Try our new research platform with insights from 80,000+ expert users
reviewer1541385 - PeerSpot reviewer
Cybersecurity Manager at a manufacturing company with 10,001+ employees
Real User
Excellent at identifying vulnerabilities and accessing information related to that
Pros and Cons
  • "Ease of reviewing scores, identifying vulnerabilities, and getting information on them."
  • "Scans aren't done properly and some devices aren't pinged."

What is most valuable?

The valuable feature for me is being able to ping the computers to do the automated scan and to come back and be able to see everything. That's definitely a huge plus, but then there's also the ease of reviewing the scores, identifying vulnerabilities, and getting the information on the vulnerabilities; the ability to review all that within one tool has been phenomenal. When we're reviewing those Nessus scores, the solution works well.

What needs improvement?

I think there's still some things that need to be ironed out to ensure that we can have a one-stop shop to do both ACAS, SCAP automated assessments in. We've been trying to do that and they say you can, the capability is integrated into the system. But in most instances, especially when you're dealing with some systems that are standalone or a network that we built ourselves, we find that some devices aren't pinged and the scans aren't done properly. That also comes down to the hardening of the systems where the password or the privileges weren't taken, so therefore it didn't do the scan properly. 

For how long have I used the solution?

I've been using this solution for the past six or seven years. 

What do I think about the stability of the solution?

The solution is stable. We haven't run into any issues other than some passwords that don't take, but that's the way we set up the system. If it's set up properly and configured appropriately, there won't be any issues.

Buyer's Guide
Tenable Nessus
May 2025
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,856 professionals have used our research since 2012.

What do I think about the scalability of the solution?

We could definitely make the adjustment to scale it left, right, up and down, depending on what we're using it for and we haven't run into any issues on that. It's pretty flexible.

How was the initial setup?

The setup itself is pretty straightforward. Because these are standalone systems, there are some additional steps that the IT team needs to do, but they pretty much have it down to where they could install the tools pretty easily and have it running reasonably quickly. 

What other advice do I have?

I would recommend making sure that the solution meets your needs for automated scans and the SCAP. If you're looking for a one-stop shop, I think it's a great tool for that. I would recommend some form of training if you don't have experience with this kind of solution. There's a bit of a learning curve involved in terms of configuring and using Nessus. 

I rate this solution an eight out of 10. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.

PeerSpot user
reviewer1397976 - PeerSpot reviewer
Owner at a tech services company with 1-10 employees
Real User
Easy to use, good support, and gives full reports of what's vulnerable per device
Pros and Cons
  • "I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for."
  • "The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else. I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan." I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day. In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CV database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers."

What is our primary use case?

We use it for vulnerability management. We have the latest version because we're using it in the cloud right now. I have a public cloud and a private cloud version.

How has it helped my organization?

When we do our scans, I'm able to give full reports of what's vulnerable per device. I could group them and say, "Hey, here's a vulnerability in the infrastructure. Here's all the host that needs to be addressed," by showing the report. When I give a report or a request for change, I would include the report so that they are undisputed. Instead of the sys admins giving the excuse of, "Hey, we don't have enough time," or, "We've already done it," or some other poor excuse, now I have a report behind it that says, "Hey, you're vulnerable with this. Here's the CVE, and here's the POC of the CVE," and then if I want to be a little bit more obnoxious, I provide them the POC that I ran with the proof that the POC is there, and then I'm able to say, "Hey, you need to patch this now."

My executives now are able to say, "Hey, you know what? The ISO gave you a directive to patch this with proof. Why haven't you done it?" Because now, as we know, all C-levels are ultimately responsible. If you have an ISO that is interfacing with sys admins saying, "Hey, here's a change that you need to patch it. Here's my proof that even has POC with proof and the report," then there is no benign, "Why haven't you done it?"

What is most valuable?

I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for.

What needs improvement?

The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else.

I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan."

I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day.

In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CV database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers.

For how long have I used the solution?

I've been using Nessus for about eight years.

What do I think about the stability of the solution?

Internally, it is stable. Externally also, from what I've seen, it is stable. The only problem that I've had with it was if you have a network and internet blip, you get disconnected, but that happens with anything. Right now, I would say that a lot of cloud companies are having problems because COVID has got a lot of people working from home remotely in VPN. This is the biggest problem we have. You went from 35 people using VPN to over 2,000 people using VPN. You're trying to go to a cloud that wasn't set up for VPN, or you don't have the necessary routes or bandwidth to it. The average person is going to say, "This cloud application sucks." It doesn't really suck. It means that you don't have enough bandwidth in your infrastructure.

What do I think about the scalability of the solution?

We haven't had to scale it yet. We haven't scaled internal Nessus because we have our own version of it. I'm not sure how many IP addresses we're feeding, but I know we only have one server. I looked at the processes, and it's only doing 50% of the process.

We have 13 people who are capable or licensed to use it, which would be all of our risk management information, information security, and risk management office, but I would say only half or about six of us are actually using it daily.

How are customer service and technical support?

I've used the tech support a couple of times. I would say they are very good because they were able to say, "Hey, let's stop the chatting. Let's get on a Webex, and we will Webex you and ask the questions directly." They were able to get to the engineers on the Webex at the same time, and within 30 minutes, they solved our problem. I would rate them a ten out of ten.

How was the initial setup?

If I was installing Nessus just by itself, it is straightforward simply because I've done it before. If you're setting up Nessus from the cloud version, there's a little bit more to it because, for one, it's in the cloud version, and you got to open up ports for your network. You got network people who get all scary because they don't understand what you're doing. Other than that, once you get it set up, then it is pretty much straightforward.

What's my experience with pricing, setup cost, and licensing?

Nowadays, your vulnerability applications are going to be kind of pricey because lots of them, including Rapid7, are based upon a base price, but then they add in the nodes. That's where they get you. If you're a big network, obviously, you need to scan everything. Therefore, it's going to be costly.

The risk and insurance money associated with having ransomware on my networks is going to cost me more money, time, and marketing than the price of the tool. That's why I'm speaking only as an information security officer to security operations. This is the tool that is there in my toolbox to say whether we vulnerable or not. At this point, I don't care about how much it costs my company to have it because if I wasn't able to report it and we got ransomware, then who cares? I'm probably going to be out of business because it happened. That's why I don't care about the price. I have it, and I could use it effectively and do my report. At the end of the day, even if we get ransomware, as long as I reported it, followed my protocol, and put in the change, irrespective of whether it was ignored or denied, I did my job.

What other advice do I have?

The advice would be definitely doing your proof of concept because that's what you're going to need for your buy-in for your upper management because it is going to cost some money. I would do a hybrid version, where your own Nessus is internal, and then you have your cloud. If you lose connection to the internet, you could still run an internal Nessus scan to save the scan and then input the scan into Tenable.sc. Do your proof of concepts, get your reports, and use your proof of concepts when you do your presentation to upper management to purchase. If you use your own nodes and your own network as your proof of concept, it gives them an eye view of, "Hey, we're vulnerable because of this, and here's the tool that did it." To me, that was a better selling point because it was real. It wasn't the demo data. Once you have purchased it and get it all set up, use it continuously, meaning include your scanned reports with your change control. This way, it shuts all the administrators who have been there over 20 years and say, "Hey, I don't want to patch right now because it takes the network down." Yes, it's going to take the network down. However, the longer you wait, the more vulnerable you are because if I'm doing change requests every week, and I'm calling on more and more risk and you start to find the same nodes in the same reports, then somebody up high is going to say to the network administrator guy to fix it.

I would rate Tenable Nessus a ten out of ten right now. If you had asked me last year, Rapid7 would have been the same and on top, but now that I've been using Tenable and I'm comparing the jobs that I'm doing right now, Tenable is cut and clear to what the report is saying. My favorite report is the VPR report. Instead of just looking at CVS numbers, it has a VPR report that ranks, whereas, in Rapid7, it's just focused on CVS. It is CVS version 2 or 3, which kind of gets confusing. For example, in Tenable, I can run a scheduled scan and have my report, but let's say, for instance, I did patching in the middle before my scheduled scan. I could kick off a new scan specifically for that vulnerability and get a report, whereas, in Rapid7, you could not easily do that. Therefore, you were stuck waiting for the scan to go again and to see if your mitigation efforts fixed it.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.

PeerSpot user
Buyer's Guide
Tenable Nessus
May 2025
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,856 professionals have used our research since 2012.
reviewer2295975 - PeerSpot reviewer
Senior cybersecurity engineer at a aerospace/defense firm with 5,001-10,000 employees
Real User
Top 5
A scalable and mature solution that has excellent features and provides visibility into vulnerabilities in the environment
Pros and Cons
  • "It is a mature tool."
  • "The product must be more comprehensive."

What is our primary use case?

The solution is used to check vulnerabilities.

What is most valuable?

The product has good features. It gives us a view of the vulnerabilities like open ports and different issues with software. It is a mature tool.

What needs improvement?

The product must be more comprehensive. It must catch all the issues.

For how long have I used the solution?

I have been using the solution for a few years.

What do I think about the stability of the solution?

I rate the tool’s stability a nine out of ten. The stability could be improved.

What do I think about the scalability of the solution?

The tool is scalable. We have three users. We need a team to maintain the product.

What about the implementation team?

The deployment can be done in-house.

What other advice do I have?

I recommend the solution to others. I rate the solution a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.

PeerSpot user
Pathick Kerketta - PeerSpot reviewer
Manager (Information Security) at Girnarsoft Private Limited
Real User
High availability, useful scanning and assessments
Pros and Cons
  • "The most valuable features of Tenable Nessus are the scanning option. Advanced scanning is highly useful. The offline config audits and application assessments are useful."
  • "The price and scalability of the solution could improve."

What is our primary use case?

Tenable Nessus is used to perform process and network assessments and sometimes for reviews.

What is most valuable?

The most valuable features of Tenable Nessus are the scanning option. Advanced scanning is highly useful. The offline config audits and application assessments are useful.

What needs improvement?

The price and scalability of the solution could improve.

For how long have I used the solution?

I have been using the solution for six years and seven months.

What do I think about the stability of the solution?

I rate the stability of Tenable Nessus a ten out of ten.

What do I think about the scalability of the solution?

The scalability of Tenable Nessus has been scalable. I am able to scan a large number of IPs.

We have all our three security staff using the solution.

How are customer service and support?

I have not contacted the support.

How was the initial setup?

The initial setup of Tenable Nessus is easy. The deployment took approximately 4 hours for the policies and the setup was not long.

I rate the initial setup of Tenable Nessus a nine out of ten.

What's my experience with pricing, setup cost, and licensing?

The price of the solution is reasonable.

What other advice do I have?

I would recommend others use this solution.

I rate Tenable Nessus a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

PeerSpot user
IT Manager at a educational organization with 1,001-5,000 employees
Real User
Stable, simple and quick setup
Pros and Cons
  • "The most valuable feature of Tenable Nessus is the dashboard. They are convenient to use."
  • "Tenable Nessus could improve the price."

What is our primary use case?

I am using Tenable Nessus to know where the vulnerabilities are on my website.

What is most valuable?

The most valuable feature of Tenable Nessus is the dashboard. They are convenient to use.

What needs improvement?

Tenable Nessus could improve the price.

For how long have I used the solution?

I have been using Tenable Nessus for approximately two months.

What do I think about the stability of the solution?

The stability of Tenable Nessus is good.

What do I think about the scalability of the solution?

We have approximately three people using this solution in my organization. The users are managers and engineers. 

How are customer service and support?

The support from Tenable Nessus is okay. However, they are sometimes slow and can take days to respond. Additionally, I would like to be able to ask them more technical questions than I am able to.

How was the initial setup?

The initial setup of Tenable Nessus is simple. It took us approximately one hour to do the process.

What about the implementation team?

We did the initial setup of the solution in-house.

What's my experience with pricing, setup cost, and licensing?

The price of Tenable Nessus could improve, it is expensive.

What other advice do I have?

I rate Tenable Nessus an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

PeerSpot user
RallisFarfarakis - PeerSpot reviewer
Principal Security Architect at a tech vendor with 10,001+ employees
Real User
Is easy to use and configure, and has a lot of plugins
Pros and Cons
  • "The ease of use is the primary valuable feature. This specific version is very straightforward. I like the ability to modify it and configure it based on the different policies."
  • "Multiple user access would be an area for improvement from a user-access perspective. A role-based access control feature would be great because at present, there is a limitation with only one account. If that account gets compromised or gets locked, then we will encounter problems."

What is our primary use case?

We use it predominantly for vulnerability scanning and compliance scanning as part of the vulnerability and compliance protocols in one of our programs.

What is most valuable?

The ease of use is the primary valuable feature. This specific version is very straightforward. I like the ability to modify it and configure it based on the different policies.

I also like the number of plugins. It has quite a lot of plugins that keep it up to date with the different vulnerabilities coming out.

What needs improvement?

Multiple user access would be an area for improvement from a user-access perspective. A role-based access control feature would be great because at present, there is a limitation with only one account. If that account gets compromised or gets locked, then we will encounter problems.

It would be good to have a way to store filters from searches so that you don't have to recreate them from scratch every time. To be able to have them saved as a list of filters would be really useful.

It would be really useful to have a way to assess the risk of a specific vulnerability based on a number of factors which could be tailored. It could be a tailored set of factors you introduce to see a potential risk score or a different view of the CVSS score.

A lot of organizations do this manually, and some of them have some other ways of identifying or assessing the risk of vulnerabilities. It would be really useful to have a framework which allows you to create a way to assess the risk of vulnerabilities on the platform and potentially prioritize them or provide information as a report to management or to other teams for resolution.

It would be really nice to have a way to visualize the different results from the scans. For example, if you scan a Windows 2016 Server and you have a number of vulnerabilities, it would be nice to somehow show the vulnerabilities in a graphical format and potentially combine some of the outcomes into a graphical representation showing trending. Trending is quite important, especially when I speak to my senior management stakeholders and try to show the security posture and status. It would help to provide a long and wide view of where the vulnerabilities are and what kind of aging is present.

For how long have I used the solution?

I've used it for three and a half years.

What do I think about the stability of the solution?

Nessus Manager is very stable; I haven't had any problems. I'd give the stability of the product a five out of five.

What do I think about the scalability of the solution?

The product itself is not scalable by design. It is a single-user product, so it doesn't allow you to have multiple users at the same time. You have only one account. The type of product that we're using is not really meant for huge enterprises, and it's a bit more limited in terms of usage.

At present, I use the personal version for the account I'm looking after, but we probably have less than five people using this platform.

How was the initial setup?

The initial setup was easy.

What about the implementation team?

We implemented it ourselves. The deployment was done by one engineer, and it did not take too long.

What was our ROI?

The project in which I have been using it, it has been great because we satisfy a very crucial requirement. We have brought around vulnerability management, so it's really good ROI for what we have.

What's my experience with pricing, setup cost, and licensing?

Nessus Manager is not an expensive product. It has its limitations, but the pricing reflects that.

We have a yearly subscription.

What other advice do I have?

I would recommend Nessus Manager and rate it at eight on a scale from one to ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

PeerSpot user
Sr. Information Security Engineer at Rewterz
Real User
Excellent capabilities, timely technological support replies, with overall satisfaction
Pros and Cons
  • "The scanning capabilities are most valuable when compared to Nessus."
  • "I think the reporting templates could be improved with Tenable Nessus."

What is most valuable?

The scanning capabilities are most valuable when compared to Nessus.

What needs improvement?

I think the reporting templates could be improved with Tenable Nessus.

For how long have I used the solution?

I have been working with Tenable Nessus for the past year.

What do I think about the scalability of the solution?

Tenable Nessus is scalable.

How are customer service and support?

Technical support always replies back on Mondays and it depends on the open support cases.

How was the initial setup?

The setup is straightforward. It takes about five to ten minutes to deploy and it is easy.

What other advice do I have?

I would rate Tenable Nessus an eight on a scale of one to ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner

PeerSpot user
reviewer1818828 - PeerSpot reviewer
Security Engineer at a media company with 10,001+ employees
Real User
Helpful support, reliable, and effective real-time monitoring
Pros and Cons
  • "The most valuable feature of Tenable Nessus is real-time monitoring."
  • "Tenable Nessus could improve by having more steady updates which will reduce the vulnerabilities."

What is our primary use case?

We are using Tenable Nessus real-time monitoring.

What is most valuable?

The most valuable feature of Tenable Nessus is real-time monitoring.

What needs improvement?

Tenable Nessus could improve by having more steady updates which will reduce the vulnerabilities.

For how long have I used the solution?

I have been using Tenable Nessus for approximately 10 years.

What do I think about the stability of the solution?

Tenable Nessus is a stable solution, we are fairly satisfied.

What do I think about the scalability of the solution?

I rate the scalability of Tenable Nessus an eight out of ten.

Most of the people using this solution at this time are managers.

How are customer service and support?

The technical support has been very useful. They are helpful.

I rate the technical support from Tenable Nessus a four out of five.

How was the initial setup?

The initial setup has been straightforward. However, we are trying to roll out our agents and find all of our devices which we have experienced some challenges. The whole process has taken us approximately three months.

What about the implementation team?

We are doing the implementation in-house.

What other advice do I have?

I would advise others that if this solution fits your use case then I would try it out. Different environments require different solutions.

I rate Tenable Nessus an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.

PeerSpot user
Buyer's Guide
Download our free Tenable Nessus Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025
Product Categories
Vulnerability Management
Buyer's Guide
Download our free Tenable Nessus Report and get advice and tips from experienced pros sharing their opinions.