We just raised a $30M Series A: Read our story

Tenable Nessus Alternatives and Competitors

Get our free report covering Tenable Network Security, Rapid7, Qualys, and other competitors of Tenable Nessus. Updated: September 2021.
541,462 professionals have used our research since 2012.

Read reviews of Tenable Nessus alternatives and competitors

AbdulMohsin
Regional Sales Engineer at RedSeal, Inc.
Real User
Top 5Leaderboard
Rich vulnerability management that is controlled from a single pane of glass, but the network modeling capability needs improvement

Pros and Cons

  • "The most valuable feature is firewall management."
  • "The Network Assurance, which helps to create the network model, is not so rich."

What is our primary use case?

We are a system integrator and this is one of the products that we implement for our clients. This is one of the vendors that we focus on, from a security standpoint.

Skybox has an amazing portfolio that makes up the security solution. You can onboard your network devices with the network assurance module. This includes layer three, layer two switches, load balancers, and so on. This partially builds the network model for the infrastructure and the entire security platform is built off of that.

How has it helped my organization?

With the combination of the vulnerability management database and third-party integration, vulnerability management is very rich. When you add the network model, Skybox can tell you exactly which vulnerabilities in the infrastructure are exploitable. I have seen examples where there are 7,000 vulnerabilities exposed at one time. This includes highlighting things that are open, or exposed.

What is most valuable?

The most valuable feature is firewall management. It is excellent. It works by onboarding different firewall vendors and together with network assurance, builds a complete network model.

Vulnerability management is very good and it has its own vulnerability database. It gives you the ability to integrate with vulnerability management tools like Nessus, which is used by Tenable, Rapid7, and Qualys. The vulnerability software also integrates with endpoint software such as Symantec, Trend Micro, and McAfee. This is important because in this era, the biggest threat is from the endpoint. This is where most of the attacks are coming from these days.

Skybox integrates with patch management, which contributes to the broad functionality.

Everything is controlled from a single pane of glass.

The Skybox Suite includes change management, which makes up part of the complete security solution.

Skybox Horizon is a dashboard that shows you all of the modules. It is nice because it can show granularity at the level of interest for the NOC or SOC, but it can also give executive dashboarding for the VP or CTO at a business level that is not as concerned about the details.

The out-of-the-box compliance is very good, as it handles PCI and ISO.

What needs improvement?

The Network Assurance, which helps to create the network model, is not so rich. It tells you the best part, and it gives you the alternate routes that are available based on the configuration and the routing table, but it doesn't give you the analytics. One of the issues with security is that if the network model is incorrect then no matter what I add on top of it, it's going to be of no use. Network modeling is the foundation for vulnerability management, test management, firewall management, and change management.

The focus on risk analytics is not very good and should be improved. It relies on the CVSS (Common Vulnerability Security Score), which gives you a vulnerability score based on the standard. The difficulty with this is that sometimes, risks are based on critical assets, and these can differ between environments. My critical assets, for example, may be different than those of my customers. As such, it doesn't give you a fully-fledged risk score. On top of this, it doesn't give you the flexibility to configure a set of weights to adjust the criticality of the assets, the users, and the entities within the infrastructure.

Another area where Skybox lacks is the calculation for combinations and permutations of traffic from each interface. For example, in RedSeal, if traffic comes in from one interface and doesn't go out the desired interface, you can see what is vulnerable, what the vulnerability is, what is exposed, what is exploitable, whether it is subject to an insider threat or an outside threat, what the criticality is, and so on. It is all related to network modeling and seeing what happens when an interface goes down. In general, it needs to be enhanced.

They have to improve their integration with vulnerability management tools. It is good with some products, such as Tenable, but not really good with Rapid7.

Technical support can be improved in some regards because certain teams are better than others.

There is no dashboard for ISR compliance or NESA compliance.

For how long have I used the solution?

I have been working with Skybox for more than a year.

What do I think about the stability of the solution?

Skybox Suite is a stable solution.

What do I think about the scalability of the solution?

This is a scalable solution.

In the region that I am working in, the director has indicated that we want to target organizations with a minimum of 15 firewalls and 500 devices. Essentially, the networks are very big, the firewalls and devices might be from different vendors, and the operations teams are having trouble managing them.

