Tenable.io Vulnerability Management Reviews

Considering regular use cases of the solution, we wanted to cover two things, external vulnerabilities and the ability to identify misconfigurations on the perimeter, like, let's say, if someone is open, something vulnerable to outside, we monitor it. The use case was monitoring the external parameter addresses with Tenable.io and seeing changes there. If something changes or if something becomes vulnerable, as it's seen from the outside, without actual credentials to scan, you know, like, we can have several layers of scans. So, Tenable.io, we used as seen outside without providing any credentials, So it

gives you the true picture of how and what the attackers can use. It might be that if we use it with the credentials, we won't find additional vulnerabilities, but we don't cover that because it's not important because external attackers will not see it, actually. So, it's the first use case, and generally, Tenable.io is used for identifying vulnerabilities in the company infrastructure, servers, endpoints, and additional hardware and software, like routers, switches, and whatever has an IP address. Let's say, not for IoT, just for IT infrastructure and development infrastructure, and that was the use case of Tenable.io.

It improved basic things in resiliency, like cyber resiliency in the company, so as to not be attacked, not to be breached, or not be successfully attacked by hackers. So, it's basically a non-vulnerable state. This provided us with visibility of our actual status of where all the infrastructure is and helped to prioritize the vulnerability mitigation. It also indicates what to tackle first because you have a lot of stuff there, but you need to prioritize it. The main point here is to know how to prioritize since we never have enough time and resources to deal with fixing everything. You need to understand what to do first, and Tenable.io actually helps with that because they have additional intelligent sources to not just give you, like, CVSS because all the vulnerabilities have CVSS scores from zero to ten. So it gives you not just to always work by the score number because it just represents the vulnerability and how it can be hacked. But just take into account when you prioritize if it's a public-facing asset or computer or server or if not, or if this is now a trendy vulnerability to use and to exploit or not. Also, they have an additional score represented only in the system in addition to the CVSS score that helps you prioritize the mitigations.

The solution's most valuable feature is providing a single pane of visibility on all the infrastructure and its status. The aforementioned fact helps to prioritize things right and also to cover the mitigation process itself. However, what's bad about older systems, like, is when we do that, it just covers the identification. So, you have the problem and what you need to do, but it doesn't cover the whole cycle of dealing with it, and so you see the problem, you know what to do, maybe you know what to do first, But then the process needs to continue. I'm talking about a lot of negative things, but the fact remains that it doesn't cover, actually, the whole process of the identification and then the prioritization because we need to maybe open a ticket to deal with it by approaching the right people and to see that it's done, including the validation scans after it. The system gives you a way to do the scans somehow all around vulnerability and its status while not having to deal with the whole cycle. So you don't see, or you don't have this part when you mitigate the vulnerabilities themselves, and then you know what you did, what you didn't, and how you did, and which is status after it. So, it doesn't cover the whole vulnerability management process.

I would like the solution to cover the whole cycle of mitigation since it's an area where the solution currently lacks.

Nessus was created and, like, covered afterward. All the system is built around a basic unit that is mitigation, not the vulnerabilities. You don't have all the vulnerabilities where you build all the processes and all the reports that you have around it. Vulnerability is not like you have this problem. They say to you. Basically, you have a problem, but you don't have the patch. And the patch, inside of it, you have fifteen vulnerabilities, and it appears as a vulnerability. You are missing a patch, but it's not a vulnerability. All the system is built around missing mitigation. As a basic unit that everything is built around, and so this part is what you see when you do reports or when you build dashboards, and you have several databases inside that you can build reports around, but it's all beautiful, and you have a lot of reports, right, out of the box. But when you start creating something that you really need, like a new report, then you're, like, this data is in this database or downloaded database and this in another database of mitigations, and hence they cannot easily be connected, so each report can be all around this database because they have, like, two, three databases. I don't remember exactly, but they have separate databases inside, and you need to build the reports around one database, and it's not easy to connect two databases into one meaningful report. So, this is a hard part.

In short, I would like to see the databases seamlessly connected while doing a report.

The tool is okay, but, like I said, to cover the whole cycle and is like connecting the unconnectable things because they are built this way which I don't think they can change right now.

