2018-08-29T19:26:00Z
Julia Frohwein - PeerSpot reviewer
Senior Director of Delivery at PeerSpot (formerly IT Central Station)

What needs improvement with Tenable Nessus?

Please share with the community what you think needs improvement with Tenable Nessus.

What are its weaknesses? What would you like to see changed in a future version?

37 Answers
LO
Founder & CEO at a tech services company with 1-10 employees
Real User
Top 5
2022-07-29T14:24:10Z
29 July 22

Tenable Nessus could improve the reporting.

Md. Shahriar Hussain - PeerSpot reviewer
Cyber Security & Compliance Lead Engineer at Banglalink
Real User
Top 5 Leaderboard
2022-07-29T08:07:23Z
29 July 22

There is very little to improve but cloud security tests would be something helpful to have. Tenable could also offer some penetration testing-related services, which would be beneficial.

Wessam Altoumi - PeerSpot reviewer
Chief Commercial Officer at Yamamah Information Technology & Communication Systems LLC
Real User
Top 5
2022-07-14T06:48:15Z
14 July 22

Technically, it is an excellent solution and the best one available in Libya. My only concern is related to its pricing. They are an emerging company in Libya, and they need to put in some effort to provide us with very good prices so that customers can go with the best solution. Chinese companies are getting into the market here, and they're providing very cheap solutions.

JK
CBO at a security firm with 11-50 employees
Reseller
Top 5
2022-06-16T15:24:35Z
16 June 22

I would like to have a management option after the network scanning.

BE
Security Analyst at PJM Interconnection
Real User
Top 20
2022-05-19T17:46:25Z
19 May 22

Tenable Nessus could improve reporting and information sharing. It would be helpful if we could share the reports and have a little bit better flexibility in the reporting of the data. In the next release, they should add some more integration with other security solutions that would be helpful.

JF
Security Engineer at a media company with 10,001+ employees
Real User
2022-04-04T23:29:32Z
04 April 22

Tenable Nessus could improve by having more steady updates which will reduce the vulnerabilities.

JR
Information Security Manager at a transportation company with 1,001-5,000 employees
Real User
2022-02-16T17:53:17Z
16 February 22

The interface is a little bit clunky, and the reporting is not marvelous. There should be better integration of reporting between instances. Currently, the instance stands alone, and it produces a report. Being able to amalgamate those reports with another instance will be useful.

PK
Independent consultant
Consultant
2022-01-26T00:10:30Z
26 January 22

The reports should be improved in Tenable Nessus. For example, when you are auditing compliance with CIS standards, it provides very poor reports.

Dhananjay-Naldurgkar - PeerSpot reviewer
Senior Consultant - Cyber Security Services at Coforge
Real User
Top 20
2021-12-21T09:16:00Z
21 December 21

While Tenable Nessus is a good enterprise solution, the high price would likely make it prohibitive to smaller organizations. We feel the licensing cost to be too high for our customers and us. EQA's and dashboards should be addressed in the next release.

LO
Founder & CEO at a tech services company with 1-10 employees
Real User
Top 5
2021-12-08T22:52:56Z
08 December 21

I'd like to see a dashboard for this product because the report for counters is too simple. There needs to be something better for the client.

MK
Manager Information Security at a financial services firm with 51-200 employees
Real User
Top 5
2021-11-15T20:55:00Z
15 November 21

In terms of what could be improved, I would say that the reporting feature needs to be improved. Additionally, although it has the features, the enterprise edition is very limited. They need to add multiple reporting features in the enterprise edition.

VK
Information Technology Security Specialist at a tech services company with 201-500 employees
Real User
Top 5
2021-10-06T11:18:42Z
06 October 21

Some things in the user interface could be better. The user interface could allow more adjustments to plugins. The price could also be better.

Attila Mate Kovacs - PeerSpot reviewer
Senior Cyber Security Expert at a security firm with 11-50 employees
Real User
Top 5 Leaderboard
2021-09-09T15:45:48Z
09 September 21

The price could be improved. They need more flexible pricing. If they had a very creative idea, maybe they could add a special feature. Even extending functions, or exploring new areas. If they were able to integrate it with the existing solution, that would be fine. I would like to see more integrations, more ideas or services, and functions offered. It's about wider functionality and not a question of integration. It's more a question of creativity. If they have other ideas such as what could be added to the vulnerability management.

