IT Central Station is now PeerSpot: Here's why

Tenable Nessus OverviewUNIXBusinessApplication

Tenable Nessus is #1 ranked solution in top Vulnerability Management tools. PeerSpot users give Tenable Nessus an average rating of 8.4 out of 10. Tenable Nessus is most commonly compared to Rapid7 InsightVM: Tenable Nessus vs Rapid7 InsightVM. Tenable Nessus is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 21% of all views.
Tenable Nessus Buyer's Guide

Download the Tenable Nessus Buyer's Guide including reviews and more. Updated: July 2022

What is Tenable Nessus?

Nessus Professional is the industry’s most widely deployed assessment solution for identifying the vulnerabilities, configuration issues, and malware that attackers use to penetrate your, or your customer's network. With the broadest coverage, the latest intelligence, rapid updates, and an easy-to-use interface, Nessus offers an effective and comprehensive vulnerability scanning package for one low cost.

Tenable Nessus Customers

Bitbrains, Tesla, Just Eat, Crosskey Banking Solutions, Covenant Health, Youngstown State University

Tenable Nessus Video

Archived Tenable Nessus Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
CISO at a financial services firm with 201-500 employees
Real User
Saves me significant time when putting together reports for compliance agencies
Pros and Cons
  • "Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it."
  • "One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful."

What is our primary use case?

We use it for servers, domain controllers, application servers, Oracle servers, SQL servers, as well as network devices, like routers. For PCs that are used for services such as credit cards and ATMs, we usually do a vulnerability assessment, including Windows Servers, Linux servers, SQL servers, and database servers. We scan everything except basic PCs because it would require a lot of time to check all those reports. Our system administrators use another solution to check regular PCs for Windows and MS updates.

We're checking things every month. We created a schedule and it checks automatically. From time to time, we'll use it to check things if something unusual has happened. For example, if a stranger was on a computer, we'll check if is there a vulnerability there. 

We also use it to prepare reports when the agency asks for them.

How has it helped my organization?

One thing that is important for us is that when the regulation agency is asking for something. we can send them reports from Nessus and they're very satisfied. If they're satisfied, and they don't have any problem or additional requests, that's most important.

In the past, before we implemented Nessus, we used several products that were doing vulnerability assessments for different machines. For instance, we were using an antivirus/anti-malware and end-point security application for vulnerability assessments for Windows machines. We were using free tools for vulnerability checking for Linux machines. And we were \using Qualys' free version for external IP addresses, because Qualys allows you to check something like three IP addresses for free. I created a report for our regulation agency by combining three or four reports. I spent two weeks making that report. Now, I can create that report in one day. Nessus provides me reports within two to three hours for all our Windows machines. For Linux machines, it's half an hour; for the network, it takes about one hour. So in one day, I have everything ready for the agency. 

Similarly, for my upper management, it's my responsibility to provide security reports on a monthly basis about viruses, malware, attacks, etc. Now, it is easier for me to prepare that kind of report. The reports are also more lavish than before. In the past, I had to prepare tables and sheets by myself. Now, everything is prepared for me. If I want to play around with reports I can export to Excel and I can filter the report. Nessus makes everything easier than it was before.

What is most valuable?

Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it.

What needs improvement?

One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful. If the scans which I have already prepared could be used to combine the results into one report, it would save me additional work.

Also, when a new machine is brought into the domain, when it's first connected by the system administrator, it would be good to have some kind of automatic, basic vulnerability scan. Of course, I would have to enter my credentials if I wanted something additional, but it would be useful if, the first time, if that basic process happened. Otherwise, it can be problematic for me when, for example, a new Oracle Database is brought on. I may only be notified after 10 days that it has been connected and only then can I do a vulnerability assessment and I may find a lot of vulnerabilities. It would be better to know that before they put it into production. It would be great to have something automatically recognize a new server, a new PC, and do a basic vulnerability assessment.

Buyer's Guide
Tenable Nessus
July 2022
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
621,703 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Nessus for about half a year.

What do I think about the stability of the solution?

We haven't any problems so far.

