Tenable Nessus Review

Tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans

What is our primary use case?

Over 15.000 active assets inside 10 companies belonging to the group, the biennium recurrent project mapped the real situation, in parallel with photography of IT/Security maturity through three main domains: processes, people, and technology. 5 TOEs: Infrastructure, Databases (SQL and Oracle in depth), AWS Cloud, Connectivity (Routers, Switches, and Firewalls against/based on CIS) and Web Application instances (partial tests).

How has it helped my organization?

Nessus has more plugins/add-ons, tests, and templates than previous tools (OpenVAS) and it is faster and customizable using CLI/API features. It offers enough resources for an interesting cost-benefit rating (for small and medium companies) and fewer false-positive events per type of asset.

It helped us to quickly produce a QuickWin report that guided the VulnerabilityMgmt actions and plans within the companies during the next 3-5 years using the same tool/investment/team for all companies inside the group.

What is most valuable?

Scanners and reports using CIS templates ("de-facto" standard, easy to fix and to locate correction tips in the documentation), tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans. You can scale your environment to gradually increase the quality, depth, and quantity of the tests, enabling you to learn and gradually optimize your vulnerability management platform(s)/instance(s). The possibility of integration with other market tools (Kenna, Archer...) is another differential.

What needs improvement?

- Add the possibility to customize attributes that define the assets' critical level based on the company's "business sense".

- Improve integration and tests for OT platforms, OT applications, OT hardware, and non-Ethernet protocols.

- Improve the exchange of info/insights/attributes with the RM (Risk Management) domain.

- Offer more flexible strategic and high-level dashboards based on previous comments (less technical and more business-oriented).

- Model OS costs (and its segregation schema for individual modules).

For how long have I used the solution?

7+ years with Tenable and more than 15y with others.

What do I think about the stability of the solution?

Excellent. Not a single problem during operation time.

What do I think about the scalability of the solution?

Enough (faster than OpenVAS engine).

How are customer service and technical support?

Its SLA/support are enough.

Which solution did I use previously and why did I switch?

OpenVAS. We reached the previous level/threshold/maturity using OpenVAS (a more limited tool when compared with Nessus). I/We believe that the change to a better tool (in this and in other categories) should be carried out when these indicators are reached.

How was the initial setup?

Very simple and fast.

What about the implementation team?


What was our ROI?

Good. Nessus Pro combined with other xLAP solutions to offer a presentation/grouping layer is great. Using SC this curve/point of ROI is slower.

What's my experience with pricing, setup cost, and licensing?

Start small, learn about your problems/fixing time and grow gradually.

Which other solutions did I evaluate?

Several. OpenVAS, Rapid7, Qualys, CORE*, and Retina.

What other advice do I have?

An interesting cost/benefit tool.

Which deployment model are you using for this solution?


If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
1 Comment

Jairo Willian Pereira (Top 5, Real User)

Authenticated users are an excellent way for you to increase the quality and depth of your scanner. You can add/use cloud providers' API keys during tests, local or AD users/credentials with database, telecom devices and other types of digital assets. Normally, the difference between non-authenticated and authenticated scans is very big.