reviewer1387677 - PeerSpot reviewer
IT Security Operations Analyst at a manufacturing company with 10,001+ employees
Real User
Fast and easy to use, with good reporting and good support
Pros and Cons
  • "The most valuable features are that it's fast, it's easy to use and it provides good reports."
  • "Remediation needs improvement."

What is our primary use case?

I have been using Tenable Nessus for my personal use. It works well.

I am using this solution for testing.

What is most valuable?

The most valuable features are that it's fast, it's easy to use, and it provides good reports.

What needs improvement?

The only thing that I don't like is KBs information. For example, if we scan our workstation and you go to the results report that Nessus provides, we are going to see a lot of KBs as remediation. But in most cases, the KBs are always superseded.

Also, we are not able to apply those because Microsoft has already released a new TB. 

Nessus is not doing a good job in updating its remediation section of the reports.

Remediation needs improvement. They are providing a lot of superseded KBs as remediation.

For example, when you share that with several team members or with one individual, and you ask them to work on this, they reply with Microsoft already has something new.

For how long have I used the solution?

I have been using Tenable Nessus for approximately two years.

Buyer's Guide
Tenable Nessus
June 2025
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,579 professionals have used our research since 2012.

What do I think about the stability of the solution?

This solution is stable. I have not experienced any issues. It worked fine.

What do I think about the scalability of the solution?

It's a scalable solution. I have not had any problems.

I am the only person using this solution.

How are customer service and support?

Technical support is good. They provided information that is needed.

Which solution did I use previously and why did I switch?

Previously, I was not using another solution. I use Nessus through a course that I was taking in the security field.

How was the initial setup?

The initial setup was straightforward.

What about the implementation team?

We did not use a vendor or vendor team to implement this solution.

Which other solutions did I evaluate?

I have evaluated one other solution, but because of my company policies, I can't share that information.

Tenable has Tenable.io, and I believe that they have the remediation updated, but Tenable Nessus Professional does not. I don't think that they will continue to keep it available in the market. They should probably decommission it.

Remediation is better in other tools than with Nessus.

What other advice do I have?

For anyone who is interested in this solution, they should test the scan timing to see if it consumes a lot of time or not.

Research the remediation information to see if it is okay, or trust proof or not.

The reporting works well and it allows you to share. Also, support is important.

I would rate Tenable Nessus an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Manager at a security firm with 201-500 employees
Real User
Quickly scans and detects new vulnerabilities
Pros and Cons
  • "Tenable Nessus is cheap and flexible."
  • "The professional version is not very scalable."

What is our primary use case?

We use Tenable Nessus to provide service to our bank.

I use it to provide our main service related to our big management.

Other than providing information security to our clients, it is our information security provider, service provider — we manage it. Using Nessus, we are able to scan and locate any potential vulnerabilities that our clients may have and point them out to them.

I am not sure how many users we have using this solution, but we have more than 100,000 assets distributed between roughly 40 clients.

What is most valuable?

Tenable Nessus is cheap and flexible.

What needs improvement?

Currently, they don't have all of the features that I am looking for. I am looking for a technology that installs agents into the machines to perform complicated scanning. That's a good feature that I'm looking for.

Our issues are not all due to Tenable Nessus; we have more than one console that we administrate.

For how long have I used the solution?

I have been using this solution for 10 to 15 years.

I use this solution on a regular basis at my current company. I used it at my previous company as well.

What do I think about the stability of the solution?

This solution is quite stable.

What do I think about the scalability of the solution?

The professional version is not very scalable. It's not really scalable considering the number of assets and clients that I have.

Many of our clients would like to switch to a better solution.

How are customer service and technical support?

The technical support is great. We have called them a few times and they have always helped us.

How was the initial setup?

The initial setup was pretty straightforward. Within a week we had set up all of the infrastructure and were ready to deploy.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1392108 - PeerSpot reviewer
Vulnerability Management Analyst at a financial services firm with 10,001+ employees
Real User
Scalable with good VPR scores and great plug-in text information
Pros and Cons
  • "The plug-in text information is quite useful."
  • "It wasn't very clear how the scripts are running the scans. There's information about the script but it's not straightforward. The script information for each of the plugins should be available, but it doesn't give us straightforward direct information about how it was executed. That needs to be more clear."