Skybox, from a scalability perspective, is only for customers with a very large environment that is complex.

Scalability is also a factor when a customer is migrating to the cloud. Specifically, when transitioning from on-premises to the cloud the customer will need cloud-based firewalls, load balancing, sandboxing, etc. This means that the network map in Skybox needs to include the cloud.

How are customer service and technical support?

When I am working on a deployment or on a PoC, and I see an issue with the software that is not related to the configuration, I open a ticket with the support team.

I am not always satisfied with the support that they provide. In general, I am satisfied, but there are different teams within Skybox that handle different modules. The firewall management team is the best, the network assurance team is very good, and the vulnerability and threat management team is not so good. Sometimes, I get the wrong person and I have to escalate the ticket to the highest priority and get the engineering team on it. With change management, I have only had technical support in regards to a single client.

How was the initial setup?

The initial setup is straightforward, as you have a template for the network assurance.

This solution can be installed on-premises or as a cloud-based deployment with the virtual edition. The architecture for the latter is very simple. In a small environment with less than 1,000 devices, you can use one server, install the software, and it has a database associated with it. You just have to make sure that it can be accessed by every device across the VLAN.

The tricky part of the configuration has to do with vulnerability management, threat management, and change management. When it comes to difficulty, change management is the hardest one when it comes to configuration. The reason for this is that customers normally have their own change management solution, such as ServiceNow and they are not very comfortable offloading the ITSM to do change management. It's a hard shift and a difficult sell. If it is done properly, however, it can automatically identify the vulnerabilities and threats and mitigate them as per the change management policy. Workflows need to be defined. For example, when a firewall change is needed then it needs to know the chain of approval. Since every customer has their own approval or rejection procedure, it has to be based on their requirements.

When it comes to deployment, we use a "Land and Expand" strategy. We land with network assurance and firewall management, which gives the customer a taste of the product. From there, we onboard vulnerability management and threat management. I don't recommend to anybody that they start with this solution full-fledged because it will not necessarily yield a better ROI.

For a network of perhaps a thousand network devices, if all of the ports are open and the permissions are in place, then it should not take longer than two days. You can take one extra day for fine-tuning, but three days is more than enough. After this, it will take another two days for firewall management. When we consider the vulnerability management and threat management modules, we have to take them on a case-by-case basis.

Sometimes, a customer will not have a vulnerability management tool like Tenable or Rapid7, so we rely solely on the Skybox vulnerability database. We also integrate with endpoint solutions because of the importance of protecting them. As an example, if the customer is using McAfee for the endpoint protection then it will take me around three days to complete the integration. Certain vendors do not provide out of the box integration, so we have to use the API, which adds to the time required for deployment. Often, it can be done in three days.

Finally, change management is a tough thing to do that depends on the use cases. Without this aspect considered, I would say that the deployment can be completed in 15 days. This is all for a typical deployment. If the customer needs customization then it will change the deployment date.

What about the implementation team?

A deployment engineer is a single person and I can do the deployment myself. It is not often very complex, as long as things are done correctly from the beginning. The checklist has to be complete, which means that the image has to be stable and the compute that you requested is there. You also need to ensure that the required port numbers for device accessibility are there from the server, and the database is there. Once all of that is in place, the configuration is not difficult.

When it comes to integration, the other vendor has to be available during the same period. It is sometimes difficult to schedule but it is necessary to complete the deployment in a specified timeframe.

What was our ROI?

The ROI would not be good for a smaller company, which is why Skybox is better for large networks. It may take three or four years for a small company to break even.

All of the firewall vendors have their own firewall manager. Fortinet, for example has FortiManager, whereas Palo Alto has Panorama. If a customer has only four firewalls and they are all from Fortinet then it makes more sense for them just to use FortiManager.

The value really comes in when there are a large number of firewalls and they are from different vendors. This is where 360-degree visibility really starts to help. When you see the amount of time it saves, this is where the ROI becomes obvious.

Which other solutions did I evaluate?

I have been evaluating other options including RedSeal, AlgoSec, Tufin, and FireMon. Each vendor has its own strengths and weaknesses. I think that the network modeling capability in RedSeal is far ahead of the rest. Also, in terms of vulnerability management, RedSeal is amazing.

