Get our free report covering Tenable Network Security, Rapid7, Wireshark, and other competitors of Rapid7 Metasploit. Updated: January 2022.
563,208 professionals have used our research since 2012.

Read reviews of Rapid7 Metasploit alternatives and competitors

Owner at a tech services company with 1-10 employees
Real User
Top 5
Understands and defends your network from vulnerabilities
Pros and Cons
  • "I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps."
  • "I would say that it improved our visibility, but it left things open."

What is our primary use case?

We used InsightVM mainly for vulnerability management. I thought it was a pretty interesting application. I'm a fan of Rapid7's Metasploit, so when I saw InsightVM I was like, "Let's see what else they have." I liked it up until we experienced some issues relating to scans. If I wanted to do mitigation, I needed to wait until the next scan was available or ran so that I could get to see if any indentations were made. 

While I was in there, if I was searching for a specific vulnerability, sometimes it was hard to find the specific ones. In the dashboard, it'll tell you the results from the scans, and it will also tell you the vulnerabilities and it will rank them for risk. I would have liked to have been able to click on the vulnerability and it would take me to another area that just has the vulnerability with all the hosts. It wouldn't let you do that. You had to come back out of that window and go into another window and search for it. Well, you wouldn't get the same results as the number of hosts. I had to work a little bit harder to find exactly what I needed.

Within our organization, there were two of us using it. Both of us were IT analysts. One was an IT analyst III (which was me), and the other one was the IT analyst manager.

How has it helped my organization?

I would say that it improved our visibility, but it left things open.

What is most valuable?

I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps. I liked that. That was a feature I liked. If your manager had a different dashboard that they liked, and you tried to go into a meeting and they say, "Well, I think your numbers are wrong because my dashboard says this." Well, you couldn't rapidly say, "Here's the default dashboard for this for risk." Whereas, with Tenable, you could go through a dashboard just for risks, and say, "Hey, let's switch to this dashboard so we're seeing the same numbers without customization."

What needs improvement?

They just need to fix it to make it more fluid. If it shows you vulnerabilities, I want to be able to click on the vulnerability and drill down into the vulnerability. If it's rating it as a 10 and it says it's got 30 hosts in it for this vulnerability, I want to click on that vulnerability and get a separate report that says, "Here's the vulnerability specific and here's the host involved." That way I could export it and say, "Hey, this vulnerability's out there, it matches a CVE number that is critical, that Microsoft, Cisco, whatever, has put a patch out there, and here guys, here's what it is and here's the proof. Here's your host that's vulnerable. Here's a change request, fix it, send me back the proof that you fixed it, then allow me to rerun a scan specific to that, on-demand, to say 'Yes, boss, we have mitigated it.'"

I want to be able to just drill down on the reports. If it's showing me there's a vulnerability and there's a said number of nodes that's vulnerable to it, I want to be able to drill down and export that list without having to come back out of it, going into my assets, trying to find the name of the vulnerability, which doesn't match what the dashboard says. To me, that was backward.

For how long have I used the solution?

I have used this solution for one year.

What do I think about the stability of the solution?

It was pretty stable. We didn't have any real hiccups, but it was stable. We didn't have any real hiccups there.

What do I think about the scalability of the solution?

As far as I know, it says it's scalable. I'm not sure if that company I used to work for had to scale it up or down.

How are customer service and technical support?

The tech support was very helpful. Actually, I knew a couple of them so it was very helpful.

I would give their tech support a rating of 10 — I knew them from using Metasploit and some other products. It was more of a, "Hey, I got this issue, how can you help me with it?" They'd point me and say, "Hey, check this out."

How was the initial setup?

I wasn't involved in the initial setup, so I can't comment on that.

What other advice do I have?

Do your proof of concepts if you can. Make sure you develop your risk strategy. That's important, because it's going to give you a risk number, it's going to give you critical: highs, mediums, but you need to understand what is the risk methodology that you're going to follow. Just because it says it's critical because of how many vulnerabilities you have, doesn't mean that you need to work on it right away.