What is our primary use case?

We primarily use the solution for vulnerability management. We also use it during our IP scans.

What is most valuable?

The VPR scores are the solution's most valuable aspects.

The plug-in text information is quite useful.

The solution can scale well.

We've found the solution to be quite stable.

What needs improvement?

It wasn't very clear how the scripts are running the scans. There's information about the script but it's not straightforward. The script information for each of the plugins should be available, but it doesn't give us straightforward direct information about how it was executed. That needs to be more clear.

We find that the solution causes several issues due to the fact that it runs even before it calculates, the asset in prevention. 

I can't think of any features that are lacking.

For how long have I used the solution?

I've been using the solution for one to two years at this point.

What do I think about the stability of the solution?

It's stable. I don't have any major complaints. It doesn't have bugs. It isn't affected by glitches. It doesn't crash or freeze on us. It's reliable.

What do I think about the scalability of the solution?

We have about 100 direct users who are logging onto the solution on a daily basis.

We don't plan on increasing usage at this time.

We have been able to scale it in the past, however, and a company that needs to expand it should not face too many issues doing so.

How are customer service and technical support?

We've worked with technical support in the past, and we've found them to be quite efficient. They are knowledgeable and responsive.

Which solution did I use previously and why did I switch?

We previously used McAfee and switched over completely at the end of May.

How was the initial setup?

We had some help with the initial setup. We were able to use our vendor's expertise and have them walk us through any issues we had.

However, we completely handle the maintenance now that it is up and running. We have admins who deal with any upkeep.

What about the implementation team?

The vendor assisted us in the initial implementation.

What's my experience with pricing, setup cost, and licensing?

I don't have any information when it comes to the cost of the solution. It's not part of my job to deal with billing or payments, so I don't have any visibility on the cost structure.

What other advice do I have?

We are simply customers. We don't have a business relationship with Tenable.

We're using the latest version of the solution.

I would definitely recommend this solution. It's the best that I've used so far.

On a scale from one to ten, I'd rate it at an eight overall.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
CEO at Screenit Labs Pvt Ltd
Real User
Easy to setup, and allows you to migrate applications safely to the cloud
Pros and Cons
  • "We have done code scanning for a long period because as a company, we do DevOps as part of our development life cycle."
  • "We would like to have the option of using the solution for the cloud as well as on-premises with the same license at the same time. That would be very helpful."

What is our primary use case?

We are a company that provides cloud migration services. We help companies to migrate to the public cloud. When our customers want to migrate applications, they're worried about the security aspect in the cloud. So we are trying to see how the application security that is on-premises can be migrated to the cloud.

We don't have any particular solution, we are working with a few options. The customer selects what best suits their needs. If we have a program, we work with that.

It's not specific to what we are working with.

What is most valuable?

We have done code scanning for a long period because as a company, we do DevOps as part of our development life cycle. We like scanning the ports and security as well as application-level security.

What needs improvement?

Some of our customers are operating on the cloud as well as on-premises.

We would like to have the option of using the solution for the cloud as well as on-premises with the same license at the same time. That would be very helpful.

For how long have I used the solution?

We have used this solution for three or four projects in the last two years.

We are always working with the latest version.

What do I think about the stability of the solution?

The stability varies on the version that you are using. 

We have not had any problems with stability with what we are using. It's been stable and we have never been faced with any stability issues.

What do I think about the scalability of the solution?

We have used this for an enterprise cloud application, which is much smaller with hundreds of users. It's pretty scalable. We have not had any challenges so far. 

I don't know the limits of scalability because we haven't trialed it fully. But for the enterprise application that we use, we didn't find any issue with scalability.

How are customer service and technical support?

We have contacted technical support, once or twice when we have had issues with respect to some plugin related clarification. 

There are times where the solution doesn't work out of the box, and we have to install some plugins. We needed some assistance with this.

They are good, but the response resolution takes a bit of time. I would say that it's still within an acceptable response time. Within a few hours, they will get back to you with a solution.

How was the initial setup?

The initial setup is pretty easy.

When we use the scales we find it to be easy.

In our experience, a complete deployment and start-up takes only a few hours.

What other advice do I have?

