We just raised a $30M Series A: Read our story

Tenable Nessus OverviewUNIXBusinessApplication

Tenable Nessus is #1 ranked solution in top Vulnerability Management tools. IT Central Station users give Tenable Nessus an average rating of 8 out of 10. Tenable Nessus is most commonly compared to Rapid7 InsightVM:Tenable Nessus vs Rapid7 InsightVM. Tenable Nessus is popular among the large enterprise segment, accounting for 61% of users researching this solution on IT Central Station. The top industry researching this solution are professionals from a computer software company, accounting for 26% of all views.
What is Tenable Nessus?

Nessus Professional is the industry’s most widely deployed assessment solution for identifying the vulnerabilities, configuration issues, and malware that attackers use to penetrate your, or your customer's network. With the broadest coverage, the latest intelligence, rapid updates, and an easy-to-use interface, Nessus offers an effective and comprehensive vulnerability scanning package for one low cost.

Tenable Nessus Buyer's Guide

Download the Tenable Nessus Buyer's Guide including reviews and more. Updated: November 2021

Tenable Nessus Customers

Bitbrains, Tesla, Just Eat, Crosskey Banking Solutions, Covenant Health, Youngstown State University

Tenable Nessus Video

Pricing Advice

What users are saying about Tenable Nessus pricing:
  • "Nowadays, your vulnerability applications are going to be kind of pricey because lots of them, including Rapid7, are based upon a base price, but then they add in the nodes. That's where they get you. If you're a big network, obviously, you need to scan everything. Therefore, it's going to be costly. The risk and insurance money associated with having ransomware on my networks is going to cost me more money, time, and marketing than the price of the tool. That's why I'm speaking only as an information security officer to security operations. This is the tool that is there in my toolbox to say whether we vulnerable or not. At this point, I don't care about how much it costs my company to have it because if I wasn't able to report it and we got ransomware, then who cares? I'm probably going to be out of business because it happened. That's why I don't care about the price. I have it, and I could use it effectively and do my report. At the end of the day, even if we get ransomware, as long as I reported it, followed my protocol, and put in the change, irrespective of whether it was ignored or denied, I did my job."
  • "We incurred a single cost for a perpetual license, although I cannot comment on the price as this is above my management level."

Tenable Nessus Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
MH
Owner at a tech services company with 1-10 employees
Real User
Top 5
Easy to use, good support, and gives full reports of what's vulnerable per device

Pros and Cons

  • "I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for."
  • "The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else. I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan." I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day. In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CV database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers."

What is our primary use case?

We use it for vulnerability management. We have the latest version because we're using it in the cloud right now. I have a public cloud and a private cloud version.

How has it helped my organization?

When we do our scans, I'm able to give full reports of what's vulnerable per device. I could group them and say, "Hey, here's a vulnerability in the infrastructure. Here's all the host that needs to be addressed," by showing the report. When I give a report or a request for change, I would include the report so that they are undisputed. Instead of the sys admins giving the excuse of, "Hey, we don't have enough time," or, "We've already done it," or some other poor excuse, now I have a report behind it that says, "Hey, you're vulnerable with this. Here's the CVE, and here's the POC of the CVE," and then if I want to be a little bit more obnoxious, I provide them the POC that I ran with the proof that the POC is there, and then I'm able to say, "Hey, you need to patch this now."

My executives now are able to say, "Hey, you know what? The ISO gave you a directive to patch this with proof. Why haven't you done it?" Because now, as we know, all C-levels are ultimately responsible. If you have an ISO that is interfacing with sys admins saying, "Hey, here's a change that you need to patch it. Here's my proof that even has POC with proof and the report," then there is no benign, "Why haven't you done it?"

What is most valuable?

I like its ease of use. It has the script that is pre-built in it, and you just got to know which ones you're looking for.

What needs improvement?

