The Cadillac of Vulnerability Management
Updated January 21, 2020


Randy Munroe | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Overall Satisfaction with Tenable.io

We're using Tenable.io across all IT-controlled infrastructure assets to find and patch vulnerabilities. It allows us to find outdated, unsupported, and unpatched software no matter the OS or its location (cloud or on-premises). Once found, it also generally has very easy-to-follow instructions on remediating the vulnerabilities found.
  • Scans using on-site and cloud scanners, giving you visibility from different angles.
  • The best in the business when it comes to plugin accuracy and coverage.
  • Expensive: you do pay a slight premium for the best product in the space.
  • Asset management is difficult to work with if you have a lot of asset turnover; the license can be "held" for 3-6 months after the asset is gone from your environment.
  • We're able to mitigate over 90% of our vulnerability risk without too much effort. It helps find where automated patching fails and we can plan a fix from the findings.
  • A side effect of our scanning reveals new devices on our network that aren't cleared to be.
Tenable.io was a clear winner in regards to features and capability when compared to OpenVAS, Qualys, and Nexpose. OpenVAS is a fork of an older version of the Nessus scanner (from Tenable) and has been updated over the years into a great free alternative. It takes a lot more manual work than most people are probably ready to commit to, and it doesn't have linked cloud scanners for AWS/Azure/GCP. Qualys and Nexpose I've only used intermittently in testing, and they seemed capable, but Tenable.io was the only solution I actually trusted with my organization's reputation.
Support is usually really great at walking you through any steps you need to take when you get stuck on something. There are a few false positives and errors that have come up over the years that required their help to get through. Unfortunately, the steps required to diagnose some problems are more tedious than I think should be necessary. (i.e., SQL instances can throw errors that clog up your logs because one plugin affects them in a certain way. The process to diagnose this is to watch the timestamps of plugins in a log while monitoring the SQL logs at the same time and using your best guess as to what is causing it.)
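The diagnosis described above (lining up plugin timestamps in the scanner log against the database's error log by hand) can be automated by interval overlap: record when each plugin started and ended against a target, then attribute every database error to whichever plugin was running at that instant. This is an added example, not part of the review and not Tenable's code. The scanner and database log formats, the plugin numbers, and the target addresses are all constructed for the example, and both logs are assumed to be in UTC.

```python
"""Attribute database error-log entries to the scanner plugin running at the time.

Added example: correlates a scanner's per-plugin start/end events with
timestamped database error lines by interval overlap, instead of eyeballing
two log windows side by side. The log formats below are constructed for the
example; they are not Tenable's or any database's actual log format.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed scanner log: one line per plugin start/end event.
# Plugin numbers and the target address are placeholders, not real IDs.
SCANNER_LOG = """\
2020-01-21T10:00:00Z target=10.0.0.5 plugin=100 event=start
2020-01-21T10:00:04Z target=10.0.0.5 plugin=100 event=end
2020-01-21T10:00:04Z target=10.0.0.5 plugin=200 event=start
2020-01-21T10:00:09Z target=10.0.0.5 plugin=200 event=end
2020-01-21T10:00:09Z target=10.0.0.5 plugin=300 event=start
2020-01-21T10:00:12Z target=10.0.0.5 plugin=300 event=end
2020-01-21T10:00:12Z target=10.0.0.5 plugin=400 event=start
"""

# Constructed database error log (assumed to be in UTC like the scanner log).
DB_LOG = """\
2020-01-21 09:59:30.000 ERROR connection reset by peer during login
2020-01-21 10:00:05.310 ERROR connection closed by client before login completed
2020-01-21 10:00:06.900 ERROR connection closed by client before login completed
2020-01-21 10:00:10.500 ERROR malformed login packet from 10.0.0.9
2020-01-21 10:00:20.000 ERROR malformed login packet from 10.0.0.9
"""


def parse_kv(fields):
    """Turn ['target=10.0.0.5', 'plugin=100', ...] into a dict."""
    return dict(f.split("=", 1) for f in fields)


def parse_scanner_log(text):
    """Return a list of (plugin, target, start, end) intervals.

    A plugin that has started but not ended gets end=None (still running),
    which matters when the scan is in progress while you are diagnosing.
    """
    open_runs = {}
    intervals = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        kv = parse_kv(fields)
        key = (kv["plugin"], kv["target"])
        if kv["event"] == "start":
            open_runs[key] = ts
        elif kv["event"] == "end" and key in open_runs:
            intervals.append((key[0], key[1], open_runs.pop(key), ts))
    for (plugin, target), start in open_runs.items():
        intervals.append((plugin, target, start, None))
    return intervals


def parse_db_log(text):
    """Return a list of (timestamp, message) from the database log."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, message = line.split(" ", 2)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
        entries.append((ts, message))
    return entries


def attribute_errors(intervals, errors, skew=timedelta(seconds=1)):
    """Count, per plugin, the database errors logged while it was running.

    `skew` widens each interval on both sides to absorb clock drift between
    the scanner and the database host. Errors with no candidate plugin are
    counted under "unattributed"; if several plugins overlap one error, each
    gets a count, because the logs alone cannot choose between them.
    """
    counts = Counter()
    for ts, _message in errors:
        matched = False
        for plugin, _target, start, end in intervals:
            lo = start - skew
            hi = None if end is None else end + skew
            if ts >= lo and (hi is None or ts <= hi):
                counts[plugin] += 1
                matched = True
        if not matched:
            counts["unattributed"] += 1
    return counts


def suspects(scanner_text=SCANNER_LOG, db_text=DB_LOG):
    """Plugins ranked by how many database errors coincided with them."""
    counts = attribute_errors(parse_scanner_log(scanner_text), parse_db_log(db_text))
    return counts.most_common()


if __name__ == "__main__":
    for plugin, n in suspects():
        print(f"{plugin}: {n} error(s)")
```

On the constructed sample the ranking points at plugin 200 (two errors during its window), with one error each for 300 and the still-running 400, and one error from before the scan began left unattributed. The one-second skew allowance is the tunable part: set it from the real clock offset between the two hosts, because an allowance that is too wide makes adjacent plugins share the blame and one that is too narrow drops errors into "unattributed".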

Do you think Tenable.io delivers good value for the price?

Yes

Are you happy with Tenable.io's feature set?

Yes

Did Tenable.io live up to sales and marketing promises?

Yes

Did implementation of Tenable.io go as expected?

Yes

Would you buy Tenable.io again?

Yes

Tenable.io works in almost any scenario imaginable. It can scan your cloud environments with pre-configured AWS/Azure scanners. It can give you an external view of your infrastructure, or scan internally. There are also agents you can deploy for assets on a network you don't have access to scan over. I imagine that per-asset licensing would be prohibitive for extremely large environments when you could do a Nessus Professional or Security Center deployment instead, but I haven't researched those options much since we're at 800 assets total.