In some cases, we deploy on-premises because the customer is still evaluating the readiness to go to the cloud. 

A few of our customers are already on the cloud, and others are migrating. We have deployed on both models.

With my experience, I would definitely recommend it. This is the only tool we have used recently.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
PeerSpot user
reviewer1239462 - PeerSpot reviewer
CISO at a financial services firm with 201-500 employees
Real User
Saves me significant time when putting together reports for compliance agencies
Pros and Cons
  • "Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it."
  • "One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful."

What is our primary use case?

We use it for servers, domain controllers, application servers, Oracle servers, SQL servers, as well as network devices, like routers. For PCs that are used for services such as credit cards and ATMs, we usually do a vulnerability assessment, including Windows Servers, Linux servers, SQL servers, and database servers. We scan everything except basic PCs because it would require a lot of time to check all those reports. Our system administrators use another solution to check regular PCs for Windows and MS updates.

We're checking things every month. We created a schedule and it checks automatically. From time to time, we'll use it to check things if something unusual has happened. For example, if a stranger was on a computer, we'll check if there is a vulnerability there.

We also use it to prepare reports when the agency asks for them.

How has it helped my organization?

One thing that is important for us is that when the regulation agency is asking for something, we can send them reports from Nessus and they're very satisfied. If they're satisfied, and they don't have any problem or additional requests, that's most important.

In the past, before we implemented Nessus, we used several products that were doing vulnerability assessments for different machines. For instance, we were using an antivirus/anti-malware and end-point security application for vulnerability assessments for Windows machines. We were using free tools for vulnerability checking for Linux machines. And we were using Qualys' free version for external IP addresses, because Qualys allows you to check something like three IP addresses for free. I created a report for our regulation agency by combining three or four reports. I spent two weeks making that report. Now, I can create that report in one day. Nessus provides me reports within two to three hours for all our Windows machines. For Linux machines, it's half an hour; for the network, it takes about one hour. So in one day, I have everything ready for the agency.

Similarly, for my upper management, it's my responsibility to provide security reports on a monthly basis about viruses, malware, attacks, etc. Now, it is easier for me to prepare that kind of report. The reports are also more lavish than before. In the past, I had to prepare tables and sheets by myself. Now, everything is prepared for me. If I want to play around with reports I can export to Excel and I can filter the report. Nessus makes everything easier than it was before.

What is most valuable?

Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it.

What needs improvement?

One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful. If the scans which I have already prepared could be used to combine the results into one report, it would save me additional work.

Also, when a new machine is brought into the domain, when it's first connected by the system administrator, it would be good to have some kind of automatic, basic vulnerability scan. Of course, I would have to enter my credentials if I wanted something additional, but it would be useful if, the first time, that basic process happened. Otherwise, it can be problematic for me when, for example, a new Oracle Database is brought on. I may only be notified after 10 days that it has been connected and only then can I do a vulnerability assessment and I may find a lot of vulnerabilities. It would be better to know that before they put it into production. It would be great to have something automatically recognize a new server, a new PC, and do a basic vulnerability assessment.

For how long have I used the solution?

I have been using Nessus for about half a year.

What do I think about the stability of the solution?

We haven't any problems so far.

A few days ago, I was scanning a range, three or subnets, the whole domain. That was something like 1,000 IP addresses. The first time I did it, things were a little bit slow. I was thinking that it was stuck or blocked. But I left it overnight and checked it in the morning. Everything had finished, correctly, after three or four hours. 

That was the only case where I had any issue but it was a problem because I was a little bit lazy. Instead of creating multiple jobs, I put everything together. I didn't know for sure which IP addresses in which segments were being used. That's the reason I wanted Nessus to scan them. I didn't want to check with the system administrator regarding IP addresses because every time I get such information, I usually find IP addresses with computers that the system administrator didn't tell me about. This way, I was sure to get a full vulnerability assessment. And I found two or three computers which had not been updated for two or three months. That was very important for me to find out.

How was the initial setup?

In May, the guys from Alem Systems came to my office and we finished everything for the installation. They showed me how to configure it, how to add new assets, how to check networks, Linux machines, Windows machines, etc.

What's my experience with pricing, setup cost, and licensing?