JV
Cyber Security Engineer at a manufacturing company with 5,001-10,000 employees
Real User
Top 5
2021-08-03T16:22:52Z
03 August 21

Unfortunately, the solution consumes more system resources when it's being run and I'd like that to be reduced.

Muhammad NavaidZafar Ansari - PeerSpot reviewer
Assistant Manager of Information Security at a pharma/biotech company with 1,001-5,000 employees
Real User
Top 20
2021-06-19T08:51:47Z
19 June 21

While the solution is great for scanning servers, its features are limited when it comes to scanning network devices for vulnerabilities.

NagarajSheshachalam - PeerSpot reviewer
Lead Cyber Security engineer at a tech services company with 201-500 employees
Real User
Top 5
2021-05-19T12:15:00Z
19 May 21

The solution should have a more in-depth level of scanning, with features to meet the developers. Other points that should be addressed involve the understanding of issues by the users and the need for improvising the reporting structure. The reports should also be more attractive and user-friendly. This is how Tenable Nessus occasionally works when drawing up something on the field. Additional features I wish to see addressed in the next release include customer support and ease of understanding of vulnerabilities and how they can be fixed. In contrast to Tenable Nessus, we have found Veracode to be more user-friendly, with a greater in-depth understanding of the details and how things can be fixed. Other points in its favor include study cases, customer support, training and e-learning. The solution is sort of down the mid range, so we are more happy with Veracode.

Kai Boon Giam - PeerSpot reviewer
Director at Data Connect Technologies Pte Ltd
Real User
Top 5 Leaderboard
2021-04-06T11:59:58Z
06 April 21

The price could be reduced.

AB
Chief Hacking Officer at a security firm with 1-10 employees
Real User
Top 20
2021-02-19T09:45:24Z
19 February 21

The reporting interface is in need of improvement. The reports are okay, but the interface is a bit difficult to navigate in some cases. Nessus is not very good at identifying web application vulnerabilities, which means that we need to buy another product like Acunetix or EMC Networker to handle that part. This is an area that could be enhanced because we would prefer to have these capabilities in one application.

SP
VP - Risks, Audits & InfoSec at a tech services company with 501-1,000 employees
Real User
2021-02-09T16:13:00Z
09 February 21

In terms of what could be improved, I would say its reporting portion. Additionally, we have the on-prem version, but sometimes we want to have an on-cloud deployment as well for certain projects, although not so many. The people who used it on cloud didn't find it as good as the version they were using on-prem. Overall, the cloud version could be improved.

DG
CSSP Manager at a tech services company with 51-200 employees
MSP
Top 5
2021-01-13T19:38:19Z
13 January 21

The reporting is a bit cumbersome. A lot of times you have got to, if you want to test things, go in and then back all the way out, and then try something else, and that just becomes cumbersome. The testing functionality could be better. The way they had set up the scan sometimes is difficult as well. It's partly due to how it's set up where I am. It's not necessarily a Tenable thing, however, the user, how they assign users and roles, is strange. Sometimes if a coworker sets up a scan, I can't start it or stop it. That's just something that may be an issue on our set-up and not a Tenable issue.

FF
IT Security Operations Analyst at a manufacturing company with 10,001+ employees
Real User
2020-12-13T06:30:07Z
13 December 20

The only thing that I don't like is KBs information. For example, if we scan our workstation and you go to the results report that Nessus provides, we are going to see a lot of KBs as remediation. But in most cases, the KBs are always superseded. Also, we are not able to apply those because Microsoft has already released a new TB. Nessus is not doing a good job in updating its remediation section of the reports. Remediation needs improvement. They are providing a lot of superseded KBs as remediation. For example, when you share that with several team members or with one individual, and you ask them to work on this, they reply with Microsoft already has something new.

