NikhilGupta1 - PeerSpot reviewer
Senior Manager - SRE at Zenoti
Real User
Reliable, easy to set up, and helps with compliance
Pros and Cons
  • "Once you get past the initial implementation, the solution is very stable."
  • "They could make their reporting a little better."

What is our primary use case?

We are using the product for CIS benchmarking on our systems.

Our primary use case is basically understanding whether our systems are compliant with the CIS benchmarks in terms of system hardening. What Tenable Nessus does is it can run a scan on the systems and it gives us a report in terms of what properties or settings on the systems are in compliance and what are not in compliance. Then we can review that and go back and improve the systems in terms of those settings.

What is most valuable?

What I like about it is the fact that it can figure out what changes we need to make on our systems to ensure that they're hardened properly.

The initial setup is not difficult. 

Once you get past the initial implementation, the solution is very stable. 

It's scalable. 

What needs improvement?

So far, it has been fulfilling the requirements. From that perspective, there is not a lot that I would want to improve in the features that we are using.

They could make their reporting a little better. Maybe they could do some more integrations with certain other tools to extend it or make the reporting better in the sense that it could probably generate some alerts or something of that sort. It could do some real-time reporting. If there are any policies that are changing or getting violated, they could probably generate some alerts, which could involve the on-call on my side so that I could take immediate action. That could probably be one thing that they could introduce.

For how long have I used the solution?

We've used the solution for about a year now. It hasn't been that long. 

Buyer's Guide
Tenable Nessus
April 2025
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
851,823 professionals have used our research since 2012.

What do I think about the stability of the solution?

Initially, we had some issues. Initially, we were not very confident about how to configure certain things. Once we had integrated and deployed the product, we needed a few support calls to fix the system properly in our environment and since then it has been smooth, I would say. The stability is now good.

What do I think about the scalability of the solution?

The solution can scale. 

We have very few users. It's basically based on the number of systems that we need to install it on in terms of scaling. That's something that probably is more than the number of users who actually access the system. It's largely used by the security team.

We do have plans to increase the usage of Tenable Nessus organically. As the number of systems that we use is dynamic in nature, it likely will keep going up and down over time.

How are customer service and support?

We've dealt with technical support on and off I would say. We keep talking to the technical support at times to get some insights on any new features that are coming in or in terms of how to use a certain feature that we are probably trying to introduce or something of that sort.

Which solution did I use previously and why did I switch?

We were not using any other products before this.

How was the initial setup?

For the initial setup, I need to deploy an agent on my systems. It's pretty straightforward. It's not very difficult.

I'm not really sure about how long it took, however, my understanding is it didn't take too long for our system. It was maybe a few minutes per system or maybe half an hour per system. Not more than that.

What about the implementation team?

We did not use a consultant or any integrator for the deployment. We did it in-house. 

There were a couple of people on my team who were able to set it up for us.

What's my experience with pricing, setup cost, and licensing?

I'm not aware of the licensing cost.

What other advice do I have?

I'd recommend the product to others. If a company wants to use it for system analysis as part of the benchmarking of the systems or if a company wants to do security benchmarking, they can use this. They should be able to use the tool.

I'd rate the solution eight out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1239462 - PeerSpot reviewer
CISO at a financial services firm with 201-500 employees
Real User
Saves me significant time when putting together reports for compliance agencies
Pros and Cons
  • "Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it."
  • "One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful."

What is our primary use case?

We use it for servers, domain controllers, application servers, Oracle servers, SQL servers, as well as network devices, like routers. For PCs that are used for services such as credit cards and ATMs, we usually do a vulnerability assessment, including Windows Servers, Linux servers, SQL servers, and database servers. We scan everything except basic PCs because it would require a lot of time to check all those reports. Our system administrators use another solution to check regular PCs for Windows and MS updates.

We're checking things every month. We created a schedule and it checks automatically. From time to time, we'll use it to check things if something unusual has happened. For example, if a stranger was on a computer, we'll check if there is a vulnerability there.

We also use it to prepare reports when the agency asks for them.