The price could be more reasonable. I used the free Nessus version in my lab with which you can only scan 16 IP addresses. If I wanted to put it in the lab in my network at work, and I'm doing a test project that has over 30 nodes in it, I can't use the free version of Nessus to scan it because there are only 16 IP addresses. I can't get an accurate scan. The biggest thing with all the cybersecurity tools out there nowadays, especially in 2020, is that there's a rush to get a lot of skilled cybersecurity analysts out there. Some of these companies need to realize that a lot of us are working from home and doing proof of concepts, and some of them don't even offer trials, or you get a trial and it is only 16 IP addresses. I can't really do anything with it past 16. I'm either guessing or I'm doing double work to do my scans. Let's say there was a license for 50 users or 50 IP addresses. I would spend about 200 bucks for that license to accomplish my job. This is the biggest complaint I have as of right now with all cybersecurity tools, including Rapid7, out there, especially if I'm in a company that is trying to build its cybersecurity program. How am I going to tell my boss, who has no real budget of what he needs to build his cybersecurity program, to go spend over $100,000 for a tool he has never seen, whereas, it would pack the punch if I could say, "Let me spend 200 bucks for a 50 user IP address license of this product, do a proof of concept to scan 50 nodes, and provide the reason for why we need it." I've been a director, and now I'm an ISO. When I was a director, I had a budget for an IT department, so I know how budgets work. As an ISO, the only thing that's missing from my C-level is I don't have to deal with employees and budgets, but I have everything else. It's hard for me to build the program and say, "Hey, I need these tools." If I can't get a trial, I would scratch that off the list and find something else.

I'm trying to set up Tenable.io to do external PCI scans. The documentation says to put in your IP addresses or your external IP addresses. However, if the IP address is not routable, then it says that you have to use an internal agent to scan. This means that you set up a Nessus agent internally and scan, which makes sense. However, it doesn't work because when you use the plugin and tell it that it is a PCI external, it says, "You cannot use an internal agent to scan external." The documentation needs to be a little bit more clear about that. It needs to say if you're using the PCI external plugin, all IP addresses must be external and routable. It should tell the person who's setting it up, "Wait a minute. If you have an MPLS network and you're in a multi-tenant environment and the people who hold the network schema only provide you with the IP addresses just for your tenant, then you are not going to know what the actual true IP address that Tenable needs to do a PCI scan."

I've been working on Tenable.io to set up PCI scans for the last ten days. I have been going back and forth to the network thinking I need this or that only to find out that I'm teaching their team, "Hey, you know what, guys? I need you to look past your MPLS network. I need you to go to the edge's edge. Here's who you need to ask to give me the whitelist to allow here." I had the blurb that says the plugin for external PCI must be reachable, and you cannot use an internal agent. I could have cut a few days because I thought I had it, but then when I ran it, it said that you can't run it this way. I wasted a few hours in a day.

In terms of new features, it doesn't require new features. It is a tool that has been out there for years. It is used in the cybersecurity community. It has got the CV database in it, and there are other plugins that you could pass through. It has got APIs you can attach to it. They can just improve the database and continue adding to the database and the plugins to make sure those don't have false positives. If you're a restaurant and you focus on fried chicken, you have no business doing hamburgers.

For how long have I used the solution?

I've been using Nessus for about eight years.

What do I think about the stability of the solution?

Internally, it is stable. Externally also, from what I've seen, it is stable. The only problem that I've had with it was if you have a network and internet blip, you get disconnected, but that happens with anything. Right now, I would say that a lot of cloud companies are having problems because COVID has got a lot of people working from home remotely in VPN. This is the biggest problem we have. You went from 35 people using VPN to over 2,000 people using VPN. You're trying to go to a cloud that wasn't set up for VPN, or you don't have the necessary routes or bandwidth to it. The average person is going to say, "This cloud application sucks." It doesn't really suck. It means that you don't have enough bandwidth in your infrastructure.

What do I think about the scalability of the solution?

We haven't had to scale it yet. We haven't scaled internal Nessus because we have our own version of it. I'm not sure how many IP addresses we're feeding, but I know we only have one server. I looked at the processes, and it's only doing 50% of the process.

We have 13 people who are capable or licensed to use it, which would be all of our risk management information, information security, and risk management office, but I would say only half or about six of us are actually using it daily.

How are customer service and technical support?

I've used the tech support a couple of times. I would say they are very good because they were able to say, "Hey, let's stop the chatting. Let's get on a Webex, and we will Webex you and ask the questions directly." They were able to get to the engineers on the Webex at the same time, and within 30 minutes, they solved our problem. I would rate them a ten out of ten.

How was the initial setup?

If I was installing Nessus just by itself, it is straightforward simply because I've done it before. If you're setting up Nessus from the cloud version, there's a little bit more to it because, for one, it's in the cloud version, and you got to open up ports for your network. You got network people who get all scary because they don't understand what you're doing. Other than that, once you get it set up, then it is pretty much straightforward.

What's my experience with pricing, setup cost, and licensing?

Nowadays, your vulnerability applications are going to be kind of pricey because lots of them, including Rapid7, are based upon a base price, but then they add in the nodes. That's where they get you. If you're a big network, obviously, you need to scan everything. Therefore, it's going to be costly.

The risk and insurance money associated with having ransomware on my networks is going to cost me more money, time, and marketing than the price of the tool. That's why I'm speaking only as an information security officer to security operations. This is the tool that is there in my toolbox to say whether we vulnerable or not. At this point, I don't care about how much it costs my company to have it because if I wasn't able to report it and we got ransomware, then who cares? I'm probably going to be out of business because it happened. That's why I don't care about the price. I have it, and I could use it effectively and do my report. At the end of the day, even if we get ransomware, as long as I reported it, followed my protocol, and put in the change, irrespective of whether it was ignored or denied, I did my job.

What other advice do I have?

The advice would be definitely doing your proof of concept because that's what you're going to need for your buy-in for your upper management because it is going to cost some money. I would do a hybrid version, where your own Nessus is internal, and then you have your cloud. If you lose connection to the internet, you could still run an internal Nessus scan to save the scan and then input the scan into Tenable.sc. Do your proof of concepts, get your reports, and use your proof of concepts when you do your presentation to upper management to purchase. If you use your own nodes and your own network as your proof of concept, it gives them an eye view of, "Hey, we're vulnerable because of this, and here's the tool that did it." To me, that was a better selling point because it was real. It wasn't the demo data. Once you have purchased it and get it all set up, use it continuously, meaning include your scanned reports with your change control. This way, it shuts all the administrators who have been there over 20 years and say, "Hey, I don't want to patch right now because it takes the network down." Yes, it's going to take the network down. However, the longer you wait, the more vulnerable you are because if I'm doing change requests every week, and I'm calling on more and more risk and you start to find the same nodes in the same reports, then somebody up high is going to say to the network administrator guy to fix it.

I would rate Tenable Nessus a ten out of ten right now. If you had asked me last year, Rapid7 would have been the same and on top, but now that I've been using Tenable and I'm comparing the jobs that I'm doing right now, Tenable is cut and clear to what the report is saying. My favorite report is the VPR report. Instead of just looking at CVS numbers, it has a VPR report that ranks, whereas, in Rapid7, it's just focused on CVS. It is CVS version 2 or 3, which kind of gets confusing. For example, in Tenable, I can run a scheduled scan and have my report, but let's say, for instance, I did patching in the middle before my scheduled scan. I could kick off a new scan specifically for that vulnerability and get a report, whereas, in Rapid7, you could not easily do that. Therefore, you were stuck waiting for the scan to go again and to see if your mitigation efforts fixed it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
NM
CISO at a financial services firm with 201-500 employees
Real User
Saves me significant time when putting together reports for compliance agencies

Pros and Cons

  • "Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it."
  • "One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful."

What is our primary use case?

We use it for servers, domain controllers, application servers, Oracle servers, SQL servers, as well as network devices, like routers. For PCs that are used for services such as credit cards and ATMs, we usually do a vulnerability assessment, including Windows Servers, Linux servers, SQL servers, and database servers. We scan everything except basic PCs because it would require a lot of time to check all those reports. Our system administrators use another solution to check regular PCs for Windows and MS updates.

We're checking things every month. We created a schedule and it checks automatically. From time to time, we'll use it to check things if something unusual has happened. For example, if a stranger was on a computer, we'll check if is there a vulnerability there. 

We also use it to prepare reports when the agency asks for them.

How has it helped my organization?

One thing that is important for us is that when the regulation agency is asking for something. we can send them reports from Nessus and they're very satisfied. If they're satisfied, and they don't have any problem or additional requests, that's most important.

In the past, before we implemented Nessus, we used several products that were doing vulnerability assessments for different machines. For instance, we were using an antivirus/anti-malware and end-point security application for vulnerability assessments for Windows machines. We were using free tools for vulnerability checking for Linux machines. And we were \using Qualys' free version for external IP addresses, because Qualys allows you to check something like three IP addresses for free. I created a report for our regulation agency by combining three or four reports. I spent two weeks making that report. Now, I can create that report in one day. Nessus provides me reports within two to three hours for all our Windows machines. For Linux machines, it's half an hour; for the network, it takes about one hour. So in one day, I have everything ready for the agency. 