A few days ago, I was scanning a range, three or subnets, the whole domain. That was something like 1,000 IP addresses. The first time I did it, things were a little bit slow. I was thinking that it was stuck or blocked. But I left it overnight and checked it in the morning. Everything had finished, correctly, after three or four hours. 

That was the only case where I had any issue but it was a problem because I was a little bit lazy. Instead of creating multiple jobs, I put everything together. I didn't know for sure which IP addresses in which segments were being used. That's the reason I wanted Nessus to scan them. I didn't want to check with the system administrator regarding IP addresses because every time I get such information, I usually find IP addresses with computers that the system administrator didn't tell me about. This way, I was sure to get a full vulnerability assessment. And I found two or three computers which had not been updated for two or three months. That was very important for me to find out.

How was the initial setup?

In May, the guys from Alem Systems came to my office and we finished everything for the installation. They showed me how to configure it, how to add new assets, how to check networks, Linux machines, Windows machines, etc.

What's my experience with pricing, setup cost, and licensing?

We bought a one-year license. We are now preparing a new budget for next year and, given our experience with Nessus, we plan to continue with it for next year. We are satisfied with it. It's the best option for small banks. For us, here in Bosnia, a small bank would have about 150 to 250 employees, with 20 to 30 branches throughout the country. The biggest bank here has more than 2,000 and maybe as many as 3,000 employees.

Which other solutions did I evaluate?

I didn't have a lot of experience with this type of product. I heard and knew that vulnerability assessment is most important. We paid a company to do a pen-test in our bank. That was the first time I heard about vulnerability assessment and about Nessus, Qualys, and Guardium. At that moment, I started to think about it and to search for the best option for us.

In the past, it was tricky to find money for this kind of application. But recently, a new director started with our company. He understands what security actually means and that it's important for a bank. He gave me a bigger budget.

I started, one year ago, checking all products on the market for vulnerability checking and scanning. The first option was Qualys because everybody here, my colleagues, were saying that Qualys is the best. But there were two problems with Qualys for me. First, there is no on-premise version, only a cloud version. And the second issue was the price. The first issue, that Qualys is only connected to the cloud, was most important because I must prepare documents for our regulation agency in banking. With Qualys in the cloud, I would have to prepare risk assessments, etc., and that would be a lot of work for me. And then I would have to wait for that agency's approval, which could take some three months. Finally, when I started thinking, "Okay, I'll go that route and will prepare everything," when I asked about the price of Qualys here in Bosnia, I realized it was too much for us because we are a small bank.

I also checked an IBM solution, Guardium, because there are a lot of companies working with IBM here. It's easier to find solutions for IBM. The reason I didn't go with Guardium was its price.

After that, I started checking other products. Nessus was one of the options. I had a friend working for Alem Systems and spoke with him over a coffee. We spoke about solutions and he said, "Why don't you use Nessus? Nessus is good." He explained everything to me, and he showed me a demo and how it works in a particular company. I said, "Okay, if Nessus is good enough for me, who will sell it to me?" He said, "I will do that."

We are a small bank. I don't need to take care of 100 or 200 servers or many switches and routers and PCs. Nessus is easy to configure and it's easy to add additional searching and scanning for new assets, like a new router. I had seen Qualys at conferences, but I hadn't used it myself. A presenter showed how it worked, but I didn't have hands-on experience. My friend showed me Nessus and he gave me an idea of how to work with it. When I first used it by myself — I created a scheduled job for a server — when I got the report, I realized that it was easy for me, and that was great. Maybe Qualys has better graphics, but I didn't have experience with it. Nessus, now, is perfect.

Finally, I decided that the price was good enough for me and for my bosses. So I finally found a solution after six months.

I didn't need it to be something complicated, to have some NASA-level product. I needed it to work properly and simply, to show me what I need to do. I had to be able to explain to my system administrators what they should do. When I get a report I explain it and give it to my system administrators to solve the problem.

What other advice do I have?

If I were to speak to someone who works with IBM Guardium they would probably tell me, "Ah, Nessus is too simple for me. Guardium is better." But I can recommend Nessus to anyone who wants a good product for a "small amount of money." It's the best buy.

