I'm not satisfied with the reporting structure. We cannot do much customization. We can do it in Tenable.sc. We need to maintain two different solutions. We need the on-premise tool for reporting purposes. We would like to have it all as a SaaS-based solution.

If we need to check for a zero-day vulnerability, we must run the scans manually to get the information. It is time-consuming. We need to do a traditional scan regularly to get zero-day information. It would be great if the zero-day vulnerabilities were published.

The reporting capabilities for compliance are bad. I can get the compliance reporting on certain cases, but it is not detailed. We do not have a clear understanding of the Cyber Exposure Score. I am unable to drill down and understand the Cyber Exposure Score.

The one drawback that we have found is the reports. We are still getting reports from Tenable.sc since the maturity levels on the reports are lacking. They need to improve the reporting in this solution. We just aren't seeing that many features or options.

I believe that Tenable.io is currently the best vulnerability management system. Compared to other vulnerability systems such as Rapid7 InsightVM, I find Tenable.io to be one of the best. However, Tenable.io lacks a platform to exploit or test the vulnerabilities it identifies. For example, if I identify a critical vulnerability, I cannot use Tenable.io to determine the risk of exploitation. Unfortunately, Tenable.io does not have a platform to test this.

The initial setup is complex and has room for improvement.

It's a fantastic product, but there are some things to consider. One is the price. Compared to on-prem solutions, the SaaS model can be expensive. 

Price is definitely a concern and needs improvement, especially for the Indian market. While it's a fantastic product, it should be more accessible to small and medium-sized businesses (SMBs). 

Currently, only larger enterprises seem to be able to afford and evaluate it thoroughly.

So, pricing can be improved and be more affordable for the Indian market, specifically for SMBs.

Another area of improvement is customer service and support. Tenable needs to include support in the pricing/license. Currently, they push clients to get support from partners or channel distributors, who often charge a lot. 

Even for a simple one-time setup, they may charge three to four lakhs, and then additional annual charges for ongoing support. We have the technical skills to handle basic tasks, but relying on Tenable itself often results in just receiving emails or being redirected back to channel partners.

So, support should be bundled with the product cost.

Tenable could improve visibility into assets, including automated asset tagging. You should be able to automatically tag assets based on location, function, ownership, etc. That would help us because we spend a lot of time identifying and tagging assets by hand. 

I didn't work a lot with the solution. My experience was pretty smooth. I don't have any recommendations for improvement. Maybe it's because I don't use it a lot.

The only drawback of the solution is that it is expensive. The pricing should be kept lower.

I would like the solution to cover the whole cycle of mitigation since it's an area where the solution currently lacks.

Nessus was created and, like, covered afterward. All the system is built around a basic unit that is mitigation, not the vulnerabilities. You don't have all the vulnerabilities where you build all the processes and all the reports that you have around it. Vulnerability is not like you have this problem. They say to you. Basically, you have a problem, but you don't have the patch. And the patch, inside of it, you have fifteen vulnerabilities, and it appears as a vulnerability. You are missing a patch, but it's not a vulnerability. All the system is built around missing mitigation. As a basic unit that everything is built around, and so this part is what you see when you do reports or when you build dashboards, and you have several databases inside that you can build reports around, but it's all beautiful, and you have a lot of reports, right, out of the box. But when you start creating something that you really need, like a new report, then you're, like, this data is in this database or downloaded database and this in another database of mitigations, and hence they cannot easily be connected, so each report can be all around this database because they have, like, two, three databases. I don't remember exactly, but they have separate databases inside, and you need to build the reports around one database, and it's not easy to connect two databases into one meaningful report. So, this is a hard part.

In short, I would like to see the databases seamlessly connected while doing a report.

The tool is okay, but, like I said, to cover the whole cycle and is like connecting the unconnectable things because they are built this way which I don't think they can change right now.

They can add things like brand reputation monitoring because it's the system that needs to identify all the vulnerabilities and infrastructure vulnerabilities. They can take it to add code vulnerabilities, like, if it's an R&D company that creates software, they have vulnerabilities of other types, like application-level vulnerabilities in the things that they are developing. And if it's a cloud, then it needs to be covered in a good way, considering the cloud infrastructure. Also, it works on the IP level. On the cloud, you can do it around EC2 instances. You can do the same in Tenable.io but then all the part of the cloud layer that is cloud-based but not on the EC2 level. Let's say it's CloudWatch logs and all the con configurations that are at a cloud provider level. So, there can be vulnerabilities there not at the EC2 level of the machine itself. So these are also vulnerabilities, and it can be good if they are shown and covered by the system.

In general, brand reputation and external CTI are needed in the solution.

Somewhere outside in the open world that it was bridged, and it's there, and then maybe we can show it to you also that it was bridged. So it's now in the open world, and they don't want to be, you know, to be the open world and also on the external attack surface, but I think we saw that some module that they are doing that is in just the right direction. So, it's a good direction.

The asset identification has room for improvement. Since we are using a cloud-based scanner, we must scan devices based on their ID. However, we are encountering many issues with reporting. Assets are often being incorrectly merged or we encounter issues related to assets. If we had an agent with a scanning system, this issue may not have occurred, but it currently exists.

The UI has room for improvement. The previous version of the UI was better.

The technical support has room for improvement.

The solution is a bit slow. It should be faster. They could improve the performance. 

There is no good work assignment system in the product. Specifically, if an SQL patch needs to be applied, then that needs to go to the SQL team, but Tenable wants to assign the ticket to an individual and not a team.

The reporting was never great in Tenable Vulnerability Management, so, in my company, we imported all the data into Ivanti RiskSense to start using it for reporting.

The shortcoming of the solution that needs improvement is related to its capability to do vulnerability assessments on applications.

They need to have more dependable and faster support.

We'd like them to add more features surrounding the filtering of vulnerabilities. My understanding is that they are working on this already.

The user interface could be improved by being able to change the user interface to fit your position or your job. The graphs are set in stone and you can only print reports. 

The solution’s pricing could be improved.

Tenable.io Vulnerability Management could be improved with an increased number of dashboards and MSSP integration.

We'd like to see a bit more user-friendliness. They need to work on that aspect of the solution.

The product is a bit expensive.

I don't recommend Tenable.io Vulnerability Management for web scanning. 

Improvements should be made to the solution to make it easy to use. It's not a user-friendly tool since it has a complicated interface. The solution needs to have a more user-friendly interface.

The solution must be promoted more in the market. It will make the customers more aware of the product.

The product could be easier to set up on the cloud.

The price could be lower, and the grouping of platforms on the dashboard can be included in the next release of the product.

The solution creates vulnerability tickets within the VM profile but should also include them under the Remediation tab so the fixes can be viewed in the ticketing queue. 

Qualys is a competitor product and handles vulnerability tickets in this comprehensive manner. 

The solution must provide penetration testing.

Users get confused between VPR and CVSS ratings. 

The response times from the customer service and support team could be improved. Additionally, the pricing could be better.

The solution seems to focus too much on enterprises, and they really need a product that works for SMBs. The enterprise product is too expensive for smaller companies, however, they really are looking for a product like this in the market.

It's too technologically advanced for SMBs - Tenable is kind of a little bit like flying a 747. There's a lot of bells and whistles and switches and things like that, that quite frankly are not used or not understood largely by the average user. If they don't begin to cater to smaller organizations, they'll likely lose market share.

They could use a better user interface that could be developed a lot better than it is. It really could be more intuitive.

The stability has room for improvement.

I'd like to see them improve their support.

It would be great if there was more integration with other third-party products. They have a robust API, so it's possible to write a script in Python and extend or integrate with another solution, however, will be great if they had this integration automatically.

The pricing of the solution could be more reasonable.

They've been able to think about everything in terms of where the world is going and the type of assets that you've got. They've everything sorted out in that aspect, but you have to pay for most of the other components that they've got to give you complete visibility across your tech surface. If it already had those capabilities in-built, without having to add them on to take advantage of them, it would be a very compelling value proposition.

Their support needs to be improved in terms of turnaround time.

They can improve in the area of role management and compliance reporting.

They should include better customization of the dashboard and integration tools.

We had some challenges with the implementation because of Docker Version 2, although with help from the support team, we were able to proceed.

It would be helpful if Tenable could be more clear with regard to everything the solution can and cannot do with the particular license that you have. The information is not available on the web site and they should be more upfront about it.

The tool's reports are bad. They're not very customizable or flexible. During audits, we often have to exclude things that aren't relevant to our organization, but we can't do that easily with the reports. They come in HTML or PDF format, and we can't compare current results with previous ones in Excel because we never receive reports in Excel.

The dashboard and the main panel could be better. It's lacking right now. Sometimes it's hard to find what you need in the menus. There needs to be better dashboard navigation.

There needs to be more curation of core knowledge.

The documentation was hard to find. It's not all in one place. It's kind-of all over. You have to work to seek it out.

I can't recall any features that are lacking. I can't think of any additions we'd like to see in the next release.

It can have more integration.

An area of improvement for this solution is being able to customize the dashboard. For example, the dashboard does not allow us to view a previous months vulnerability results alongside current results to make comparisons.

I don't have any issues with the solution at this time, and I don't think there are any features that are missing or could be added.

The interface could be improved; right now it's running on two interfaces simultaneously.