Security Architect at a logistics company with 10,001+ employees
The vulnerability priority rating has been accurate and helps us prioritize effectively, based on risk
Pros and Cons
- "The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing."
- "There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product."
What is our primary use case?
We use it for internal and external vulnerability scans.
How has it helped my organization?
Instead of just looking at high, medium or low risk for vulnerabilities, and having to remediate all of them, we can remediate in a more effective manner. We have limited resources for remediation work and we want to spend our time on the most critical issues.
It helps us focus resources on the vulnerabilities that are most likely to be exploited. It gives a higher VPR number where the things are more likely to be exploited, instead of just using the pure severity rating as a way to prioritize and decide to remediate.
What is most valuable?
The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing.
When it comes to vulnerability prioritization, Tenable's predictive features are off to a great start. It's definitely giving us more data to help prioritize, instead of just relying on straight CVSS. The vulnerability priority rating has been accurate and is helping us prioritize effectively, based on risk or based on the likelihood of being exploited. Based on what they say, and comparing it to what we are seeing with malware exploits, their predictions are lining up with what we are seeing being exploited.
What needs improvement?
There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product.
There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.
Buyer's Guide
Tenable Nessus
December 2025
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,310 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Nessus for three years at my current company.
We monitor Windows, Linux, Mac, workstations, servers, and cloud resources.
What do I think about the stability of the solution?
It's very stable. We haven't had any issues. There has been no database corruption or anything like that. All we've had to do to the main Security Center is give it more disk space to save more data. That's it.
What do I think about the scalability of the solution?
The scalability is okay. We would definitely run into issues if we wanted to save a longer history of the data. It would be terabytes and terabytes of data. But in terms of at least keeping all the data for all the assets that we have, it's good. We're good enough with the retention. It meets our requirements.
The issues would be storage and being able to search across it. If we needed to save five years of scan history, it would be operationally difficult to use all the data that would be saved. But it's not problematic to look at the current data or trends for the past six months. Stuff like that is fine.
We're at about 20,000 hosts and it's pretty stable. I don't think we're going to do a big increase.
How are customer service and support?
Tenable's technical support is good, except for things that involve some of the custom development work that we've done using their API. Early on, that was problematic, but they've gotten better and released more API documentation and sample code, and that was fine.
It was nothing that was wrong with the product itself, but tech support is more designed for normal user interactions with the product, not doing development against the API. The problem with my code was because some documentation wasn't clear or there wasn't a sample for how to do this. That's where it was a little bit tougher. The normal, user function stuff was totally fine. It was really the developer-focused side.
Which solution did I use previously and why did I switch?
We were on Rapid7. We switched because of scalability and performance.
We were looking for a solution that could handle and scan our volume of assets. It wasn't working with our previous solution. Nessus has scalability. Being able to scan in time and actually being able to report on that data were things we couldn't do with our old solution.
Also, the level of visibility that Tenable provides is much better than Rapid7 because we're able to actually see all of the data that was collected and we're able to scan for vulnerabilities and config issues and pull all the data together. We were having real trouble with that before.
How was the initial setup?
The initial setup was straightforward. We were easily able to set up scan policies, asset groups, scan schedules, and start collecting data very quickly.
It wasn't complicated to define what we wanted to scan. It wasn't complicated to set up the credentialed scans, or to set up the different credentials for the different policies and different types of machines. Everything that goes into building a scan policy was straightforward and we were able to get all of our assets scanned pretty quickly. Within 45 days of buying, we had good data and had done multiple scans already with all of our assets.
Our implementation strategy was that we wanted to set up credentialed scans for all of our machines as quickly as possible. We were working towards that and trying to get the coverage in Tenable as soon as possible.
What about the implementation team?
We did it ourselves.
What was our ROI?
We are fulfilling our goals and able to deliver on the requirements that we have. It's hard for security to be a real ROI. We need to do vulnerability scanning, we need to know where the issues are and we need to be able to fix them. It is doing that.
What's my experience with pricing, setup cost, and licensing?
Our licensing is on a yearly basis but we did a three-year deal. It is a fixed cost to cover a certain number of hosts or assets. There are no additional costs to the standard licensing fees.
What other advice do I have?
Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network.
The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better.
The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that.
The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
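The contrast this reviewer draws between a fixed "patch criticals within N days" policy and VPR-based ordering, as an added example that is not the reviewer's or Tenable's code. The export rows, their column names and the SLA table are all constructed assumptions, only meant to mimic the shape of a Nessus CSV export.

```python
"""Compare a severity-based patch SLA queue with a VPR-based queue.

Added example, not Tenable's code. SAMPLE_EXPORT is constructed; its column
names (Host, Plugin ID, Name, Risk, CVSS, VPR) are assumed to resemble a Nessus
CSV export, and SEVERITY_SLA_DAYS is an assumed remediation policy.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: five findings across three hosts.
SAMPLE_EXPORT = """Host,Plugin ID,Name,Risk,CVSS,VPR
10.0.0.5,100001,Old OpenSSL build,Critical,9.8,4.1
10.0.0.5,100002,Weak cipher suites enabled,Medium,5.3,2.2
10.0.0.7,100003,Unpatched web framework,High,7.5,8.9
10.0.0.9,100004,Outdated kernel,High,7.8,6.7
10.0.0.9,100005,Informational banner leak,Low,3.1,1.0
"""

# Assumed policy: maximum days allowed to remediate, keyed by the Risk label.
SEVERITY_SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def parse_export(text):
    """Parse the CSV text into a list of findings with numeric scores."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["Host"],
            "plugin_id": int(row["Plugin ID"]),
            "name": row["Name"],
            "risk": row["Risk"],
            "cvss": float(row["CVSS"]),
            "vpr": float(row["VPR"]),
        })
    return findings


def severity_queue(findings):
    """Traditional order: tightest SLA deadline first, then highest CVSS."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_SLA_DAYS[f["risk"]], -f["cvss"]))


def vpr_queue(findings, vpr_floor=0.0):
    """Risk-based order: highest VPR first, optionally dropping low-VPR noise."""
    return sorted((f for f in findings if f["vpr"] >= vpr_floor),
                  key=lambda f: -f["vpr"])


def rank_shift(findings):
    """Positions each plugin moves between the two queues.

    Positive means VPR treats it as more urgent than severity alone would.
    """
    sev_pos = {f["plugin_id"]: i for i, f in enumerate(severity_queue(findings))}
    vpr_pos = {f["plugin_id"]: i for i, f in enumerate(vpr_queue(findings))}
    return {pid: sev_pos[pid] - vpr_pos[pid] for pid in sev_pos}


def host_summary(findings):
    """Per host: finding count and highest VPR, to decide which box to patch first."""
    summary = defaultdict(lambda: {"count": 0, "max_vpr": 0.0})
    for f in findings:
        entry = summary[f["host"]]
        entry["count"] += 1
        entry["max_vpr"] = max(entry["max_vpr"], f["vpr"])
    return dict(summary)


if __name__ == "__main__":
    fs = parse_export(SAMPLE_EXPORT)
    print("severity order:", [f["plugin_id"] for f in severity_queue(fs)])
    print("VPR order:     ", [f["plugin_id"] for f in vpr_queue(fs)])
    print("rank shift:    ", rank_shift(fs))
    print("per host:      ", host_summary(fs))
```

The Critical finding with a low VPR drops two places while the High finding with a high VPR moves to the front, which is the kind of reordering an auditor expecting a pure severity SLA would ask you to justify.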
President and Sr CISO Consultant at a tech services company with 51-200 employees
Provides me with executive-friendly reporting for my clients
Pros and Cons
- "Nessus is good at finding out what nodes you have in place. It will then provide you a report, by node, of what the vulnerabilities are. It does it quickly and stealthily."
- "It also has an executive report where you don't have to provide the client all the detail for them to sift through. But if they wish to dig through the detail they can."
- "One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that."
What is our primary use case?
I use it for performing vulnerability scans for both my environment and for clients. I provide fractional CISO consulting services. As such, I will perform a vulnerability scan on an environment before I say "yes."
Everybody has to have a vulnerability scan. You should do them periodically which, to me, is monthly. It's just good practice to perform that scan monthly and whenever there's a major change, to make sure that you don't have any open environment.
I monitor web servers, database servers, app servers, desktops; everything you'd find on a network, besides switches and routers. I don't have that, but I monitor any Windows- and Linux-based nodes.
How has it helped my organization?
I went to a client's site and I ran the report. They had a number of fives, fours, and threes. With that information, we were able to remediate the fives, fours, and threes down to a couple of threes.
It also helps to prioritize based on risk. If it provides a notification that you have an older operating system out there, for example, obviously you would have that as a higher risk and wish to remediate that above any and all other risks. It details what the risk is and what you should do about it.
The solution helps to limit cyber exposure. By running it on a monthly basis, you tighten the window of opportunity for any nefarious individual to get into your environment. Industry standards say that you have to do it quarterly or yearly and I do it monthly, so I think I'm in a better position to secure the environment.
The solution reduces the number of critical and high vulnerabilities which need to be patched first. In terms of a percentage reduction, it's more of a detective control, along with the preventative control. I can't give you a percentage. It reduces the risks by providing the information that you can react to, quicker than finding out that you've been breached.
What is most valuable?
Nessus is good at finding out what nodes you have in place. It will then provide you a report, by node, of what the vulnerabilities are. It does it quickly and stealthily.
It also has an executive report where you don't have to provide the client all the detail for them to sift through. But if they wish to dig through the detail they can.
The predictive prioritization features are spot-on. I enjoy how it actually gives me a prioritization that I can address and it associates it with a known vulnerability. I like that.
What needs improvement?
One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that. Or, if they change the product itself for you to add comments of remediation efforts and allow you to sort on that and report on it, that would be helpful. Most of us would rather not have that information out in the cloud. We'd rather have it in-house. It would be better if you could provide it in an Excel spreadsheet for us to work with.
For how long have I used the solution?
I've been using it for four years.
What do I think about the stability of the solution?
It's very stable. It hasn't aggravated my environment, so I'm happy with that. It's up and running. It runs all the time.
What do I think about the scalability of the solution?
Scaling is easy because it goes out and examines the network and identifies all the nodes that are out there. You don't have to worry about scalability, per se. It's just another node that it adds to the list, so it's easy.
It's being used for under 500 nodes. I would like to increase it if possible, but I have no plans to do so.
Which solution did I use previously and why did I switch?
Before Nessus, I used Qualys. I switched because the reporting in Nessus is better. The reporting in Nessus is more executive-friendly. When giving information to clients, I don't need to repackage it. It is fine the way it is.
The level of visibility Nessus provides, compared to a solution like Qualys, from an executive standpoint, is better. From a technical standpoint, it does not provide you that documentation capability that I would like. Having said that, from my standpoint, for my client base, the executive reporting is better.
How was the initial setup?
The initial setup was straightforward. It was easy-peasy. I just said, "Run," and it set it up. After that, it was a matter of putting in my company's information and setting up a scan. It wasn't hard at all. It was very intuitive, very easy.
It took about half an hour.
All I had to do was download the software, install it, and run it. That was it.
What other advice do I have?
If you're going to employ this product, it's the better one for smaller to medium businesses because of the executive documentation. I would not try to sell it as a technical tool for a technical group. As a consultant it would be best for you to run it and manage it for clients. With that, you're a one-stop shop for them. I would remind clients that most auditing requirements state that you need a third-party individual to do an assessment of your environment. As a consultant you would do that for them. Keep it in-house. I wouldn't sell it.
The priority rating is an industry-standard rating, so it's not like it pulls it out of a hat. It's a known rating, so that's good.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Infrastructure Project Manager at an energy/utilities company with 501-1,000 employees
Has good vulnerability reporting and is stable and scalable
Pros and Cons
- "The solution is very stable."
- "I would like to see an improvement in the ranking of high, medium and low vulnerability."
What is our primary use case?
Our primary use case of this solution is scanning of our external websites.
What is most valuable?
The feature I find most valuable is the vulnerability reporting.
What needs improvement?
I would like to see an improvement in the ranking of high, medium and low vulnerability.
For how long have I used the solution?
I have been using Tenable Nessus for six months now.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
Tenable Nessus is a very scalable solution. We have over 50 devices running on it currently, and over 50 locations. And we plan to increase our usage in the future. We use our existing team for maintenance, so we didn't have to increase our headcount. One person is enough to do the maintenance.
How are customer service and technical support?
The technical support is good.
How was the initial setup?
I will say the initial setup was not straightforward, and not complex either. It's medium. Technically it's not too complicated, but if you work with a good partner, they can help. The deployment took us about three to six months.
What other advice do I have?
My advice to others would be to include post-implementation support for six months from the vendor to help with the fine-tuning. I rate this solution an eight out of ten. In the future, I would like to see better reporting for high impact vulnerabilities.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Implementation Engineer at a comms service provider with 11-50 employees
The comprehensive coverage offered has been the most remarkable
What is our primary use case?
Nessus was used to scan vulnerabilities and compliances in our clients' networks and with this, carry out the remediation process through constant cycles in time until threats to the network are considerably reduced. The environments are small business networks (less than 50 employees), and so far there have been no major impediments in the scans performed.
How has it helped my organization?
Nessus has greatly improved the security of our clients' networks. The comfortable management of their systems makes it easier for engineers to use the codes for each vulnerability or compliance. Deploying the server to launch the scans is very easy, and only the necessary prerequisites for scanning should be fulfilled. Nessus has been very valuable to the company.
What is most valuable?
The comprehensive coverage offered by Nessus has been the most remarkable; it really does everything that has been asked of the software.
The possibility of automating implementations is great, and the database of compliance checks and vulnerabilities is really immense.
Tenable University is great and allows you to train all the personnel in charge of making the scans in an optimal and effective way.
What needs improvement?
- I think that the next versions could improve the graphical interface to make the management of reports more intuitive.
- Additionally, it could include better features in the vulnerability scan at the language level.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Nessus is very stable and really works in diverse environments without any difficulty. The most important thing is to establish the necessary requirements.
What do I think about the scalability of the solution?
Scalability of this type of software does not seem so relevant.
How are customer service and technical support?
The Tenable support is very good and has solved the problems that have occurred in the various projects in a timely manner.
Which solution did I use previously and why did I switch?
In the company, Qualys was used, and it was not possible to manage the projects with this tool.
How was the initial setup?
Quite simple and comfortable.
What about the implementation team?
Internal team.
What was our ROI?
Phenomenal.
What's my experience with pricing, setup cost, and licensing?
The costs are not high, considering all the support and service offered by Tenable.
What other advice do I have?
Scans using agents are very useful, and taking advantage of them is the best way to take advantage of the tool.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Professional at a tech vendor with 10,001+ employees
An affordable product that needs to improve the reporting function
Pros and Cons
- "I find the features that are most valuable are the policies that help us identify the vulnerabilities. These policies are then used for scanning instabilities and then identifying the particular vulnerabilities."
- "We have had some false positives in the past, which we hope can improve in the future."
What is our primary use case?
Primarily, I use this for assessment and administration testing.
What is most valuable?
I find the features that are most valuable are the policies that help us identify the vulnerabilities. These policies are then used for scanning and identifying instabilities.
What needs improvement?
The reporting functionality needs improvement. I think it would be beneficial to have a high level explanation for a particular user.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It is very stable, based on our past experience. We have had some false positives in the past, which we hope can improve in the future.
What do I think about the scalability of the solution?
The scalability is fine. It is tied to the licensing agreement. We currently have 20 people using this tool in our organization. It is primarily used by people in our cellular team. If we see a need to add more users in the future, we will renegotiate our licensing agreement to do so.
How are customer service and technical support?
We have not needed to contact tech support much. We contacted them about the false positives, and they were helpful.
Which solution did I use previously and why did I switch?
We also evaluated Netplus.
How was the initial setup?
The installation is very straightforward and easy. We did not use a third-party installer.
What's my experience with pricing, setup cost, and licensing?
I think the price is fairly affordable. It provides a license that is fair.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Consultant at a tech company with 1,001-5,000 employees
Reduces the amount of time spent on finding vulnerabilities
Pros and Cons
- "Tenable Nessus streamlines the process of scanning for our organization."
- "This is still a maturing product. Tenable is only a scanner for one ability, while other solutions like Rapid7 have more tools for verification. We still have to manually verify to see if the vulnerability is a false positive or not."
What is our primary use case?
My primary use case of this solution is for scanning internal networks.
How has it helped my organization?
We use Tenable Nessus for scanning. We find lots of vulnerabilities and then we reduce the time spent on finding inbox vulnerabilities. Of course, Tenable streamlines the process. It has been a positive experience overall.
Tenable can scan for missing patches for the endpoints. We can scan it and then, once we can support any endpoint without patching, we inform our users.
What is most valuable?
We wanted to do a lot of hardening and we have to make sure that all endpoints are up to a certain hardening standard, and we propose the CIS benchmark to do this. That's why we use Tenable to scan frequently and to ensure the quality of the endpoints.
What needs improvement?
This is still a maturing product. Tenable is only a scanner for one ability, while other solutions like Rapid7 have more tools for verification. We still have to manually verify to see if the vulnerability is a false positive or not.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
It is stable. We have not had any major issues. It performs as scheduled and scans as needed.
What do I think about the scalability of the solution?
In terms of scalability, there is an issue with cloud servers. You need the internet bandwidth to do the testing. They consume a lot of bandwidth and they use the cloud scanners for the scanning.
How are customer service and technical support?
I usually use the dashboard for support. It shows the critical vulnerabilities from low to high. They are very responsive when necessary.
How was the initial setup?
The implementation was straightforward. First, we noticed whether everything was ready, then we got a license key, set up some basic scanning using a default template, and finally, we scheduled time.
What's my experience with pricing, setup cost, and licensing?
The price of Tenable Nessus is much more competitive versus other solutions on the market.
Which other solutions did I evaluate?
We were manually scanning before using Tenable Nessus. We looked at Rapid7 but we are satisfied with Tenable Nessus.
What other advice do I have?
I would suggest that people considering this solution should choose the cloud-based solution versus the on-premise version.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Managing partner at a tech services company with 51-200 employees
We can deliver a high level of consulting using this product
Pros and Cons
- "We looked at Tenable, Qualys and Rapid7. We found Tenable was the best of all three."
- "From my point of view, the solution basically is not for the big enterprise."
How has it helped my organization?
This is something that allows us to quickly get really important information context. We can now deliver highly professional consulting using the product.
What needs improvement?
From my point of view, the solution basically is not for large enterprises. I also think there should be built-in plugins for the public cloud vendors.
What do I think about the stability of the solution?
I'm happy with the stability; there's no problem from my point of view.
What do I think about the scalability of the solution?
For an average sized company or for smaller enterprises, this solution is suitable. But, for large enterprises it's not a good choice. We have one customer with more than 5,000 servers. I do not think it will be suitable for that customer.
How are customer service and technical support?
We communicated via email to solve our issue. The experience was quite good for us.
Which solution did I use previously and why did I switch?
We switched because our previous solution was too expensive for us.
What's my experience with pricing, setup cost, and licensing?
My advice when choosing a vendor is to always consider:
- Trustworthiness
- Quality
- Price
Which other solutions did I evaluate?
We looked at Tenable, Qualys and Rapid7. We found Tenable was the best of all three.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Manager at a retailer with 501-1,000 employees
Provides multiple recommendations towards the remedy of vulnerabilities
Pros and Cons
- "It provides multiple recommendations towards the remedy of vulnerabilities."
- "It allows me to prioritize efforts and utilize effective technical resources."
- "They should improve the I/O reporting and the customized spreadsheet export feature."
- "Multiple steps to create an actionable plan will be a great addition to Nessus."
What is our primary use case?
I use Tenable Nessus to evaluate the security posture of multiple acquisitions before integrating them into our network.
How has it helped my organization?
Tenable Nessus has helped us visualize the security posture of acquisitions. It provides actionable recommendations to the implementation team towards security remedies.
What is most valuable?
I have found the remedy recommendation feature helpful, as it:
- Provides multiple recommendations towards the remedy of vulnerabilities.
- Allows me to prioritize efforts and utilize effective technical resources.
What needs improvement?
- They should improve the I/O reporting and the customized spreadsheet export feature.
- Multiple steps to create an actionable plan will be a great addition to Nessus.
For how long have I used the solution?
One to three years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.