Tenable.sc Reviews

We primarily use the solution for vulnerability scanning across the network . 

A few months back, I conducted a training on Tenable SecurityCenter for a Reputed Bank. I had to teach the Usage and features and then show them how the scan things work and how results can help analyze and report. also helped developing some use case like Scheduling scan and email that to specific users for mitigation, Generating Alert for particular level of vulnerability etc.

In Tenable SecurityCenter, the Risk-based approach for Prioritizing vulnerability is something that is unique to any vulnerability management platform. Compared to Qualys and Rapid7, Tenable VPR is a special thing that those products don't have. The security over the CVSS and V1 and V2 with the VPR feature help an organization reveal the exact risk of any asset. There might be thousands of vulnerabilities, however, the most impactful vulnerabilities are listed and prioritized in the VPR. 

As tenable SecurityCenter is powered by popular Nessus technology, It is really easy to set up.

The solution is stable and considered as the most solid vulnerability management platform in the industry. 

Tenable.sc provides a wide range of dashboards which makes it easy to grasp the vulnerability profile of the organization. These dashboards allow us to view vulnerabilities in different categories in a simple to understand format. The upgrade to Tenable.sc+ has improved on this as well. Regularity of plugin updates are also exceptional. The speed at which tenable has pushed plugin updates and overall platform updates is great. Also the automatic update capability makes maintenance very simplified. Easy to use User interface. For someone who is not familiar with Tenable.sc, the interface is not difficult to follow along and the documentation makes it very simple for anyone

The solution has a very nice Asset discovery feature that gives you gives you unified visibility of your entire attack surface, As It leverages Nessus Sensors, a mix of active scanners, agents, passive network monitoring, and CMDB integrations to maximize scan coverage across your infrastructure to reduce vulnerability blind spots. This mix of data sensor types helps you track and assess both known and unknown assets and their vulnerabilities

The solution is a bit on the expensive site. In a country like  Bangladesh, most of the customers don't have a budget that could afford Tenable SecurityCenter. They'd rather go for Qualys and Nexpose, which cost less. The licensing policy is something they can improve. 

Support could be faster.

I've used the solution for last 4 years now. 

The solution is verry stable. That said, some customers complain about the results and how they are shown. Compared to Nessus, if a customer gets used to using Nessus, and then comes into Tenable SecurityCenter, then the compliance results are an area where they might find a difference. In Nessus, the compliance results are shown in past and failed. In Tenable.sc, it's shown in medium and high. This could be more clear. 

Tenable can be scaled easily, just to add additional IP's on the licensing and that's it.

I haven't really dealt much with technical support. In the initial stage, however, when I started deploying Tenable SecurityCenter, I faced a bit of a challenge implementing the Nessus Network Monitor. I figured it out, and now I don't have issues. 

Support is top-notch, however, in terms of response times, they are slow, and they need to be faster. 

Neutral

I have also worked with Qualys for a long time.

In our country, People are yet not comfortable adopting SaaS/cloud based solutions also,there are some government jurisdictions that require data to be within the country and an on-prem solution is always needed for the organization. Other solutions, Qualys and Rapid7, are mainly cloud designed. Tenable SecurityCenter is the only solution that can be fully on-prem for small to mid Enterprises. 

Also, Tenable is better for compliance requirements in terms of regulations around vulnerability management. it has reporting on compliance with pre-defined checks, metrics and proactive alerts on violations for industry standards like CERT, NIST, DISA STIG, DHS CDM, FISMA, PCI DSS etc. and regulatory mandates. while it comes to other solutions i dint find the compliance feature as good as Tenable 

The initial setup is simple. It's not complex at all. 

You can go with the installer for Tenable SecurityCenter, which has an installer file for Linux and Unix platforms only. talking about the Nessus scanners, It can be deployed anywhere, including on Windows machines or Linux. There is not much of a challenge to it.

The time it takes to deploy varies. For example, what is the implementation size? How many IPs, and what are the sites? Those things change the timing. If it's a stand-alone setup, it can take around one to two hours to deploy. If you are also talking about onboarding the IPs, and scanning all those IPs, it can take a working day to complete.

The pricing is a bit high for the region. 

Its cost depends on the Number of Assets. The licensing is per year. 

We sell Tenable.

I'm using something around version five. I have installed the demo version of it in my Docker.

The product really stands out in comparison to the competition. However, the price tag is a bit on the higher.

I would advise new users to scan all assets and grab the results and set up all security postures and do stats for mitigating those attacks which are critical. For the first time, I would recommend they go for the critical and high vulnerabilities first in order to mitigate effectively very early on. 

I'd rate the solution nine out of ten.

