My company uses Tenable as a vulnerability assessment.
We use it for scanning, for the discovery of vulnerabilities in the components or the software, or on the IT infrastructure of our client.
The solution can conduct a full vulnerability assessment and also suggest mitigation of vulnerabilities and has a lot of other features.
It creates a classification of the vulnerability and the likelihood and the impact on other features.
The solution is easy to deploy and simple to use.
It's scalable.
The solution is stable.
It would be a good idea if they have a simulation of attacks or a use case for finding a new vulnerability or dealing with a zero-day attack.
Right now, it works based on dealing with a vulnerability that is already detected and reported, and it would be great if they have a combination of a vulnerability that existed and another use case to have a more proactive approach to potential new issues. Therefore, doing a simulation of attacks to find a new or zero-day issue or vulnerability would be helpful.
I've been using the solution for more than two years.
The solution is very stable and reliable. I'd rate it four or five out of five. The performance is good. There are no bugs or glitches, and it doesn't crash or freeze.
It is very scalable. I'd rate it a four or five out of five in terms of the ease of expansion.
We would use Nessus to conduct a vulnerability assessment. How many people use the solution depends on the client. Maybe five or six people from the engineering side use it in general.
We have a new client coming on, and we will require more users on the product to conduct vulnerability assessments, so we do have plans to increase usage.
I've never had any interaction with customer support. The solution works very well, and we haven't needed help.
The initial setup is very straightforward. It's not overly difficult or complex.
I cannot recall how long the deployment process took.
Our technical team handled the deployment.
Another department handles the licensing. I can't speak to the exact costs. I do know that we pay a yearly licensing fee.
We would like to discover other solutions and do a comparison to see the better solution for our clients. We've, for example, tried to look into Cyber XM.
We are just end-users and customers.
I'm not sure which version of the solution we're using.
I'd rate the solution eight out of ten.
Our clients use Tenable Nessus to find vulnerabilities in websites and infrastructure.
The most valuable feature of Tenable Nessus is website scanning.
The solution could improve security updates.
I have been using Tenable Nessus for approximately three years.
The solution is stable.
I rate the stability of Tenable Nessus a seven out of ten.
I am the only one using this solution.
I rate the scalability of Tenable Nessus a seven out of ten.
I rate the support of Tenable Nessus a six out of ten.
Neutral
The setup is easy. We use the deployment manual and followed the steps.
I rate the initial setup of Tenable Nessus a nine out of ten.
The price is high for the solution. There are free tools with similar functionality available. The solution cost approximately $3,500.
I rate the price of Tenable Nessus a six out of ten.
I would recommend this solution to others.
I rate Tenable Nessus a seven out of ten.
We use Tenable Nessus for vulnerability scanning.
The results are not that bad, but the key selling point is that it is an affordable tool set.
It is a very easy tool to use.
We are happy with the existing features.
We are happy with the functionality, and what we get from the tool.
I am not sure. I see they have released new products that we haven't yet evaluated. I believe the new products are the opportunity for improvement that they are bringing to market. But for the time being,
They have added a new Tenable Nessus Expert. That is their new product, which caters to the cloud and everything else.
I am assuming that the new features and product enhancements are based on that tool set, but we haven't reviewed it yet.
I have been working with Tenable Nessus for 10 years.
It's a proper toolkit; it goes a long way with us.
We are working with the latest version.
Tenable Nessus is very stable.
I would rate the stability of this solution a five out of five.
Tenable Nessus is a scalable solution. I would rate the scalability a five out of five.
It is based on the number of endpoints. We have 1,500 endpoints in our company.
We can contact technical support using their web console. We can log a support ticket as end users, although we seldom use this feature.
I would rate their technical support a five out of five.
Positive
We are also working with Rapid7 InsightVM.
It is not as good as Rapid7 from our perspective, but it is part of our toolbox arsenal. As a result, we have it on board and solely use it internally.
It is very easy to deploy.
This solution was deployed in 30 minutes, or less. It is very easy. It is straightforward, and out of the box.
The deployment was completed in-house. We did it ourselves.
We only need one engineer to deploy and maintain this solution.
I would rate the return on investment a five out of five.
Cost-wise, it's an affordable tool.
Licensing fees are paid annually.
I would rate the licensing cost a five out of five.
I would rate Tenable Nessus a ten out of ten.
We use Tenable Nessus for vulnerability assessments.
I have found the vulnerability assessment and the reports to be useful.
The solution could improve by having better integration with different vendors' IPS solutions. The ACLs and IPS policy signatures should be enabled based on the results of Tenable Nessus automatically; we currently have to do it manually, which is very time-consuming. It has done a good job integrating with Fortinet, but we would like it to be better integrated with other solutions that we have. Additionally, after Tenable Nessus was able to recognize the vulnerability it would be great to have it virtually batch the systems if you are not able to update the different systems.
I have been using Tenable Nessus within the last 12 months.
While doing the scans we have not had any issues; the solution is stable.
Tenable Nessus is scalable.
The technical support was responsive and helpful. We were trying different integrations and needed some assistance.
The initial setup is very easy and straightforward. The VM can be done very quickly and the whole process takes approximately 30 minutes. The installation is quicker than other solutions, such as Qualys.
The price of the solution is reasonable.
I rate Tenable Nessus an eight out of ten.
We use it for internal and external vulnerability scans.
Instead of just looking at high, medium or low risk for vulnerabilities, and having to remediate all of them, we can remediate in a more effective manner. We have limited resources for remediation work and we want to spend our time on the most critical issues.
It helps us focus resources on the vulnerabilities that are most likely to be exploited. It gives a higher VPR number where the things are more likely to be exploited, instead of just using the pure severity rating as a way to prioritize and decide to remediate.
The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing.
When it comes to vulnerability prioritization, Tenable's predictive features are off to a great start. It's definitely giving us more data to help prioritize, instead of just relying on straight CVSS. The vulnerability priority rating has been accurate and is helping us prioritize effectively, based on risk or based on the likelihood of being exploited. Based on what they say, and comparing it to what we are seeing with malware exploits, their predictions are lining up with what we are seeing being exploited.
There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product.
There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.
I have been using Nessus for three years at my current company.
We monitor Windows, Linux, Mac, workstations, servers, and cloud resources.
It's very stable. We haven't had any issues. There has been no database corruption or anything like that. All we've had to do to the main Security Center is give it more disk space to save more data. That's it.
The scalability is okay. We would definitely run into issues if we wanted to save a longer history of the data. It would be terabytes and terabytes of data. But in terms of at least keeping all the data for all the assets that we have, it's good. We're good enough with the retention. It meets our requirements.
The issues would be storage and being able to search across it. If we needed to save five years of scan history, it would be operationally difficult to use all the data that would be saved. But it's not problematic to look at the current data or trends for the past six months. Stuff like that is fine.
We're at about 20,000 hosts and it's pretty stable. I don't think we're going to do a big increase.
Tenable's technical support is good, except for things that involve some of the custom development work that we've done using their API. Early on, that was problematic, but they've gotten better and released more API documentation and sample code, and that was fine.
It was nothing that was wrong with the product itself, but tech support is more designed for normal user interactions with the product, not doing development against the API. The problem with my code was because some documentation wasn't clear or there wasn't a sample for how to do this. That's where it was a little bit tougher. The normal, user function stuff was totally fine. It was really the developer-focused side.
We were on Rapid7. We switched because of scalability and performance.
We were looking for a solution that could handle and scan our volume of assets. It wasn't working with our previous solution. Nessus has scalability. Being able to scan in time and actually being able to report on that data were things we couldn't do with our old solution.
Also, the level of visibility that Tenable provides is much better than Rapid7 because we're able to actually see all of the data that was collected and we're able to scan for vulnerabilities and config issues and pull all the data together. We were having real trouble with that before.
The initial setup was straightforward. We were easily able to set up scan policies, asset groups, scan schedules, and start collecting data very quickly.
It wasn't complicated to define what we wanted to scan. It wasn't complicated to set up the credentialed scans, or to set up the different credentials for the different policies and different types of machines. Everything that goes into building a scan policy was straightforward and we were able to get all of our assets scanned pretty quickly. Within 45 days of buying, we had good data and had done multiple scans already with all of our assets.
Our implementation strategy was that we wanted to set up credentialed scans for all of our machines as quickly as possible. We were working towards that and trying to get the coverage in Tenable as soon as possible.
We did it ourselves.
We are fulfilling our goals and able to deliver on the requirements that we have. It's hard for security to be a real ROI. We need to do vulnerability scanning, we need to know where the issues are and we need to be able to fix them. It is doing that.
Our licensing is on a yearly basis but we did a three-year deal. It is a fixed cost to cover a certain number of hosts or assets. There are no additional costs to the standard licensing fees.
Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network.
The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better.
The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that.
The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.
Every month, I had this Windows Gold image scan. I would obtain some IP addresses, create some rules, and then run them.
Then there were the automatic automated jobs that I and my colleagues would arrange to execute.
They would run at night so they wouldn't interrupt the systems.
Enter some IP addresses for workstations and servers. Some were in a highly secure zone, while others were in a separate subnet. We enter those IP addresses in and run them, scheduling them to run biweekly or weekly.
The most valuable aspect of this solution is that you receive the entire report, which details the breakdown, especially in terms of critical, high, low, and mediums. It also informs you exactly what was wrong with it. Then I believe it copies the CVSS score as well.
To be honest, I haven't used it much to tell you that these are the things that should be improved. But I believe the UI should be enhanced somewhat.
For example, there are two ways to find a report, and people are frequently confused as to which is the correct method for locating a full report. Sometimes they go in the opposite direction, so this is an area that may be improved.
I have been using Tenable Nessus for quite some time.
Tenable Nessus is pretty stable.
Tenable Nessus is a scalable product.
I did not deal with technical support at all.
I used Nessus from JSON for a Gold image and vulnerability scans in my previous role.
I'm also seeking the same type of tenant for internal vulnerability scans like Qualys.
We now use Qualys, but we haven't fully utilized its features, but I'm searching for something specialized for our internal vulnerability scan program.
I did not set it up myself, to begin with.
It is a good tool. It's not difficult to understand. It shouldn't be an issue as long as you know what you're doing.
I would rate Tenable Nessus a seven out of ten.
We are using it to find out the vulnerabilities in our critical servers and to patch them.
We are using the latest version.
Tenable Nessus is good. It's the best vulnerability solution in the industry. Most organizations are using it.
In terms of what could be improved, I would say that the reporting feature needs to be improved.
Additionally, although it has the features, the enterprise edition is very limited. They need to add multiple reporting features in the enterprise edition.
I have been using Tenable Nessus for the last two years.
It is a stable product.
Tenable Nessus is a vulnerability product. We have two to three users who are running it, but in terms of the end devices, because it's intended for vulnerability scanning and you have to scan your end devices, we have around a hundred devices that are scanned with it.
It is a scalable solution.
We contacted support for some scenarios, like upgrades, new security patches, and for some customized reports.
We were satisfied with the speed of the answers. It is good support.
The initial setup is very easy.
Anyone can deploy it, even the managers, the technical teams, the engineers.
I think it took five minutes.
We installed with the help of a consultant. You can do it one time and then you will learn it very easily.
We have an annual subscription.
We also evaluated the Rapid7 Nexpose product, but it has a limitation that it supports 128 users, then you have to buy another 128, but with the Tenable Nessus enterprise edition, you have unlimited licenses to scan the device.
I would recommend Tenable Nessus.
On a scale of one to ten, I would rate it an eight.
We usually use the solution for infrastructure level and web application scanning, although mostly for the former. This is what we are doing at present. We were using the web application portion of Tenable Nessus for several months before switching to Veracode.
A valuable feature of the solution is that it is easy to understand. When it comes to running a scan, the scanning mechanism is also easy, and it is quite fast compared to Veracode and Qualys.
The solution should have a more in-depth level of scanning, with features to meet the developers. Other points that should be addressed involve the understanding of issues by the users and the need for improvising the reporting structure. The reports should also be more attractive and user-friendly.
This is how Tenable Nessus occasionally works when drawing up something on the field.
Additional features I wish to see addressed in the next release include customer support and ease of understanding of vulnerabilities and how they can be fixed.
In contrast to Tenable Nessus, we have found Veracode to be more user-friendly, with a greater in-depth understanding of the details and how things can be fixed. Other points in its favor include study cases, customer support, training and e-learning.
The solution is sort of down the mid range, so we are more happy with Veracode.
We have made use of Tenable Nessus over the past 12 months, and started doing so a couple of months before we got Veracode.
The solution is reliable and has good stability.
We have been in the web, so we have not tried to expand the solution.
We feel the solution's technical support to be very bad.
While we do receive a response upon creating a ticket, it is not like that of Qualys or Veracode. That extensive support is not there.
The initial setup was straightforward.
We deployed under the release plan of 8.11.
We incurred a single cost for a perpetual license, although I cannot comment on the price as this is above my management level.
There are at least ten people in our organization making use of the solution.
Tenable Nessus is an appropriate solution for a small scale company, one with budgeting constraints and no complexities within the organization. It is not that user-friendly.
I would rate Tenable Nessus as a seven out of ten.