How has it helped my organization?

One thing that is important for us is that when the regulation agency is asking for something, we can send them reports from Nessus and they're very satisfied. If they're satisfied, and they don't have any problem or additional requests, that's most important.

In the past, before we implemented Nessus, we used several products that were doing vulnerability assessments for different machines. For instance, we were using an antivirus/anti-malware and end-point security application for vulnerability assessments for Windows machines. We were using free tools for vulnerability checking for Linux machines. And we were using Qualys' free version for external IP addresses, because Qualys allows you to check something like three IP addresses for free. I created a report for our regulation agency by combining three or four reports. I spent two weeks making that report. Now, I can create that report in one day. Nessus provides me reports within two to three hours for all our Windows machines. For Linux machines, it's half an hour; for the network, it takes about one hour. So in one day, I have everything ready for the agency.

Similarly, for my upper management, it's my responsibility to provide security reports on a monthly basis about viruses, malware, attacks, etc. Now, it is easier for me to prepare that kind of report. The reports are also more lavish than before. In the past, I had to prepare tables and sheets by myself. Now, everything is prepared for me. If I want to play around with reports I can export to Excel and I can filter the report. Nessus makes everything easier than it was before.

What is most valuable?

Nessus gives me a good preview of vulnerabilities and good suggestions for remediation. It's easy to find a description of a given vulnerability and solutions for it.

What needs improvement?

One area that has room for improvement is the reporting. I'm preparing reports for Windows and Linux machines, etc. Currently, I'm collecting three or four reports and turning them into one report. I don't know if it is possible to combine all of them in one report, but that would be helpful. If the scans which I have already prepared could be used to combine the results into one report, it would save me additional work.

Also, when a new machine is brought into the domain, when it's first connected by the system administrator, it would be good to have some kind of automatic, basic vulnerability scan. Of course, I would have to enter my credentials if I wanted something additional, but it would be useful if, the first time, that basic process happened. Otherwise, it can be problematic for me when, for example, a new Oracle Database is brought on. I may only be notified after 10 days that it has been connected and only then can I do a vulnerability assessment and I may find a lot of vulnerabilities. It would be better to know that before they put it into production. It would be great to have something automatically recognize a new server, a new PC, and do a basic vulnerability assessment.

For how long have I used the solution?

I have been using Nessus for about half a year.

What do I think about the stability of the solution?

We haven't had any problems so far.

A few days ago, I was scanning a range, three or subnets, the whole domain. That was something like 1,000 IP addresses. The first time I did it, things were a little bit slow. I was thinking that it was stuck or blocked. But I left it overnight and checked it in the morning. Everything had finished, correctly, after three or four hours. 

That was the only case where I had any issue but it was a problem because I was a little bit lazy. Instead of creating multiple jobs, I put everything together. I didn't know for sure which IP addresses in which segments were being used. That's the reason I wanted Nessus to scan them. I didn't want to check with the system administrator regarding IP addresses because every time I get such information, I usually find IP addresses with computers that the system administrator didn't tell me about. This way, I was sure to get a full vulnerability assessment. And I found two or three computers which had not been updated for two or three months. That was very important for me to find out.

How was the initial setup?

In May, the guys from Alem Systems came to my office and we finished everything for the installation. They showed me how to configure it, how to add new assets, how to check networks, Linux machines, Windows machines, etc.

What's my experience with pricing, setup cost, and licensing?

We bought a one-year license. We are now preparing a new budget for next year and, given our experience with Nessus, we plan to continue with it for next year. We are satisfied with it. It's the best option for small banks. For us, here in Bosnia, a small bank would have about 150 to 250 employees, with 20 to 30 branches throughout the country. The biggest bank here has more than 2,000 and maybe as many as 3,000 employees.

Which other solutions did I evaluate?

I didn't have a lot of experience with this type of product. I heard and knew that vulnerability assessment is most important. We paid a company to do a pen-test in our bank. That was the first time I heard about vulnerability assessment and about Nessus, Qualys, and Guardium. At that moment, I started to think about it and to search for the best option for us.