When I speak with my colleagues we usually share our experiences. I know that some of my colleagues are thinking about Nessus for next year because they don't have any solution, but they need one, according to regulations. When I explain how it works they usually say that they will check into it. Probably, in Bosnia, there will be two more banks using Nessus in the next year.

Alem, as a company, is very friendly and that's most important. They come to our office to explain things. They spent three or four hours here with me, explaining everything about Nessus. They suggested a free trial. It's important to have that kind of support. I know that if I need something, I can ask them without any problems, at any time.

Overall, Nessus is working well.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Senior Systems Administrator at Government Scientific Source
Real User
Enabled us to fix holes in our network, but having vulnerabilities fixed by the solution would be better
Pros and Cons
  • "The most valuable feature is how it scanned and detected through its database to let us know exactly what fixes we needed to put in place for the vulnerabilities. It detects and it also gives you the way to fix it."
  • "There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it."

What is our primary use case?

It is used for vulnerability management. We used Nessus to scan our machines to see how they were vulnerable, for patches or security. The CVE numbers is what we looked at, the security vulnerability, and tried to figure out what we were vulnerable to.

We monitored Windows Servers, Windows workstations, Linux servers, firewalls, switches, VMware equipment, and Cisco UCS hardware through the application.

How has it helped my organization?

We were a lot less vulnerable after implementing the changes that the application recommended.

The solution helped limit our company's cyber exposure by pointing out every single vulnerability we had and showing us how to fix them. By following the application's directions, we were less vulnerable to attackers. By implementing what the application told us to implement, we were able to fix the holes in our network and prevent any attackers from coming in.

What is most valuable?

The most valuable feature is how it scanned and detected through its database to let us know exactly what fixes we needed to put in place for the vulnerabilities. It detects and it also gives you the way to fix it.

The product's VPR did a great job in prioritizing and giving the highs versus the mediums; it did a great job providing the different ratings and priorities.  

What needs improvement?

The Nessus predictive prioritization feature is very nice, the way it displays. The interface could look better, but it has everything it needs. It could do a better grouping of the workstations and run a better schedule. But it was sufficient in what it provided.

There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it.

For how long have I used the solution?

I used Nessus for about three years.

What do I think about the stability of the solution?

It was very stable. We didn't have any outages or downtime during its use.

What do I think about the scalability of the solution?

The scalability was very good. We were able to deploy it into multiple remote sites using the scanners. You can deploy separate scanner VMs into remote locations where you don't have access. They have Tenable.io in the cloud, which allows you to do all that.

I used it in a very large environment. Just in my sector, we had about 5,000 workstations along with about 150 servers. So it was a pretty sizable environment. The company was using it for a much bigger purpose. It had between about 50,000 and 100,000 workstations and about 10,000 servers.

In my environment we had about seven users logging into it. The company as a whole had about 150 users. They were security engineers, security administrators, system administrators, and system engineers. For maintenance of Nessus, there was only a team of about 15 people.

How are customer service and technical support?

I rarely had to call technical support. There was one time when we were troubleshooting a VMware scan. They got on and were helpful, but they weren't able to provide a solution quickly enough. I would give them a three out of five.

How was the initial setup?

I found the setup to be simple. The interface was very intuitive. It was simple yet functional.

What was our ROI?

Without Nessus, we would have had a lot more vulnerabilities which would have opened the doors to potential attacks. And attacks would have cost the company a lot more money.

What other advice do I have?

Know that it's only a detection tool and that it has limitations as a detection tool, but the deployment can be pretty scalable.

The solution didn't reduce the number of critical and high vulnerabilities we needed to patch first. It tells you what the critical vulnerabilities are that you need to patch, but it didn't reduce anything. It doesn't patch it for you.

I would give Nessus a seven out of ten, as it doesn't automatically resolve the vulnerabilities. There are tools out there that give you an option: "Hey, do you want me to patch that vulnerability?" You just hit "yes" and it automatically does it. Nessus doesn't do that. And, as I said, the grouping could be a little bit better.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Tenable Nessus
July 2022
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
621,703 professionals have used our research since 2012.
Network Security Engineer at a construction company with 1,001-5,000 employees
MSP
Helps us limit our vulnerabilities and reduce exploitation
Pros and Cons
  • "Among the most valuable features are scanning for vulnerabilities and the reporting. The reporting templates are okay. I like that I can see all the hosts with different vulnerabilities."
  • "We use credentialed scans. They need more permissions and more changes or settings on Windows and Linux."

