Coming October 25: PeerSpot Awards will be announced! Learn more
Buyer's Guide
Vulnerability Management
September 2022
Get our free report covering Tenable Network Security, Tenable Network Security, Rapid7, and other competitors of Tenable.io Vulnerability Management. Updated: September 2022.
633,184 professionals have used our research since 2012.

Read reviews of Tenable.io Vulnerability Management alternatives and competitors

Co-founder at a tech services company with 1-10 employees
Real User
Top 20
Provides good visibility, automated alerting for vulnerabilities, and responsive support
Pros and Cons
  • "Orca's platform provides an agentless data collection facility that collects information directly from the cloud using APIs, with zero impact on performance."
  • "I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on."

What is our primary use case?

We are a solution provider and Orca Security is one of the products that we implement for our clients. Most of them are start-ups and scale-ups that are building their software on the cloud platform. If they don't have cloud services, they cannot use Orca, so that's the first requirement. They need to use a cloud platform like Amazon Web Services or Microsoft Azure or Google Cloud.

Then to use Orca, they need to make a connection with the cloud platform's API. This means that they don't need to install any software or hardware. At that point, the site-scanning technology in Orca Security will check for vulnerabilities in the environment, and then check whether there are any configuration issues.

Our clients can see the progress in compliance after they implement Orca. For example, there is a weekly report to show how things change. Most of the time, our clients start with perhaps 30% compliance. It gives you the option to select which standards you want to comply with, for example to the ISO standard, or the GDPR standard. Orca Security also has its own standards for specific cloud platforms.

You can see that the security improves by changing the configuration and tightening your cloud set-up. Similarly, when you start reducing the vulnerabilities that you have, the number of alerts you are receiving will decrease compared to what it was in the beginning. It takes some time to achieve a healthy state of cloud security but once a baseline is achieved, you will immediately see the problem if there is a critical alert. When a new vulnerability appears, it can be solved as soon as possible.

Orca's platform provides an agentless data collection facility that collects information directly from the cloud using APIs, with zero impact on performance. This is something that is very important because now, there is a need to have full visibility of your cloud security every day. One cannot rely on only a penetration test once a year, because our customers are start-ups and scale-ups that are really innovating. They are deploying code almost every day. They make changes to the configuration of their clouds using automated tools like Terraform, and they really need to have a solution like Orca to have the guarantee and the confidence that there is nothing new and critical being configured or added to that environment. For me, it's a no-brainer to have Orca running in your cloud.

By using the agentless approach, our clients avoid the need to deploy and maintain multiple tools. Also, if you're using an agent then you need to have it installed. This means that you have something running in your production environment, so that can have an impact.

Secondly, if you forget to deploy the agent on the new machine, you will not know that machine is there. You will not have a complete picture, and that's an important thing to consider. With Orca, you will have a full inventory of all of your assets, your configuration, your network setup, even assets that are not internet-facing. The old-school agent approach will not work, because even if you have the agents installed, you will still need to have something in the cloud doing scans. You will also need something that will look at the configuration of your cloud platform, which is not possible if you are just installing an agent on a VM.

Prior to Orca, our clients had considerably less coverage for their environments. When we compared the results of Orca against a typical vulnerability scan using Tenable, for example, the classical solutions only found 20%. This is because Orca is scanning behind the security configuration of your cloud provider, which is possible with integration using the API.

What is most valuable?

The compliance dashboard is one of the features that our customers find very interesting. Instead of having to run checklists and provide access to auditors, you can just generate a report from Orca.

The automation and alerting capabilities are very good. When there is a new vulnerability or a new issue, you can get an automated alert in Microsoft Teams or in Slack.

The visibility that Orca gives into the environment is really in-depth because of their site-scanning technology. They provide full visibility into everything running in the cloud environment. They can look at virtual machines; they can look at serverless; they can look at the configuration of users and roles. They can also see, for example, that a specific administrative user has no multifactor authentication configured. It covers the full stack and not only one specific item.

The alerting capabilities are now being added, which is a very good evolution.

The integration with SIEM tools is now in place, which is a nice feature.

What needs improvement?

I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on. This would guarantee our customers that whatever is running in their cloud production is secure on all layers.

It would be nice if this solution had the capability of fixing issues. As it is now, it only reports them. Having a button to patch a product, disable a service, or delete a VM would be nice. At this point, this is something they might not want to do because they are only doing audits rather than making changes. It is also something that would require having additional permissions, including write access using the API.

For how long have I used the solution?

I have been working with Orca Security for more than two years.

What do I think about the stability of the solution?

In the beginning, when we started to work with them more than two years ago, they were still just in the first phase of going live. At that point, we had some problems with the user interface and some bugs, but they have been developing very hard to solve those issues. For example, they migrated to a new version of the user interface, which is very good.

When there is a problem with stability, we can contact their support and they solve it immediately. These days, most issues have been solved and they're adding more functionality because they now have more developers working on it.

What do I think about the scalability of the solution?

In terms of scalability, we have customers that have a lot of assets, and some that only have a few. Of course, the more assets you have, the more vulnerabilities you have, and the more work that has to be done to solve those issues. That is something that takes time.

Our largest customer used to have more than 250 assets.

The customer is responsible for solving problems but because of Orca, we can track the progress and we can follow up on the vulnerability management and remediation.

How are customer service and support?

Technical support is very good. I would rate them a ten out of ten.

When you send an email, you get an answer immediately. They really try to determine what the problem is and identify the root cause. Either it's because it's something that we didn't know of or were unable to find in the documentation, or it's a bug or feature that is not known yet.

Which solution did I use previously and why did I switch?

We have seen customers moving from other solutions to Orca. When you are running your entire software solution in the cloud, and you make a lot of changes, have new deployments and new features, as well as configuration changes, your classical vulnerability scanners will miss things. 

For example, a traditional scanner will miss scanning a specific IP address or domain. When you are working in the cloud, everything is more elastic. Another problem is that you have new IP addresses not being used, but get allocated to another cloud customer. You can have a situation where you're scanning with those classical solutions, and it is actually somebody else's infrastructure. This is not the ideal situation.

These are some of the reasons that we have moved to Orca Security, replacing those classical mobility scanners.

Using Orca has helped consolidate vendors and services because it gives a better overall view. It's much easier to install and maintain than the typical vulnerability scanning approach. Our clients have replaced solutions such as Tenable, Qualys, and manual consultancy. In this last instance, if you don't have Orca or another product and you need to have a compliance check, then a security consultant will need to use a checklist and perform a manual inspection of all of the configurations.

Consolidating services has saved our clients both time and money. For instance, if you need to generate a compliance report every quarter, it will normally consume five to ten days. However, using Orca, it's checked every day and you can generate a report whenever you want.

Alternatively, you can use open-source tools but you don't always know what they are doing. 

How was the initial setup?

The initial setup is very straightforward. Everything is clearly documented and there is a video. They just need to log in and provide the API keys, which is very easy.

We have customers that first start with a trial or proof-of-concept, and then they immediately see the added value of the solution.

With the right access to the cloud platform, the deployment can take about 15 minutes.

What about the implementation team?

Our customers are responsible for doing the setup because we don't have access to their cloud platform.

Orca is a SaaS product that is always up to date.

What's my experience with pricing, setup cost, and licensing?

The pricing depends on how many assets you have running in your cloud and how many environments you have. If you have a dev environment, test environment, and a production environment then it's really important that you have coverage for all of them. But, you can start gradually because you can analyze one environment at a time. For example, you can begin with the production environment and fix all of the vulnerabilities there first. Then, add the test or acceptance environments, and then add your dev environments.

You really need to learn how Orca helps to improve your attack surface, and you don't want to start with everything at once. Instead, you want to start small and progress gradually, otherwise it will be a lot of work.

Pricing also depends on how you use your cloud provider. If you are working very cloud-native then it is much cheaper than a situation where you have a lot of virtual machines configured and running.

Which other solutions did I evaluate?

We generally look at the most innovative solution and start using it. We do not do benchmark testing because we don't have time for it.

What other advice do I have?

We normally set up customers on a trial basis to show them what the product is capable of. When you run a trial for a specific customer environment, you immediately see the benefits and value. You see that it does what they say it will and there are no hidden features. You immediately see the results in the dashboard, and how it works.

My advice for anybody who is considering Orca Security is to start with a proof of concept, as it will only take five minutes to set it up. Let it run for a few days and then look at the results. It will show you how it benchmarks against your existing tools, including things that you didn't know of and you need to solve. After the evaluation, purchase it to make sure that it keeps monitoring your existing environments.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Program Manager at a tech services company with 201-500 employees
Real User
Top 20
Monitors our whole environment in real time and makes everything more secure
Pros and Cons
  • "The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful."
  • "I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on."

What is our primary use case?

At work we use the enterprise version of Tenable, Tenable.io, and I also use Tenable.sc — which I refer to as SecurityCenter — for local scanning.

I use Tenable SecurityCenter every day to scan our entire environment for vulnerabilities. I use a local license during the discovery process for penetration testing. So I'll do an en masse scan, and then also do a scan with Tenable to scan for IPs and vulnerabilities.

User-wise, with Tenable SecurityCenter, there's different roles. We have security analysts, admin, etc. I'd say there's probably four or five different roles from people that can just go in and view. Security analysts can upload manual scans and create dashboards and download reports. Then administrators can create accounts, assign roles and responsibilities, and things like that.

How has it helped my organization?

Tenable SecurityCenter has absolutely improved our organization, by making everything more secure and helping ensure solid vulnerability management.

What is most valuable?

The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful.

What needs improvement?

I'm pretty happy with it, but I do see a lot of stuff coming out about risk-based vulnerability management. And so I've been looking at that. I don't think we're using that as of yet and it seems like a newer feature they're talking about a lot that I'm interested in.

I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on.

There was also an issue with SecurityCenter once where we had agents deployed on each device, and while it was scanning we were collecting the data real time. During this process, we had an enclave that was not submitting. It didn't have the agent installed because it wasn't connected to the enterprise network.

They were scanning locally and submitting the scans and we would then upload them into SecurityCenter manually. Each time that there were any duplicates with host names or IPs, or that there were issues with the scanner device with authentication, it failed. But then you scanned it again and it was successful.

When you uploaded that, SecurityCenter was counting it as two devices. And when you ran your report for unauthorized devices, even though it was scanned a second time successfully, the first time would show as a failure. So it was throwing off reporting.

So we would run a report and say, "Okay, which device has failed scanning with authentication?" And it would give a device and we'd be like, "Well, here's the secondary scan showing that it was successful." And so we were having to manually go in there and delete the failed ones.

And that was a pain in the butt. We eventually got that enclave online so we fixed the problem, but I felt that was a limitation of Tenable SecurityCenter that it couldn't see that.

For how long have I used the solution?

I have been using Tenable SecurityCenter for the past few years now.

What do I think about the stability of the solution?

We have only run into one troublesome issue that I can remember. It had to do with the way SecurityCenter inaccurately reported real-time scan results whenever there was a transient problem such as with a duplicate host name or IP, or with authentication.

It was a pain to deal with, because we kept having to go in and manually delete all the failed (but actually successful) scan results.

What do I think about the scalability of the solution?

When it comes to scalability, so far so good, and no issues. We've got the whole environment monitored right now and I don't see any significant increases in use anytime soon.

How are customer service and technical support?

Their technical support is good. Because I don't give out tens much for anything, I would say in the eight to nine range, out of ten.

Which solution did I use previously and why did I switch?

For vulnerability management, Tenable SecurityCenter is the only one I've used in the past six years. Though we do use other tools in conjunction with it.

We've pretty much used Nessus for scanning, vulnerability management, and reporting, and that's it. And it does it very well. And then I use different tools for other things. I'm sure Tenable had that on the plugins for other things, but we don't use those.

How was the initial setup?

The setup is straightforward.

What about the implementation team?

I personally implement SecurityCenter with a local license. And then we also have different roles like security analysts and administrators who can just go in and perform various functions such as uploading manual scans, creating dashboards, downloading reports, assigning accounts, and so on.

What's my experience with pricing, setup cost, and licensing?

I use a local license to perform penetration testing and I'm pretty happy with everything when it comes to pricing and licensing. 

What other advice do I have?

I can easily recommend Tenable SecurityCenter, and I have nothing really bad to say about it. I think it's a great tool for what it does. I enjoy the webinars, and the people that run the company seem very engaged with what's going on when you're into current events and the overall security climate, and they're continuously looking to improve.

