Top 8 Vulnerability Management Tools

Tools compared: Tenable Nessus, Rapid7 InsightVM, Qualys VM, Tenable SC, Skybox Security Suite, Acunetix, Rapid7 Metasploit.

Find out what your peers are saying about Tenable Network Security, Rapid7, Qualys and others in Vulnerability Management. Updated: May 2021. 502,104 professionals have used our research since 2012.

Reviewer highlights:

1. The reports are pretty nice and easy to understand. Out of the box, the product works well for us, so it's not a tool that we need to customize very much.
2. I have been in contact with technical support and they are not bad. When you connect any new device to the network, Rapid7 has the ability to detect the new device immediately. It can scan that device to detect if it has any vulnerability. It tells you what is vulnerable and what has been misconfigured. It also tells you what the risk of that misconfiguration or lack of patches is and how to resolve the problem.
3. The prioritization feature is great. I think it has all of the advanced features that we need. I like Qualys because it is a very complete product, more so than Tenable.
4. Tenable SC is good for reporting and alerting. The filtering feature is also very valuable. Its integration with multiple vendors is quite good. It can be integrated with SIEM solutions and PAM solutions such as Thycotic, which is very helpful.
5. Skybox deployment is simple, and it's very useful. It's very supportive and very user-friendly.
6. Overall, it's a very good tool and a very good engine. Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden.
7. They are on a good trajectory as a company and investing in R&D in the right ways. The initial setup is very straightforward.
8. All of the features are great. The reporting on the solution is good.

Advice From The Community

Read answers to top Vulnerability Management questions.
Ludwing Caviedes
I'm a VP Innovation and Development at a small Tech Services company. Is it possible that a single vulnerability analysis software does not detect the entire spectrum of threats?
Vladimir Jirasek (Real User)

Short answer: No. Long one: start with vulnerability assessment for your key systems. These are: a) anything accessible to the Internet, b) your end-user devices (PC, laptops, mobile). To cover these two (and more), I can recommend Qualys which we have been using, designing and managing for 20 years now. Additionally, to really get your external perimeter clean (that includes DNS and email), I strongly recommend Hardenize. 

Happy to discuss in more detail as needed. 

Ram Balaji (Real User)

No. I think products that work on vulnerability analysis have 2 streams: web application and endpoints/appliances. They don't concentrate on both at the same level. For applications you can look into Fortify, and for endpoints/appliances you can try Qualys, Tenable and Rapid7.

Milton Rodriguez

It depends on the capabilities and reliability of the vulnerability analysis tool. If the tool has high reliability and a low percentage of false positives and false negatives, it may be appropriate to have a single tool.

George Fyffe

You won't find a single tool that will report on all the vulnerabilities that can crop up in your infrastructure. Such a tool would need to cover too many areas (on-prem or cloud, network, database(s)...). A better approach is to start by assessing what you absolutely must protect to protect your business. Work out what is critical and how it can be compromised. Then select tools to help you mitigate the risks. I would also recommend using tools that give you a risk assessment in an easily understood format. Some tools give pages and pages of data and leave you to figure out what it all means. If you are public cloud based, I would suggest you use a specialist tool such as SecureCloudDB to keep track of assets, as they can spin up and down very quickly in the cloud... so they can be part of your infrastructure without your knowledge. Equally, if you're not careful, they can come and go before you have had a chance to spot them.

KimeangSuon

If the vulnerability analysis you mean is on software or applications, such as static code analysis or for the purpose of SDLC review, I think currently Checkmarx, Micro Focus or Veracode should be considered, if this is your requirement.

Stuart Berman (Real User)

What kind of 'vulnerability analysis' tool are you referring to? Static code analysis for code? If so, there are a couple of tools that cover most languages pretty well, Checkmarx and Veracode. Or are you looking for vulnerability management tools like Qualys, Tenable or Rapid7?

Is continuous vulnerability scanning necessary? Are there other approaches to vulnerability management that do not involve continuous scanning?
George Fyffe

As data increasingly moves from on-prem to public cloud, we need a complete rethink about how we view and protect our critical databases. It is common for cloud databases to be spun up, data ingested and then the database taken down again very quickly. In this situation it's clear that continuous scanning to keep your database inventory up to date and vulnerabilities remediated is essential. An hourly, daily, weekly or monthly scan will not keep you updated on what's happening to your most precious resource... your data. However, this can only be achieved by using a product designed specifically for securing cloud databases on a continuous cycle. Trying to re-purpose an on-prem tool to handle cloud databases won't work. Ask an auditor if it's OK to punch a hole in your VPC to allow your current database security tool to assess your security posture!! You can imagine the answer. It's also worth remembering that the cloud infrastructure is essentially handled by the service providers... so AWS, Microsoft, Google.... that's not where the problems will come from. The old days of keeping patches updated are largely gone with our move to the public cloud. It's far more likely that issues will appear from the customer's side of things. So continuous scanning for inventory changes, for vulnerabilities, for misconfigurations... is absolutely essential in my view. If anyone is interested in more detail on this, we have written a short whitepaper describing the issues and solutions. You can find it on our website at

Gilbert-Kabugi (Real User)

I believe vulnerability scanning is usually a scheduled activity where you can vary the frequency of the scans according to your needs and the impact on performance of the target resources. Regular scans ensure you discover any new vulnerabilities while measuring your progress in addressing/remediating previously highlighted weaknesses. Continuous scans may involve unauthenticated scans, to which the alternative would be to use authenticated scans/probes that result in more accurate data or fewer false positives.

Vladimir Jirasek (Real User)

Vulnerability management consists of multiple phases; one of them is vulnerability posture acquisition (basically scanning for vulnerabilities). There are clear advantages in obtaining vulnerability information very frequently (i.e. almost continually), and this is best done with an agent-based solution.

That said, there is no point in doing continual scanning if the process cannot handle the data at the same cadence. For example, there should be automation of triage to categorise detected vulnerabilities immediately and match them against VM policy to derive the action needed.

Our best practice is to process vulnerabilities in our platform, which can be configured with very granular policies. The key is, however, not to overload the IT organisation with requests to fix a vulnerability. Use the trust capital carefully and only push for emergency fixes when the risk warrants it.

reviewer1050960 (CISO at a retailer with 1,001-5,000 employees, Real User)

Because the technology landscape is constantly changing, the threat landscape is also constantly changing, and we as humans can't be perfect, continuous vulnerability scanning is a must.