Similarly, for my upper management, it's my responsibility to provide security reports on a monthly basis about viruses, malware, attacks, etc. Now, it is easier for me to prepare that kind of report. The reports are also more lavish than before. In the past, I had to prepare tables and sheets by myself. Now, everything is prepared for me. If I want to play around with reports I can export to Excel and I can filter the report. Nessus makes everything easier than it was before.

What is most valuable?

Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it.

What needs improvement?

One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful. If the scans which I have already prepared could be used to combine the results into one report, it would save me additional work.

Also, when a new machine is brought into the domain, when it's first connected by the system administrator, it would be good to have some kind of automatic, basic vulnerability scan. Of course, I would have to enter my credentials if I wanted something additional, but it would be useful if, the first time, if that basic process happened. Otherwise, it can be problematic for me when, for example, a new Oracle Database is brought on. I may only be notified after 10 days that it has been connected and only then can I do a vulnerability assessment and I may find a lot of vulnerabilities. It would be better to know that before they put it into production. It would be great to have something automatically recognize a new server, a new PC, and do a basic vulnerability assessment.

For how long have I used the solution?

I have been using Nessus for about half a year.

What do I think about the stability of the solution?

We haven't any problems so far.

A few days ago, I was scanning a range, three or subnets, the whole domain. That was something like 1,000 IP addresses. The first time I did it, things were a little bit slow. I was thinking that it was stuck or blocked. But I left it overnight and checked it in the morning. Everything had finished, correctly, after three or four hours. 

That was the only case where I had any issue but it was a problem because I was a little bit lazy. Instead of creating multiple jobs, I put everything together. I didn't know for sure which IP addresses in which segments were being used. That's the reason I wanted Nessus to scan them. I didn't want to check with the system administrator regarding IP addresses because every time I get such information, I usually find IP addresses with computers that the system administrator didn't tell me about. This way, I was sure to get a full vulnerability assessment. And I found two or three computers which had not been updated for two or three months. That was very important for me to find out.

How was the initial setup?

In May, the guys from Alem Systems came to my office and we finished everything for the installation. They showed me how to configure it, how to add new assets, how to check networks, Linux machines, Windows machines, etc.

What's my experience with pricing, setup cost, and licensing?

We bought a one-year license. We are now preparing a new budget for next year and, given our experience with Nessus, we plan to continue with it for next year. We are satisfied with it. It's the best option for small banks. For us, here in Bosnia, a small bank would have about 150 to 250 employees, with 20 to 30 branches throughout the country. The biggest bank here has more than 2,000 and maybe as many as 3,000 employees.

Which other solutions did I evaluate?

I didn't have a lot of experience with this type of product. I heard and knew that vulnerability assessment is most important. We paid a company to do a pen-test in our bank. That was the first time I heard about vulnerability assessment and about Nessus, Qualys, and Guardium. At that moment, I started to think about it and to search for the best option for us.

In the past, it was tricky to find money for this kind of application. But recently, a new director started with our company. He understands what security actually means and that it's important for a bank. He gave me a bigger budget.

I started, one year ago, checking all products on the market for vulnerability checking and scanning. The first option was Qualys because everybody here, my colleagues, were saying that Qualys is the best. But there were two problems with Qualys for me. First, there is no on-premise version, only a cloud version. And the second issue was the price. The first issue, that Qualys is only connected to the cloud, was most important because I must prepare documents for our regulation agency in banking. With Qualys in the cloud, I would have to prepare risk assessments, etc., and that would be a lot of work for me. And then I would have to wait for that agency's approval, which could take some three months. Finally, when I started thinking, "Okay, I'll go that route and will prepare everything," when I asked about the price of Qualys here in Bosnia, I realized it was too much for us because we are a small bank.

I also checked an IBM solution, Guardium, because there are a lot of companies working with IBM here. It's easier to find solutions for IBM. The reason I didn't go with Guardium was its price.

