Tenable Cloud Security Quick Reference Guide: Agentless Assessment

This Quick Reference Guide provides information about using Agentless Assessment in Tenable Cloud Security.


Agentless Assessment allows you to scan and analyze short-lived cloud instances in your cloud environments. You can scan both online and offline systems with Agentless Assessment. Agentless Assessment relies on API data and volume snapshots and does not depend on data from Tenable or other cloud-vendor agents.

Agentless Assessment supports the following:

  • AWS EC2 Instances.

  • Azure Virtual Machines.

The following are the key benefits of vulnerability scanning using Agentless Assessment:

  • No need for any software installation on scan targets.

  • No impact on system resources.

  • No need for any system credentials to perform the scans. Agentless Assessment requires read-only access to your AWS EBS.

  • Live Results feature that always gives you the latest Tenable threat updates without running a new scan.

Agentless Assessment is based on Amazon EBS snapshots of your workload EC2 instances. For Azure, Agentless Assessment is based on snapshots of your virtual machines. When you trigger a cloud scan in Tenable Cloud Security, it detects your cloud resources and misconfigurations and also detects vulnerabilities in your AWS EC2 workload instances and Azure virtual machines. You can view these vulnerabilities on the Findings > Vulnerabilities page in Tenable Cloud Security and the Findings page in Tenable Vulnerability Management.

The following image shows a high-level overview of Agentless Assessment:

Note: Agentless Assessment supports only root volume scanning and scans software installed at the operating system level.

Why Agentless Assessment

Agentless Assessment makes it easier to onboard and manage cloud accounts and is best suited for cloud-native environments. Key benefits include:

  • Agentless is Region Agnostic: Agentless Assessment does not require deployment in any cloud region. It requires no SSM agents, Azure runbooks, or local commands, avoids their associated performance costs, and provides more detailed visibility into the cloud inventories.

  • Agentless Assessment is API Based: Agentless Assessment uses APIs to gather data from block storage snapshots. As a result, Agentless Assessment collects more data, allows lighter-weight cloud instances, and can automatically discover new workloads.


Use the following workflows and steps to set up and run Agentless Assessment:
