and this in another database of mitigations, and hence they cannot easily be connected, so each report can be all around this database because they have, like, two, three databases. I don't remember exactly, but they have separate databases inside, and you need to build the reports around one database, and it's not easy to connect two databases into one meaningful report. So, this is a hard part. In short, I would like to see the databases seamlessly connected while doing a report. The tool is okay, but, like I said, to cover the whole cycle and is like connecting the unconnectable things because they are built this way which I don't think they can change right now. They can add things like brand reputation monitoring because it's the system that needs to identify all the vulnerabilities and infrastructure vulnerabilities. 
They can take it to add code vulnerabilities, like, if it's an R&D company that creates software, they have vulnerabilities of other types, like application-level vulnerabilities in the things that they are developing. And if it's a cloud, then it needs to be covered in a good way, considering the cloud infrastructure. Also, it works on the IP level. On the cloud, you can do it around EC2 instances. You can do the same in Tenable.io but then all the part of the cloud layer that is cloud-based but not on the EC2 level. Let's say it's CloudWatch logs and all the configurations that are at a cloud provider level. So, there can be vulnerabilities there not at the EC2 level of the machine itself. So these are also vulnerabilities, and it can be good if they are shown and covered by the system. In general, brand reputation and external CTI are needed in the solution. Somewhere outside in the open world that it was bridged, and it's there, and then maybe we can show it to you also that it was bridged. So it's now in the open world, and they don't want to be, you know, to be the open world and also on the external attack surface, but I think we saw that some module that they are doing that is in just the right direction. So, it's a good direction.
The asset identification has room for improvement. Since we are using a cloud-based scanner, we must scan devices based on their ID. However, we are encountering many issues with reporting. Assets are often being incorrectly merged or we encounter issues related to assets. If we had an agent with a scanning system, this issue may not have occurred, but it currently exists. The UI has room for improvement. The previous version of the UI was better. The technical support has room for improvement.
Tenable could improve visibility into assets, including automated asset tagging. You should be able to automatically tag assets based on location, function, ownership, etc. That would help us because we spend a lot of time identifying and tagging assets by hand.
Security Specialist at a security firm with 51-200 employees
Real User
Top 10
2023-02-13T20:29:00Z
Feb 13, 2023
They can improve in the area of role management and compliance reporting. They should include better customization of the dashboard and integration tools.
The one drawback that we have found is the reports. We are still getting reports from Tenable.sc since the maturity levels on the reports are lacking. They need to improve the reporting in this solution. We just aren't seeing that many features or options.
The solution creates vulnerability tickets within the VM profile but should also include them under the Remediation tab so the fixes can be viewed in the ticketing queue. Qualys is a competitor product and handles vulnerability tickets in this comprehensive manner.
They've been able to think about everything in terms of where the world is going and the type of assets that you've got. They've everything sorted out in that aspect, but you have to pay for most of the other components that they've got to give you complete visibility across your tech surface. If it already had those capabilities in-built, without having to add them on to take advantage of them, it would be a very compelling value proposition. Their support needs to be improved in terms of turnaround time.
President and CEO, Founder Executive at SecuSolutions Co., Ltd.
Real User
2021-03-30T07:13:47Z
Mar 30, 2021
The solution seems to focus too much on enterprises, and they really need a product that works for SMBs. The enterprise product is too expensive for smaller companies, however, they really are looking for a product like this in the market. It's too technologically advanced for SMBs - Tenable is kind of a little bit like flying a 747. There's a lot of bells and whistles and switches and things like that, that quite frankly are not used or not understood largely by the average user. If they don't begin to cater to smaller organizations, they'll likely lose market share. They could use a better user interface that could be developed a lot better than it is. It really could be more intuitive.
An area of improvement for this solution is being able to customize the dashboard. For example, the dashboard does not allow us to view a previous month's vulnerability results alongside current results to make comparisons.
Security Architect at a computer software company with 51-200 employees
Real User
Top 20
2020-07-05T09:37:54Z
Jul 5, 2020
We had some challenges with the implementation because of Docker Version 2, although with help from the support team, we were able to proceed. It would be helpful if Tenable could be more clear with regard to everything the solution can and cannot do with the particular license that you have. The information is not available on the web site and they should be more upfront about it.
Security Specialist at a security firm with 51-200 employees
Real User
Top 10
2019-12-16T08:14:00Z
Dec 16, 2019
I don't have any issues with the solution at this time, and I don't think there are any features that are missing or could be added. The interface could be improved; right now it's running on two interfaces simultaneously.
Managed in the cloud and powered by Tenable Nessus, Tenable Vulnerability Management (formerly Tenable.io) provides the industry's most comprehensive vulnerability coverage with real-time continuous assessment of your organization. Built-in prioritization, threat intelligence and real-time insight help you understand your exposures and proactively prioritize remediations.
It needs additional reporting and intelligence features, as well as enhancements in AI-driven detection, which is still in its early stages.
The product is a bit expensive.
The solution’s pricing could be improved.
The solution must provide penetration testing.
I don't recommend Tenable.io Vulnerability Management for web scanning.
The stability has room for improvement.
The response times from the customer service and support team could be improved. Additionally, the pricing could be better.
The price could be lower, and the grouping of platforms on the dashboard can be included in the next release of the product.
Tenable.io Vulnerability Management could be improved with an increased number of dashboards and MSSP integration.
It can have more integration.
The pricing of the solution could be more reasonable.