What is our primary use case?

We mainly use it for scanning for vulnerability on our hosts, like network devices and servers; to find the vulnerabilities and do remediation. We monitor Windows and Linux workstations.

How has it helped my organization?

It helps us limit our vulnerabilities and to reduce exploitations.

Tenable also helps us focus resources on the vulnerabilities that are most likely to be exploited.

What is most valuable?

Among the most valuable features are scanning for vulnerabilities and the reporting. The reporting templates are okay. I like that I can see all the hosts with different vulnerabilities. I can export reports to Excel to adjust them and it's a convenient way to send them to my manager. We actually use the report feature to identify all the vulnerabilities on all the hosts.

  • The prioritization is done quickly and is good.
  • Their VPR is good.
  • I'm also able to find its features easily.

What needs improvement?

We use credentialed scans. They need more permissions and more changes or settings on Windows and Linux.

Also, Agent scanning is more efficient than credential scanning but Agent scanning is more expensive than credential scanning. I prefer, mainly, the Agent scan over the credential scan, it's better. But we will continue to use the credential scan. I would like to see Tenable make some improvements to the credential scanning; more vulnerabilities, because most of the problems have occurred on Windows Server. We have some scanning issues.

For how long have I used the solution?

We have been using Tenable for just over a year.

What do I think about the stability of the solution?

It's always working, no crashes.

What do I think about the scalability of the solution?

We can add more scanners to the scan zone. We can also create different organizations in terms of scanning, so I think the scalability is good.

We use Tenable on 300 servers. In our office we have two or three people using the solution who are network security engineers. Two or three people are enough to take care of deployment and maintenance of Tenable.

We have plans to increase our usage. We want to increase our licenses up to about 1,000.

How are customer service and technical support?

Technical support is good. I get responses quickly and they provide quick resolution. I can look at their community to find questions or the problem. The support is good.

Which solution did I use previously and why did I switch?

Before Tenable, our global team used Qualys, but I myself didn't use that. The switch to Tenable was decided on by our U.S. team. It was a global strategy to move to Tenable.

How was the initial setup?

The initial setup was good, not complex. We had the guides from Tenable to guide us through the setup. It took us two days, but one day should be good enough for the initial deployment.

Originally, we wanted to scan all our servers from multiple clouds and also on-premises, to scan the local network.

What other advice do I have?

Tenable mainly works on vulnerability scanning and prioritizing.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Security Architect at a logistics company with 10,001+ employees
Real User
The vulnerability priority rating has been accurate and helps us prioritize effectively, based on risk
Pros and Cons
  • "The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing."
  • "There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product."

What is our primary use case?

We use it for internal and external vulnerability scans.

How has it helped my organization?

Instead of just looking at high, medium or low risk for vulnerabilities, and having to remediate all of them, we can remediate in a more effective manner. We have limited resources for remediation work and we want to spend our time on the most critical issues.

It helps us focus resources on the vulnerabilities that are most likely to be exploited. It gives a higher VPR number where the things are more likely to be exploited, instead of just using the pure severity rating as a way to prioritize and decide to remediate.

What is most valuable?

The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing.

When it comes to vulnerability prioritization, Tenable's predictive features are off to a great start. It's definitely giving us more data to help prioritize, instead of just relying on straight CVSS. The vulnerability priority rating has been accurate and is helping us prioritize effectively, based on risk or based on the likelihood of being exploited. Based on what they say, and comparing it to what we are seeing with malware exploits, their predictions are lining up with what we are seeing being exploited.

What needs improvement?

There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product.

There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.

For how long have I used the solution?

I have been using Nessus for three years at my current company. 

We monitor Windows, Linux, Mac, workstations, servers, and cloud resources.

What do I think about the stability of the solution?

