Tenable Security Center Reviews

The product is useful for vulnerability management. The Auto-Remediate feature is good. The tool enables centralized vulnerability management.

The product should provide risk-based vulnerability management. It is a popular feature. Large environments can have a lot of vulnerabilities. We need to prioritize them for remediation. So, risk-based vulnerability management is useful for large enterprises.

I have been using the solution for almost ten years.

We don't face many challenges with the product’s stability. We have two or three issues in a year.

The tool is easy to scale. Almost 1,800 users are using the tool in our organization.

The technical support is good. When we raise the issues to Tenable’s support persons, they respond well.

The initial setup was easy. One engineer is required to deploy the solution in two hours. We do not face challenges in maintaining the product.

The tool provides competitive pricing. We pay a yearly license fee. There are no additional costs associated with the tool.

We explored other products, but Tenable was more user-friendly. Tenable has better accuracy, too.

We are satisfied with the solution. Overall, I rate the product a nine out of ten.

We use it to scan both our workstations and servers for vulnerabilities. This includes vulnerabilities related to software, operating systems, and package vulnerabilities. It helps us gain an overview of our organization's security status, which in turn guides our patching strategies and decision-making. 

We use agents for scanning and authenticated logins, but we do not utilize the scanner part that performs web scanning.

We've got better insights into our vulnerabilities and weaknesses. This has led us to a better situation where we have better control. Our ability to manage the situation has improved. 

Previously, we lacked a good overview, but now we possess detailed reports. We generate these reports internally and disseminate them to other responsible teams. Now, we have made it a part of our daily workflow and it helps us monitor vulnerabilities and related matters. It aids us in pinpointing weaknesses and facilitates more effective updates. If something slips, it becomes visible.

However, this is a significant feature, although it could potentially offer even more assistance. 

The scanning part, the agent part – that's the valuable aspect. The agent and plugin components function reasonably well. But setting up scans, those tasks are working decently. 

There are some logical elements that require consideration to understand their functionality, but they perform their function. 

Certain aspects require effort. The solution's built-in reporting components are somewhat clumsy. So, this is an area of improvement. 

Therefore, we export data and integrate it with our other reporting tools - the Elastic Stack, also known as Elasticsearch. We find it more comfortable to generate reports from Elasticsearch because we're well-versed in creating those dashboards there. It's more convenient for us to extract and integrate information in the same manner.

We've been in discussions with Tenable regarding a specific enhancement. It is a concept known as VPR, which stands for Vulnerability Priority Rating. This is related to the CVSS (Common Vulnerability Scoring System) value, which rates vulnerabilities on a scale from one to ten. However, the CVSS alone doesn't accurately determine the severity of a vulnerability; it doesn't indicate how exploitable it is. The VPR takes into account additional factors, such as how widely the vulnerability is being exploited in the wild and the volume of reports from affected sites. 

And if we want to have it on our dashboard, this is something that doesn't work well for us in that sense. We cannot extract it from the Tenable system; we're restricted to using Tenable's own dashboard and reports. However, there's certainly some logic or rationale behind it. It's not directly tied to the CVSS, but rather some other factors. So, it's not a one-to-one correlation with the CVSS, although CVSS is a metric commonly employed in various other systems for assessing vulnerabilities. 

Aligning these metrics and incorporating an additional feature indicating the early harmfulness of a vulnerability is lacking. We're hopeful that the CVSS framework is undergoing changes. I've heard that version four, while not specifically linked to Tenable, is likely to introduce more meaningful values. These values won't be solely focused on severity but also on the level of exploitability. For instance, if exploiting a vulnerability requires local access and specific conditions, it might not merit a higher score like ten; it could be lower due to limited feasibility. Thus, certain developments could be anticipated in this regard. Tenable is also working on its own approach, known as CPR (Cyber Exposure Priority), but this feature is not exportable, unfortunately.

In future releases, I would like to see a feature that provides insight into the actual degree of harm associated with certain vulnerabilities. Ideally, I'd want this information to be exportable to align it with other vulnerabilities. It's possible that I might have the same CVSS value from another source, not necessarily Tenable. We're not using Tenable IO for container security, where we have a separate collection of CVs for containers. However, it's challenging to compare them directly due to the differing numbers and systems. If we could implement this VPR concept for other CVs as well, we could customize it to better suit our needs.

We've been using this solution for close to five years. We probably use the latest version.

I would rate the stability an eight out of ten. Occasionally, there are some maintenance tasks that might cause a slight uptick in activity, but we have monitoring mechanisms in place. Fortunately, it hasn't experienced any major breakdowns. 

Sometimes we encounter issues with resources, like logs populating hard drives, which require manual or semi-manual cleanup. Overall, it maintains a relatively stable performance level. I would rate it at around an eight out of ten in terms of stability.

It is hard to tell because the size of our organization is not very big. Our license covers a range of assets, from 500 to 1000 assets, which we monitor. From their perspective, this falls within a very low scale. 

So, we haven't encountered any scalability issues. Our scale is relatively small; we're not dealing with tens of thousands of assets.

The Security Center is actively scanning every day, targeting different resources with varying scanning frequencies. It operates on a daily basis, generating reports intermittently – some on a daily basis and others weekly. The usage is consistent and spans almost around the clock. 

Certain tasks are scheduled during nighttime, while others are executed during the day. Essentially, there's a continuous level of activity distributed over time to avoid creating spikes in network usage. 

We use it to its maximum potential but ensure it doesn't overly strain our network resources. There was a problem. When initially setting it up, we needed to be cautious. There's the potential to generate substantial network noise, especially if the agent and scanner tasks are simultaneously active. We had to significantly scale it down and task the settings from their defaults. Perhaps it's partly due to our network's capacity, but we encountered initial challenges in managing the traffic.

It is not super good and could do some improvements. I've had interactions with different parties, and while it's not exceptional, we were able to resolve issues with some effort. 

We encountered certain challenges. Initially, the local distributor downplayed the situation, claiming that upgrading to a new version would instantly resolve the issue. However, it wasn't that simple. It took time to resolve the matter. I had expected better support, especially since we had informed them in advance about the downgrade we were planning. I had hoped for proactive support detailing what to expect and what actions to take. Instead, we received assurances that everything would work seamlessly after the version change, which didn't prove to be accurate.

There was a miscommunication or misunderstanding in that regard. It was quite frustrating at the time.

Neutral

The initial setup is somewhere in the middle. It's not very easy. Assistance is needed, especially when dealing with version changes. For instance, when we transitioned from Tenable Plus to the regular Tenable, there were complexities in changing the licensing. It was not so easy to change. 

It might even lean a bit toward the difficult side, so I would rate my experience maybe a three out of ten, where ten is easy and one is difficult. 

We had the support of a third party. We had to use the help of our reseller and also find an engineer from Tenable. 

In certain cases, such as upgrades or downgrades, the documentation isn't always well-defined. You might encounter challenges that require external guidance. For instance, we faced a two-week period of difficulty this year due to a change we were making. It might not be an annual occurrence, but when significant changes are made, it can be far from a straightforward upgrade. Putting new versions in place doesn't guarantee seamless operation; there can be quite a bit of hassle around it.

This wasn't the initial deployment. This occurred when we were switching back from Tenable Plus to regular Tenable at the beginning of this year. It took us around two weeks to ensure that everything was properly transitioned. It's important to note that this was not a continuous two weeks; it involved time periods over the span of around two weeks. This change involved a transition to a simplified licensing structure. We opted to revert to Tenable without the Plus version, as it fulfilled our requirements and was also more cost-effective, approximately a quarter less. This process took place during that time, and it was a hassle.

Only one person was involved in the deployment. We don't have a big team.  We have a dedicated engineer who oversees this service. He took the lead in managing the deployment. He also engaged with relevant contacts internally and externally, including the local distributor and partners, but overall, it was primarily handled by this one engineer.

For maintenance, the same engineer who handled the deployment also manages the ongoing maintenance.

We purchase the solution through a local distributor, but we also directly communicate with representatives at Tenable. So, we acquire the license from their distributor, but we are direct users as well.

I would rate the pricing a nine out of ten, where ten is expensive.

The pricing might deter some companies from adopting this solution, especially in our region, which includes countries like Estonia and neighboring Eastern European nations. For us, the cost is a significant consideration, and we often face challenges when budgeting for it each year.

There's on-premise hosting, which incurs some costs, but it's not a major factor. Additionally, we have an engineer providing support, but that's a shared responsibility across multiple tasks. So, licensing is the primary cost driver, and there aren't any other major expenses.

There are positives and negatives, but despite looking at other options, we haven't found anything better suited for us. So, we continue to use it and have plans to keep using it in the near future.

I would suggest running a proof of concept to evaluate the product's suitability. Test it on a smaller scale over a period of one to two months to see how it works. 

It's essential to assess whether the solution aligns with the organization's specific needs. Our approach involves using agent-based scanning, but this varies based on individual requirements.

Be aware of the network "noise" it might produce. Default scanning intensity might be too much and you might need to alter it in order to prevent network problems (DoS yourself).

My advice would be to give it a trial run before committing. It's hard to tell if it fits without firsthand experience. Additionally, the fact that Nessus, the scanning component of the security center, has been around for decades and even had open-source iterations in the early 2000s provides some confidence in its longevity and reliability. However, for newcomers, I would recommend testing it out on a smaller scale before making a decision.

Overall, I would rate the solution a seven out of ten.

Tenable Security Center is aimed at IT environments. It can receive vulnerability information from Tenable OT and integrate it into a unified report covering both IT and OT environments.

The BPR prioritizes vulnerabilities. The ARCs and compliance reports are very helpful in complying with regulations and standards.

The valauble feature is compliance reporting system.

It does not natively support industrial protocols needed for OT environments. The reporting system is very powerful, though it could be more user-friendly for creating custom reports.

I have been using Tenable Security Center as a partner for five years.

It's very stable.

I rate the solution's stability an eight out of ten.

We cater the solution to medium and enterprise. We haven't seen issues with scalability.

I rate the solution's scalability an eight out of ten.

Deployment takes probably a couple of days. it can either be done for one person.

It requires the installation of its tools and console server, which can be either virtual or physical. You need to activate the licenses and update the tool for the latest plugins. Typical deployments may involve multiple scanners linked to the main console, depending on the customer's network. Additionally, customers might need to deploy agents which require a separate Center manager machine. While, there is a lot to set up, it can be done within a couple of days.

I rate the initial setup an eight out of ten.

It's very affordable.

Continuous monitoring is essential because new vulnerabilities are discovered every day, and even existing vulnerabilities can evolve. As new malware emerges, a vulnerability that seemed minor today might become critical tomorrow. The malware, and malicious activities are constantly changing. 

We cannot rely solely on the hardware or servers required to run Tenable Security Center because it is an on-premise solution.

It provides essential tools for vulnerability management and operates on-premises. This allows customers with requirements or audio restrictions to run Security Center on their premises. Additionally, the reporting system is highly advanced, and the compliance dashboards are extremely useful for meeting regulatory requirements. For example, banks and financial institutions prefer Security Center due to its robust reporting capabilities and on-premises operation.

I advise them to look into Tenable Security Center instead because it not only provides vulnerability management but also include other modules of Tenable, such as Tenable Identity, Tenable Cloud, etc. This allows for a single pane of view for the entire company, covering more than vulnerabilities and offering a comprehensive.

Overall, I rate the solution a nine out of ten.

Our customers use the product for scanning their network for vulnerabilities.

Tenable is the leading product for vulnerability scanning. Most of the customers use Tenable in our region. The customers are happy with the product.

People do not prefer the solution for web applications. They prefer Acunetix or Netsparker over Tenable for web applications. The solution should provide better web application features and support. It could provide some add-ons to customers.

I have been using the solution for the past six months.

I rate the tool’s stability a ten out of ten.

We have 15 to 25 customers who use the solution. I rate the tool’s scalability a nine out of ten.

The support team was helpful. Usually, we don't contact the support team because our engineers do the installation. It's not so complicated.

Positive

The initial setup is easy. We have certified engineers of the product.

Two engineers are needed to maintain the solution. The time taken for deployment depends on the prerequisites of the customers. If the customers provide all details to us at the proper time, we can deploy the solution in two to three days.

The annual licensing fee of the product is $25,000. The pricing depends upon the number of IPs. There are no additional fees associated with the solution.

I am dealing with the latest version of the solution. It's a very good product to use. Overall, I rate the product a nine out of ten.

We use Tenable.sc to conduct vulnerability scanning for our networks, and applications, and for the data protection we need in our environment. We are customers of Tenable and I'm the assistant manager of network security.

It provides us with clear visibility across our environment.

The best feature is the advanced scanning for the network.

I think the web application should be improved because it's not very functional.

We've been using this solution for almost three years. 

The solution is stable.

We haven't had the need to test scalability.

The technical support is not very good. We didn't get a good response when we contacted them. We had to go through all their documentation and get the information we needed from external sources. 

Negative

The initial setup is not difficult, it's just a matter of downloading which takes around 25 minutes and then uploading the plugins which takes several hours. I'm the only one in the company that uses this product.

The licensing costs are not expensive. I think we pay around $9,000 USD for an annual subscription. There are no additional expenses.

My recommendation is to stick with the data scanning tool and not worry about downloading the other features. 

I rate this solution nine out of 10. 

Tenable.sc customers use when they need a complete in-house vulnerability management environment. It enables you to identify the applications and infrastructure within your organization, giving you greater control over your environment. Tenable.sc isn't on the cloud. Tenable.sc is deployed on a private cloud and used when regulations prevent keeping things on a public cloud. Two of my customers are using it currently. 

I like Tenable.sc's analytics and reporting. You can also configure your on-prem network monitors to talk to your Tenable.sc control panel.

I have used Tenable.sc for two years. 

The stability depends on your environment. It is typically stable, and I have not experienced any kind of issues. 

Tenable.sc is scalable, depending on your on-prem environment and how it is configured. You can scale as far as your configuration allows. 

I get the standard support that comes with all Tenable licenses. There isn't specialized support for Tenable.sc. It's decent.

Deploying Tenable.sc is highly complex because it's an on-prem solution, whereas Tenable.io is cloud-based, so you can go live as soon as you log in. Tenable.sc involves significant integration with other on-prem solutions, and the deployment takes about two to three weeks with the help of a system integrator

You need to set up your environment, including VMs or a physical server. If you have data centers spread across multiple sites and regions, you need to deploy a specific JPS at every location so the data can pass through the gateway and be captured in the central console on a private cloud or on-prem data center.

I rate Tenable.sc seven out of 10. I typically recommend Tenable.io instead, but Tenable.sc is an option if data regulations require you to use a private cloud or on-prem infrastructure. 

The reporting vulnerability is very helpful when you link it with the people who close it with the admin and support team, giving them the criticality to find how to close each item.  And it's up to date with all the vulnerabilities on the market thanks to prompt updates from the cloud.

In the next release, we would like to see the inclusion of external IPs and simplified reporting that's easier to deal with.

We have been using this solution for about two years.

The solution has been very stable up till now. I would give it nine or 10 out of 10 for scalability

For our size, it's scalable. It covers all the bank infrastructure and all that we have.

Two or three people from the security team manage the solution, but they extract it for the IT team to take action in different areas, including infrastructure and domain support. So 10 or more people assess the reports to fix the issues.

We are happy with the support from the Tenable side. But sometimes the vendor's people move between areas too often, causing occasional shortages on technical issues inside the country. When you raise tickets, the vendor sometimes takes some time to respond, but they are always helpful. 

Positive

Previously we used Rapid7, but we switched after comparing it with the solution because it had some additional features that we needed.

Overall, the initial setup was smooth and easy. Later we had to integrate it with other solutions in the system, but it didn't take long.

We had a consultant for two weeks at the beginning but in the end, we completed it, doing most of the work ourselves and gaining valuable experience. And, of course, we had to set up our systems inside the bank and the structure of the scope of the vulnerability, so that made it about a month.

Four people were involved in the deployment, two from the vendor and two from our team.

We're happy with the licensing cost and find it affordable.

We paid for three years, mostly for the finances and sourcing, but all features are inclusive.

I would rate our licensing cost as eight on a scale of one to ten.

I would give the product an overall rating of nine out of 10.

The product is a very good solution. I would advise potential users to look at other solutions. The product is our second solution, and we are happy that it meets our requirements.

We use the solution for patch and vulnerability management. We scan our critical systems, keep track of any exploitable vulnerabilities, and prioritize their remediation efforts in terms of patching. 

In the future, we hope to extend the solution to our cloud services. We are moving to Azure Cloud and planning to start a DevOps initiative that might include container deployment. We know Tenable has the CI/CD pipeline security support so we will seek that solution when we are ready. 

The solution has a lean and easy-to-use interface that is not confusing to first-time users.

The solution should include compliance-based scanning. 

I have been using the solution for three weeks but my company has been using it for one year. 

The solution is very stable. 

The solution is scalable and we are happy with the way it is operating. 

We currently have forty users and a team of four for maintenance. 

Technical support has been excellent and provides a lot of support when needed. 

The company was using OpenVAS, an open-source solution that is miles apart from Tenable. 

At a previous job, I used Rapid7 which compares strongly to Tenable. 

I did not handle the initial setup but know from previous implementations that setting up a vulnerability management solution can be somewhat complex because it involves loading assets, configuring the network, and authenticating.

The ROI is almost guaranteed because there is a lot of value in using the product and reporting that to our company. 

The price is reasonable based on our scope of work and how we use the solution. 

The rule is always garbage in, garbage out. Be sure to configure the solution well and take advantage of technical support to understand how things should work. Mistakes are made when people assume they know how to do things. I believe in using technical support to confirm the process and ensure everything is done correctly. 

I rate the solution a ten out of ten. 

I primarily use Tenable SC for vulnerability management i.e. to detect vulnerabilities in servers, workstations, and some IoT, produce, prioritize, and validate a mitigation strategy, and keep the mitigation on track so the CISO can detect changes in the posture. 

Tenable SC's most valuable features are the low number of false positives and the strong capability of providing prioritization for the vulnerabilities detected.

Tenable SC could be improved with additional connectivity to external company postures and the capability of managing and sustaining agents in the systems directly without additional platforms in the middle.

I've been working with Tenable SC for seven years. 

In seven years, we haven't had any problems with Tenable SC's stability. Sometimes a specific update doesn't feed exactly as expected, but the problem is always covered quickly by Tenable, and with a stable version, it's very, very stable.

Tenable SC's system can be multiplied by different installations and have on-top management and a single pane of glass. So it can scale with only one system - almost to half a million assets. And with multiple systems, we can have more than a million assets without problems.

Tenable's American technical support is excellent, though the European version is not quite as good as it takes longer to provide the right information.

Positive

The initial setup is very, very easy, even with the on-prem version, and depending on the customer's size and the complexity of the infrastructure, it can be done in one day.

Tenable SC can cut manpower costs on manual scans and analysis by more than half within one or two years.

Tenable SC is priced per asset, with the basic solution starting around US$12,000 for 500 assets. There's an additional cost for advanced support.

Tenable SC is suitable for medium and large companies, but it's not feasible for small ones. If you're in the US, I advise buying services from Tenable to implement the system instead of trying to implement it yourself. There are always some tricks that come with knowledge of the product that will make for a faster and better installation. Similarly, if you're in EMEA or Asia, please choose a good integrator. I would give Tenable SC a rating of nine out of ten.

I am using Tenable SC to detect vulnerabilities, and we are in the process of testing the solution.

The most valuable features of Tenable SC are the reports and the dashboards.

Tenable SC could improve by making the creation of the initial reports easier that correspond to our network.

I have been using Tenable SC for three months.

The stability of the solution is good. We have not had any problem.

We use the solution approximately 20 hours per week. We have three people that use the solution to do tests.

I have not used the support from Tenable SC.

I have used Nessus Professional previously. I prefer Tenable SC because it provides more information.

The setup of Tenable SC is easy.

We have a consultant in France that has helped us with the solution.

The price of Tenable SC is expensive, we pay approximately €70,000 for the license annually. We have to pay for each IP test. The cost of other solutions is far less, such as Nessus Professional, which is €3,000 annually.

This is a good solution for what I use it for. I would recommend it to others.

I rate Tenable SC a seven out of ten.