For example, there was a vulnerability that had 2,000 nodes affected. It put it as a high-risk, whereby there was another vulnerability where there were only about 10 hosts affected — it put it at medium-risk. However, the high-risk one, because it had more nodes affected, did not have a POC associated with it. A novice person looking at it would say, "I need to work on these 1,000 vulnerabilities because it's a high-risk, and ignore the medium." Well, the medium one had an active POC on it. If you didn't have a person who understood how to read the report and what it's actually telling you, then you would say, "Hey, you know what, I'm going to use these, I'm going to cut my risk down because I got 1,000 nodes with this vulnerability and I'm going to put this chain out real quick and I'm going to reduce my risk real quick because of the numbers." Well, in my opinion, you didn't reduce your risk because you have 10 nodes out there with a vulnerability that's rated medium and it has a POC on it.

Overall, on a scale from one to ten, I would give this solution a rating of eight. I'm going to say that is because shame on Rapid7 for having such great applications, but then that little piece there that they know about hasn't been fixed. If I remember, if I go probably log back into the community, it's probably been asked a couple of times.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CIO / IT Consultant at RedShift
Reseller
Top 20
Good dashboards, reporting, and technical support, with a low rate of errors
Pros and Cons
  • "This product has the best results in terms of the lowest number of false-positives and false-negatives."
  • "The integration is very good, although it still needs to improve."

What is our primary use case?

We are a reseller and Tenable SC is one of the products that we implement for our clients.

The primary use case is to check for compliance against a specific framework, like NIST, CIS, or something similar. Tenable will check compliance on the assets against that specific framework and give that visibility to the technical staff, top management, and the risk management team. In turn, this will enable them to evaluate the risk that they are facing for non-compliance issues.

The second use case is helping the technical staff that handles updates and upgrades to the operating system. It means that they have the most urgent upgrades that they need to cover the high-risk vulnerabilities that can be found and exploited.

Beyond this, Tenable SC assists with malware detection and similar functionality.

What is most valuable?

The most valuable features are the dashboards and reporting. They have multiple dashboards and reports for different types of details that can be used for different levels of reporting. This means that by using a high-level report, the top rank in the company can understand what the risk is, as well as how it is violating policy. Similarly, technical people can use a more detailed report to understand what they have to cover and what the criticality of it is.

This product has the best results in terms of the lowest number of false-positives and false-negatives.

There are multiple types of engines that cover almost any necessity that the company can have for vulnerability and compliance.

What needs improvement?

Parallel scanning would be a nice improvement because it would speed up the detection process. It is not possible to search for vulnerabilities and do compliance checking at the same time. Rather, they are done one after the other.

The integration is very good, although it still needs to improve. For example, it would be useful to have better integration with other tools in the space of identity management (IAM). As it is now, integration with new tools has to be developed specifically, so it's not easy.

We would like to see better collection capability for external data that will help to improve detection and discovery.

For how long have I used the solution?

I have been working with Tenable SC for six years.

What do I think about the stability of the solution?

In the past six years, we have had no disruption in terms of functionality. We have seen problems arise because of development and deployment strategy, but it is a very stable product. We have not had any problems with our implementations.

What do I think about the scalability of the solution?

This platform is very scalable, both horizontally and vertically.

Our customers for Tenable SC vary in size. A smaller one might have 500 or 1,000 assets with two or three users, whereas a larger organization might have 100,000 assets with 30 users.

How are customer service and technical support?

The support from Tenable is very agile. We use them regularly when we have problems.

There are three levels of support, all of which are very adept and available. It is very easy to get in touch with support.

Which solution did I use previously and why did I switch?

We used to work with Rapid7 Metasploit.

How was the initial setup?

The initial setup is always a little bit complex because most of the time, the people don't really know about their infrastructure. So, the most complex part is becoming familiar with the infrastructure and knowing what to search for. Tenable is very helpful in this regard because it has tools for discovery that help people to understand their infrastructure.

There is always a danger if the product is not well-configured but afterward, it is easy to use. When correctly implemented, this is a very effective and accurate product.

The length of time required for deployment varies based on several factors. The first is the level of integration, the second is the complexity of the assets that need to be covered, and the third is the maturity of the infrastructure. It can take weeks to deploy in an environment with a very mature infrastructure. If it is a larger organization that is geographically dispersed then it can even take months, depending on the capability of the company to cover all of the necessities for scanning.

The company has to address the necessities of the vulnerability management capabilities because it puts stress on traffic, stress on hosts, and it needs to be well-designed. Taking these precautions is necessary so that there is no damage to the infrastructure.

In the case of a smaller company, with perhaps 1,000 assets, it can take a week to install it and get everything working.

What about the implementation team?

Maintenance for Tenable is a necessity, as it is a product that grows and changes because there are new detections every day. Sometimes, a detection is verified, whereas in other cases, support is needed to perform the verification.

What's my experience with pricing, setup cost, and licensing?

The licensing fees are based on the number of assets. The price can start at €10,000 ($13,000 USD) for between 500 and 1,000 assets, and the price can climb into the millions as more assets are added.

There are two types of licenses available, which are the subscription, and the perpetual with maintenance. The subscription is the same price every year, with very small variations over the years. In the case of a perpetual license, there is a high initial cost compared to the subscription, but the maintenance is much lower.

Which other solutions did I evaluate?

I have researched other products on the market and by comparison, I would rate Tenable SC a ten out of ten. It still has some features lacking, but it is better than the other solutions that are on the market.

What other advice do I have?

My advice for anybody who is implementing this product is to search for a certified partner to help with the process. It's not difficult, but it's very important to have a partner who knows the product well. The first steps in the implementation have to be the correct ones. If not, the product will not achieve the objectives that the company usually needs. It would be wrong for someone that doesn't know the product very well to begin implementing it by themselves.

This is the best product that we have found for risk management.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Morey Haber
Chief Technology Officer & Chief Information Security Officer at BeyondTrust
Real User
Top 20
Non-intrusive vulnerability management and attack detection, helpful regulatory reporting, responsive support
Pros and Cons
  • "The vulnerability management does not require network scanning or agent technology, so I don't need to modify any of my products in order to do vulnerability assessments."
  • "In the future, I'd like to see Orca work better with third-party vendors. Specifically, being able to provide sanitized results from third parties."

What is our primary use case?

We manufacture cloud solutions and we employ Orca Security to monitor them.

How has it helped my organization?

When we implement Orca, we don't have to make changes to any other products. This is important because we can design the products to be best-in-class without worrying about incompatibilities from third-party vendors. Orca sits on the perimeter and is able to essentially do excellent security work without re-engineering our solutions.

The regulatory reporting has been very helpful for our own certifications from SOC and ISO.

What is most valuable?

The most valuable features are vulnerability management and attack detection.

The vulnerability management does not require network scanning or agent technology, so I don't need to modify any of my products in order to do vulnerability assessments.

The monitoring of logs and attack scenarios is basically hands-free. It's a non-intrusive approach.

What needs improvement?

In the future, I'd like to see Orca work better with third-party vendors. Specifically, being able to provide sanitized results from third parties.

I would like to see support for FedRAMP certification.

For how long have I used the solution?

I have been using Orca Security for more than two years.

What do I think about the stability of the solution?

Stability-wise, we have never had any problems. It's solid.

What do I think about the scalability of the solution?

We are a middle-size business and we've had no scalability issues.

We have more than 4,000 cloud customers. The environments are across AWS and Azure, both public and private cloud. We manage this with three admins, a director, an engineer, and an analyst.

How are customer service and support?

When there have been issues, the team is incredibly responsive to resolving them. One of the major benefits, since it's fully cloud-based, is that a single fix affects everything. You're not re-rolling agents or collectors or data aggregation tools. It's fixed once and it works everywhere. So, even from a support standpoint, it's a major benefit.

I would rate their support a nine out of ten. Nobody gets a ten.

Which solution did I use previously and why did I switch?

We were fully deployed on Rapid7 and had 100% coverage. It was the primary tool that was replaced by Orca.

Some of the advantages to using Orca are its rapid time to deployment, extensive compatibility, and honoring security best practices like using the least privilege for the implementation.

Transitioning from Rapid7 to Orca has saved us time. I estimate that we save at least one person-year per year. The costs of the two products are similar.

Another important point is that we have more accurate results with fewer false positives.

How was the initial setup?

The entire deployment was completed in two months. Actually turning on the product was weeks at most, but going through change control and testing for all of our production environments was two months, including writing standard operating procedures, all of our escalation paths, et cetera.

When I say deployment, I'm not just talking about installing the software and turning it on. I'm referring to making it fully business-integrated.

What's my experience with pricing, setup cost, and licensing?

The cost of Orca is similar to that of Rapid7.

Overall, the pricing is reasonable and the discounts have been acceptable.

We've had no issues with the licensing model, including when we've needed to use burst licensing. It's been good.

Which other solutions did I evaluate?