It's very stable. We haven't had any issues. There has been no database corruption or anything like that. All we've had to do to the main Security Center is give it more disk space to save more data. That's it.

What do I think about the scalability of the solution?

The scalability is okay. We would definitely run into issues if we wanted to save a longer history of the data. It would be terabytes and terabytes of data. But in terms of at least keeping all the data for all the assets that we have, it's good. We're good enough with the retention. It meets our requirements.

The issues would be storage and being able to search across it. If we needed to save five years of scan history, it would be operationally difficult to use all the data that would be saved. But it's not problematic to look at the current data or trends for the past six months. Stuff like that is fine.

We're at about 20,000 hosts and it's pretty stable. I don't think we're going to do a big increase.

How are customer service and technical support?

Tenable's technical support is good, except for things that involve some of the custom development work that we've done using their API. Early on, that was problematic, but they've gotten better and released more API documentation and sample code, and that was fine.

It was nothing that was wrong with the product itself, but tech support is more designed for normal user interactions with the product, not doing development against the API. The problem with my code was because some documentation wasn't clear or there wasn't a sample for how to do this. That's where it was a little bit tougher. The normal, user function stuff was totally fine. It was really the developer-focused side.

Which solution did I use previously and why did I switch?

We were on Rapid7. We switched because of scalability and performance.

We were looking for a solution that could handle and scan our volume of assets. It wasn't working with our previous solution. Nessus has scalability. Being able to scan in time and actually being able to report on that data were things we couldn't do with our old solution.

Also, the level of visibility that Tenable provides is much better than Rapid7 because we're able to actually see all of the data that was collected and we're able to scan for vulnerabilities and config issues and pull all the data together. We were having real trouble with that before.

How was the initial setup?

The initial setup was straightforward. We were easily able to set up scan policies, asset groups, scan schedules, and start collecting data very quickly.

It wasn't complicated to define what we wanted to scan. It wasn't complicated to set up the credentialed scans, or to set up the different credentials for the different policies and different types of machines. Everything that that goes into building a scan policy was straightforward and we were able to get all of our assets scanned pretty quickly. Within 45 days of buying, we had good data and had done multiple scans already with all of our assets.

Our implementation strategy was that we wanted to set up credentialed scans for all of our machines as quickly as possible. We were working towards that and trying to get the coverage in Tenable as soon as possible.

What about the implementation team?

We did it ourselves.

What was our ROI?

We are fulfilling our goals and able to deliver on the requirements that we have. It's hard for security to be a real ROI. We need to do vulnerability scanning, we need to know where the issues are and we need to be able to fix them. It is doing that.

What's my experience with pricing, setup cost, and licensing?

Our licensing is on a yearly basis but we did a three-year deal. It is a fixed cost to cover a certain number of hosts or assets. There are no additional costs to the standard licensing fees.

What other advice do I have?

Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network.

The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better.

The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that.

The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Keith S. Crumpton - PeerSpot reviewer
President and Sr CISO Consultant at CISO Consulting Inc.
Consultant
Provides me with executive-friendly reporting for my clients
Pros and Cons
  • "Nessus is good at finding out what nodes you have in place. It will then provide you a report, by node, of what the vulnerabilities are. It does it quickly and stealthfully."
  • "It also has an executive report where you don't have to provide the client all the detail for them to sift though. But if they wish to dig through the detail they can."
  • "One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that."

What is our primary use case?

I use it for performing vulnerability scans for both my environment and for clients. I provide fractional CISO consulting services. As such, I will perform a vulnerability scan on an environment before I say "yes."

Everybody has to have a vulnerability scan. You should do them periodically which, to me, is monthly. It's just good practice to perform that scan monthly and whenever there's a major change, to make sure that you don't have any open environment. 

I monitor web servers, database servers, app servers, desktops; everything you'd find on a network, besides switches and routers. I don't have that, but I monitor any Windows- and Linux-based nodes.

How has it helped my organization?

I went to a client's site and I ran the report. They had a number of fives, fours, and threes. With that information, we were able to remediate the fives, fours, and threes down to a couple of threes.