They can add things like brand reputation monitoring because it's the system that needs to identify all the vulnerabilities and infrastructure vulnerabilities. They can take it to add code vulnerabilities, like, if it's an R&D company that creates software, they have vulnerabilities of other types, like application-level vulnerabilities in the things that they are developing. And if it's a cloud, then it needs to be covered in a good way, considering the cloud infrastructure. Also, it works on the IP level. On the cloud, you can do it around EC2 instances. You can do the same in Tenable.io but then all the part of the cloud layer that is cloud-based but not on the EC2 level. Let's say it's CloudWatch logs and all the con configurations that are at a cloud provider level. So, there can be vulnerabilities there not at the EC2 level of the machine itself. So these are also vulnerabilities, and it can be good if they are shown and covered by the system.

In general, brand reputation and external CTI are needed in the solution.

Somewhere outside in the open world that it was bridged, and it's there, and then maybe we can show it to you also that it was bridged. So it's now in the open world, and they don't want to be, you know, to be the open world and also on the external attack surface, but I think we saw that some module that they are doing that is in just the right direction. So, it's a good direction.

I have been using Tenable.io Vulnerability Management for two years. I am just a customer of the solution. We used Tenable.io and then moved to Tenable.sc, which was on-premises.

Stability-wise, I rate the solution a four out of ten since there were problems with scans that were stuck and didn't work. Also, there was no nobody to talk to about the aforementioned issues. So, it was a problematic thing.

Scalability-wise, I rate the solution an eight out of ten.

We usually give it to maintain, run and configure everything we use to just two people to see the results. Each department has a user to see their problems by themselves. So it's like, apart from the two people, an additional ten or sixteen people use the solution, and these are people that are responsible for infrastructure management, like IT people at different places.

I rate the technical support around three to four out of ten. Sometimes, when we had problems, it was hard to get answers. The support was slow because it got to the wrong people at the start. So, the problems pass through tier one and then get escalated to the right people. So, it is very hard because some problems don't need just a tier one to solve the issue. So, tier three or four support may be needed at times.

Neutral

Just installing it and keeping it running is pretty easy. However, support is very important. I think all the companies in the field lack some good support, specifically in my country.

I rate the initial setup a ten out of ten, but it's not important because afterward, when you have problems, and you want an additional initial setup, the integration needs to be done to just install it. It needs to integrate it with other systems and integrate it into processes. At this level, at least with Tenable.io, I didn't feel that they were doing that, and so I didn't just want to buy software and install it.

The solution is deployed on the cloud and on-prem. We chose some of the biggest three or four cloud providers, including Azure and Oracle.

It took two weeks to a month for the deployment process to be completed. It depends on where you want to deploy. To prepare the solution for work, you install it, then install the scanners, and later on configure the scanners. Also, you need to identify the ranges that you need to scan. If you have some problems with connections, etc., you solve them. Then, you need to do the actual work. Just actually use the system for mitigation, and you need to do the right reporting. Also, things like connecting to ticketing take more time just to install. We deployed the solution with around three to four people, including security engineers, the network team, and business owners of the places we wanted to scan.

The solution requires maintenance. We used two people for maintenance and for some stuff that didn't work or needed to be improved or to deal with scanners that had problems on this because of the configuration. For not-so-effective scans, we need to tune it because if you have a huge range and the scans are configured to scan everything, then it is stuck. So, you tune them to the right places and scan the right thing to take the right type of scan, and then tune this tool.

The system owner, the infrastructure that is responsible for it, was involved in the maintenance of the solution. So, it was from the same department.

With Tenable.sc, in comparison to Tenable.io, it was even easier to do the implementation because you don't need to do a lot of stuff.

I have experienced a return on investment using Tenable.io. It showed us what we did wrong in the process of building the vulnerability management program in our company. It also gave us an understanding, making it a good solution.

On a scale of one to ten, where one is no return on investment, and ten is a hundred percent return on investment, I rate the solution a seven.

On a scale of one to ten, where one is low, and ten is high price, I rate the pricing an eight. So, it is a pretty expensive solution.