We bought a one-year license. We are now preparing a new budget for next year and, given our experience with Nessus, we plan to continue with it for next year. We are satisfied with it. It's the best option for small banks. For us, here in Bosnia, a small bank would have about 150 to 250 employees, with 20 to 30 branches throughout the country. The biggest bank here has more than 2,000 and maybe as many as 3,000 employees.

Which other solutions did I evaluate?

I didn't have a lot of experience with this type of product. I heard and knew that vulnerability assessment is most important. We paid a company to do a pen-test in our bank. That was the first time I heard about vulnerability assessment and about Nessus, Qualys, and Guardium. At that moment, I started to think about it and to search for the best option for us.

In the past, it was tricky to find money for this kind of application. But recently, a new director started with our company. He understands what security actually means and that it's important for a bank. He gave me a bigger budget.

I started, one year ago, checking all products on the market for vulnerability checking and scanning. The first option was Qualys because everybody here, my colleagues, were saying that Qualys is the best. But there were two problems with Qualys for me. First, there is no on-premise version, only a cloud version. And the second issue was the price. The first issue, that Qualys is only connected to the cloud, was most important because I must prepare documents for our regulation agency in banking. With Qualys in the cloud, I would have to prepare risk assessments, etc., and that would be a lot of work for me. And then I would have to wait for that agency's approval, which could take some three months. Finally, when I started thinking, "Okay, I'll go that route and will prepare everything," when I asked about the price of Qualys here in Bosnia, I realized it was too much for us because we are a small bank.

I also checked an IBM solution, Guardium, because there are a lot of companies working with IBM here. It's easier to find solutions for IBM. The reason I didn't go with Guardium was its price.

After that, I started checking other products. Nessus was one of the options. I had a friend working for Alem Systems and spoke with him over a coffee. We spoke about solutions and he said, "Why don't you use Nessus? Nessus is good." He explained everything to me, and he showed me a demo and how it works in a particular company. I said, "Okay, if Nessus is good enough for me, who will sell it to me?" He said, "I will do that."

We are a small bank. I don't need to take care of 100 or 200 servers or many switches and routers and PCs. Nessus is easy to configure and it's easy to add additional searching and scanning for new assets, like a new router. I had seen Qualys at conferences, but I hadn't used it myself. A presenter showed how it worked, but I didn't have hands-on experience. My friend showed me Nessus and he gave me an idea of how to work with it. When I first used it by myself — I created a scheduled job for a server — when I got the report, I realized that it was easy for me, and that was great. Maybe Qualys has better graphics, but I didn't have experience with it. Nessus, now, is perfect.

Finally, I decided that the price was good enough for me and for my bosses. So I finally found a solution after six months.

I didn't need it to be something complicated, to have some NASA-level product. I needed it to work properly and simply, to show me what I need to do. I had to be able to explain to my system administrators what they should do. When I get a report I explain it and give it to my system administrators to solve the problem.

What other advice do I have?

If I were to speak to someone who works with IBM Guardium they would probably tell me, "Ah, Nessus is too simple for me. Guardium is better." But I can recommend Nessus to anyone who wants a good product for a "small amount of money." It's the best buy.

When I speak with my colleagues we usually share our experiences. I know that some of my colleagues are thinking about Nessus for next year because they don't have any solution, but they need one, according to regulations. When I explain how it works they usually say that they will check into it. Probably, in Bosnia, there will be two more banks using Nessus in the next year.

Alem, as a company, is very friendly and that's most important. They come to our office to explain things. They spent three or four hours here with me, explaining everything about Nessus. They suggested a free trial. It's important to have that kind of support. I know that if I need something, I can ask them without any problems, at any time.

Overall, Nessus is working well.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Senior Systems Administrator at Government Scientific Source, Inc.
Real User
Enabled us to fix holes in our network, but having vulnerabilities fixed by the solution would be better
Pros and Cons
  • "The most valuable feature is how it scanned and detected through its database to let us know exactly what fixes we needed to put in place for the vulnerabilities. It detects and it also gives you the way to fix it."
  • "There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it."

What is our primary use case?

It is used for vulnerability management. We used Nessus to scan our machines to see how they were vulnerable, for patches or security. The CVE numbers are what we looked at, the security vulnerability, and tried to figure out what we were vulnerable to.