In the past, it was tricky to find money for this kind of application. But recently, a new director started with our company. He understands what security actually means and that it's important for a bank. He gave me a bigger budget.

I started, one year ago, checking all products on the market for vulnerability checking and scanning. The first option was Qualys because everybody here, my colleagues, were saying that Qualys is the best. But there were two problems with Qualys for me. First, there is no on-premise version, only a cloud version. And the second issue was the price. The first issue, that Qualys is only connected to the cloud, was most important because I must prepare documents for our regulation agency in banking. With Qualys in the cloud, I would have to prepare risk assessments, etc., and that would be a lot of work for me. And then I would have to wait for that agency's approval, which could take some three months. Finally, when I started thinking, "Okay, I'll go that route and will prepare everything," when I asked about the price of Qualys here in Bosnia, I realized it was too much for us because we are a small bank.

I also checked an IBM solution, Guardium, because there are a lot of companies working with IBM here. It's easier to find solutions for IBM. The reason I didn't go with Guardium was its price.

After that, I started checking other products. Nessus was one of the options. I had a friend working for Alem Systems and spoke with him over a coffee. We spoke about solutions and he said, "Why don't you use Nessus? Nessus is good." He explained everything to me, and he showed me a demo and how it works in a particular company. I said, "Okay, if Nessus is good enough for me, who will sell it to me?" He said, "I will do that."

We are a small bank. I don't need to take care of 100 or 200 servers or many switches and routers and PCs. Nessus is easy to configure and it's easy to add additional searching and scanning for new assets, like a new router. I had seen Qualys at conferences, but I hadn't used it myself. A presenter showed how it worked, but I didn't have hands-on experience. My friend showed me Nessus and he gave me an idea of how to work with it. When I first used it by myself — I created a scheduled job for a server — when I got the report, I realized that it was easy for me, and that was great. Maybe Qualys has better graphics, but I didn't have experience with it. Nessus, now, is perfect.

Finally, I decided that the price was good enough for me and for my bosses. So I finally found a solution after six months.

I didn't need it to be something complicated, to have some NASA-level product. I needed it to work properly and simply, to show me what I need to do. I had to be able to explain to my system administrators what they should do. When I get a report I explain it and give it to my system administrators to solve the problem.

What other advice do I have?

If I were to speak to someone who works with IBM Guardium they would probably tell me, "Ah, Nessus is too simple for me. Guardium is better." But I can recommend Nessus to anyone who wants a good product for a "small amount of money." It's the best buy.

When I speak with my colleagues we usually share our experiences. I know that some of my colleagues are thinking about Nessus for next year because they don't have any solution, but they need one, according to regulations. When I explain how it works they usually say that they will check into it. Probably, in Bosnia, there will be two more banks using Nessus in the next year.

Alem, as a company, is very friendly and that's most important. They come to our office to explain things. They spent three or four hours here with me, explaining everything about Nessus. They suggested a free trial. It's important to have that kind of support. I know that if I need something, I can ask them without any problems, at any time.

Overall, Nessus is working well.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CLAUDIO SANTOS - PeerSpot reviewer
Operation Director at GLOBALIP
Reseller
Top 5 Leaderboard
Automates scanning process, enhancing the ability to monitor the security landscape continuously
Pros and Cons
  • "It notifies us of vulnerabilities as they arise, allowing us to respond quickly without manual intervention."
  • "The product could have unique features similar to one of its competitors."

How has it helped my organization?

The platform is essential for vulnerability management tasks and integrates with various data management applications.

What needs improvement?

The product could have unique features similar to Qualys. 

For how long have I used the solution?

We have been using Tenable Nessus for about a year to a year and a half. We are using the latest version to ensure access to all the latest features.

Which solution did I use previously and why did I switch?

While Tenable offers a robust solution, the main competitor, Qualys, has some unique features. However, Tenable has a larger market share, indicating that it has undergone extensive testing and development based on customer feedback.

How was the initial setup?

The complexity of deploying Nessus largely depends on the customer's operational environment. If the environment has diverse systems, implementation may be more complex, while a more uniform system allows for easier setup.