MH
Owner at a tech services company with 1-10 employees
Real User
Top 5
2020-12-07T21:15:00Z
07 December 20

The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else. 
I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan." I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day. In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CV database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. 
They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers.

Daniel Durante - PeerSpot reviewer
Senior Manager at a security firm with 201-500 employees
Real User
2020-10-28T20:22:37Z
28 October 20

Currently, they don't have all of the features that I am looking for. I am looking for a technology that installs agents into the machines to perform complicated scanning. That's a good feature that I'm looking for. Our issues are not all due to Tenable Nessus; we have more than one console that we administrate.

VP
Vulnerability Management Analyst at a financial services firm with 10,001+ employees
Real User
Top 20
2020-10-04T06:40:14Z
04 October 20

It wasn't very clear how the scripts are running the scans. There's information about the script but it's not straightforward. The script information for each of the plugins should be available, but it doesn't give us straightforward direct information about how it was executed. That needs to be more clear. We find that the solution causes several issues due to the fact that it runs even before it calculates, the asset in prevention. I can't think of any features that are lacking.

MadhavanSrinivasan - PeerSpot reviewer
CEO at Screenit Labs Pvt Ltd
Real User
Top 10
2020-09-21T06:33:15Z
21 September 20

Some of our customers are operating on the cloud as well as on-premises. We would like to have the option of using the solution for the cloud as well as on-premises with the same license at the same time. That would be very helpful.

Jairo Willian Pereira - PeerSpot reviewer
Information Security Manager at a financial services firm with 5,001-10,000 employees
Real User
Top 5 Leaderboard
2020-08-06T15:26:00Z
06 August 20

- Add the possibility to customize attributes that define the assets critical level based on the company's "business sense".
- Improve integration and tests for OT platforms, OT application, OT hardware, and non-Ethernet protocols.
- Improve the exchange of info/insights/attributes with RM (Risk Management) domain.
- Offer a more flexible strategic and high-level dashboards based on previous comments (minus technical and more business-oriented)
- Model OS costs (and its segregation schema for individual modules).

NM
CISO at a financial services firm with 201-500 employees
Real User
2019-11-27T05:42:00Z
27 November 19

One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful. If the scans which I have already prepared could be used to combine the results into one report, it would save me additional work. Also, when a new machine is brought into the domain, when it's first connected by the system administrator, it would be good to have some kind of automatic, basic vulnerability scan. Of course, I would have to enter my credentials if I wanted something additional, but it would be useful if, the first time, that basic process happened. Otherwise, it can be problematic for me when, for example, a new Oracle Database is brought on. I may only be notified after 10 days that it has been connected and only then can I do a vulnerability assessment and I may find a lot of vulnerabilities. It would be better to know that before they put it into production. It would be great to have something automatically recognize a new server, a new PC, and do a basic vulnerability assessment.

JH
Network Security Engineer at a construction company with 1,001-5,000 employees
MSP
2019-11-18T07:22:00Z
18 November 19

We use credentialed scans. They need more permissions and more changes or settings on Windows and Linux. Also, Agent scanning is more efficient than credential scanning but Agent scanning is more expensive than credential scanning. I prefer, mainly, the Agent scan over the credential scan, it's better. But we will continue to use the credential scan. I would like to see Tenable make some improvements to the credential scanning; more vulnerabilities, because most of the problems have occurred on Windows Server. We have some scanning issues.

Keith S. Crumpton - PeerSpot reviewer
President and Sr CISO Consultant at CISO Consulting Inc.
Consultant
2019-11-14T06:34:00Z
14 November 19

One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that. Or, if they change the product itself for you to add comments of remediation efforts and allow you to sort on that and report on it, that would be helpful. Most of us would rather not have that information out in the cloud. We'd rather have it in-house. It would be better if you could provide it in an Excel spreadsheet for us to work with.

JK
Security Architect at C. H. Robinson Worldwide, Inc.
Real User
2019-11-13T05:29:00Z
13 November 19

There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product. There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.

