
Tenable Nessus Overview

Tenable Nessus is the #1 ranked solution among top Vulnerability Management tools. PeerSpot users give Tenable Nessus an average rating of 8.4 out of 10. Tenable Nessus is most commonly compared to Rapid7 InsightVM: Tenable Nessus vs Rapid7 InsightVM. Tenable Nessus is popular in the large enterprise segment, which accounts for 63% of users researching this solution on PeerSpot. The top industry researching this solution is the computer software industry, accounting for 19% of all views.
Tenable Nessus Buyer's Guide

Download the Tenable Nessus Buyer's Guide including reviews and more. Updated: September 2022

What is Tenable Nessus?

Nessus Professional is the industry's most widely deployed assessment solution for identifying the vulnerabilities, configuration issues, and malware that attackers use to penetrate your network or your customers' networks. With the broadest coverage, the latest intelligence, rapid updates, and an easy-to-use interface, Nessus offers an effective and comprehensive vulnerability scanning package for one low cost.

Tenable Nessus Customers

Bitbrains, Tesla, Just Eat, Crosskey Banking Solutions, Covenant Health, Youngstown State University


Tenable Nessus Pricing Advice

What users are saying about Tenable Nessus pricing:
  • "Nowadays, your vulnerability applications are going to be kind of pricey because lots of them, including Rapid7, are based upon a base price, but then they add in the nodes. That's where they get you. If you're a big network, obviously, you need to scan everything. Therefore, it's going to be costly. The risk and insurance money associated with having ransomware on my networks is going to cost me more money, time, and marketing than the price of the tool. That's why I'm speaking only as an information security officer to security operations. This is the tool that is there in my toolbox to say whether we are vulnerable or not. At this point, I don't care about how much it costs my company to have it because if I wasn't able to report it and we got ransomware, then who cares? I'm probably going to be out of business because it happened. That's why I don't care about the price. I have it, and I could use it effectively and do my report. At the end of the day, even if we get ransomware, as long as I reported it, followed my protocol, and put in the change, irrespective of whether it was ignored or denied, I did my job."
  • "Tenable Nessus needs to be licensed. We own a license for the security center and that license is charged by the number of IP addresses that you can scan. You're allowed to have as many scanners as you want and there's no license for the number of scanners. We have a bunch of Nessus scanners out there, and as long as we're comfortable with staying under that IP address limit, that's really all we have to be concerned about."
  • "Its price is high for Libya. The companies here in Libya don't have the awareness of and a good budget for cybersecurity services. If you want them to go for a product, you need to provide something different. This differentiation is related to the price. They should give about 40% to 45% discount per person on the current cost."
  • "Its pricing is great and can't be improved. It is very cheap. It is less than 2,000 pounds a license, and you can't really ask for more. It has unlimited IPs and unlimited scans. There are no particular pricing constraints. The only additional cost is the inherent cost of the people to actually review the actual scans."
Tenable Nessus Reviews

    Owner at a tech services company with 1-10 employees
    Real User
    Top 5
    Easy to use, good support, and gives full reports of what's vulnerable per device
    Pros and Cons
    • "I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for."
    • "The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else. I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan." I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day. In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CV database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers."

    What is our primary use case?

    We use it for vulnerability management. We have the latest version because we're using it in the cloud right now. I have a public cloud and a private cloud version.

    How has it helped my organization?

    When we do our scans, I'm able to give full reports of what's vulnerable per device. I could group them and say, "Hey, here's a vulnerability in the infrastructure. Here are all the hosts that need to be addressed," by showing the report. When I give a report or a request for change, I would include the report so that they are undisputed. Instead of the sys admins giving the excuse of, "Hey, we don't have enough time," or, "We've already done it," or some other poor excuse, now I have a report behind it that says, "Hey, you're vulnerable with this. Here's the CVE, and here's the POC of the CVE," and then if I want to be a little bit more obnoxious, I provide them the POC that I ran with the proof that the POC is there, and then I'm able to say, "Hey, you need to patch this now."

    My executives now are able to say, "Hey, you know what? The ISO gave you a directive to patch this with proof. Why haven't you done it?" Because now, as we know, all C-levels are ultimately responsible. If you have an ISO that is interfacing with sys admins saying, "Hey, here's a change that you need to patch it. Here's my proof that even has POC with proof and the report," then there is no benign, "Why haven't you done it?"