We monitored Windows Servers, Windows workstations, Linux servers, firewalls, switches, VMware equipment, and Cisco UCS hardware through the application.

How has it helped my organization?

We were a lot less vulnerable after implementing the changes that the application recommended.

The solution helped limit our company's cyber exposure by pointing out every single vulnerability we had and showing us how to fix them. By following the application's directions, we were less vulnerable to attackers. By implementing what the application told us to implement, we were able to fix the holes in our network and prevent any attackers from coming in.

What is most valuable?

The most valuable feature is how it scanned and detected through its database to let us know exactly what fixes we needed to put in place for the vulnerabilities. It detects and it also gives you the way to fix it.

The product's VPR did a great job in prioritizing and giving the highs versus the mediums; it did a great job providing the different ratings and priorities.  

What needs improvement?

The Nessus predictive prioritization feature is very nice, the way it displays. The interface could look better, but it has everything it needs. It could do a better grouping of the workstations and run a better schedule. But it was sufficient in what it provided.

There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it.

For how long have I used the solution?

I used Nessus for about three years.

What do I think about the stability of the solution?

It was very stable. We didn't have any outages or downtime during its use.

What do I think about the scalability of the solution?

The scalability was very good. We were able to deploy it into multiple remote sites using the scanners. You can deploy separate scanner VMs into remote locations where you don't have access. They have Tenable.io in the cloud, which allows you to do all that.

I used it in a very large environment. Just in my sector, we had about 5,000 workstations along with about 150 servers. So it was a pretty sizable environment. The company was using it for a much bigger purpose. It had between about 50,000 and 100,000 workstations and about 10,000 servers.

In my environment we had about seven users logging into it. The company as a whole had about 150 users. They were security engineers, security administrators, system administrators, and system engineers. For maintenance of Nessus, there was only a team of about 15 people.

How are customer service and technical support?

I rarely had to call technical support. There was one time when we were troubleshooting a VMware scan. They got on and were helpful, but they weren't able to provide a solution quickly enough. I would give them a three out of five.

How was the initial setup?

I found the setup to be simple. The interface was very intuitive. It was simple yet functional.

What was our ROI?

Without Nessus, we would have had a lot more vulnerabilities which would have opened the doors to potential attacks. And attacks would have cost the company a lot more money.

What other advice do I have?

Know that it's only a detection tool and that it has limitations as a detection tool, but the deployment can be pretty scalable.

The solution didn't reduce the number of critical and high vulnerabilities we needed to patch first. It tells you what the critical vulnerabilities are that you need to patch, but it didn't reduce anything. It doesn't patch it for you.

I would give Nessus a seven out of ten, as it doesn't automatically resolve the vulnerabilities. There are tools out there that give you an option: "Hey, do you want me to patch that vulnerability?" You just hit "yes" and it automatically does it. Nessus doesn't do that. And, as I said, the grouping could be a little bit better.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1229910 - PeerSpot reviewer
Security Architect at a logistics company with 10,001+ employees
Real User
The vulnerability priority rating has been accurate and helps us prioritize effectively, based on risk
Pros and Cons
  • "The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing."
  • "There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product."

What is our primary use case?

We use it for internal and external vulnerability scans.

How has it helped my organization?

Instead of just looking at high, medium or low risk for vulnerabilities, and having to remediate all of them, we can remediate in a more effective manner. We have limited resources for remediation work and we want to spend our time on the most critical issues.

It helps us focus resources on the vulnerabilities that are most likely to be exploited. It gives a higher VPR number where the things are more likely to be exploited, instead of just using the pure severity rating as a way to prioritize and decide to remediate.

What is most valuable?

The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing.

When it comes to vulnerability prioritization, Tenable's predictive features are off to a great start. It's definitely giving us more data to help prioritize, instead of just relying on straight CVSS. The vulnerability priority rating has been accurate and is helping us prioritize effectively, based on risk or based on the likelihood of being exploited. Based on what they say, and comparing it to what we are seeing with malware exploits, their predictions are lining up with what we are seeing being exploited.

What needs improvement?

There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product.

There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.

For how long have I used the solution?

I have been using Nessus for three years at my current company. 

We monitor Windows, Linux, Mac, workstations, servers, and cloud resources.