After that, I started checking other products. Nessus was one of the options. I had a friend working for Alem Systems and spoke with him over a coffee. We spoke about solutions and he said, "Why don't you use Nessus? Nessus is good." He explained everything to me, and he showed me a demo and how it works in a particular company. I said, "Okay, if Nessus is good enough for me, who will sell it to me?" He said, "I will do that."

We are a small bank. I don't need to take care of 100 or 200 servers or many switches and routers and PCs. Nessus is easy to configure and it's easy to add additional searching and scanning for new assets, like a new router. I had seen Qualys at conferences, but I hadn't used it myself. A presenter showed how it worked, but I didn't have hands-on experience. My friend showed me Nessus and he gave me an idea of how to work with it. When I first used it by myself — I created a scheduled job for a server — when I got the report, I realized that it was easy for me, and that was great. Maybe Qualys has better graphics, but I didn't have experience with it. Nessus, now, is perfect.

Finally, I decided that the price was good enough for me and for my bosses. So I finally found a solution after six months.

I didn't need it to be something complicated, to have some NASA-level product. I needed it to work properly and simply, to show me what I need to do. I had to be able to explain to my system administrators what they should do. When I get a report I explain it and give it to my system administrators to solve the problem.

What other advice do I have?

If I were to speak to someone who works with IBM Guardium they would probably tell me, "Ah, Nessus is too simple for me. Guardium is better." But I can recommend Nessus to anyone who wants a good product for a "small amount of money." It's the best buy.

When I speak with my colleagues we usually share our experiences. I know that some of my colleagues are thinking about Nessus for next year because they don't have any solution, but they need one, according to regulations. When I explain how it works they usually say that they will check into it. Probably, in Bosnia, there will be two more banks using Nessus in the next year.

Alem, as a company, is very friendly and that's most important. They come to our office to explain things. They spent three or four hours here with me, explaining everything about Nessus. They suggested a free trial. It's important to have that kind of support. I know that if I need something, I can ask them without any problems, at any time.

Overall, Nessus is working well.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
553,954 professionals have used our research since 2012.
Jairo Willian Pereira
Information Security Manager at a financial services firm with 5,001-10,000 employees
Real User
Top 5Leaderboard
Tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans

Pros and Cons

  • "Scanners and reports using CIS templates ("de-facto" standard, easy to fix and to locate correction tips at documentation), tests against cloud providers, database profiles, several types of telecom devices, and others highly customizable scans."
  • "Model OS costs (and its segregation schema for individual modules)."

What is our primary use case?

Over 15.000 active assets|inside 10 companies belonging to the group, the biennium recurrent project mapped the real situation, in parallel with photography of IT/Security maturity through three main domains: processes, people, and technology. 5 TOEs: Infrastructure, Databases (SQL and Oracle in deep), AWS Cloud, Connectivity (Routers, Switches, and Firewalls against/based CIS) and Web Application instances (partial tests). 

How has it helped my organization?

Nessus has more plugins/add-ons, tests, and templates than previous tools (OpenVas) and it is faster and customizable using CLI/API features. It offers enough resources for an interesting cost-benefit rating (for small and medium companies) and minus false-positive events per type of asset. 

It helped us to quickly produce a QuickWin report that guided the VulnerabilityMgmt actions and plans within the company's during the next 3-5 years using the same tool/investment/team for all companies inside the de group.  

What is most valuable?

Scanners and reports using CIS templates ("de-facto" standard, easy to fix and to locate correction tips in the documentation), tests against cloud providers, database profiles, several types of telecom devices, and other highly customizable scans. You can scale your environment to gradually increase the quality, depth, and quantity of the tests, enabling you to learn and gradually optimize your vulnerability management platform(s)/instance(s). The possibility of integration with other market tools (Kenna, Archer...) is another differential.

What needs improvement?

- Add the possibility to customize attributes that define the assets critical level based on the company's "business sense".

- Improve integration and tests for OT platforms, OT application, OT hardware, and non-Ethernet protocols.

- Improve the exchange of info/insights/attributes with RM (Risk Management) domain.

- Offer a more flexible strategic and high-level dashboards based on previous comments (minus technical and more business-oriented)

- Model OS costs (and its segregation schema for individual modules).

For how long have I used the solution?

7+ years with Tenable and more than 15y with others.

What do I think about the stability of the solution?

Excellent. No one problem during operation time.

What do I think about the scalability of the solution?