    What is most valuable?

    I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for.

    What needs improvement?

    The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else.

    I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan."

    I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day.

    In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CV database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers.

    Buyer's Guide
    Tenable Nessus
    September 2022
    Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
    635,162 professionals have used our research since 2012.

    For how long have I used the solution?

    I've been using Nessus for about eight years.

    What do I think about the stability of the solution?

    Internally, it is stable. Externally also, from what I've seen, it is stable. The only problem that I've had with it was if you have a network and internet blip, you get disconnected, but that happens with anything. Right now, I would say that a lot of cloud companies are having problems because COVID has got a lot of people working from home remotely in VPN. This is the biggest problem we have. You went from 35 people using VPN to over 2,000 people using VPN. You're trying to go to a cloud that wasn't set up for VPN, or you don't have the necessary routes or bandwidth to it. The average person is going to say, "This cloud application sucks." It doesn't really suck. It means that you don't have enough bandwidth in your infrastructure.

    What do I think about the scalability of the solution?

    We haven't had to scale it yet. We haven't scaled internal Nessus because we have our own version of it. I'm not sure how many IP addresses we're feeding, but I know we only have one server. I looked at the processes, and it's only doing 50% of the process.

    We have 13 people who are capable or licensed to use it, which would be all of our risk management information, information security, and risk management office, but I would say only half or about six of us are actually using it daily.

    How are customer service and support?

    I've used the tech support a couple of times. I would say they are very good because they were able to say, "Hey, let's stop the chatting. Let's get on a Webex, and we will Webex you and ask the questions directly." They were able to get to the engineers on the Webex at the same time, and within 30 minutes, they solved our problem. I would rate them a ten out of ten.

    How was the initial setup?

    If I was installing Nessus just by itself, it is straightforward simply because I've done it before. If you're setting up Nessus from the cloud version, there's a little bit more to it because, for one, it's in the cloud version, and you got to open up ports for your network. You got network people who get all scary because they don't understand what you're doing. Other than that, once you get it set up, then it is pretty much straightforward.

    What's my experience with pricing, setup cost, and licensing?

    Nowadays, your vulnerability applications are going to be kind of pricey because lots of them, including Rapid7, are based upon a base price, but then they add in the nodes. That's where they get you. If you're a big network, obviously, you need to scan everything. Therefore, it's going to be costly.

    The risk and insurance money associated with having ransomware on my networks is going to cost me more money, time, and marketing than the price of the tool. That's why I'm speaking only as an information security officer to security operations. This is the tool that is there in my toolbox to say whether we are vulnerable or not. At this point, I don't care about how much it costs my company to have it because if I wasn't able to report it and we got ransomware, then who cares? I'm probably going to be out of business because it happened. That's why I don't care about the price. I have it, and I could use it effectively and do my report. At the end of the day, even if we get ransomware, as long as I reported it, followed my protocol, and put in the change, irrespective of whether it was ignored or denied, I did my job.

    What other advice do I have?

    The advice would be definitely doing your proof of concept because that's what you're going to need for your buy-in for your upper management because it is going to cost some money. I would do a hybrid version, where your own Nessus is internal, and then you have your cloud. If you lose connection to the internet, you could still run an internal Nessus scan to save the scan and then input the scan into Tenable.sc. Do your proof of concepts, get your reports, and use your proof of concepts when you do your presentation to upper management to purchase. If you use your own nodes and your own network as your proof of concept, it gives them an eye view of, "Hey, we're vulnerable because of this, and here's the tool that did it." To me, that was a better selling point because it was real. It wasn't the demo data. Once you have purchased it and get it all set up, use it continuously, meaning include your scanned reports with your change control. This way, it shuts all the administrators who have been there over 20 years and say, "Hey, I don't want to patch right now because it takes the network down." Yes, it's going to take the network down. However, the longer you wait, the more vulnerable you are because if I'm doing change requests every week, and I'm calling on more and more risk and you start to find the same nodes in the same reports, then somebody up high is going to say to the network administrator guy to fix it.