At work we use the enterprise version of Tenable, Tenable.io, and I also use Tenable.sc — which I refer to as SecurityCenter — for local scanning.

I use Tenable SecurityCenter every day to scan our entire environment for vulnerabilities. I use a local license during the discovery process for penetration testing. So I'll do an en masse scan, and then also do a scan with Tenable to scan for IPs and vulnerabilities.

User-wise, with Tenable SecurityCenter, there's different roles. We have security analysts, admin, etc. I'd say there's probably four or five different roles from people that can just go in and view. Security analysts can upload manual scans and create dashboards and download reports. Then administrators can create accounts, assign roles and responsibilities, and things like that.

Tenable SecurityCenter has absolutely improved our organization, by making everything more secure and helping ensure solid vulnerability management.

The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful.

I'm pretty happy with it, but I do see a lot of stuff coming out about risk-based vulnerability management. And so I've been looking at that. I don't think we're using that as of yet and it seems like a newer feature they're talking about a lot that I'm interested in.

I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on.

There was also an issue with SecurityCenter once where we had agents deployed on each device, and while it was scanning we were collecting the data real time. During this process, we had an enclave that was not submitting. It didn't have the agent installed because it wasn't connected to the enterprise network.

They were scanning locally and submitting the scans and we would then upload them into SecurityCenter manually. Each time that there were any duplicates with host names or IPs, or that there were issues with the scanner device with authentication, it failed. But then you scanned it again and it was successful.

When you uploaded that, SecurityCenter was counting it as two devices. And when you ran your report for unauthorized devices, even though it was scanned a second time successfully, the first time would show as a failure. So it was throwing off reporting.

So we would run a report and say, "Okay, which device has failed scanning with authentication?" And it would give a device and we'd be like, "Well, here's the secondary scan showing that it was successful." And so we were having to manually go in there and delete the failed ones.

And that was a pain in the butt. We eventually got that enclave online so we fixed the problem, but I felt that was a limitation of Tenable SecurityCenter that it couldn't see that.

I have been using Tenable SecurityCenter for the past few years now.

We have only run into one troublesome issue that I can remember. It had to do with the way SecurityCenter inaccurately reported real-time scan results whenever there was a transient problem such as with a duplicate host name or IP, or with authentication.

It was a pain to deal with, because we kept having to go in and manually delete all the failed (but actually successful) scan results.

When it comes to scalability, so far so good, and no issues. We've got the whole environment monitored right now and I don't see any significant increases in use anytime soon.

Their technical support is good. Because I don't give out tens much for anything, I would say in the eight to nine range, out of ten.

For vulnerability management, Tenable SecurityCenter is the only one I've used in the past six years. Though we do use other tools in conjunction with it.

We've pretty much used Nessus for scanning, vulnerability management, and reporting, and that's it. And it does it very well. And then I use different tools for other things. I'm sure Tenable had that on the plugins for other things, but we don't use those.

The setup is straightforward.

I personally implement SecurityCenter with a local license. And then we also have different roles like security analysts and administrators who can just go in and perform various functions such as uploading manual scans, creating dashboards, downloading reports, assigning accounts, and so on.

I use a local license to perform penetration testing and I'm pretty happy with everything when it comes to pricing and licensing. 

I can easily recommend Tenable SecurityCenter, and I have nothing really bad to say about it. I think it's a great tool for what it does. I enjoy the webinars, and the people that run the company seem very engaged with what's going on when you're into current events and the overall security climate, and they're continuously looking to improve.

I can't speak to every option that they have, but I have no reservations recommending them.

I would rate Tenable SecurityCenter an eight out of ten.

Essentially we use the solution to monitor hard devices on a network with it. That includes laptops, desktops, tablets, et cetera. I'm just using that to make sure that all of our patching is up to date.

The UI, the user interface, is really, really good. It's really simple. I started with no prior experience in vulnerability management and picked it up in less than a day, pretty quickly. It's very intuitive.

Their overall cost of service is pretty good. 

I've worked with my CS manager and with them a lot, and I'd say every case I've opened, they've reached out to me within two hours. They're pretty prompt in their responses and overall the company is really easy to get ahold of.

Scaling the solution is very easy.

The stability of the product is pretty good.

The biggest issue I have with the solution is when I'm using the scanning it picks up the original DNS of that device. That means, before we image it and actually change the DNS to something within our company structure, it'll just be random numbers and letters and Tenable will stick to that DNS for a long time. I'll be searching for a gallery or a laptop and I can't find it due to the fact that the DNS when it was scanned went in as something non-sensical, like M P X 23 Z. That's the biggest issue I have with it. it's some sort of strange glitch.

While I started using the solution in January of last year, the company itself has been on the solution for about three years or so.