It also helps to prioritize based on risk. If it provides a notification that you have an older operating system out there, for example, obviously you would have that as a higher risk and wish to remediate that above any and all other risks. It details what that the risk is and what you should do about it.

The solution helps to limit cyber exposure. By running it on a monthly basis, you tighten the window of opportunity for any nefarious individual to get into your environment. Industry standards say that you have to do it quarterly or yearly and I do it monthly, so I think I'm in a better position to secure the environment.

The solution reduces the number of critical and high vulnerabilities which need to be patched first. In terms of a percentage reduction, it's more of a detective control, along with the preventative control. I can't give you a percentage. It reduces the risks by providing the information that you can react to, quicker than finding out that you've been breached.

What is most valuable?

Nessus is good at finding out what nodes you have in place. It will then provide you a report, by node, of what the vulnerabilities are. It does it quickly and stealthfully. 

It also has an executive report where you don't have to provide the client all the detail for them to sift though. But if they wish to dig through the detail they can.

The predictive prioritization features are spot-on. I enjoy how it actually gives me a prioritization that I can address and it associates it with a known vulnerability. I like that.

What needs improvement?

One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that. Or, if they change the product itself for you to add comments of remediation efforts and allow you to sort on that and report on it, that would be helpful. Most of us would rather not have that information out in the cloud. We'd rather have it in-house. It would be better if you could provide it in an Excel spreadsheet for us to work with.

For how long have I used the solution?

I've been using it for four years.

What do I think about the stability of the solution?

It's very stable. It hasn't aggravated my environment, so I'm happy with that. It's up and running. It runs all the time.

What do I think about the scalability of the solution?

Scaling is easy because it goes out and examines the network and identifies all the nodes that are out there. You don't have to worry about scalability, per se. It's just another node that it adds to the list, so it's easy.

It's being used for under 500 nodes. I would like to increase it if possible, but I have no plans to do so.

Which solution did I use previously and why did I switch?

Before Nessus, I used Qualys. I switched because the reporting in Nessus is better. The reporting in Nessus is more executive-friendly. When giving information to clients, I don't need to repackage it. It is fine the way it is.

The level of visibility Nessus provides, compared to a solution like Qualys, from an executive standpoint, is better. From a technical standpoint, it does not provide you that documentation capability that I would like. Having said that, from my standpoint, for my client base, the executive reporting is better.

How was the initial setup?

The initial setup was straightforward. It was easy-peasy. I just said, "Run," and it set it up. After that, it was a matter of putting in my company's information and setting up a scan. It wasn't hard at all. It was very intuitive, very easy.

It took about half-an-hour.

All I had to do was download the software, install it, and run it. That was it.

What other advice do I have?

If you're going to employ this product, it's the better one for smaller to medium businesses because of the executive documentation. I would not try to sell it as a technical tool for a technical group. As a consultant it would be best for you to run it and manage it for clients. With that, you're a one-stop shop for them. I would remind clients that most auditing requirements state that you need a third-party individual to do an assessment of your environment. As a consultant you would do that for them. Keep it in-house. I wouldn't sell it.

The priority rating is an industry-standard rating, so it's not like it pulls it out of a hat. It's a known rating, so that's good.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Senior Infrastructure Project Manager at a energy/utilities company with 501-1,000 employees
Real User
Has good vulnerability reporting and is stable and scalable

What is our primary use case?

Our primary use case of this solution is scanning of our external websites.

What is most valuable?

The feature I find most valuable is the vulnerability reporting.

What needs improvement?

I would like to see an improvement in the ranking of high, medium and low vulnerability.

For how long have I used the solution?

I have been using Tenable Nessus for six months now.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

Tenable Nessus is a very scalable solution. We have over 50 devices running on it currently, and over 50 locations. And we plan to increase our usage in the future. We use our existing team for maintenance, so we didn't have to increase our headcounts. One person is enough to do the maintenance.

How are customer service and technical support?

The technical support is good.

How was the initial setup?

I will say the initial setup was not straightforward, and not complex either. It's medium. Technically it's not too complicated, but if you work with a good partner, they can help. The deployment took us about three to six months.

What other advice do I have?

My advice to others would be to include post-implementation support for six months from the vendor to help with the fine-tuning. I rate this solution an eight out of ten. In the future, I would like to see better reporting for high impact vulnerabilities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Miguel Angel Hernández Armas - PeerSpot reviewer
Implementation Engineer at GFx Soluciones
Real User
The comprehensive coverage offered has been the most remarkable

What is our primary use case?

Nessus was used to scan vulnerabilities and compliances in our clients' networks and with this, carry out the remediation process through constant cycles in time until threats to the network are considerably reduced. The environments are small business networks (less than 50 employees), and so far there have been no major impediments in the scans performed.

How has it helped my organization?

Nessus has greatly improved the security of our clients' networks. The comfortable management of their systems makes it easier for engineers to use the codes for each vulnerability or compliance. Deploying the server to launch the scans is very easy, and only the necessary prerequisites for scanning should be fulfilled. Nessus has been very valuable to the company.

What is most valuable?

The comprehensive coverage offered by Nessus has been the most remarkable; it really does everything that has been asked of the software.

It's great, the possibility of automating implementations and really your database is immense for all the compliances and vulnerabilities.

Tenable University is great and allows to train all the personnel in charge of making the scans in an optimal and effective way.

What needs improvement?

  • I think that the next versions could improve the graphical interface to make more intuitive the management of the reports. 
  • Additionally, it could include better features in the vulnerability scan at the language level.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Nessus is very stable and really works in diverse environments without any difficulty. The most important thing is to establish the necessary requirements.

What do I think about the scalability of the solution?

Scalability of this type of software does not seem so relevant.

How are customer service and technical support?

The Tenable support is very good and has really solved in a timely manner the problems that have occurred in the various projects.

Which solution did I use previously and why did I switch?

In the company, Qualys was used, and it was not possible to manage the projects with this tool.

How was the initial setup?

Quite simple and comfortable.

What about the implementation team?

Internal team.

What was our ROI?

Phenomenal.

What's my experience with pricing, setup cost, and licensing?

The costs are not high, considering all the support and service offered by Tenable.

What other advice do I have?

Scans using agents are very useful, and taking advantage of them is the best way to take advantage of the tool.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
KalaiarasuSanthirasekeran - PeerSpot reviewer
Security Professional at a tech services company with 10,001+ employees
Real User
An affordable product that needs to improve the reporting function

What is our primary use case?

Primarily, I use this for assessment and administration testing.

What is most valuable?

I find the features that are most valuable are the policies that help us identify the vulnerabilities. These policies are then used for scanning and identifying instabilities.

What needs improvement?

The reporting functionality needs improvement. I think it would be beneficial to have a high level explanation for a particular user. 

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It is very stable, based on our past experience. We have had some false positives in the past, which we hope can improve in the future.

What do I think about the scalability of the solution?

The scalability is fine. It is tied to the licensing agreement. We currently have 20 people using this tool in our organization. It is primarily used by people in our cellular team. If we see a need to add more users in the future, we will renegotiate our licensing agreement to do so. 

How are customer service and technical support?

We have not needed to contact tech support much. We contacted them about the false positives, and they were helpful. 

Which solution did I use previously and why did I switch?

We also evaluated Netplus. 

How was the initial setup?

The installation is very straightforward and easy. We did not use a third-party installer. 

What's my experience with pricing, setup cost, and licensing?

I think the price is fairly affordable. It provides a license that is fair.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Thomas Kung - PeerSpot reviewer
Senior Consultant at a tech company with 1,001-5,000 employees
MSP
Reduces the amount of time spent on finding vulnerabilities.
Pros and Cons
  • "Tenable Nessus streamlines the process of scanning for our organization."
  • "This is still a maturing product. Tenable is only a scanner for one ability, while other solutions like Rapid7 have more tools for verification. We still have to manually verify to see if the vulnerability is a false positive or not."

What is our primary use case?

My primary use case of this solution is for scanning internal networks.

How has it helped my organization?

We use Tenable Nessus for scanning. We find lots of vulnerabilities and then we reduce the time spent on finding inbox vulnerabilities. Of course, Tenable streamlines the process. It has been a positive experience overall.

Tenable can scan for missing patches for the endpoints. We can scan it and then, once we can support any endpoint without patching, we inform our users.

What is most valuable?

We wanted to do a lot of Hardening and we have to make sure that all endpoints are up to the certain Hardening standard and we propose the CIS benchmark to do this. That's why we use Tenable to do scanning frequency and to ensure the quality of the endpoints.

What needs improvement?

This is still a maturing product. Tenable is only a scanner for one ability, while other solutions like Rapid7 have more tools for verification. We still have to manually verify to see if the vulnerability is a false positive or not. 

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

It is stable. We have not had any major issues. It performs as scheduled and scans as needed.

What do I think about the scalability of the solution?

In terms of scalability, there is an issue with cloud servers. You need the internet bandwidth to do the testing. They consume a lot of bandwidth and they use the cloud scanners for the scanning. 

How is customer service and technical support?

I usually use the dashboard for support. It shows the critical vulnerabilities from low to high. They are very responsive when necessary. 

How was the initial setup?

The implementation was straightforward. First, we noticed whether everything was ready, then we got a license key, set up some basic scanning using a default template, and finally, we scheduled time. 

What's my experience with pricing, setup cost, and licensing?

The price of Tenable Nessus is much more competitive versus other solutions on the market. 

Which other solutions did I evaluate?

We were manually scanning before using Tenable Nessus. We looked at Rapid7 but we are satisfied with Tenable Nessus. 

What other advice do I have?

I would suggest that people considering this solution should choose the cloud-based solution versus the on-premise version.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Ladislav Solc - PeerSpot reviewer
Managing partner at a tech services company with 51-200 employees
Consultant
We can deliver a high level of consulting using this product.
Pros and Cons
  • "We looked at Tenable, Qualys and Rapid7. We found Tenable was the best of all three."
  • "From my point of view the solution basically is not for the big enterprise."

How has it helped my organization?

This is something that allows us to quickly get a really important information context. We can now deliver highly professional consulting using the product.

What needs improvement?

From my point of view, the solution basically is not for large enterprises. I also think there should be built-in plugins for the public cloud vendors.

What do I think about the stability of the solution?

I'm happy with stability, there's no problem from my point of view.

What do I think about the scalability of the solution?

For an average sized company or for smaller enterprises, this solution is suitable. But, for large enterprises it's not a good choice. We have one customer with more than 5,000 servers. I do not think it will be suitable for that customer.

How are customer service and technical support?

We communicated via email to solve our issue. The experience was quite good for us.

Which solution did I use previously and why did I switch?

We switched because our previous solution was too expensive for us.

What's my experience with pricing, setup cost, and licensing?

My advice when choosing a vendor is to always consider:

  • Trustworthiness
  • Quality
  • Price

Which other solutions did I evaluate?

We looked at Tenable, Qualys and Rapid7. We found Tenable was the best of all three.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Manager at Medmen
User
Provides multiple recommendations towards the remedy of vulnerabilities
Pros and Cons
  • "It provides multiple recommendations towards the remedy of vulnerabilities."
  • "It allows me to prioritize efforts and utilize effective technical resources."
  • "They should improve the I/O reporting and the customized spreadsheet export feature."
  • "Multiple steps to create an actionable plan will be a great addition to Nessus."

What is our primary use case?

I use Tenable Nessus to evaluate the security posture of multiples acquisitions before integrating them to our network.

How has it helped my organization?

Tenable Nessus has helped us visualize the security posture of acquisitions. It provides actionable recommendations to the implementation team towards security remedies.

What is most valuable?

I have found the remedy recommendation feature helpful, as it:

  • Provides multiple recommendations towards the remedy of vulnerabilities.
  • Allows me to prioritize efforts and utilize effective technical resources.

What needs improvement?

  • They should improve the I/O reporting and the customized spreadsheet export feature.
  • Multiple steps to create an actionable plan will be a great addition to Nessus.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Tenable Nessus Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2022
Product Categories
Vulnerability Management
Buyer's Guide
Download our free Tenable Nessus Report and get advice and tips from experienced pros sharing their opinions.