President and Sr CISO Consultant at Micro Strategies
MSP
Provides me with executive-friendly reporting for my clients
Pros and Cons
  • "Nessus is good at finding out what nodes you have in place. It will then provide you a report, by node, of what the vulnerabilities are. It does it quickly and stealthily."
  • "It also has an executive report where you don't have to provide the client all the detail for them to sift through. But if they wish to dig through the detail they can."
  • "One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that."

What is our primary use case?

I use it for performing vulnerability scans for both my environment and for clients. I provide fractional CISO consulting services. As such, I will perform a vulnerability scan on an environment before I say "yes."

Everybody has to have a vulnerability scan. You should do them periodically which, to me, is monthly. It's just good practice to perform that scan monthly and whenever there's a major change, to make sure that you don't have any open environment. 

I monitor web servers, database servers, app servers, desktops; everything you'd find on a network, besides switches and routers. I don't have that, but I monitor any Windows- and Linux-based nodes.

How has it helped my organization?

I went to a client's site and I ran the report. They had a number of fives, fours, and threes. With that information, we were able to remediate the fives, fours, and threes down to a couple of threes.

It also helps to prioritize based on risk. If it provides a notification that you have an older operating system out there, for example, obviously you would have that as a higher risk and wish to remediate that above any and all other risks. It details what the risk is and what you should do about it.

The solution helps to limit cyber exposure. By running it on a monthly basis, you tighten the window of opportunity for any nefarious individual to get into your environment. Industry standards say that you have to do it quarterly or yearly and I do it monthly, so I think I'm in a better position to secure the environment.

The solution reduces the number of critical and high vulnerabilities which need to be patched first. In terms of a percentage reduction, it's more of a detective control, along with the preventative control. I can't give you a percentage. It reduces the risks by providing the information that you can react to, quicker than finding out that you've been breached.

What is most valuable?

Nessus is good at finding out what nodes you have in place. It will then provide you a report, by node, of what the vulnerabilities are. It does it quickly and stealthily.

It also has an executive report where you don't have to provide the client all the detail for them to sift through. But if they wish to dig through the detail they can.

The predictive prioritization features are spot-on. I enjoy how it actually gives me a prioritization that I can address and it associates it with a known vulnerability. I like that.

What needs improvement?

One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that. Or, if they change the product itself for you to add comments of remediation efforts and allow you to sort on that and report on it, that would be helpful. Most of us would rather not have that information out in the cloud. We'd rather have it in-house. It would be better if you could provide it in an Excel spreadsheet for us to work with.

Buyer's Guide
Tenable Nessus
April 2025
Learn what your peers think about Tenable Nessus. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
851,823 professionals have used our research since 2012.

For how long have I used the solution?

I've been using it for four years.

What do I think about the stability of the solution?

It's very stable. It hasn't aggravated my environment, so I'm happy with that. It's up and running. It runs all the time.

What do I think about the scalability of the solution?

Scaling is easy because it goes out and examines the network and identifies all the nodes that are out there. You don't have to worry about scalability, per se. It's just another node that it adds to the list, so it's easy.

It's being used for under 500 nodes. I would like to increase it if possible, but I have no plans to do so.

Which solution did I use previously and why did I switch?

Before Nessus, I used Qualys. I switched because the reporting in Nessus is better. The reporting in Nessus is more executive-friendly. When giving information to clients, I don't need to repackage it. It is fine the way it is.

The level of visibility Nessus provides, compared to a solution like Qualys, from an executive standpoint, is better. From a technical standpoint, it does not provide you that documentation capability that I would like. Having said that, from my standpoint, for my client base, the executive reporting is better.

How was the initial setup?

The initial setup was straightforward. It was easy-peasy. I just said, "Run," and it set it up. After that, it was a matter of putting in my company's information and setting up a scan. It wasn't hard at all. It was very intuitive, very easy.

It took about half an hour.

All I had to do was download the software, install it, and run it. That was it.

What other advice do I have?

If you're going to employ this product, it's the better one for smaller to medium businesses because of the executive documentation. I would not try to sell it as a technical tool for a technical group. As a consultant it would be best for you to run it and manage it for clients. With that, you're a one-stop shop for them. I would remind clients that most auditing requirements state that you need a third-party individual to do an assessment of your environment. As a consultant you would do that for them. Keep it in-house. I wouldn't sell it.

The priority rating is an industry-standard rating, so it's not like it pulls it out of a hat. It's a known rating, so that's good.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2295975 - PeerSpot reviewer
Senior cybersecurity engineer at an aerospace/defense firm with 5,001-10,000 employees
Real User
Top 5
A scalable and mature solution that has excellent features and provides visibility into vulnerabilities in the environment
Pros and Cons
  • "It is a mature tool."
  • "The product must be more comprehensive."

What is our primary use case?

The solution is used to check vulnerabilities.

What is most valuable?

The product has good features. It gives us a view of the vulnerabilities like open ports and different issues with software. It is a mature tool.

What needs improvement?

The product must be more comprehensive. It must catch all the issues.

For how long have I used the solution?

I have been using the solution for a few years.

What do I think about the stability of the solution?

I rate the tool’s stability a nine out of ten. The stability could be improved.

What do I think about the scalability of the solution?

The tool is scalable. We have three users. We need a team to maintain the product.

What about the implementation team?

The deployment can be done in-house.

What other advice do I have?

I recommend the solution to others. I rate the solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Olajide Olusegun - PeerSpot reviewer
Network Team Lead at Atlas Security
MSP
Top 5 Leaderboard
Easy to deploy, stable, and scalable solution for vulnerability scans and assessments but can be very slow
Pros and Cons
  • "The most valuable feature is the installation of Tenable which is incredibly easy."
  • "The accuracy of the vulnerability assessment is not up to par yet, as false alarms and false positives occur often."

What is our primary use case?

We use Tenable to scan all the workstations in our government environment for vulnerabilities and outdated software. The Tenable agents installed on the PCs enable us to detect any potential security risks or applications that are not up-to-date, malicious, or suspicious. This helps us ensure that all the PCs are secure and are in good posture.

What is most valuable?

The most valuable feature is the installation of Tenable which is incredibly easy. Even those without extensive technical knowledge can do it. All we need is the license and a few clicks through the installation process which is simple. Once the program is installed on all PCs and servers, we're good to go!

What needs improvement?

The solution can be annoyingly slow.

The pricing is a bit high. 

We would like to see the inclusion of penetration testing capabilities if possible.

Tenable has been mostly used in the on-premise environment, so it would be great if they could improve the transition to the cloud.

The accuracy of the vulnerability assessment needs improvement as false alarms and false positives occur often. Applications are often flagged as critical when they are actually benign. To improve user experience, there needs to be an upgrade in the accuracy of the results and a more user-friendly interface.

Sometimes it can be difficult to adjust the policies when the solution has been previously installed. Making changes to policies requires navigating multiple steps. This process can be time-consuming and potentially confusing. Expert knowledge may be necessary in certain cases.

For how long have I used the solution?

I have been using the solution for four years.

What do I think about the stability of the solution?

There has been an improvement over the years and the solution is now extremely stable.

What do I think about the scalability of the solution?

We can easily scale up our license to support more devices. By increasing our license, we can add more workstations.

How are customer service and support?

The technical support is outstanding. We encountered some difficulties during our initial deployment, yet they persisted in helping us all day long. Their support team is very competent.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. 

The deployment took us two days to install the SoC on all 100 of our workstations.

What's my experience with pricing, setup cost, and licensing?

The solution is expensive. We lost bids to competing companies due to the pricing; there are cheaper alternatives to Tenable such as Rapid7 InsightVM.

What other advice do I have?

I give the solution an eight out of ten.

We have 100 workstations that all use the solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2002593 - PeerSpot reviewer
Security Compliance Officer at a tech services company with 51-200 employees
Real User
Easy to use, and provides good visibility, but the user interface could be improved
Pros and Cons
  • "The most valuable aspect of this solution is that you receive the entire report, which details the breakdown, especially in terms of critical, high, low, and mediums."
  • "To be honest, I haven't used it much to tell you that these are the things that should be improved. But I believe the UI should be enhanced somewhat. For example, there are two ways to find a report, and people are frequently confused as to which is the correct method for locating a full report. Sometimes they go in the opposite direction, so this is an area that may be improved."

What is our primary use case?

Every month, I had this Windows Gold image scan. I would obtain some IP addresses, create some rules, and then run them. 

Then there were the automatic automated jobs that I and my colleagues would arrange to execute. 

They would run at night so they wouldn't interrupt the systems. 

Enter some IP addresses for workstations and servers. Some were in a highly secure zone, while others were in a separate subnet. We enter those IP addresses in and run them, scheduling them to run biweekly or weekly.

What is most valuable?

The most valuable aspect of this solution is that you receive the entire report, which details the breakdown, especially in terms of critical, high, low, and mediums. It also informs you exactly what was wrong with it. Then I believe it copies the CVSS score as well.

What needs improvement?

To be honest, I haven't used it much to tell you that these are the things that should be improved. But I believe the UI should be enhanced somewhat.

For example, there are two ways to find a report, and people are frequently confused as to which is the correct method for locating a full report. Sometimes they go in the opposite direction, so this is an area that may be improved.

For how long have I used the solution?

I have been using Tenable Nessus for quite some time.

What do I think about the stability of the solution?

Tenable Nessus is pretty stable.

What do I think about the scalability of the solution?

Tenable Nessus is a scalable product.

How are customer service and support?

I did not deal with technical support at all.

Which solution did I use previously and why did I switch?

I used Nessus from JSON for a Gold image and vulnerability scans in my previous role.

I'm also seeking the same type of tenant for internal vulnerability scans like Qualys. 

We now use Qualys, but we haven't fully utilized its features, but I'm searching for something specialized for our internal vulnerability scan program.

How was the initial setup?

I did not set it up myself, to begin with.

What other advice do I have?

It is a good tool. It's not difficult to understand. It shouldn't be an issue as long as you know what you're doing.

I would rate Tenable Nessus a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
RallisFarfarakis - PeerSpot reviewer
Principal Security Architect at a tech vendor with 10,001+ employees
Real User
Is easy to use and configure, and has a lot of plugins
Pros and Cons
  • "The ease of use is the primary valuable feature. This specific version is very straightforward. I like the ability to modify it and configure it based on the different policies."
  • "Multiple user access would be an area for improvement from a user-access perspective. A role-based access control feature would be great because at present, there is a limitation with only one account. If that account gets compromised or gets locked, then we will encounter problems."

What is our primary use case?

We use it predominantly for vulnerability scanning and compliance scanning as part of the vulnerability and compliance protocols in one of our programs.

What is most valuable?

The ease of use is the primary valuable feature. This specific version is very straightforward. I like the ability to modify it and configure it based on the different policies.

I also like the number of plugins. It has quite a lot of plugins that keep it up to date with the different vulnerabilities coming out.

What needs improvement?

Multiple user access would be an area for improvement from a user-access perspective. A role-based access control feature would be great because at present, there is a limitation with only one account. If that account gets compromised or gets locked, then we will encounter problems.

It would be good to have a way to store filters from searches so that you don't have to recreate them from scratch every time. To be able to have them saved as a list of filters would be really useful.

It would be really useful to have a way to assess the risk of a specific vulnerability based on a number of factors which could be tailored. It could be a tailored set of factors you introduce to see a potential risk score or a different view of the CVSS score.

A lot of organizations do this manually, and some of them have some other ways of identifying or assessing the risk of vulnerabilities. It would be really useful to have a framework which allows you to create a way to assess the risk of vulnerabilities on the platform and potentially prioritize them or provide information as a report to management or to other teams for resolution.

It would be really nice to have a way to visualize the different results from the scans. For example, if you scan a Windows 2016 Server and you have a number of vulnerabilities, it would be nice to somehow show the vulnerabilities in a graphical format and potentially combine some of the outcomes into a graphical representation showing trending. Trending is quite important, especially when I speak to my senior management stakeholders and try to show the security posture and status. It would help to provide a long and wide view of where the vulnerabilities are and what kind of aging is present.

For how long have I used the solution?

I've used it for three and a half years.

What do I think about the stability of the solution?

Nessus Manager is very stable; I haven't had any problems. I'd give the stability of the product a five out of five.

What do I think about the scalability of the solution?

The product itself is not scalable by design. It is a single-user product, so it doesn't allow you to have multiple users at the same time. You have only one account. The type of product that we're using is not really meant for huge enterprises, and it's a bit more limited in terms of usage.

At present, I use the personal version for the account I'm looking after, but we probably have less than five people using this platform.

How was the initial setup?

The initial setup was easy.

What about the implementation team?

We implemented it ourselves. The deployment was done by one engineer, and it did not take too long.

What was our ROI?

The project in which I have been using it, it has been great because we satisfy a very crucial requirement. We have brought around vulnerability management, so it's really good ROI for what we have.

What's my experience with pricing, setup cost, and licensing?

Nessus Manager is not an expensive product. It has its limitations, but the pricing reflects that.

We have a yearly subscription.

What other advice do I have?

I would recommend Nessus Manager and rate it at eight on a scale from one to ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Expert at a security firm with 11-50 employees
Real User
Easy to install, reliable, helpful support, and has a good assessment tool
Pros and Cons
  • "Tenable Nessus is one of the best vulnerability assessment tools that I know."
  • "They need more flexible pricing."

What is our primary use case?

We use this solution for information gathering and as an assessment tool.

What is most valuable?

Tenable Nessus is one of the best vulnerability assessment tools that I know.

What needs improvement?

The price could be improved. They need more flexible pricing.

If they had a very creative idea, maybe they could add a special feature. Even extending functions, or exploring new areas. If they were able to integrate it with the existing solution, that would be fine.

I would like to see more integrations, more ideas or services, and functions offered.

It's about wider functionality and not a question of integration. It's more a question of creativity. If they have other ideas such as what could be added to the vulnerability management.

For how long have I used the solution?

I have been using Tenable Nessus for five years.

What do I think about the stability of the solution?

Tenable Nessus is a stable product.

What do I think about the scalability of the solution?

It's a scalable solution.

Nessus we either use Nessus for projects for ourselves in many situations, and they also deliver Nessus as a solution for at least five clients. We also have approximately 10 users in our organization.

How are customer service and technical support?

My experience with technical support is very positive.

How was the initial setup?

The installation was easy.

It took approximately six hours to install and deploy.

We need two for the deployment and maintenance; we have two or three people.

What's my experience with pricing, setup cost, and licensing?

In general, it is extremely expensive. If they have a higher price, that's fine, but if there were one or two solutions where you can buy something for a cheaper price then that would make sense for many users.

I understand why it's expensive, but it would be good to have a limited solution with cheaper prices.

There are different solutions for purchasing Nessus, which is not possible with Datadog.

What other advice do I have?

I would recommend this solution to others.

I would rate Tenable Nessus a nine out of ten because it has many dimensions.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior Manager at a security firm with 201-500 employees
Real User
Quickly scans and detects new vulnerabilities
Pros and Cons
  • "Tenable Nessus is cheap and flexible."
  • "The professional version is not very scalable."

What is our primary use case?

We use Tenable Nessus to provide service to our bank.

I use it to provide our main service related to our big management.

Other than providing information security to our clients, it is our information security provider, service provider — we manage it. Using Nessus, we are able to scan and locate any potential vulnerabilities that our clients may have and point them out to them.

I am not sure how many users we have using this solution, but we have more than 100,000 assets distributed between roughly 40 clients.

What is most valuable?

Tenable Nessus is cheap and flexible.

What needs improvement?

Currently, they don't have all of the features that I am looking for. I am looking for a technology that installs agents into the machines to perform complicated scanning. That's a good feature that I'm looking for.

Our issues are not all due to Tenable Nessus; we have more than one console that we administrate.

For how long have I used the solution?

I have been using this solution for 10 to 15 years.

I use this solution on a regular basis at my current company. I used it at my previous company as well.

What do I think about the stability of the solution?

This solution is quite stable.

What do I think about the scalability of the solution?

The professional version is not very scalable. It's not really scalable considering the number of assets and clients that I have.

Many of our clients would like to switch to a better solution.

How are customer service and technical support?

The technical support is great. We have called them a few times and they have always helped us.

How was the initial setup?

The initial setup was pretty straightforward. Within a week we had set up all of the infrastructure and were ready to deploy.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
CEO at Screenit Labs Pvt Ltd
Real User
Easy to set up, and allows you to migrate applications safely to the cloud
Pros and Cons
  • "We have done code scanning for a long period because as a company, we do DevOps as part of our development life cycle."
  • "We would like to have the option of using the solution for the cloud as well as on-premises with the same license at the same time. That would be very helpful."

What is our primary use case?

We are a company that provides cloud migration services. We help companies to migrate to the public cloud. When our customers want to migrate applications, they're worried about the security aspect in the cloud. So we are trying to see how the application security that is on-premises can be migrated to the cloud.

We don't have any particular solution, we are working with a few options. The customer selects what best suits their needs. If we have a program, we work with that.

It's not specific to what we are working with.

What is most valuable?

We have done code scanning for a long period because as a company, we do DevOps as part of our development life cycle. We like scanning the ports and security as well as application-level security.

What needs improvement?

Some of our customers are operating on the cloud as well as on-premises.

We would like to have the option of using the solution for the cloud as well as on-premises with the same license at the same time. That would be very helpful.

For how long have I used the solution?

We have used this solution for three or four projects in the last two years.

We are always working with the latest version.

What do I think about the stability of the solution?

The stability varies on the version that you are using. 

We have not had any problems with stability with what we are using. It's been stable and we have never been faced with any stability issues.

What do I think about the scalability of the solution?

We have used this for an enterprise cloud application, which is much smaller with hundreds of users. It's pretty scalable. We have not had any challenges so far. 

I don't know the limits of scalability because we haven't trialed it fully. But for the enterprise application that we use, we didn't find any issue with scalability.

How are customer service and technical support?

We have contacted technical support once or twice when we have had issues with respect to some plugin-related clarification.

There are times where the solution doesn't work out of the box, and we have to install some plugins. We needed some assistance with this.

They are good, but the response resolution takes a bit of time. I would say that it's still within an acceptable response time. Within a few hours, they will get back to you with a solution.

How was the initial setup?

The initial setup is pretty easy.

When we use the scales we find it to be easy.

In our experience, a complete deployment and start-up takes only a few hours.

What other advice do I have?

In some cases, we deploy on-premises because the customer is still evaluating the readiness to go to the cloud. 

A few of our customers are already on the cloud, and others are migrating. We have deployed on both models.

With my experience, I would definitely recommend it. This is the only tool we have used recently.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
PeerSpot user