What do I think about the stability of the solution?

It's very stable. We haven't had any issues. There has been no database corruption or anything like that. All we've had to do to the main Security Center is give it more disk space to save more data. That's it.

What do I think about the scalability of the solution?

The scalability is okay. We would definitely run into issues if we wanted to save a longer history of the data. It would be terabytes and terabytes of data. But in terms of at least keeping all the data for all the assets that we have, it's good. We're good enough with the retention. It meets our requirements.

The issues would be storage and being able to search across it. If we needed to save five years of scan history, it would be operationally difficult to use all the data that would be saved. But it's not problematic to look at the current data or trends for the past six months. Stuff like that is fine.

We're at about 20,000 hosts and it's pretty stable. I don't think we're going to do a big increase.

How are customer service and technical support?

Tenable's technical support is good, except for things that involve some of the custom development work that we've done using their API. Early on, that was problematic, but they've gotten better and released more API documentation and sample code, and that was fine.

It was nothing that was wrong with the product itself, but tech support is more designed for normal user interactions with the product, not doing development against the API. The problem with my code was because some documentation wasn't clear or there wasn't a sample for how to do this. That's where it was a little bit tougher. The normal, user function stuff was totally fine. It was really the developer-focused side.

Which solution did I use previously and why did I switch?

We were on Rapid7. We switched because of scalability and performance.

We were looking for a solution that could handle and scan our volume of assets. It wasn't working with our previous solution. Nessus has scalability. Being able to scan in time and actually being able to report on that data were things we couldn't do with our old solution.

Also, the level of visibility that Tenable provides is much better than Rapid7 because we're able to actually see all of the data that was collected and we're able to scan for vulnerabilities and config issues and pull all the data together. We were having real trouble with that before.

How was the initial setup?

The initial setup was straightforward. We were easily able to set up scan policies, asset groups, scan schedules, and start collecting data very quickly.

It wasn't complicated to define what we wanted to scan. It wasn't complicated to set up the credentialed scans, or to set up the different credentials for the different policies and different types of machines. Everything that goes into building a scan policy was straightforward and we were able to get all of our assets scanned pretty quickly. Within 45 days of buying, we had good data and had done multiple scans already with all of our assets.

Our implementation strategy was that we wanted to set up credentialed scans for all of our machines as quickly as possible. We were working towards that and trying to get the coverage in Tenable as soon as possible.

What about the implementation team?

We did it ourselves.

What was our ROI?

We are fulfilling our goals and able to deliver on the requirements that we have. It's hard for security to be a real ROI. We need to do vulnerability scanning, we need to know where the issues are and we need to be able to fix them. It is doing that.

What's my experience with pricing, setup cost, and licensing?

Our licensing is on a yearly basis but we did a three-year deal. It is a fixed cost to cover a certain number of hosts or assets. There are no additional costs to the standard licensing fees.

What other advice do I have?

Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network.

The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better.

The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that.

The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Mona Nyachhyon - PeerSpot reviewer
Director at Monal Tech Pvt.Ltd.
Reseller
Beneficial website scanning, reliable, and scales well
Pros and Cons
  • "The most valuable feature of Tenable Nessus is website scanning."
  • "The solution could improve security updates."

What is our primary use case?

Our clients use Tenable Nessus to find vulnerabilities in websites and infrastructure.

What is most valuable?

The most valuable feature of Tenable Nessus is website scanning.

What needs improvement?

The solution could improve security updates.

For how long have I used the solution?

I have been using Tenable Nessus for approximately three years.

What do I think about the stability of the solution?

The solution is stable.

I rate the stability of Tenable Nessus a seven out of ten.

What do I think about the scalability of the solution?

I am the only one using this solution.

I rate the scalability of Tenable Nessus a seven out of ten.

How are customer service and support?

I rate the support of Tenable Nessus a six out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The setup is easy. We used the deployment manual and followed the steps.

I rate the initial setup of Tenable Nessus a nine out of ten.

What's my experience with pricing, setup cost, and licensing?

The price is high for the solution. There are free tools with similar functionality available. The solution cost approximately $3,500.

I rate the price of Tenable Nessus a six out of ten.

What other advice do I have?

I would recommend this solution to others.

I rate Tenable Nessus a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer.