Tenable Attack Surface Management Licensing

This topic breaks down the licensing process for Tenable Attack Surface Management as a standalone product. It also explains how assets are counted and describes what happens during license overages or expirations.

Tenable Attack Surface Management Versions

You can purchase standalone Tenable Attack Surface Management in two versions:

• Tenable Attack Surface Management Fortnightly Frequency

• Tenable Attack Surface Management Daily Frequency

Licensing Tenable Attack Surface Management

To use any version of Tenable Attack Surface Management, you purchase licenses based on your organizational needs and environmental details. Tenable Attack Surface Management then assigns those licenses to your assets: observable objects, which include domain names, subdomains, or IP addresses for internet-connected or internal network devices.

How Assets are Counted

All assets in all inventories are counted towards your license, except archived assets.

Reclaiming Licenses

Tenable Attack Surface Management's license count updates daily. The license count updates when you archive individual assets or remove asset sources—and it also updates when assets age out. Removed assets are only counted when restored.

Exceeding the License Limit

In Tenable Attack Surface Management, when your asset count exceeds your license limit, Tenable clearly communicates the overage as follows.

Scenario	Result
You add a source that is greater than your inventory limit.	A message appears in the Source column: “We could not add all of the subdomains for this domain because your inventory is full.”
You reach your inventory asset limit.	When you click the inventory, a message appears: “You have reached your limit of # assets. Please contact us to increase your limit.”
You reach your business limit, which is related to your licensed asset purchase.	A message appears in Tenable Attack Surface Management: “Business Asset limit reached. Please contact support to increase the Business Asset limit.”

Expired Licenses

The Tenable Attack Surface Management licenses you purchase are valid for the length of your contract. 30 days before your license expires, a warning appears in the user interface. During this renewal period, work with your Tenable representative to add or remove products or change your license count.

After your license expires, you can no longer sign in to the Tenable platform.

Guidance for Existing Customers

Tenable Attack Surface Management users who license Tenable One via the Foundation or Advanced Packaging will automatically have the ASM Tenable Vulnerability Management and Tenable Web App Scanning Integrations enabled. Tenable Attack Surface Management users who previously enabled these integrations will no longer be able to configure ingestion filters. This change was made to accommodate the new licensing model for Tenable One. For more information, see Tenable One Foundation / Advanced Licensing.

I am an existing user of Tenable Attack Surface Management. Will this change impact me?

This change will impact you if:

• You have the Tenable Vulnerability Management integration and/or the Tenable Web App Scanning integration enabled in Tenable Attack Surface Management.

• You have integration filters configured within Tenable Attack Surface Management.

This change means your filters will be removed, and all eligible Tenable Attack Surface Management assets will have corresponding assets in Tenable Vulnerability Management and Tenable Web App Scanning. These assets are licensed/managed assets. Without filters, you may notice more Tenable Attack Surface Management created assets in your Tenable Vulnerability Management interface.

Actions to Take

Consider the following options to help you adjust to the update:

Configure an Exclusion Rule

If you want to prevent specific external assets from being created in Tenable Vulnerability Management, you can configure an Exclusion Rule in Tenable Attack Surface Management to prevent the asset from being created in your ASM inventory. Exclusion rules are accessible via the configuration menu in the upper right corner of the user interface.

To configure an exclusion rule:

1. In the upper-right corner of the Tenable Attack Surface Management interface, click the button.

   A menu appears.

   

2. Click Exclusion rules.

3. Configure your exclusion rule as desired. You can configure exclusion rules for:

   • Hostnames

   • IP addresses

   • DNS record types

4. Click Save.

Configure Scanning by Tag

If you want to target Tenable Vulnerability Management scanning to the Tenable Attack Surface Management assets that matched your ingestion filter, you can reuse your ingestion filter to tag those ASM assets and configure Tenable Vulnerability Management to scan VM assets with those tags. Tags applied to Tenable Attack Surface Management assets will be automatically applied to Tenable Vulnerability Management assets.

To configure scans by tag:

1. In the upper-right corner of the Tenable Attack Surface Management interface, click the button.

   A menu appears.

   

2. Click Automation rules.

   A dialog appears.

   

3. Click Add Rule.

4. In the Choose Action Type section, select Modify Tags.

   The Add Automation Rule options appear.

   

5. Configure your automation rule as desired. Be sure to select the following options:

   1. From the If Asset matches drop-down menu, select Subscription.

   2. From the subsequent drop-down menu, select one of the following options:

      1. TVM Integration Ingestion Filter

      2. WAS Integration Ingestion Filter

6. Click Save.

7. Create a scan in Tenable Vulnerability Management based on the tag you created.