After evaluation, we have switched from Tenable.io Vulnerability Management to Rapid7. We also looked at Tenable Attack Surface Management but didn't use its protection.

Before choosing Tenable.io, we evaluated Rapid7, Nexpose, and Qualys.

It is a viable solution, but we then preferred and switched to Rapid7 again since it was cheaper. Also, we like the one thing we like because we had, like, problems getting to all the user machines, and so Rapid7 gave us the agent that they have. So you don't need to get the scan to the machine. You just install these solutions. We install the agent that reports on vulnerabilities instead of getting credentials scanned. And today, it's more problematic because, like, it would take several years ago, like ten years ago, all the systems had the perimeter of the company, and all the users were in some understandable place, and we knew where to look for them. Today, as a company where people around the world are not always using VPNs to connect to the network, and if they connect, they connect for some time, and let's say you are scanning your user computers every night or every day at five o'clock. So when you do the scan, just ten percent of the people, you hit them because only ten percent of the people are connected to your VPN during the five o'clock window. So you don't see the other machines, and you don't get them. Hence, you don't know the vulnerability status because they are less scanned. The solution needs to be perimeter-less, let's say, or the scans we need to get to the machines to all the machines, and if you scan them somehow or even if they are on the open internet, it's hard. So here, the agent solution is very easy because they report to the management on the vulnerability status from the agent over the internet. It was a big plus.

In terms of pricing and capabilities and just of the capability, while also considering our use cases where it is most important for us to get to all the machines.

I rate the overall product a seven out of ten.

I work for a company called Maxtec, and we are a distributor. One of the solutions that we used to distribute, not anymore, is Tenable. I've worked as the product manager for Tenable, and it is one of the products on which I've worked quite extensively. We stopped its distribution last year, and I stopped working with it at the beginning of 2022. We were using its latest version.

One of the biggest cutting-edge technologies that they were able to introduce is predictive prioritization. It has helped a lot of IT teams enormously that were heavily under the weight of vulnerabilities that they needed to remediate. Just in 2019, over 19,000 vulnerabilities were discovered, and about 10,000 of those vulnerabilities were rated between high and critical. The way predictive prioritization works is that it adds a lot of context and granularity, and it helps you understand which vulnerabilities actually pose an immediate risk to your environment. It eliminates the pressure that the IT teams were under in terms of remediation because now, they don't have to focus on 10,000 vulnerabilities. They can only focus on 3% of vulnerabilities that pose an immediate risk to their environment. That, for me, has been a cutting-edge technology and a game-changer in helping a lot of IT teams in focusing more on the risk that they need to address, at least within the next 30 days.

Tenable.io, in particular, is quite a powerful product. It looks at your traditional environment, which is pretty much anything that is on-premises, and it also goes a step ahead and covers your modern assets, which is anything that is currently sitting in the cloud. You get complete visibility of your entire environment and tech operation. The ability to give you visibility across the entire tech surface is one of the biggest advantages that Tenable.io has.

The use of agents comes in very handy when a lot of the workforce is working from home, such as during COVID-19. Some of the traditional tools would not be able to monitor any of those devices that people would be working with, such as laptops, because they are remote. You can only audit their machines if they are on the business premises, but with Tenable.io agents, you can maintain that level of continuous monitoring, even if they are not on-premises at the time of the scan. The agents run the scans locally on the machine.

Tenable.io is a cloud-managed solution, but the scanners are sitting on-premises. They've also got some public cloud scanners that are sitting all over the world. They've got something called frictionless assessments, which is quite an interesting approach for vulnerability scanning of anything that is sitting in your AWS. You don't have to deploy the scanners. They've got sensors in there that are able to give you continuous monitoring without deploying scanners, doing any configurations, or inputting any credentials.

They've been able to think about everything in terms of where the world is going and the type of assets that you've got. They've everything sorted out in that aspect, but you have to pay for most of the other components that they've got to give you complete visibility across your tech surface. If it already had those capabilities in-built, without having to add them on to take advantage of them, it would be a very compelling value proposition.

Their support needs to be improved in terms of turnaround time.

It is stable.