JK
Senior Systems Administrator at Government Scientific Source
Real User
2019-11-07T10:35:00Z
07 November 19

The Nessus predictive prioritization feature is very nice, the way it displays. The interface could look better, but it has everything it needs. It could do a better grouping of the workstations and run a better schedule. But it was sufficient in what it provided. There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it.

SD
Senior Infrastructure Project Manager at an energy/utilities company with 501-1,000 employees
Real User
2019-09-08T09:50:00Z
08 September 19

I would like to see an improvement in the ranking of high, medium and low vulnerability.

Miguel Angel Hernández Armas - PeerSpot reviewer
Implementation Engineer at GFx Soluciones
Real User
2019-01-16T20:28:00Z
16 January 19

* I think that the next versions could improve the graphical interface to make more intuitive the management of the reports.
* Additionally, it could include better features in the vulnerability scan at the language level.

KalaiarasuSanthirasekeran - PeerSpot reviewer
Security Professional at a tech services company with 10,001+ employees
Real User
2019-01-10T08:22:00Z
10 January 19

The reporting functionality needs improvement. I think it would be beneficial to have a high level explanation for a particular user.

Thomas Kung - PeerSpot reviewer
Senior Consultant at Foris
MSP
2018-10-28T09:34:00Z
28 October 18

This is still a maturing product. Tenable is only a scanner for one ability, while other solutions like Rapid7 have more tools for verification. We still have to manually verify to see if the vulnerability is a false positive or not.

Ladislav Solc - PeerSpot reviewer
Managing partner at a tech services company with 51-200 employees
Consultant
2018-10-24T14:07:00Z
24 October 18

From my point of view, the solution basically is not for large enterprises. I also think there should be built-in plugins for the public cloud vendors.

AK
IT Manager at Medmen
User
2018-08-29T19:26:00Z
29 August 18

* They should improve the I/O reporting and the customized spreadsheet export feature.
* Multiple steps to create an actionable plan will be a great addition to Nessus.

Related Questions
Netanya Carmi - PeerSpot reviewer
Content Manager at PeerSpot (formerly IT Central Station)
Dec 15, 2021
Which is better and why?
See 1 answer
Janet Staver - PeerSpot reviewer
Tech Blogger
15 December 21
The thing I like most about Tenable Nessus is its ease of use. I also like that it has highly customizable scans. Compared to other tools I have used in the past, Nessus has more plugins/add-ons, tests, and templates. In addition to being easy to set up, it provides you with the ability to safely migrate applications to the cloud. Tenable Nessus scales well with good VPR scores too, and so far I haven’t experienced any challenges. Another feature I really like about it is the plug-in text information, which I find to be quite useful. Overall, from what I can tell, the solution is also very stable and fast. One downside is that I feel the technical support has been quite disappointing. Qualys VM is excellent. It successfully provides continuous monitoring, it is simple to install, easy to maintain, good for scaling, and has very helpful technical support. Qualys VM also includes asset tagging and asset grouping, which I really like. Their dashboard is also flexible, allowing you to customize it any way you need to. While Qualys VM is a great solution and is reasonably steady, it also has a lot of room for improvement. Although their dashboard is customizable, it would be better if it had different tabs that allowed you to see trending vulnerabilities so that the trend analysis is easier. It does not have any features for scanning SCADA, Industrial Control Systems, and IoT. And the solution itself is pretty generic and could benefit from the addition of more assets. Conclusion: Tenable Nessus was the right choice for me because it fulfilled my business requirements, but also because I felt Qualys VM still has a long way to go.
Ariel Lindenfeld - PeerSpot reviewer
Director of Content at PeerSpot (formerly IT Central Station)
Feb 04, 2021
Let the community know what you think. Share your opinions now!
2 out of 5 answers
FN
User with 10,001+ employees
10 October 19
- Great dashboard
- Reporting
- Supports multiple formats (PDF, CSV, XML)
- Ease of management
CP
Team Leader - Applications Consultant at a tech services company with 501-1,000 employees
09 December 19
It should support any or all platforms, depending on where you will need to use it.
- OS (Linux, Windows)
- DB (Oracle, MS SQL, DB2, etc.)
- Cloud (Azure, AWS, Google)