FireMon is really lacking in terms of network modeling.

My second choice after RedSeal is Skybox. The area that Skybox excels in is firewall management, which is where RedSeal is behind.

What other advice do I have?

My advice to anybody who is implementing this product is to make sure that they utilize it. The usage of it should be mandated for the NOC and SOC. They should use a single dashboard to take care of all of your infrastructure components.

When a Skybox representative visits to discuss this solution, it is important to discuss the use cases properly. Have a good project plan and it is also very important to have the right partner. They should be certified, trained, and involved at all stages.

Overall, it is a pretty good product. When you use it, you will see the benefit of it.

I would rate this solution a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
MH
Owner at a tech services company with 1-10 employees
Real User
Top 5
Understands and defends your network from vulnerabilities

Pros and Cons

  • "I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps."
  • "I would say that it improved our visibility, but it left things open."

What is our primary use case?

We used InsightVM mainly for vulnerability management. I thought it was a pretty interesting application. I'm a fan of Rapid7's Metasploit, so when I saw InsightVM I was like, "Let's see what else they have." I liked it up until we experienced some issues relating to scans. If I wanted to do mitigation, I needed to wait until the next scan was available or ran so that I could get to see if any indentations were made. 

While I was in there, if I was searching for a specific vulnerability, sometimes it was hard to find the specific ones. In the dashboard, it'll tell you the results from the scans, and it will also tell you the vulnerabilities and it will rank them for risk. I would have liked to have been able to click on the vulnerability and it would take me to another area that just has the vulnerability with all the hosts. It wouldn't let you do that. You had to come back out of that window and go into another window and search for it. Well, you wouldn't get the same results as the number of hosts. I had to work a little bit harder to find exactly what I needed.

Within our organization, there were two of us using it. Both of us were IT analysts. One was an IT analyst III (which was me), and the other one was the IT analyst manager.

How has it helped my organization?

I would say that it improved our visibility, but it left things open.

What is most valuable?

I liked the dashboard on it. I could customize my dashboard with different widgets and different heat maps. I liked that. That was a feature I liked. If your manager had a different dashboard that they liked, and you tried to go into a meeting and they say, "Well, I think your numbers are wrong because my dashboard says this" Well, you couldn't rapidly say, "Here's the default dashboard for this for risk." Whereas, with Tenable, you could go through a dashboard just for risks, and say, "Hey, let's switch to this dashboard so we're seeing the same numbers without customization."

What needs improvement?

They just need to fix it to make it more fluid. If it shows you vulnerabilities, I want to be able to click on the vulnerability and drill down into the vulnerability. If it's rating it as a 10 and it says it's got 30 hosts in it for this vulnerability, I want to click on that vulnerability and get a separate report that says, "Here's the vulnerability specific and here's the host involved." That way I could export it and say, "Hey, this vulnerability's out there, it matches a CVE number that is critical, that Microsoft, Cisco, whatever, has put a patch out there, and here guys, here's what it is and here's the proof. Here's your host that's vulnerable. Here's a change request, fix it, send me back the proof that you fixed it, then allow me to rerun a scan specific to that, on-demand, to say 'Yes, boss, we have mitigated it.'"

I want to be able to just drill down on the reports. If it showing me there's a vulnerability and there's a said number of nodes that's vulnerable to it, I want to be able to drill down and export that list without having to come back out of it, going into my assets, trying to find the name of the vulnerability, which doesn't match what the dashboard says. To me, that was backward.

For how long have I used the solution?

I have used this solution for one year.

What do I think about the stability of the solution?

It was pretty stable. We didn't have any real hiccups, but it was stable. We didn't have any real hiccups there.

What do I think about the scalability of the solution?

As far as I know, it says it's scalable. I'm not sure if that company I used to work for had to scale it up or down.

How are customer service and technical support?

The tech support was very helpful. Actually, I knew a couple of them so it was very helpful.

I would give their tech support a rating of 10 — I knew them from using Metasploit and some other products. It was more of a, "Hey, I got this issue, how can you help me with it?" They'd point me and say, "Hey, check this out."