In terms of visibility into our environment, we compared similar technologies that use intrusive methods and we found that the results from Orca were superior. We evaluated Rapid7 for both vulnerability management and incident detection and response (IDR).

If you compare Orca to a competitor like Lacework, Lacework requires agents but Orca does not. Orca's agentless approach is incredibly beneficial for maintenance upgrades, change control, certifications, et cetera. So basically, there is less code to deploy, less code to manage, and another vendor not to worry about. These are all positives.

When we were evaluating Orca, it was very important to us that they are a SaaS solution. It is updated regularly and new features become available at no extra cost. Also, managing the cloud from the cloud was critical for us.

Initially, I was quite skeptical that Orca Security could do all of the things that they claimed. In fact, I was skeptical to the point where I stalled the salesperson for six months before accepting a demo.

I've been in the vulnerability-management space for over 20 years, personally, and I didn't believe the claims. When they told me how they were doing it, I thought that there was no way it was accurate. Then, when they showed it to me, I realized that it was something that I'd never seen, heard, or even considered doing.

To any skeptics that are out there, this is a unique approach and a modern approach, and worth consideration. It basically breaks the mold of how vulnerability management has been done for the last 20 years.

What other advice do I have?

Orca has a lot of features available out of the box, although that was not important for us when we initially chose it. We chose them for vulnerability management when that's all they had to replace agents. Originally, they were only for vulnerability management. All of the extra features that have come along since that time have just been very pleasant bonus add-ons. As they added features, we were able to do the rest.

The biggest lesson that I have learned from using this product is that there's a right way and a wrong way to modernize security best practices in the cloud. Orca is one of the vendors that is doing it the right way.

Overall, I'm thoroughly impressed with this product, which is the best way I can put it. It is a unicorn in the space, with a lot of people trying to play catch-up.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Architect at a tech services company with 51-200 employees
Real User
Top 20
Supports container scanning, and the technical support is good
Pros and Cons
  • "The most valuable feature for me is container scanning because I am interested in CICD security."
  • "It would be helpful if Tenable could be more clear with regard to everything the solution can and cannot do with the particular license that you have."

What is our primary use case?

I am a consultant and I advise my clients from a security standpoint. My goal is to get them to maximize value from Tenable.io. I am also a user of it. 

What is most valuable?

The most valuable feature for me is container scanning because I am interested in CICD security. The standard infrastructure scanning is pretty robust, which is why I was focusing on containers.

What needs improvement?

We had some challenges with the implementation because of Docker Version 2, although with help from the support team, we were able to proceed.

It would be helpful if Tenable could be more clear with regard to everything the solution can and cannot do with the particular license that you have. The information is not available on the web site and they should be more upfront about it.

For how long have I used the solution?

I have been using Tenable.io for between six and eight months. My company had acquired it before I joined, although it was not being utilized properly.

What do I think about the stability of the solution?

I have never encountered any issues relating to stability. I have never seen a scan crash, and we've been able to configure multiple scans to run concurrently. Everything appears to run smoothly.

What do I think about the scalability of the solution?

Other than running multiple scans concurrently, we have not looked at scalability. However, I have no doubt that we will be able to get support in order to meet our expectations.

How are customer service and technical support?

The support team is very good and we are quite happy with them. When we had the trouble with Docker Version 2, they responded and were able to help us troubleshoot, and then guide us to the resolution. It now works the way we wanted it to.

Which solution did I use previously and why did I switch?

I have worked with the open-source solution OpenVAS, as well as with Rapid7 and Qualys. I can see that Tenable.io is going to be one of the big players because they are doing very well in this space.

What's my experience with pricing, setup cost, and licensing?

I think that the price is reasonable for now, although given that everybody is looking to cut costs, I think that they should take measures to lower it. There are additional features that can be licensed for an additional cost.

What other advice do I have?

My advice for anybody who is implementing this product is to have all of the requirements documented and ready in advance. You match the solution to your requirements. Out of the box, we found that Tenable.io matched almost all of our requirements. The only clarification that we needed had to do with the Tenable.io Web App license. 

We have a good understanding of how Tenable.io works with containers and infrastructure, but when it comes to deep diving into applications, databases, APIs, and toolkits that you have in your environment, you need a separate license for that. This is what the Web Application license is.

In order to enjoy the maximum value, you need to have the appropriate licensing.

Overall, I am quite happy with Tenable.io.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.