It is a cloud solution. Therefore, it is highly scalable. There is no limit to how many assets and devices you can handle.

In terms of verticals, in the public sector, we've seen a huge uptake. That could be because of compliance reasons. We've also seen it being used quite extensively within the banking and financial verticals. Those are the biggest users of the product. There has also been an uptake in other verticals but just not as big or as vast as the public sector and the finance and banking sector.

One area that they could improve is technical support. Oftentimes, it's not as good as it should be. The turnaround time could be improved quite significantly.

It is pretty easy and straightforward. For the cloud, you don't have to do anything on the management console. That is already set up for you. The only thing that you need to configure is your scanners that are sitting on-premise. For that, you just need a linking key that you obtain from Tenable.io so that there is directional communication between the cloud, your cloud instance, and various scanners that are sitting on-premises. It would be the same process if you want to install an agent, for example, on a machine. It would apply the same way. The only difference is that instead of choosing a scanner, you'd choose an agent.

For future users of Tenable.io, I would recommend using a layered approach. Tenable.io has an open API. So, it can be integrated with SIEM solutions. You can look at integrating it with privileged access management or any SIEM solution so that you've got all the data being pumped into a centralized location, and you are able to read the data alongside other security events coming from the SIEM and privileged access management solutions. 

Companies that are currently using Tenable.io can definitely start looking at integrating some of their security solutions for a much more robust security approach.

I would rate it a solid eight out of ten.

We use the solution for our vulnerability management program.

The solution is deployed in the cloud.

When the logging logic is lacking certain columns, Tenable.io Vulnerability Management provides comprehensive coverage, thereby simplifying the reporting process.

One of the most valuable features of Tenable.io Vulnerability Management is its exportability, which allows us to conduct risk assessments efficiently. This feature enables us to prioritize security issues based on their level of importance, without being distracted by other irrelevant details. Additionally, the system is frequently updated to ensure it complies with industry standards.

The asset identification has room for improvement. Since we are using a cloud-based scanner, we must scan devices based on their ID. However, we are encountering many issues with reporting. Assets are often being incorrectly merged or we encounter issues related to assets. If we had an agent with a scanning system, this issue may not have occurred, but it currently exists.

The UI has room for improvement. The previous version of the UI was better.

The technical support has room for improvement.

I have been using the solution for nine months.

The solution is generally stable, although we have experienced two instances in the past where it was down. The first outage was related to the scanner and lasted a few hours, while the second was caused by storage issues that prevented us from clearing the logs.

Scalability depends on our licensing agreement and the number of scanners we use. Currently, the number of scanners and our license allows for scalability up to a certain limit. Beyond that limit, we would need to purchase additional licenses to expand.

The technical support team responds promptly to basic issues. However, when faced with major issues or more complex problems, it can take longer to receive adequate assistance due to a high volume of entries. In such cases, we are required to submit detailed logs, which the support team will analyze before we can proceed to ask further questions.

Negative

Our current license covers 2,500 assets. If we want to add more assets we need to buy another license for another scanner.

I give the solution an eight out of ten.

We have around nine people using the solution.

The necessary maintenance pertains to storage. As it will be hosted on a specific cloud instance, we need to periodically manage the storage when the logs become full. This involves manually logging into the deployment platform and clearing the storage every few months.

The features of Tenable.io Vulnerability Management are impressive, the management system is well-designed, and the scanning options are thorough. Additionally, there are numerous built-in templates available. However, when utilizing the twelve-day scanner, asset identification can become challenging because of the dynamic IP addresses, which the solution struggles to properly identify the devices.

Tenable.io Vulnerability Management is a leading solution for vulnerability management and excels at aggregating information.

I primarily implement the solution for clients. It's mostly used for security purposes. 

The product has many features and continues to develop its capabilities at a rapid pace. 

It's done a lot of acquisitions and has really built out its cloud functionality. They're doing a good job of building out their cloud security.

The initial setup is mostly straightforward. 

The solution is stable. 

It can scale as necessary.

I'd like to see them improve their support.