    I would rate Tenable Nessus a ten out of ten right now. If you had asked me last year, Rapid7 would have been the same and on top, but now that I've been using Tenable and I'm comparing the jobs that I'm doing right now, Tenable is cut and clear to what the report is saying. My favorite report is the VPR report. Instead of just looking at CVS numbers, it has a VPR report that ranks, whereas, in Rapid7, it's just focused on CVS. It is CVS version 2 or 3, which kind of gets confusing. For example, in Tenable, I can run a scheduled scan and have my report, but let's say, for instance, I did patching in the middle before my scheduled scan. I could kick off a new scan specifically for that vulnerability and get a report, whereas, in Rapid7, you could not easily do that. Therefore, you were stuck waiting for the scan to go again and to see if your mitigation efforts fixed it.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    NikhilGupta1 - PeerSpot reviewer
    Senior Manager - SRE at Zenoti
    Real User
    Reliable, easy to set up, and helps with compliance
    Pros and Cons
    • "Once you get past the initial implementation, the solution is very stable."
    • "They could make their reporting a little better."

    What is our primary use case?

    We are using the product for CIS benchmarking on our systems.

    Our primary use case is basically understanding whether our systems are compliant with the CIS benchmarks in terms of system hardening. What Tenable Nessus does is it can run a scan on the systems and it gives us a report in terms of what properties or settings on the systems are in compliance and what are not in compliance. Then we can review that and go back and improve the systems in terms of those settings.

    What is most valuable?

    What I like about it is the fact that it can figure out what changes we need to make on our systems to ensure that they're hardened properly.

    The initial setup is not difficult. 

    Once you get past the initial implementation, the solution is very stable. 

    It's scalable. 

    What needs improvement?

    So far, it has been fulfilling the requirements. From that perspective, there is not a lot that I would want to improve in the features that we are using.

    They could make their reporting a little better. Maybe they could do some more integrations with certain other tools to extend it or make the reporting better in the sense that it could probably generate some alerts or something of that sort. It could do some real-time reporting. If there are any policies that are changing or getting violated, they could probably generate some alerts, which could involve the on-call on my side so that I could take immediate action. That could probably be one thing that they could introduce.

    For how long have I used the solution?

    We've used the solution for about a year now. It hasn't been that long. 

    What do I think about the stability of the solution?

    Initially, we had some issues. Initially, we were not very confident about how to configure certain things. Once we had integrated and deployed the product, we needed a few support calls to fix the system properly in our environment and since then it has been smooth, I would say. The stability is now good.

    What do I think about the scalability of the solution?

    The solution can scale. 

    We have very few users. It's basically based on the number of systems that we need to install it on in terms of scaling. That's something that probably is more than the number of users who actually access the system. It's largely used by the security team.

    We do have plans to increase the usage of Tenable Nessus organically. As the number of systems that we use is dynamic in nature, it likely will keep going up and down over time.

    How are customer service and support?

    We've dealt with technical support on and off I would say. We keep talking to the technical support at times to get some insights on any new features that are coming in or in terms of how to use a certain feature that we are probably trying to introduce or something of that sort.

    Which solution did I use previously and why did I switch?

    We were not using any other products before this.

    How was the initial setup?

    For the initial setup, I need to deploy an agent on my systems. It's pretty straightforward. It's not very difficult.

    I'm not really sure about how long it took, however, my understanding is it didn't take too long for our system. It was maybe a few minutes per system or maybe half an hour per system. Not more than that.

    What about the implementation team?

    We did not use a consultant or any integrator for the deployment. We did it in-house. 

    There were a couple of people on my team who were able to set it up for us.

    What's my experience with pricing, setup cost, and licensing?

    I'm not aware of the licensing cost.

    What other advice do I have?

    I'd recommend the product to others. If a company wants to use it for system analysis as part of the benchmarking of the systems or if a company wants to do security benchmarking, they can use this. They should be able to use the tool.

    I'd rate the solution eight out of ten. 

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Security Analyst at PJM Interconnection
    Real User
    Top 20
    Useful vulnerability detection, highly scalable, and good support
    Pros and Cons
    • "The most valuable feature of Tenable Nessus is vulnerability detection."
    • "Tenable Nessus could improve reporting and information sharing. It would be helpful if we could share the reports and have a little bit better flexibility in the reporting of the data."

    What is our primary use case?

    Tenable Nessus can be deployed on-premise and in the cloud.