Enough (faster than OpenVAS engine).

How are customer service and technical support?

It SLA/support are enough. 

Which solution did I use previously and why did I switch?

OpenVAS. We reached the previous level/threshold/maturity using OpenVas (more limited tool when compared with Nessus). I/We believe that, the change to a better tool (in this and in others categories) should be carried out when these indicators are reached.

How was the initial setup?

Very simple and fast.

What about the implementation team?

In-house.

What was our ROI?

Good. Nessus Pro combined with other xLAP solutions to offer a presentation/grouping layer is great. Using SC this curve/point of ROI is slower.

What's my experience with pricing, setup cost, and licensing?

Start small, learn about your problems/fixing time and grow up gradually.

Which other solutions did I evaluate?

Several. OpenVas, Rapid7, Qualys, CORE*, and Retina.

What other advice do I have?

A cost/benefit interesting tool.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MadhavanSrinivasan
CEO at Screenit Labs Pvt Ltd
Real User
Top 5
Easy to setup, and allows you to migrate applications safely to the cloud

Pros and Cons

  • "We have done code scanning for a long period because as a company, we do DevOps as part of our development life cycle."
  • "We would like to have the option of using the solution for the cloud as well as on-premises with the same license at the same time. That would be very helpful."

What is our primary use case?

We are a company that provides cloud migration services. We help companies to migrate to the public cloud. When our customers want to migrate applications, they're worried about the security aspect in the cloud. So we are trying to see how the application security that is on-premises can be migrated to the cloud.

We don't have any particular solution, we are working with a few options. The customer selects what best suits their needs. If we have a program, we work with that.

It's not specific to what we are working with.

What is most valuable?

We have done code scanning for a long period because as a company, we do DevOps as part of our development life cycle. We like scanning the ports and security as well as application-level security.

What needs improvement?

Some of our customers are operating on the cloud as well as on-premises.

We would like to have the option of using the solution for the cloud as well as on-premises with the same license at the same time. That would be very helpful.

For how long have I used the solution?

We have used this solution for three or four projects in the last two years.

We are always working with the latest version.

What do I think about the stability of the solution?

The stability varies on the version that you are using. 

We have not had any problems with stability with what we are using. It's been stable and we have never been faced with any stability issues.

What do I think about the scalability of the solution?

We have used this for an enterprise cloud application, which is much smaller with hundreds of users. It's pretty scalable. We have not had any challenges so far. 

I don't know the limits of scalability because we haven't trialed it fully. But for the enterprise application that we use, we didn't find any issue with scalability.

How are customer service and technical support?

We have contacted technical support, once or twice when we have had issues with respect to some plugin related clarification. 

There are times where the solution doesn't work out of the box, and we have to install some plugins. We needed some assistance with this.

They are good, but the response resolution takes a bit of time. It would say that it's still within an acceptable response time. Within a few hours, they will get back to you with a solution.

How was the initial setup?

The initial setup is pretty easy.

When we use the scales we find it to be easy.

In our experience a complete deployment and start-up, it takes only a few hours.

What other advice do I have?

In some cases, we deploy on-premises because the customer is still evaluating the readiness to go to the cloud. 

A few of our customers are already on the cloud, and others are migrating. We have deployed on both models.

With my experience, I would definitely recommend it. This is the only tool we have used recently.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
SP
VP - Risks, Audits & InfoSec at a tech services company with 501-1,000 employees
Real User
I like its ability to collate a dependable output, where we are able to get the same vulnerability when we test manually

Pros and Cons

  • "The features of Tenable Nessus that I have found most valuable are its reliability and its ability to collate a dependable output, where we are able to get the same vulnerability when we test manually. The output is quite reliable."
  • "In terms of what could be improved, I would say its reporting portion."

What is most valuable?

The features of Tenable Nessus that I have found most valuable are its reliability and its ability to collate a dependable output, where we are able to get the same vulnerability when we test manually. The output is quite reliable.

What needs improvement?

In terms of what could be improved, I would say its reporting portion.

Additionally, we have the on-prem version, but sometimes we want to have an on-cloud deployment as well for certain projects, although not so many. The people who used it on cloud didn't find it as good as the version they were using on-prem. Overall, the cloud version could be improved.

For how long have I used the solution?

I have been using Tenable Nessus for about three years now. We are currently using the latest version.