I can't speak to every option that they have, but I have no reservations recommending them.

I would rate Tenable SecurityCenter an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security Operations Analyst at a manufacturing company with 10,001+ employees
Real User
Fast and easy to use, with good reporting and good support
Pros and Cons
  • "The most valuable features are that it's fast, it's easy to use and it provides good reports."
  • "Remediation needs improvement."

What is our primary use case?

I have been using Tenable Nessus for my personal use. It works well.

I am using this solution for testing.

What is most valuable?

The most valuable features are that it's fast, it's easy to use, and it provides good reports.

What needs improvement?

The only thing that I don't like is KBs information. For example, if we scan our workstation and you go to the results report that Nessus provides, we are going to see a lot of KBs as remediation. But in most cases, the KBs are always superseded.

Also, we are not able to apply those because Microsoft has already released a new TB. 

Nessus is not doing a good job in updating its remediation section of the reports.

Remediation needs improvement. They are providing a lot of superseded KBs as remediation.

For example, when you share that with several team members or with one individual, and you ask them to work on this, they reply with Microsoft already has something new.

For how long have I used the solution?

I have been using Tenable Nessus for approximately two years.

What do I think about the stability of the solution?

This solution is stable. I have not experienced any issues. It worked fine.

What do I think about the scalability of the solution?

It's a scalable solution. I have not had any problems.

I am the only person using this solution.

How are customer service and technical support?

Technical support is good. They provided information that is needed.

Which solution did I use previously and why did I switch?

Previously, I was not using another solution. I use Nessus through a course that I was taking in the security field.

How was the initial setup?

The initial setup was straightforward.

What about the implementation team?

We did not use a vendor or vendor team to implement this solution.

Which other solutions did I evaluate?

I have evaluated one other solution, but because of my company policies. I can't share that information.

Tenable has Tenable.io, and I believe that they have the remediation updated, but Tenable Nessus Professional does not. I don't think that they will continue to keep it available in the market. They should probably decommission it.

Remediation is better in other tools than with Nessus.

What other advice do I have?

For anyone who is interested in this solution, they should test the scan timing to see if it consumes a lot of time or not.

Research the remediation information to see if it is okay, or trust proof or not.

The reporting works well and it allows you to share. Also, support is important.

I would rate Tenable Nesuss an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Global Infrastructure Architect at a energy/utilities company with 5,001-10,000 employees
Real User
Top 20
Good technical support that is always there when you need them, but the prioritization of vulnerabilities needs to be improved
Pros and Cons
  • "Technical support is great and we've never really had a problem."
  • "We are moving away from Qualys to Defender ATP because I find that Defender ATP is much better at prioritizing the vulnerabilities that I should be looking at."

What is our primary use case?

We are currently using Qualys for vulnerability detection, as part of our security solution. We're moving towards Defender ATP because I am looking more at the Operational Technology (OT) side of things than I am at the Information Technology (IT) side.

What is most valuable?

What I like best about this product is that it does what it is supposed to do, which is vulnerability scanning.

What needs improvement?

We are moving away from Qualys to Defender ATP because I find that Defender ATP is much better at prioritizing the vulnerabilities that I should be looking at.

In general, I would like to see some better analytics and prioritization of vulnerabilities.

For how long have I used the solution?

We have been working with Qualys VM for three years.

What do I think about the stability of the solution?

Qualys VM is a stable solution.

What do I think about the scalability of the solution?

This is a stable product.

How are customer service and technical support?

Technical support is great and we've never really had a problem. They're always there if we need them.

Which solution did I use previously and why did I switch?

We did not work with another similar solution prior to Qualys.

How was the initial setup?

The initial setup is straightforward.

Our setup involved some on-premises deployments but ultimately, it uses the cloud.

What's my experience with pricing, setup cost, and licensing?

They have recently changed the pricing model, which is now better than it was before.

Which other solutions did I evaluate?

Right now, we don't have anything in our OT environment, and this is what I am particularly interested in. I am currently having discussions about new solutions with Qualys, Tenable, and Forescout.

What other advice do I have?

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Vulnerability Management
September 2022
Get our free report covering Tenable Network Security, Tenable Network Security, Rapid7, and other competitors of Tenable.io Vulnerability Management. Updated: September 2022.
633,184 professionals have used our research since 2012.