How was the initial setup?

I wasn't involved in the initial setup, so I can't comment on that.

What other advice do I have?

Do your proof of concepts if you can. Make sure you develop your risk strategy. That's important, because it's going to give you a risk number, it's going to give you critical: highs, mediums, but you need to understand what is the risk methodology that you're going to follow. Just because it says it's critical because of how many vulnerabilities you have, doesn't mean that you need to work on it right away.

For example, there was a vulnerability that had 2,000 nodes affected. It put it as a high-risk, whereby there was another vulnerability where there were only about 10 hosts affected — it put it at medium-risk. However, the high-risk one, because it had more nodes affected, did not have a POC associated with it. A novice person looking at it would say, "I need to work on these 1,000 vulnerabilities because it's a high-risk, and ignore the medium." Well, the medium one had an active POC on it. If you didn't have a person who understood how to read the report and what it's actually telling you, then you would say, "Hey, you know what, I'm going to use these, I'm going to cut my risk down because I got 1,000 nodes with this vulnerability and I'm going to put this chain out real quick and I'm going to reduce my risk real quick because of the numbers." Well, in my opinion, you didn't reduce your risk because you have 10 nodes out there with a vulnerability that's rated medium and it has a POC on it.

Overall, on a scale from one to ten, I would give this solution a rating of eight. I'm going to say that is because shame on Rapid7 for having such great applications, but then that little piece there that they know about hasn't been fixed. If I remember, if I go probably log back into the community, it's probably been asked a couple of times.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
TG
Program Manager at a tech services company with 201-500 employees
Real User
Top 20
Monitors our whole environment in real time and makes everything more secure

Pros and Cons

  • "The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful."
  • "I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on."

What is our primary use case?

At work we use the enterprise version of Tenable, Tenable.io, and I also use Tenable.sc — which I refer to as SecurityCenter — for local scanning.

I use Tenable SecurityCenter every day to scan our entire environment for vulnerabilities. I use a local license during the discovery process for penetration testing. So I'll do an en masse scan, and then also do a scan with Tenable to scan for IPs and vulnerabilities.

User-wise, with Tenable SecurityCenter, there's different roles. We have security analysts, admin, etc. I'd say there's probably four or five different roles from people that can just go in and view. Security analysts can upload manual scans and create dashboards and download reports. Then administrators can create accounts, assign roles and responsibilities, and things like that.

How has it helped my organization?

Tenable SecurityCenter has absolutely improved our organization, by making everything more secure and helping ensure solid vulnerability management.

What is most valuable?

The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful.

What needs improvement?

I'm pretty happy with it, but I do see a lot of stuff coming out about risk-based vulnerability management. And so I've been looking at that. I don't think we're using that as of yet and it seems like a newer feature they're talking about a lot that I'm interested in.

I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on.

There was also an issue with SecurityCenter once where we had agents deployed on each device, and while it was scanning we were collecting the data real time. During this process, we had an enclave that was not submitting. It didn't have the agent installed because it wasn't connected to the enterprise network.

They were scanning locally and submitting the scans and we would then upload them into SecurityCenter manually. Each time that there were any duplicates with host names or IPs, or that there were issues with the scanner device with authentication, it failed. But then you scanned it again and it was successful.

When you uploaded that, SecurityCenter was counting it as two devices. And when you ran your report for unauthorized devices, even though it was scanned a second time successfully, the first time would show as a failure. So it was throwing off reporting.

So we would run a report and say, "Okay, which device has failed scanning with authentication?" And it would give a device and we'd be like, "Well, here's the secondary scan showing that it was successful." And so we were having to manually go in there and delete the failed ones.

And that was a pain in the butt. We eventually got that enclave online so we fixed the problem, but I felt that was a limitation of Tenable SecurityCenter that it couldn't see that.

For how long have I used the solution?

I have been using Tenable SecurityCenter for the past few years now.

What do I think about the stability of the solution?

We have only run into one troublesome issue that I can remember. It had to do with the way SecurityCenter inaccurately reported real-time scan results whenever there was a transient problem such as with a duplicate host name or IP, or with authentication.

It was a pain to deal with, because we kept having to go in and manually delete all the failed (but actually successful) scan results.

What do I think about the scalability of the solution?

When it comes to scalability, so far so good, and no issues. We've got the whole environment monitored right now and I don't see any significant increases in use anytime soon.

How are customer service and technical support?

Their technical support is good. Because I don't give out tens much for anything, I would say in the eight to nine range, out of ten.

Which solution did I use previously and why did I switch?

For vulnerability management, Tenable SecurityCenter is the only one I've used in the past six years. Though we do use other tools in conjunction with it.

We've pretty much used Nessus for scanning, vulnerability management, and reporting, and that's it. And it does it very well. And then I use different tools for other things. I'm sure Tenable had that on the plugins for other things, but we don't use those.

How was the initial setup?

The setup is straightforward.

What about the implementation team?

I personally implement SecurityCenter with a local license. And then we also have different roles like security analysts and administrators who can just go in and perform various functions such as uploading manual scans, creating dashboards, downloading reports, assigning accounts, and so on.

What's my experience with pricing, setup cost, and licensing?

I use a local license to perform penetration testing and I'm pretty happy with everything when it comes to pricing and licensing. 

What other advice do I have?

I can easily recommend Tenable SecurityCenter, and I have nothing really bad to say about it. I think it's a great tool for what it does. I enjoy the webinars, and the people that run the company seem very engaged with what's going on when you're into current events and the overall security climate, and they're continuously looking to improve.

I can't speak to every option that they have, but I have no reservations recommending them.

I would rate Tenable SecurityCenter an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
KD
AVP - Information Security at a financial services firm with 10,001+ employees
Real User
Top 20
Easy to use and scalable but needs to be priced more competitively

Pros and Cons

  • "It is very easy to use and there are lots of options. We can usually easily go through it and all of the things we want to configure, and we can configure everything to our specifications very easily."
  • "Sometimes we face a problem with accessing the tool and not getting an expected result. From a technology point of view, they need to look into this."

What is our primary use case?

We're primarily using the solution for vulnerability assessment of internal server as well as the external server.

What is most valuable?

The solution, overall, is very useful for our organization.

It is very easy to use and there are lots of options. We can usually easily go through it and all of the things we want to configure, and we can configure everything to our specifications very easily.

What needs improvement?

Sometimes we face a problem with accessing the tool and not getting an expected result. From a technology point of view, they need to look into this. 

They need to consider how they can improve tool usability and different scanning options. 

Sometimes we are facing issues while performing a scan and things are not correctly shown on the GUI. Even as we are doing a task, it may show up as completed, and then something is not visible. Sometimes we face other technical problems. For example, sometimes we can't go to the next page. It's limiting any positive results.

The solution needs to be easier to understand and configure.

The pricing is a bit on the higher side compared to other products in the industry.

For how long have I used the solution?

I've been dealing with the solution for the last five or six years now. It's been a while.

What do I think about the stability of the solution?

I haven't had any issues with stability. It's been okay.

What do I think about the scalability of the solution?

I don't see any issues with scalability. When we do multiple IP scans, when we require an increase in the number of IPs, we won't have any problem doing so.

How are customer service and technical support?

The technical support has been fine. We're getting the required support we need when we need it. I'd say we're pretty satisfied in that regard.

What's my experience with pricing, setup cost, and licensing?

I find the pricing to be a bit high, especially compared to the competition.

Which other solutions did I evaluate?

While we didn't evaluate other options previously, currently, we are looking at all sorts of vulnerability management solutions and that's including Kenna and RiskSense. 

Although Qualys has come up with the model, I've not really looked that far into their other offerings. There is the possibility of upgrading the model on the part of vulnerability management. We'll see if we change solutions or decide to upgrade instead.

We've also looked at Tenable, which is easier to understand and configure.

What other advice do I have?

We are a Qualys customer. We aren't a reseller or partner.

Overall I'd rate the solution seven out of ten.

We are currently looking at other options, to see if there's a better solution out there. This one has pretty good technical support and is easy to use, however, there are other issues associated with it.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Get our free report covering Tenable Network Security, Rapid7, Qualys, and other competitors of Tenable Nessus. Updated: September 2021.
541,462 professionals have used our research since 2012.