The timeline for implementation could range from one week to several months based on these factors.

What's my experience with pricing, setup cost, and licensing?

The product pricing is dynamic and varies based on the specific needs of each project and customer.

Discounts can be offered based on competition and project requirements, making it a relative cost depending on the context.

What other advice do I have?

The solution automates vulnerability checks, which is crucial for our customers who cannot dedicate a team to monitor security issues constantly. It notifies us of vulnerabilities as they arise, allowing us to respond quickly without manual intervention.

It automates the scanning process, allowing us to schedule regular scans, generate reports, and receive notifications about critical vulnerabilities via email. It enhances our ability to monitor the security landscape continuously.

Overall, I rate it a nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Gabriel Clement - PeerSpot reviewer
Lead IT Security and Remediation at ARM Holdings Company
Real User
Top 10
Reasonably priced, reliable, and flexible
Pros and Cons
  • "It gives a holistic view of your entire environment."
  • "They should try to create an all-in-one solution."

What is our primary use case?

I primarily use the solution for network scanning. I can use it when I want to see network scanning involved with the network devices and servers. 

What is most valuable?

I love everything about Nessus. I may be biased in my rating, biased in the sense that I love using Nessus.

The usability is okay. The pricing is okay. The costs are reasonable.

The level they give you is good. It depends on the kind of scan that you want to do. There are different options there. If I want to do a PCI scan, that is available. If I want to do a scan that involves checking to see if the system patching is up to date, that is available. If I want to scan against trending vulnerabilities, I can do that, too. They have so many different options. You can streamline it to what you want, and you do your scan. 

Nessus is flexible. It gives a holistic view of your entire environment. I would go for a Nessus any day, anytime.

They have a good reporting system. I love the reporting system. The references they made in terms of recommendations are great. They can give a recommendation on how to get a particular issue fixed. 

The setup is straightforward. 

It is stable and reliable.

We can scale the product. 

What needs improvement?

They should try to create an all-in-one solution. When I say all in one, I mean something that would be cheap, where I can scan a lot in terms of web applications. Right now, this is available. However, it's a bit expensive. If users want to start scanning applications, networking devices, et cetera, they should also try and work on the pricing for those and have everything together. The web application module should be included in Tenable itself.

For how long have I used the solution?

I've used the solution over the past 13 years. I've worked with it for a long time.

What do I think about the stability of the solution?

The stability is fine. There are no bugs or glitches, and it doesn't crash or freeze. 

What do I think about the scalability of the solution?

The solution can scale as needed. 

How are customer service and support?

I've not escalated anything to technical support. 

Which solution did I use previously and why did I switch?

I'm aware of other solutions. 

What makes Nessus outstanding is the different options. There are so many scanning options. They give you the room to be flexible. You can scan your server how you want. Other options may just allow for a general scan of my system. With Nessus, I can streamline and customize my scan. 

How was the initial setup?

It is an easy solution to set up. The deployment is not lengthy. Within two hours, I had it up and running. 

There is no crazy maintenance needed. Sometimes when there are new updates, it just alerts you the moment you log into your appliance. It just alerts you and gives you room to do the updates. Sometimes it may just set automatically, and it picks the updates. When you log in, it asks for you to reinitialize your system, and you're good to go.

What's my experience with pricing, setup cost, and licensing?

The price is not bad. We are comfortable with the cost of the solution right now and with what we are paying for what we get in return. 

We just pay for the license and do not deal with any other additional fees. 

What other advice do I have?

We're using the latest version of the solution. 

When you are doing a spot check, and something rescues you a lot from disaster, you really appreciate that service. The product has really worked for me.

I highly recommend the solution.

I'd suggest new users run a POC and exhaust all the functionality and test other solutions as well. At the end of the day, compare them. Don't forget to consider budgets. Ensure that it matches what your company needs and the budget that they have for that particular solution. 

Make sure that functionality is taken into account. Some people only look at the budget and go for something cheaper and then do not have the functionality they require. 