    Tenable Nessus is a vulnerability scanner to find vulnerabilities. The solution finds the vulnerabilities in our environment and then we send those vulnerabilities that are found out to the SMEs to be fixed.

    How has it helped my organization?

    Tenable Nessus allows us to keep up on fixing the vulnerabilities that are either being exploited in the wild or the ones that we find most critical.

    What is most valuable?

    The most valuable feature of Tenable Nessus is vulnerability detection.

    What needs improvement?

    Tenable Nessus could improve reporting and information sharing. It would be helpful if we could share the reports and have a little bit better flexibility in the reporting of the data.

    In the next release, they should add some more integration with other security solutions that would be helpful.

    For how long have I used the solution?

    I have used Tenable Nessus for approximately 10 years.

    What do I think about the stability of the solution?

    The stability of Tenable Nessus is very good.

    What do I think about the scalability of the solution?

    Tenable Nessus is highly scalable.

    We have a couple of administrators and vulnerability analysts who run scans, and read-only accounts for the SMEs who fix vulnerabilities, and an executive role for management to view the data.

    We use Tenable Nessus extensively, we have scheduled jobs running all the time. We do scans on all the systems on our network, and we are always making tweaks.

    How are customer service and support?

    I rate the support of Tenable Nessus a four out of five.

    Which solution did I use previously and why did I switch?

    I have not used another solution previously to Tenable Nessus.

    How was the initial setup?

    For our deployment of Tenable Nessus, there are elements of complexity. However, the complexity depends on the use case. The solution is not that difficult to implement; the complexity comes from the many things that are involved. You do not need to be an expert, but there are many parts that need to be set up.

    We had Linux servers built and the Tenable Nessus software was installed on top of that. It was relatively simple as far as that goes.

    I rate the ease of setup of Tenable Nessus a three out of five.

    What about the implementation team?

    We did the implementation in-house.

    We have two administrators and one SME that does the supporting of Tenable Nessus.

    What was our ROI?

    It is difficult to show or rate ROI from a security standpoint, it is similar to having car insurance. When there are vulnerabilities out there, we can quickly look because we're scanning all the time at what our vulnerabilities are. Tenable Nessus is used for keeping our infrastructure safe.

    What's my experience with pricing, setup cost, and licensing?

    Tenable Nessus needs to be licensed. We own a license for the security center and that license is charged by the number of IP addresses that you can scan. You're allowed to have as many scanners as you want and there's no license for the number of scanners. We have a bunch of Nessus scanners out there, and as long as we're comfortable with staying under that IP address limit, that's really all we have to be concerned about.

    We pay a monthly maintenance fee, which is recurring.

    Which other solutions did I evaluate?

    We did evaluate other solutions before choosing Tenable Nessus, such as Rapid7. We chose Tenable Nessus because it was used by more customers and it seemed at the time to be more straightforward.

    What other advice do I have?

    Security is a complicated subject. There's a lot involved in Tenable Nessus, but the solution is easy to run and manage, and we have had a lot of good success with it.

    I rate Tenable Nessus a nine out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Jairo Willian Pereira - PeerSpot reviewer
    Information Security Manager at a financial services firm with 5,001-10,000 employees
    Real User
    Top 5 Leaderboard
    Tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans
    Pros and Cons
    • "Scanners and reports using CIS templates ("de-facto" standard, easy to fix and to locate correction tips in the documentation), tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans."
    • "Model OS costs (and its segregation schema for individual modules)."

    What is our primary use case?

    Over 15,000 active assets inside 10 companies belonging to the group. The biennial recurring project mapped the real situation, in parallel with a snapshot of IT/Security maturity across three main domains: processes, people, and technology. 5 TOEs: Infrastructure, Databases (SQL and Oracle in depth), AWS Cloud, Connectivity (Routers, Switches, and Firewalls against/based on CIS) and Web Application instances (partial tests). Nessus running over a hardened, customized Linux with HA (High Availability).

    How has it helped my organization?

    Nessus has more plugins/add-ons, tests, and templates than previous tools (OpenVAS), and it is faster and customizable using CLI/API features. It offers enough resources for an interesting cost-benefit rating (for small and medium companies) and fewer false-positive events per type of asset.

    It helped us to quickly produce a QuickWin report that guided the VulnerabilityMgmt actions and plans within the companies during the next 3-5 years, using the same tool/investment/team for all companies inside the group.