It would be great if there was more integration with other third-party products. They have a robust API, so it's possible to write a script in Python and extend or integrate with another solution, however, will be great if they had this integration automatically.

I've been dealing with the solution for three or four years. 

The solution is stable. I haven't had any issues. There are no bugs or glitches. It doesn't crash or freeze. We use AWS infrastructure and find it to be very reliable. 

The general scalability is pretty good. It's easy to add on. We haven't had an issue with expansion. 

At this point in time, I'm not sure if our clients intend to increase usage. 

They need a better approach to support. When I have hard questions that need answers to, I prefer to jump to L3 support instead of getting pushed to L1. It's not solving my problems fast enough.

I've deployed Tenable.sc and other Tenable products. I've also dealt with FireEye.

I've been implementing the solution for four years. Therefore, I do not find it to be a difficult process. In general, it is easy to deploy, however, it depends on the client. If they are cooperative, it is easier. 

We need at least one person for deployment and maintenance. 

I can't speak to the exact cost of the solution. 

There may be some features that we have to pay for that are extra. However, when someone wants to use Tenable.io only for vulnerability scanning and vulnerability management, there is no hidden cost.

We are partners with Tenable and therefore tend to lean towards their products more than others. 

We're partners. I mainly implement the solution. 

I work with a variety of different versions. I use the whole Tenable portfolio.

I'd rate the solution eight out of ten.

Our company has 25 technicians who use the solution to scan firewalls and produce scheduled compliance reports for various environments.

The solution is easy to use and configuration is smooth with no complexities.

The solution is one of the best tools in the market for vulnerability management and remediation. It functions exactly as we desire.

The solution creates vulnerability tickets within the VM profile but should also include them under the Remediation tab so the fixes can be viewed in the ticketing queue. 

Qualys is a competitor product and handles vulnerability tickets in this comprehensive manner. 

I have been using the solution for two years. 

The solution is stable and I have only experienced hangs a few times. 

The solution is accessible from the private cloud so it is scalable to any needs. 

Technical support requires constant follow up and that is an issue. Once they are made aware of an issue, it takes time for them to find a resolution. I currently have three cases and have been waiting so long for updates that I have asked for escalation.

Support provided by Qualys is better because they work with you right away to resolve issues. 

I rate support a two out of ten. 

Negative

The initial setup is straightforward and not hard to understand if you have worked with other solutions. 

We experienced an authentication issue when the NetApp scanner was trying to log in to the system and firewall, but we modified the setting and the issue was resolved. 

We deployed the solution ourselves and the complexity depends on each environment. 

For example, our company has AWS, Azure, and on-premise data center environments. Our infrastructure team builds a list of assets and then our technicians deploy the solution to conduct scans. 

The annual license is a bit costly but the solution is worth it. 

We also use Qualys and like how it handles vulnerability tickets. 

We moved to the solution because Qualys does not support Cisco Secure Firewalls and that is a requirement in our environment. 

While Qualys offers dual locations for vulnerability tickets, it is not difficult to use API calls to integrate the solution with ServiceNow for assigning mitigation. 

Many companies use third-party tools like Jira to integrate things so it is not unusual. I do believe Tenable is working on an internal solution that will be available in the future.  

I rate the solution an eight out of ten. 

We use Rapid7 InsightVM and Tenable.io Vulnerability Management for similar purposes: a vulnerability assessment. At present, Rapid7 InsightVM is running in our IT infrastructure, while Tenable.io is running in our ICS and OT security, which includes our plants, premises, systems, SCADA systems, and PLCs. We usually find more vulnerabilities in these legacy systems, such as Windows XP and Windows 7, than in Rapid7 InsightVM. However, the use cases for vulnerability assessment are the same.

The solution is more user-friendly than Rapid7 InsightVM. A new user can easily understand the workflow, even if they are creating users for other divisions and the user is a beginner. They can easily use the system to get the data they need or fulfill their requirements.

I believe that Tenable.io is currently the best vulnerability management system. Compared to other vulnerability systems such as Rapid7 InsightVM, I find Tenable.io to be one of the best. However, Tenable.io lacks a platform to exploit or test the vulnerabilities it identifies. For example, if I identify a critical vulnerability, I cannot use Tenable.io to determine the risk of exploitation. Unfortunately, Tenable.io does not have a platform to test this.