I'd rate the solution nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at PJM Interconnection
Real User
Useful vulnerability detection, highly scalable, and good support
Pros and Cons
  • "The most valuable feature of Tenable Nessus is vulnerability detection."
  • "Tenable Nessus could improve reporting and information sharing. It would be helpful if we could share the reports and have a little bit better flexibility in the reporting of the data."

What is our primary use case?

Tenable Nessus can be deployed on-premise and in the cloud.

Tenable Nessus is a vulnerability scanner to find vulnerabilities. The solution finds the vulnerabilities in our environment and then we send those vulnerabilities that are found out to the SMEs to be fixed.

How has it helped my organization?

Tenable Nessus allows us to keep up on fixing the vulnerabilities that are either being exploited in the wild or the ones that we find most critical.

What is most valuable?

The most valuable feature of Tenable Nessus is vulnerability detection.

What needs improvement?

Tenable Nessus could improve reporting and information sharing. It would be helpful if we could share the reports and have a little bit better flexibility in the reporting of the data.

In the next release, they should add some more integration with other security solutions that would be helpful.

For how long have I used the solution?

I have used Tenable Nessus for approximately 10 years.

What do I think about the stability of the solution?

The stability of Tenable Nessus is very good.

What do I think about the scalability of the solution?

Tenable Nessus is highly scalable.

We have a couple of administrators and vulnerability analysts who run scans, and read-only accounts for the SMEs who fix vulnerabilities, and an executive role for management to view the data.

We use Tenable Nessus extensively, we have scheduled jobs running all the time. We do scans on all the systems on our network, and we are always making tweaks.

How are customer service and support?

I rate the support of Tenable Nessus a four out of five.

Which solution did I use previously and why did I switch?

I have not used another solution previously to Tenable Nessus.

How was the initial setup?

For our deployment of Tenable Nessus, there are elements of complexity. However, the complexity depends on the use case. The solution is not that difficult to implement; the complexity comes from the many things that are involved. You do not need to be an expert; there are many parts that need to be set up.

We had Linux servers built and the Tenable Nessus software was installed on top of that. It was relatively simple as far as that goes.

I rate the ease of setup of Tenable Nessus a three out of five.

What about the implementation team?

We did the implementation in-house.

We have two administrators and one SME that does the supporting of Tenable Nessus.

What was our ROI?

It is difficult to show or rate ROI from a security standpoint, it is similar to having car insurance. When there are vulnerabilities out there, we can quickly look because we're scanning all the time at what our vulnerabilities are. Tenable Nessus is used for keeping our infrastructure safe.

What's my experience with pricing, setup cost, and licensing?

Tenable Nessus needs to be licensed. We own a license for the security center and that license is charged by the number of IP addresses that you can scan. You're allowed to have as many scanners as you want and there's no license for the number of scanners. We have a bunch of Nessus scanners out there, and as long as we're comfortable with staying under that IP address limit, that's really all we have to be concerned about.

We pay a monthly maintenance fee, which is reoccurring.

Which other solutions did I evaluate?

We did evaluate other solutions before choosing Tenable Nessus, such as Rapid7. We chose Tenable Nessus because it was used by more customers and it seemed at the time to be more straightforward.

What other advice do I have?

Security is a complicated subject. There's a lot involved in Tenable Nessus, but the solution is easy to run and manage and we have had a lot of good success with it.

I rate Tenable Nessus a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1229910 - PeerSpot reviewer
Security Architect at a logistics company with 10,001+ employees
Real User
The vulnerability priority rating has been accurate and helps us prioritize effectively, based on risk
Pros and Cons
  • "The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing."
  • "There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product."

What is our primary use case?

We use it for internal and external vulnerability scans.

How has it helped my organization?

Instead of just looking at high, medium or low risk for vulnerabilities, and having to remediate all of them, we can remediate in a more effective manner. We have limited resources for remediation work and we want to spend our time on the most critical issues.

It helps us focus resources on the vulnerabilities that are most likely to be exploited. It gives a higher VPR number where the things are more likely to be exploited, instead of just using the pure severity rating as a way to prioritize and decide to remediate.

What is most valuable?

The most valuable feature is the breadth of vulnerabilities that it finds. It's able to find across a lot of different platforms and operating systems. It's also able to combine local testing with network-based testing.

When it comes to vulnerability prioritization, Tenable's predictive features are off to a great start. It's definitely giving us more data to help prioritize, instead of just relying on straight CVSS. The vulnerability priority rating has been accurate and is helping us prioritize effectively, based on risk or based on the likelihood of being exploited. Based on what they say, and comparing it to what we are seeing with malware exploits, their predictions are lining up with what we are seeing being exploited.

What needs improvement?

There is room for improvement in finishing the transition to the cloud. We'd like to see them keep on improving the Tenable.io product, so that we can migrate to it entirely, instead of having to keep the Tenable.sc on-prem product.

There is also room for improvement in some of the reporting and the role-based access. They have a pretty defined roadmap. They know where the gaps are, but it's a totally different product and so there's a lot of work that they have to do to get it to match.

For how long have I used the solution?

I have been using Nessus for three years at my current company. 

We monitor Windows, Linux, Mac, workstations, servers, and cloud resources.

What do I think about the stability of the solution?

It's very stable. We haven't had any issues. There has been no database corruption or anything like that. All we've had to do to the main Security Center is give it more disk space to save more data. That's it.

What do I think about the scalability of the solution?

The scalability is okay. We would definitely run into issues if we wanted to save a longer history of the data. It would be terabytes and terabytes of data. But in terms of at least keeping all the data for all the assets that we have, it's good. We're good enough with the retention. It meets our requirements.

The issues would be storage and being able to search across it. If we needed to save five years of scan history, it would be operationally difficult to use all the data that would be saved. But it's not problematic to look at the current data or trends for the past six months. Stuff like that is fine.

We're at about 20,000 hosts and it's pretty stable. I don't think we're going to do a big increase.

How are customer service and technical support?

Tenable's technical support is good, except for things that involve some of the custom development work that we've done using their API. Early on, that was problematic, but they've gotten better and released more API documentation and sample code, and that was fine.

It was nothing that was wrong with the product itself, but tech support is more designed for normal user interactions with the product, not doing development against the API. The problem with my code was because some documentation wasn't clear or there wasn't a sample for how to do this. That's where it was a little bit tougher. The normal, user function stuff was totally fine. It was really the developer-focused side.

Which solution did I use previously and why did I switch?

We were on Rapid7. We switched because of scalability and performance.

We were looking for a solution that could handle and scan our volume of assets. It wasn't working with our previous solution. Nessus has scalability. Being able to scan in time and actually being able to report on that data were things we couldn't do with our old solution.

Also, the level of visibility that Tenable provides is much better than Rapid7 because we're able to actually see all of the data that was collected and we're able to scan for vulnerabilities and config issues and pull all the data together. We were having real trouble with that before.

How was the initial setup?

The initial setup was straightforward. We were easily able to set up scan policies, asset groups, scan schedules, and start collecting data very quickly.

It wasn't complicated to define what we wanted to scan. It wasn't complicated to set up the credentialed scans, or to set up the different credentials for the different policies and different types of machines. Everything that goes into building a scan policy was straightforward and we were able to get all of our assets scanned pretty quickly. Within 45 days of buying, we had good data and had done multiple scans already with all of our assets.

Our implementation strategy was that we wanted to set up credentialed scans for all of our machines as quickly as possible. We were working towards that and trying to get the coverage in Tenable as soon as possible.

What about the implementation team?

We did it ourselves.

What was our ROI?

We are fulfilling our goals and able to deliver on the requirements that we have. It's hard for security to be a real ROI. We need to do vulnerability scanning, we need to know where the issues are and we need to be able to fix them. It is doing that.

What's my experience with pricing, setup cost, and licensing?

Our licensing is on a yearly basis but we did a three-year deal. It is a fixed cost to cover a certain number of hosts or assets. There are no additional costs to the standard licensing fees.

What other advice do I have?

Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network.

The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better.

The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that.

The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
DanielDurante - PeerSpot reviewer
Senior Manager at Clearsale
Real User
Does everything that it needs to, provides good value for money, and is very easy to use
Pros and Cons
  • "I like this solution because it is complete. It can scan and check many types of vulnerabilities. It can also check for compliance."
  • "There should be a possibility to install agents on scanned machines. Tenable IO provides the capability of using local agents to check local problems, but this feature is not there in Tenable Nessus Professional. It would be nice to have something similar in Tenable Nessus Professional. We should have the capability to use local agents installed on the machines to locally check a problem."

What is our primary use case?

I am using it for scanning and checking vulnerabilities. I am using the Azure version of Tenable Nessus.

What is most valuable?

I like this solution because it is complete. It can scan and check many types of vulnerabilities. It can also check for compliance.

It fits very well in my environment. It is very easy to use, and there is a very good cost-benefit of this solution. 

What needs improvement?

There should be a possibility to install agents on scanned machines. Tenable IO provides the capability of using local agents to check local problems, but this feature is not there in Tenable Nessus Professional. It would be nice to have something similar in Tenable Nessus Professional. We should have the capability to use local agents installed on the machines to locally check a problem.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is, for sure, scalable. We have 10 or 12 people who use this solution.

How are customer service and support?

We never have any kind of problem or lack of response. I would rate them a ten out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

It is very easy. It is pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

It has a fair cost and a very good cost-benefit ratio.

What other advice do I have?

I would recommend it to others. It does everything that such a solution needs to do. It can check for vulnerabilities and compliance. It is also very easy to use. It is better than its competitors, such as Rapid7.

I trust Tenable solutions. I worked with Tenable IO a few years ago, and with Tenable Nessus, I had the same feeling that I had with Tenable IO. It is a very good solution. It is more expensive than Tenable IO, but it is a complete solution.

I would rate it a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1541385 - PeerSpot reviewer
Cybersecurity Manager at a manufacturing company with 10,001+ employees
Real User
Excellent at identifying vulnerabilities and accessing information related to that
Pros and Cons
  • "Ease of reviewing scores, identifying vulnerabilities, and getting information on them."
  • "Scans aren't done properly and some devices aren't pinged."

What is most valuable?

The valuable feature for me is being able to ping the computers to do the automated scan and to come back and be able to see everything. That's definitely a huge plus, but then there's also the ease of reviewing the scores, identifying vulnerabilities, and getting the information on the vulnerabilities; the ability to review all that within one tool has been phenomenal. When we're reviewing those Nessus scores, the solution works well.

What needs improvement?

I think there are still some things that need to be ironed out to ensure that we can have a one-stop shop to do both ACAS, SCAP automated assessments in. We've been trying to do that and they say you can, the capability is integrated into the system. But in most instances, especially when you're dealing with some systems that are standalone or a network that we built ourselves, we find that some devices aren't pinged and the scans aren't done properly. That also comes down to the hardening of the systems where the password or the privileges weren't taken, so therefore it didn't do the scan properly.

For how long have I used the solution?

I've been using this solution for the past six or seven years. 

What do I think about the stability of the solution?

The solution is stable. We haven't run into any issues other than some passwords that don't take, but that's the way we set up the system. If it's set up properly and configured appropriately, there won't be any issues.

What do I think about the scalability of the solution?

We could definitely make the adjustment to scale it left, right, up and down, depending on what we're using it for and we haven't run into any issues on that. It's pretty flexible.

How was the initial setup?

The setup itself is pretty straightforward. Because these are standalone systems, there are some additional steps that the IT team needs to do, but they pretty much have it down to where they could install the tools pretty easily and have it running reasonably quickly. 

What other advice do I have?

I would recommend making sure that the solution meets your needs for automated scans and the SCAP. If you're looking for a one-stop shop, I think it's a great tool for that. I would recommend some form of training if you don't have experience with this kind of solution. There's a bit of a learning curve involved in terms of configuring and using Nessus. 

I rate this solution an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Tenable Nessus Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2025