The stability of the solution has been quite good. I haven't experienced any real problems so far. It's been a rather smooth proess.

Scaling the solution would be pretty simple. The process would require us to reach out to Tenable to get more licenses, however, that's a pretty simple process. Overall, it's pretty easy. Essentially it'd just be adding a list of all the new IPs into any asset groups that they would be involved in. I don't think it would take much longer than a week.

Technical support is excellent. They are extremely responsive and very helpful. We are quite satisfied with the level of support we've received from them.

I would give them a ten out of ten. They are very prompt and very knowledgeable. They are great at answering questions and walking you through anything step-by-step.

When I started, the company was actually in the process of revamping the solution. 

It was a two-day process and the company walked us through the entire thing. I had a Tenable engineer on-call with me for eight hours. It was a long process, however, it was easy as they were walking me through it, step-by-step.

When we did a recent re-vamp, Tenable was on hand to walk us through the entire process. We had a very positive experience with them.

I don't handle the billing and therefore don't have an exact idea of how much the solution costs.

We just renewed the solution and didn't look into any other product on the market before we did.

We are just customers and end-users of the product.

If a company does decide to implement the solution, I'd advise working with Tenable engineers during the process, and even afterward, in order to ensure everything is set up appropriately.

I'd rate the solution at an eight out of ten We've had a largely very positive experience with the solution so far.

The reporting vulnerability is very helpful when you link it with the people who close it with the admin and support team, giving them the criticality to find how to close each item.  And it's up to date with all the vulnerabilities on the market thanks to prompt updates from the cloud.

In the next release, we would like to see the inclusion of external IPs and simplified reporting that's easier to deal with.

We have been using this solution for about two years.

The solution has been very stable up till now. I would give it nine or 10 out of 10 for scalability

For our size, it's scalable. It covers all the bank infrastructure and all that we have.

Two or three people from the security team manage the solution, but they extract it for the IT team to take action in different areas, including infrastructure and domain support. So 10 or more people assess the reports to fix the issues.

We are happy with the support from the Tenable side. But sometimes the vendor's people move between areas too often, causing occasional shortages on technical issues inside the country. When you raise tickets, the vendor sometimes takes some time to respond, but they are always helpful. 

Positive

Previously we used Rapid7, but we switched after comparing it with the solution because it had some additional features that we needed.

Overall, the initial setup was smooth and easy. Later we had to integrate it with other solutions in the system, but it didn't take long.

We had a consultant for two weeks at the beginning but in the end, we completed it, doing most of the work ourselves and gaining valuable experience. And, of course, we had to set up our systems inside the bank and the structure of the scope of the vulnerability, so that made it about a month.

Four people were involved in the deployment, two from the vendor and two from our team.

We're happy with the licensing cost and find it affordable.

We paid for three years, mostly for the finances and sourcing, but all features are inclusive.

I would rate our licensing cost as eight on a scale of one to ten.

I would give the product an overall rating of nine out of 10.

The product is a very good solution. I would advise potential users to look at other solutions. The product is our second solution, and we are happy that it meets our requirements.

We had a requirement to connect multiple branches into one console. We installed Nessus at multiple locations and then connected Nessus. We did the service scan and got the report on the central site with Tenable SC.

Previously, we were using Nessus, which required a lot of manual work in terms of reporting. We do a lot of customization, and Tenable SC has been very helpful. Reporting is just a click away in Tenable SC, whereas it used to take a long time to create a similar report and customize it in Nessus. 

Tenable SC is good for reporting and alerting. The filtering feature is also very valuable.

Its integration with multiple vendors is quite good. It can be integrated with SIEM solutions and PAM solutions such as Thycotic, which is very helpful.

There is not much room for improvement. However, there should be a guide that describes the step-by-step procedures for doing tasks. Otherwise, training is required from a senior guy to a junior guy.

Our usage is the same. Currently, no increment is required in terms of the license.

They are good.

We used to use Rapid7, but there were too many false positives. So, we switched to Nessus, but in Nessus, we faced the challenge of reporting. Nessus required a lot of manual work in terms of reporting. Tenable SC has been quite helpful for reporting. 

It is not straightforward. When you do integrations, it turns into a complex solution, but this complexity is required. If security is a priority, then complexity will be there for enterprise security.

It didn't take a long time. In one month, we were able to configure and run the reports. Everything was done within a month. We were in desperate need of such a solution, and this solution came. We already knew about integrations from the white papers and documents available on the Tenable website. They were very helpful. So, doing integration was not an issue. We did it without much effort. 

I was heading this project as a project manager.