    What is most valuable?

    Scanners and reports using CIS templates ("de-facto" standard, easy to fix and to locate correction tips in the documentation), tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans. You can scale your environment to gradually increase the quality, depth, and quantity of the tests, enabling you to learn and gradually optimize your vulnerability management platform(s)/instance(s). The possibility of integration with other market tools (Kenna, Archer...) is another differential.

    What needs improvement?

    - Add the possibility to customize the attributes that define the assets' criticality level based on the company's "business sense".

    - Improve integration and tests for OT platforms, OT applications, OT hardware, and non-Ethernet protocols.

    - Improve the exchange of info/insights/attributes with the RM (Risk Management) domain.

    - Offer more flexible strategic and high-level dashboards based on the previous comments (less technical and more business-oriented).

    - Model OS costs (and its segregation schema for individual modules).

    For how long have I used the solution?

    7+ years with Tenable and more than 15 years with others.

    What do I think about the stability of the solution?

    Excellent. Not one problem during operation and deployment.

    What do I think about the scalability of the solution?

    Enough (faster than OpenVAS engine).

    How are customer service and support?

    Its SLA/support is enough.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    OpenVAS. We reached the previous level/threshold/maturity using OpenVAS (a more limited tool when compared with Nessus). I/We believe that the change to a better tool (in this and in other categories) should be carried out when these indicators are reached.

    How was the initial setup?

    Very simple and fast.

    What about the implementation team?

    In-house.

    What was our ROI?

    Good. Nessus Pro combined with other xLAP solutions to offer a presentation/grouping layer is great. Using SC, this curve/point of ROI is slower.

    What's my experience with pricing, setup cost, and licensing?

    Start small, learn about your problems/fixing time, and grow gradually.

    Which other solutions did I evaluate?

    Several. OpenVAS, Rapid7, Qualys, CORE* and Retina.

    What other advice do I have?

    An interesting tool in cost/benefit terms.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Jairo Willian Pereira, Information Security Manager at a financial services firm with 5,001-10,000 employees (Real User, Top 5 Leaderboard)

    Authenticated users are an excellent way for you to increase the quality and depth of your scanner. You can add/use cloud providers' API keys during tests, and local or AD users/credentials with databases, telecom devices, and other types of digital assets. Normally, the difference between non-authenticated and authenticated scans is very big.

    Wessam Altoumi, Chief Commercial Officer at Yamamah Information Technology & Communication Systems LLC (Real User, Top 5)
    Good reporting, good support, and easy to deploy and use
    Pros and Cons
    • "It is easy to deploy and easy to use. Its reporting is good. From this reporting, you can see the pain point in your network, which makes it easy to fix them. It is easy to understand the reports and export them."
    • "Technically, it is excellent and the best solution available in Libya. My only concern is related to its pricing. They are an emerging company in Libya, and they need to put in some effort to provide us with very good prices so that customers can go with the best solution. Chinese companies are getting into the market here, and they're providing very cheap solutions."

    What is our primary use case?

    Two of our customers use it for vulnerability assessment and penetration testing, and they are getting very good results.

    What is most valuable?

    It is easy to deploy and easy to use. Its reporting is good. From this reporting, you can see the pain point in your network, which makes it easy to fix them. It is easy to understand the reports and export them.

    What needs improvement?

    Technically, it is excellent and the best solution available in Libya. My only concern is related to its pricing. They are an emerging company in Libya, and they need to put in some effort to provide us with very good prices so that customers can go with the best solution. Chinese companies are getting into the market here, and they're providing very cheap solutions.

    For how long have I used the solution?

    We have been providing network and solution integration services since 2012.

    What do I think about the stability of the solution?

    It is a stable solution. It is the best one in the world. I am not considering any other solutions.

    What do I think about the scalability of the solution?

    It is scalable.

    How are customer service and support?

    Their technical support is very good. The feedback that I have received from the customers for the tickets that they opened is that they are satisfied with the service.

    How was the initial setup?

    It is easy to deploy. It can be implemented in less than 10 days, but complex projects with ISO 27001 compliance requirements can take more than a year.

    What about the implementation team?

    From our side, there are only two engineers. One is the main engineer and the other one is the backup engineer. 

    It is being used by only three users. Two are from the cyber information security team and one is from the network security team.