The initial setup is complex and has room for improvement.

I have been using the solution for five years.

The solution is stable.

The solution is scalable.

After deploying Tenable, I spoke with the technical support a maximum of two or three times. They are very knowledgeable and know their stuff well. We always received immediate support from them.

The initial setup can be difficult. We need to configure the case. If we are starting from the beginning, we need to set up each IP range and make sure our firewall covers it. We also need to whitelist the Tenable.io IPs. This initial setup can be challenging.

Compared to other VM solutions, Tenable.io Vulnerability Management is expensive.

I give the solution a nine out of ten.

If we are using the solution for the first time, we should be sure to understand what aspects of the target we are trying to use Tenable.io for, such as what kind of information assets we have, whether they are general devices or specific devices, or if they are deployed in the DMZs. This way, we can ensure that we get the desired results. Therefore, before logging in or implementing Tenable.io for the first time, new users should be sure to have a good understanding of their requirements.

Our primary use case for the solution is managing organizations with assets. Our on-premises assets are in the private or public cloud so the customer doesn't need to have the server installed and deployed but can touch and go once the license has a provision. The user can use it right away. 

By making different resources available for sharing among users and groups, Tenable.io provides endless possibilities for creating customized workflows for vulnerability management programs, regardless of any of the numerous regulatory or compliance drivers that demand keeping your business secure.

With Tenable.io, we can schedule scans, push policies, view scan findings, and control multiple Nessus scanners from the cloud. This enables the deployment of Nessus scanners throughout networks to both public and private clouds as well as multiple physical locations

There is no burden to update or upgrade the solution manually, so it's always up to date. 

The price could be lower, and the grouping of platforms on the dashboard can be included in the next release of the product.

We have been using the solution for approximately four years.

The solution is stable.

The solution is scalable because if you want to extend the license, you can do it over a call every quarter. Additionally, the scaling does not require infrastructure requirements or additional infrastructure because all are hosted in the Tenable.io Vulnerability Management cloud. 

The initial setup is straightforward. However, once the account is provisioned for a user, Its just the data collector to set up Scanner/Agents, and it takes approximately two hours to set everything up.

It costs approximately $2,300 yearly.

We chose this solution because it has a great reporting feature and provides the most CVE coverage and VPR. Additionally, the solution has been in the industry for a long time and performs well.

I rate the solution an eight out of ten. The solution is good, but the price could be lower, and the grouping of platforms on the dashboard can be included in the product's next release. I advise new users to know the infrastructure system and networking. Additionally, there are videos and documentation that will assist them in getting set up to use the product right away.

We use Tenable.io for vulnerability scanning.

I like the Cloud Scanning feature the most.

They can improve in the area of role management and compliance reporting.

They should include better customization of the dashboard and integration tools.

We have been partners with Tenable.io for four years.

It is pretty stable. I would rate it nine or maybe ten out of ten. I didn't realize that the solution will be dropped in availability.

It is a scalable solution. I would like to rate it a six out of ten.

Many times, I get some answers that are not suitable information for my query. Thus, I need to escalate our vendors and our contacts internally. When some task is escalated and some security engineer supports them, it becomes quite helpful. After all, we are a part of it. I am working with Tenable.io. So in general when I have some problems, it is a pretty big problem for me. And I need someone else for support. It is not a general problem that some customers can figure out.

Neutral

Two years ago, I was training for Rapid7. Since then, I have had no time to implement another solution. So we are just implementing Tenable.io right now. Also, we have some big Tenable.io projects. So, we are just working around Tenable.io. But I have some expectations to work in the future with another vendor for vulnerability management.

I don't have any comparative options from another vendor. I just work at the retail level. I know it has a pretty high cost for some features. It's a security vendor, and the security solutions are pretty high-priced. I think Tenable.io is available at the mid-range of prices, maybe the mid-high range.

I work with Tenable.io and implement this solution for many customers. I would rate it eight out of ten.

The solution needs either two engineers or one security specialist to maintain it.