It is a much better solution than other competitors. It provides almost everything that is required in terms of vulnerability management. If you are looking for overall enterprise security in terms of integrations and vulnerability management, you should go for Tenable SC or Tenable SCCV.

I would rate Tenable SC a nine out of ten. 

I primarily use Tenable SC for vulnerability management i.e. to detect vulnerabilities in servers, workstations, and some IoT, produce, prioritize, and validate a mitigation strategy, and keep the mitigation on track so the CISO can detect changes in the posture. 

Tenable SC's most valuable features are the low number of false positives and the strong capability of providing prioritization for the vulnerabilities detected.

Tenable SC could be improved with additional connectivity to external company postures and the capability of managing and sustaining agents in the systems directly without additional platforms in the middle.

I've been working with Tenable SC for seven years. 

In seven years, we haven't had any problems with Tenable SC's stability. Sometimes a specific update doesn't feed exactly as expected, but the problem is always covered quickly by Tenable, and with a stable version, it's very, very stable.

Tenable SC's system can be multiplied by different installations and have on-top management and a single pane of glass. So it can scale with only one system - almost to half a million assets. And with multiple systems, we can have more than a million assets without problems.

Tenable's American technical support is excellent, though the European version is not quite as good as it takes longer to provide the right information.

Positive

The initial setup is very, very easy, even with the on-prem version, and depending on the customer's size and the complexity of the infrastructure, it can be done in one day.

Tenable SC can cut manpower costs on manual scans and analysis by more than half within one or two years.

Tenable SC is priced per asset, with the basic solution starting around US$12,000 for 500 assets. There's an additional cost for advanced support.

Tenable SC is suitable for medium and large companies, but it's not feasible for small ones. If you're in the US, I advise buying services from Tenable to implement the system instead of trying to implement it yourself. There are always some tricks that come with knowledge of the product that will make for a faster and better installation. Similarly, if you're in EMEA or Asia, please choose a good integrator. I would give Tenable SC a rating of nine out of ten.

We use the solution for patch and vulnerability management. We scan our critical systems, keep track of any exploitable vulnerabilities, and prioritize their remediation efforts in terms of patching. 

In the future, we hope to extend the solution to our cloud services. We are moving to Azure Cloud and planning to start a DevOps initiative that might include container deployment. We know Tenable has the CI/CD pipeline security support so we will seek that solution when we are ready. 

The solution has a lean and easy-to-use interface that is not confusing to first-time users.

The solution should include compliance-based scanning. 

I have been using the solution for three weeks but my company has been using it for one year. 

The solution is very stable. 

The solution is scalable and we are happy with the way it is operating. 

We currently have forty users and a team of four for maintenance. 

Technical support has been excellent and provides a lot of support when needed. 

The company was using OpenVAS, an open-source solution that is miles apart from Tenable. 

At a previous job, I used Rapid7 which compares strongly to Tenable. 

I did not handle the initial setup but know from previous implementations that setting up a vulnerability management solution can be somewhat complex because it involves loading assets, configuring the network, and authenticating.

The ROI is almost guaranteed because there is a lot of value in using the product and reporting that to our company. 

The price is reasonable based on our scope of work and how we use the solution. 

The rule is always garbage in, garbage out. Be sure to configure the solution well and take advantage of technical support to understand how things should work. Mistakes are made when people assume they know how to do things. I believe in using technical support to confirm the process and ensure everything is done correctly. 

I rate the solution a ten out of ten. 

Tenable SC can be used in any company for vulnerability management life cycle.

It's a very useful tool.

Internal ticketing systems require improvement. 

The GUI could be improved to have all concerns and priorities use the same GUI, allowing them to see all tickets, assign vulnerabilities, and assign variation failures to each member of their team.

I have been working with Tenable SC for more than five years.                                                             

Tenable SC is very stable.

According to the sizing that we are dealing with in this first stage, it is very scalable.

We have not experienced any issues with the scalability of Tenable SC.

The information security team has access to the solution. The number of users varies from one environment to another. It ranges, from five users to ten users maximum.

The same number of users can easily deploy and maintain this solution, included the access manager, administrator, and anyone who can configure the policies they test.

Tenable technical support is very good. They are very helpful, and responsive.

We had experienced some delays in two or three tickets we started, but that may have been because of the client, they were very unresponsive.

Overall, the technical support is very good.

I have worked with Rapid 7 and Qualys.

The installation is very straightforward. It's the easiest solution that I have ever implemented.

The installation was quick, taking no more than one or two minutes.

I completed the installation myself. It can easily be installed by anyone.

The license is perpetual and is based on the number of IP addresses you want to scan in your organization.

The support comes with a different license.

Tenable SC is without a doubt a good choice.

I would rate Tenable SC a nine out of ten.