    What's my experience with pricing, setup cost, and licensing?

    Its price is high for Libya. The companies here in Libya don't have the awareness of and a good budget for cybersecurity services. If you want them to go for a product, you need to provide something different. This differentiation is related to the price. They should give about a 40% to 45% discount per person on the current cost. From our side, we provide the demo and show it as a very good and valuable solution, but when it comes to the price, some companies don't want to own the tool. They prefer to go for it as a service. There are a few companies that are providing it as a service where they own the tool, but they provide it as a service, which is cheaper than a customer owning the product. We strongly recommend that customers own the product and use it.

    I strongly recommend that customers go for a three-year license to use it, benefit from it, and be comfortable with it. In Libya, we are facing a problem related to the timelines and delays of projects. If they go for just a one-year license and the project gets delayed by six months, they will have only six months to use it.

    What other advice do I have?

    It is a very good and useful tool. I would rate it a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    VP - Risks, Audits & InfoSec at a tech services company with 501-1,000 employees (Real User)
    I like its ability to collate a dependable output, where we are able to get the same vulnerability when we test manually
    Pros and Cons
    • "The features of Tenable Nessus that I have found most valuable are its reliability and its ability to collate a dependable output, where we are able to get the same vulnerability when we test manually. The output is quite reliable."
    • "In terms of what could be improved, I would say its reporting portion."

    What is most valuable?

    The features of Tenable Nessus that I have found most valuable are its reliability and its ability to collate a dependable output, where we are able to get the same vulnerability when we test manually. The output is quite reliable.

    What needs improvement?

    In terms of what could be improved, I would say its reporting portion.

    Additionally, we have the on-prem version, but sometimes we want to have an on-cloud deployment as well for certain projects, although not so many. The people who used it on cloud didn't find it as good as the version they were using on-prem. Overall, the cloud version could be improved.

    For how long have I used the solution?

    I have been using Tenable Nessus for about three years now. We are currently using the latest version.

    What do I think about the stability of the solution?

    In terms of stability, recently we are seeing many updates coming in, and we are finding that the updating model with its latest releases may be a little buggy. So sometimes deployment may take a couple of tries, and Nessus takes its own time for updating, thereby delaying the deployment time. Of late, we are seeing updates coming in very frequently. So when we deploy it, it just updates again and again, and that almost doubles the time.

    What do I think about the scalability of the solution?

    Tenable Nessus is scalable. That's not an issue.

    How are customer service and technical support?

    We did reach out to technical support. I think it was just once, but it took them a long time to respond. Maybe it was case specific, but they took a few days to get back to us and we didn't expect that. Now they've completely changed the model to email support, so we send the email and we'll have to wait until the guys answer us back.

    How was the initial setup?

    The initial setup on-prem and on-cloud did not have any issues. It just took a couple of hours.

    What other advice do I have?

    On a scale of one to ten, I would give Tenable Nessus an eight.

    What happens is that Nessus keeps on updating, and this becomes a showstopper. We are unable to proceed with the vulnerability scans or testing if we do not update to the latest available patch. We can understand the risk if it's maybe one version earlier, meaning we understand something was updated with XYZ patch, but there should be something which gives us an option so that not all of our deployments need to have the latest patch. This would save the deployment time lost because of frequent updates.

    I would recommend Tenable Nessus, especially the commercial model. We operate in small and medium enterprises, and for them, Nessus is becoming expensive. Because of this, I may not buy Nessus this year, and I might switch to Qualys, for example. Overall, Tenable Nessus is not so pocket-friendly price-wise for small and medium users.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Information Security Manager at a transportation company with 1,001-5,000 employees (Real User)
    Comes at a great price, does exactly what you expect it to do, and never lets you down from a stability point of view
    Pros and Cons
    • "It does exactly what you expect it to do, and its pricing is great. We couldn't really ask for a better deal."
    • "The interface is a little bit clunky, and the reporting is not marvelous. There should be better integration of reporting between instances. Currently, the instance stands alone, and it produces a report. Being able to amalgamate those reports with another instance will be useful."

    What is our primary use case?

    We are using Nessus Pro. Our operational security team is using it at the moment. It is being used in a couple of ways. In one instance, it is being used purely to scan the internal infrastructure. In the second instance, we're using it to scan the entire network range, including all endpoints. In the third instance, we're using it to do PCI DSS compliance scanning.

    What is most valuable?

    It does exactly what you expect it to do, and its pricing is great. We couldn't really ask for a better deal.

    What needs improvement?

    The interface is a little bit clunky, and the reporting is not marvelous. There should be better integration of reporting between instances. Currently, the instance stands alone, and it produces a report. Being able to amalgamate those reports with another instance will be useful.

    What do I think about the stability of the solution?

    It has never let us down from a stability point of view.

    What do I think about the scalability of the solution?

    It is really scalable. It is great.

    We have six people who are actually interacting with the tool itself, but obviously, it has been deployed against thousands of endpoints. There are three different roles of those six users.

    How are customer service and support?

    They are very good. Their formal support and the wider community support are excellent.

    Which solution did I use previously and why did I switch?

    We've used Rapid7 in the past. We switched because of the value for money and the fact that it feeds into the Tenable.io platform, which is where we ultimately want to be.

    How was the initial setup?

    It was straightforward and fast. It literally took a morning.

    What about the implementation team?

    It was done in-house. For its deployment and maintenance, there is just one person. He is an information security analyst.

    What's my experience with pricing, setup cost, and licensing?

    Its pricing is great and can't be improved. It is very cheap. It is less than 2,000 pounds a license, and you can't really ask for more.

    It has unlimited IPs and unlimited scans. There are no particular pricing constraints. The only additional cost is the inherent cost of the people to actually review the actual scans.

    What other advice do I have?

    My advice to people who are looking into implementing this product would be to just go ahead and do it. Don't be frightened about it. It is great. It does exactly what you'd expect it to do. You can use it as a stepping stone to the other Tenable products.

    I would rate it a nine out of 10. It is a lovely product. It just does what you need it to do, and lets you get on with your day.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Md. Shahriar Hussain, Cyber Security & Compliance Lead Engineer at Banglalink (Real User, Top 5 Leaderboard)
    Very easy to carry out ransomware checking, OS auditing and implementation
    Pros and Cons
    • "Makes ransomware checking and OS auditing and implementation relatively easy."
    • "Lacks some penetration testing-related services."

    What is our primary use case?

    I use this solution for OS auditing, database auditing, virtualization, and checking how closely our environment follows the CIS or DISA benchmarks. We also use it for malware and ransomware risk and for carrying out assessments. We purchased this product from a local partner that has a premium partnership with Tenable. I'm a cybersecurity and compliance lead engineer.

    What is most valuable?

    The solution makes ransomware checking and OS auditing and implementation relatively easy. It covers most of the requirements for benchmarks for all sorts of widely available required configuration settings in the technology industry. It's also very user-friendly, easy on the eye, and saves a lot of time. It provides us with reports that perfectly satisfy compliance requirements, whatever the device or configuration settings. 

    What needs improvement?

    There is very little to improve but cloud security tests would be something helpful to have. Tenable could also offer some penetration testing-related services, which would be beneficial.

    For how long have I used the solution?

    I've been using Nessus for three years. 

    What do I think about the stability of the solution?

    It's a very stable solution. 

    What do I think about the scalability of the solution?

    The solution is scalable. I use it for around 4,000 servers on a daily basis.

    How are customer service and support?

    The technical support is good. They offer expensive professional support, but I generally use the website documentation to fix things. Compared with other companies, they provide very good support. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I previously used Qualys and had a bad experience. It's not very user-friendly, licensing was difficult and deployment painful. I also used Rapid7, and I think Nessus is more user-friendly than both of those products. 

    How was the initial setup?

    The initial setup was very easy and took just a few hours. It's important to plan wisely before implementing. Know how many servers you have and try to project your future requirements so that you can estimate the total number of IPs you require. If the forecast is accurate, the solution is cost-efficient. We used consultants from Singapore, and they installed some agents on our on-premises servers. Maintenance is very easy.

    What's my experience with pricing, setup cost, and licensing?

    The global situation is very unstable and the dollar price has already increased significantly in our country in the last three or four months so everything has become expensive. Licensing is very competitive in our local markets and there's a lot of haggling that goes on. The option of a three-year license would be most beneficial for us because of the huge variations in the dollar. 

    What other advice do I have?

    I rate this solution nine out of 10. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.