What do I think about the stability of the solution?

In terms of stability, recently we are seeing many updates coming in and we are finding that the updating model with its latest releases may be a little buggy. So sometimes deployment may take a couple of times and Nessus takes its own time for updating, thereby delaying the deployment time. Of late is, we are seeing updates coming in very frequently. So when we deploy it, it just updates again and again and that almost doubles the time.

What do I think about the scalability of the solution?

Tenable Nessus is scalable. That's not an issue.

How are customer service and technical support?

We did reach out to technical support. I think it was just once, but it took them a long time to respond. Maybe it was case specific, but they took a few days to get back to us and we didn't expect that. Now they've completely changed the model to email support, so we send the email and we'll have to wait until the guys answer us back.

How was the initial setup?

The initial setup on-prem and on-cloud did not have any issues. It just took a couple of hours.

What other advice do I have?

On a scale of one to ten, I would give Tenable Nessus an eight.

What happens is Nessus keeps on updating and this becomes a showstopper. We are unable to proceed with the vulnerability scans or testing if we do not update to the latest available patch. We can understand the risk if it's maybe one version earlier, meaning, we understand something was updated with XYZ patch but there should be something which gives us an option so that not all of our deployments need to have the latest patch. This would save the deployment time because of frequent updates.

I would recommend Tenable Nessus. Especially the commercial model. We operate in small and medium enterprises and for them, Nessus is becoming expensive. Because of this I may not buy Nessus this year and I might switch to Qualys, for example. Overall, Tenable Nessus is not so price pocket friendly for small and medium users.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VP
Vulnerability Management Analyst at a financial services firm with 10,001+ employees
Real User
Top 20
Scalable with good VPR scores and great plug-in text information

Pros and Cons

  • "The plug-in text information is quite useful."
  • "It wasn't very clear how the scripts are running the scans. There's information about the script but it's not straightforward. The script information for each of the plugins should be available, but it doesn't give us straightforward direct information about how it was executed. That needs to be more clear."

What is our primary use case?

We primarily use the solution for vulnerability management. We also use it during our IP scans.

What is most valuable?

The VPR scores are the solution's most valuable aspects.

The plug-in text information is quite useful.

The solution can scale well.

We've found the solution to be quite stable.

What needs improvement?

It wasn't very clear how the scripts are running the scans. There's information about the script but it's not straightforward. The script information for each of the plugins should be available, but it doesn't give us straightforward direct information about how it was executed. That needs to be more clear.

We find that the solution causes several issues due to the fact that it runs even before it calculates, the asset in prevention. 

I can't think of any features that are lacking.

For how long have I used the solution?

I've been using the solution for one to two years at this point.

What do I think about the stability of the solution?

It's stable. I don't have any major complaints. It doesn't have bugs. It isn't affected by glitches. It doesn't crash or freeze on us. It's reliable.

What do I think about the scalability of the solution?

We have about 100 direct users who are logging onto the solution on a daily basis.

We don't plan on increasing usage at this time.

We have been able to scale it in the past, however, and a company that needs to expand it should not face too many issues doing so.

How are customer service and technical support?

We've worked with technical support in the past, and we've found them to be quite efficient. They are knowledgable and responsive.

Which solution did I use previously and why did I switch?

We previously used McAfee and switched over completely at the end of May.

How was the initial setup?

We had some help with the initial setup. We were able to use our vendor's expertise and have them walk us through any issues we had.

However, we completely handle the maintenance now that is it up and running. We have admins who deal with any upkeep.

What about the implementation team?

The vendor assisted us in the initial implementation.

What's my experience with pricing, setup cost, and licensing?

I don't have any information when it comes to the cost of the solution. It's not part of my job to deal with billing or payments, so I don't have any visibility on the cost structure.

What other advice do I have?

We are simply customers. We don't have a business relationship with Tenable.

We're using the latest version of the solution.

I would definitely recommend this solution. It's the best that I've used so far.

On a scale from one to ten, I'd rate it at an eight overall.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
FF
IT Security Operations Analyst at a manufacturing company with 10,001+ employees
Real User
Fast and easy to use, with good reporting and good support

Pros and Cons

  • "The most valuable features are that it's fast, it's easy to use and it provides good reports."
  • "Remediation needs improvement."

What is our primary use case?

