What is our primary use case?
My main use case for Nucleus Security is vulnerability management, along with audit trail commentary and a single pane view.
I can provide a specific example of how I use Nucleus Security for meeting management or audit trails. Nucleus Security filled a gap within the vulnerability management landscape. Multiple tools available did not provide the opportunity to comment against vulnerabilities and assign vulnerabilities automatically. Nucleus Security were pioneers in bringing threat intelligence, EPSS scoring, and threat intelligence Mandiant ratings at the time. It was an opportunity to review and prioritize vulnerabilities differently, but it provides management oversight and capability that did not exist before. The allocation of vulnerabilities, setting due dates, and commentaries were the start of what made Nucleus Security great.
How has it helped my organization?
Nucleus Security has impacted my organization positively by providing a single pane view of vulnerabilities from different connectors and enabling the automation of reporting and alerting on findings that are out of due date or out of SLA. Commentary has provided significant benefit, especially from a licensing perspective, meaning that if an asset exists once, I am never billed twice for those assets as long as they exist in the platform.
Risk-based prioritization is crucial for addressing vulnerabilities in my organization, and Nucleus Security contributes significantly in this area. It is important to note that it is not just Nucleus Security that performs prioritization; multiple vulnerability management scanners do so based on their own threat modeling capabilities. One notable feature of Nucleus Security is its leverage of capability through Google Mandiant, providing real-time threat analytics. The ability to add context to assets, such as whether they are internal or external facing and whether they are critical, is key. Depending on what is important to my company or ecosystem, the prioritization is adjusted, enabling informed decisions on what to tackle next.
What is most valuable?
One of the main benefits of Nucleus Security is having built-in capability or connectors into multiple threat intelligence or vulnerability scanning tools, which enables me to interpret this data with a single connector click without having to do any of that work myself.
The best features Nucleus Security offers are its automation capabilities and the ability to alert application or system owners on their vulnerability posture, letting them know when things are out of SLA and alerting them when things are fixed. It closes the communication cycle, and the most important capabilities are the commentary features, which give visibility of the movement on certain items and the status features. Many vulnerabilities do not get remediated, some are false positives, while others require risk acceptance. The capability to have full control and visibility of the movement of vulnerabilities, whether active or not, is crucial.
The automation and commentary features have changed the way my team works day-to-day. Having a system owner comment on why something has been delayed or when it may be going into production provides context to the vulnerability findings and potential movement.
What needs improvement?
One of the main issues with Nucleus Security is its lack of reporting capability. The user interface resembles an early 2000s application style, and although its speed is decent, it could be improved as more data is ingested. The overall appearance and feel need work, especially compared to modern applications from Rapid7, Qualys, and Tenable, which have more engaging user interfaces. The reporting capability is severely lacking; not being able to filter to granularity or have custom built queries is an annoyance that needs an overhaul. Additionally, there are bugs that have not been resolved, such as when you create a report and remove an asset, the asset still appears in the report despite not being present in the system anymore, leading to issues that need to be addressed quickly.
Nucleus Security can become a difficult investment because I already have a vulnerability management solution, and I question where Nucleus Security fits with its licensing model. While I acknowledge automation has been described, it would be amazing to control the entire vulnerability management workflow from Nucleus Security without needing to log onto other systems. Having controls or actions that can be sent from the console down to the scanner for rescans would be beneficial. If Nucleus Security is going down this path, it should ensure that it becomes a one-stop shop for vulnerability management across multiple applications.
For how long have I used the solution?
I have been using Nucleus Security for about three to four years.
What do I think about the stability of the solution?
Nucleus Security is stable.
What do I think about the scalability of the solution?
The scalability of Nucleus Security is fairly impressive; even when ingesting multiple assets, there is no noticeable impact. I have been in environments with several thousand assets, and it scales in the background without any issues.
How are customer service and support?
Customer support is great; I have always had communication with executive leaders, been able to have roadmap calls, and talk with support. They are fairly responsive with no issues.
How was the initial setup?
The ease of using natural queries or advanced logic with NQL to identify vulnerabilities is fairly simple; it gives an idea of how to build queries and is relatively easy to use.
What about the implementation team?
The integration flexibility with ticketing systems and existing tools has simplified and positively impacted my deployment process with Nucleus Security, as it allows for easy integration into multiple tools.
Nucleus Security excels in handling large volumes of exposure data across complex environments; I believe it is second to none. Even before continuous threat exposure management became a focus, Nucleus Security already identified the potential gap. Although larger players from Rapid7, Qualys, and Tenable have since developed their capabilities, I find Nucleus Security fairly impressive in handling large volumes of exposure data without a noticeable impact on the platform.
What was our ROI?
I have not seen a return on investment in terms of metrics involving fewer employees or money saved, but Nucleus Security saves time. While any deployment requires initial time and effort, once it is set up, the value stream is substantial. Automation handles reporting on a scheduled basis and alerts system owners about their posture each week. In terms of employees, we still need the same number to remediate findings.
What's my experience with pricing, setup cost, and licensing?
The licensing model is straightforward, with one license across multiple assets for multiple connectors. It is always a tough ask regarding budgeting for additional security tools, but in terms of positioning, I find it relatively simple. I cannot recall if the pricing differs from an asset to a container or cloud security workload.
What other advice do I have?
I do not have anything else to add about the features.
I have not really needed to use the customizable risk model feature since we rely on the out-of-the-box capabilities.
I rate Nucleus Security a seven out of ten. I rate customer support an eight out of ten.
I would advise others looking into using Nucleus Security to consider the value offering, especially if they have multiple tools and need a single pane view. While Nucleus Security is great, it is debatable whether it will be the best tool or provide the best value in 2026, as many competitors have moved into the Continuous Threat Exposure Management space. I would recommend assessing existing vulnerability management solutions first before exploring Nucleus Security, as it can be a difficult investment when you have solutions that already meet your needs.