I have been using Tenable Nessus for my personal use. It works well.

I am using this solution for testing.

What is most valuable?

The most valuable features are that it's fast, it's easy to use, and it provides good reports.

What needs improvement?

The only thing that I don't like is KBs information. For example, if we scan our workstation and you go to the results report that Nessus provides, we are going to see a lot of KBs as remediation. But in most cases, the KBs are always superseded.

Also, we are not able to apply those because Microsoft has already released a new TB. 

Nessus is not doing a good job in updating its remediation section of the reports.

Remediation needs improvement. They are providing a lot of superseded KBs as remediation.

For example, when you share that with several team members or with one individual, and you ask them to work on this, they reply with Microsoft already has something new.

For how long have I used the solution?

I have been using Tenable Nessus for approximately two years.

What do I think about the stability of the solution?

This solution is stable. I have not experienced any issues. It worked fine.

What do I think about the scalability of the solution?

It's a scalable solution. I have not had any problems.

I am the only person using this solution.

How are customer service and technical support?

Technical support is good. They provided information that is needed.

Which solution did I use previously and why did I switch?

Previously, I was not using another solution. I use Nessus through a course that I was taking in the security field.

How was the initial setup?

The initial setup was straightforward.

What about the implementation team?

We did not use a vendor or vendor team to implement this solution.

Which other solutions did I evaluate?

I have evaluated one other solution, but because of my company policies. I can't share that information.

Tenable has Tenable.io, and I believe that they have the remediation updated, but Tenable Nessus Professional does not. I don't think that they will continue to keep it available in the market. They should probably decommission it.

Remediation is better in other tools than with Nessus.

What other advice do I have?

For anyone who is interested in this solution, they should test the scan timing to see if it consumes a lot of time or not.

Research the remediation information to see if it is okay, or trust proof or not.

The reporting works well and it allows you to share. Also, support is important.

I would rate Tenable Nesuss an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
NagarajSheshachalam
Lead Cyber Security engineer at a tech services company with 201-500 employees
Real User
Top 5
Easy to understand but is lacking technical support

Pros and Cons

  • "A valuable feature of the solution is that it is easy to understand."
  • "We feel the solution's technical support to be very bad."

What is our primary use case?

We usually use the solution for infrastructure level and web application scanning, although mostly for the former. This is what we are doing at present. We were using the web application portion of Tenable Nessus for several months before switching to Veracode

What is most valuable?

A valuable feature of the solution is that it is easy to understand. When it comes to running a scan, the scanning mechanism is also easy, and it is quite fast compared to Veracode and Qualys.

What needs improvement?

The solution should have a more in-depth level of scanning, with features to meet the developers. Other points that should be addressed involve the understanding of issues by the users and the need for improvising the reporting structure. The reports should also be more attractive and user-friendly.

This is how Tenable Nessus occasionally works when drawing up something on the field.

Additional features I wish to see addressed in the next release include customer support and ease of  understanding of vulnerabilities and how they can be fixed.

In contrast to Tenable Nessus, we have found Veracode to be more user-friendly, with a greater in-depth understanding of the details and how things can be fixed. Other points in its favor include study cases, customer support, training and e-learning. 

The solution is sort of down the mid range, so we are more happy with Veracode.

For how long have I used the solution?

We have made use of Tenable Nessus over the past 12 months, and started doing so a couple of months before we got Veracode.

What do I think about the stability of the solution?

The solution is reliable and has good stability. 

What do I think about the scalability of the solution?

We have been in the web, so we have not tried to expand the solution.

How are customer service and technical support?

We feel the solution's technical support to be very bad.

While we do receive a response upon creating a ticket, it is not like that of Qualys or Veracode. That extensive support is not there.

How was the initial setup?

The initial setup was straightforward.

We deployed under the release plan of 8.11.

What's my experience with pricing, setup cost, and licensing?

We incurred a single cost for a perpetual license, although I cannot comment on the price as this is above my management level.

What other advice do I have?

There are at least ten people in our organization making use of the solution. 

Tenable Nessus is an appropriate solution for a small scale company, one with budgeting constraints and no complexities within the organization. It not that user-friendly.

I would rate Tenable Nessus as a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Product Categories
Vulnerability Management
Buyer's Guide
Download our free Tenable Nessus Report and get advice and tips from experienced pros sharing their opinions.