Use Tenable Hexa AI via MCP Server

Required User Role: Scan Operator, Standard User, Scan Manager, Administrator, or Custom Role with appropriate privileges

Important! To use Tenable Hexa AI, you must have a Tenable One Foundation or Tenable One Advanced license. For more information, see Tenable One Foundation / Tenable One Advanced Licensing in the Tenable Licensing Quick Reference Guide.

Note: You must have valid Tenable Vulnerability Management API keys to perform these steps.

The Tenable Hexa AI MCP Server is a Tenable-hosted interface that exposes 90 structured tools from Tenable's Exposure Data Fabric to any MCP-compatible AI client. It acts as a secure, universal adapter between your preferred Large Language Model and Tenable's exposure management platform — transforming exposure intelligence into coordinated action to reduce cyber risk.

With the MCP server, you can connect AI clients such as Claude Desktop, Claude Code, or Cursor directly to your Tenable environment. Your AI assistant can then discover and invoke Tenable tools to search assets, investigate vulnerabilities, create dashboards, tag assets, launch scans, and build custom workflows — all using your actual exposure data.

The MCP server enables you to bring your own LLM while leveraging Tenable's ground truth: structured tools backed by twenty years of vulnerability research and exposure context from over 40,000 customer environments. Your choice of model, our ground truth.

Important: The MCP server does not include its own LLM. You provide the AI client; Tenable provides the tools and data.

Tip: Review the Tenable Hexa AI Prompt Cookbook for more information on how to get started with Tenable Hexa AI prompting!

Prerequisites

Before you connect to the Tenable Hexa AI MCP Server, ensure you have the following:

A Tenable One account with API key access.
Tenable Vulnerability Management API Keys (Access Key and Secret Key).

Tip: To generate or retrieve your API keys, navigate to Settings > My Account > API Keys. See Generate API Keys for more information.
An MCP-compatible AI client, such as:
- Claude Desktop
- Claude Code
- Cursor
- Any client that supports the Model Context Protocol over HTTP

Important: To use Tenable Hexa AI, an administrator must enable the feature for your user account. For more information, see Custom Roles and Custom Role Privilege Application. Additionally, administrators can configure Tenable Hexa AI settings on the Tenable Hexa AI Settings page.

Note: You do not need to install local software or set up a server. Tenable fully hosts the MCP server.

Connect to the MCP Server

The Tenable Hexa AI MCP Server is available as an HTTP MCP endpoint. To connect, configure your MCP client with the server URL and your Tenable API credentials.

Server URL: https://cloud.tenable.com/mcp/
Authentication: All requests are authenticated using the X-ApiKeys HTTP header with your Tenable Vulnerability Management Access Key and Secret Key:

X-ApiKeys: accessKey=<YOUR_ACCESS_KEY>;secretKey=<YOUR_SECRET_KEY>

Claude Desktop

Claude Desktop connects to remote MCP servers using the mcp-remote npm package as a local stdio-to-HTTP bridge.

Prerequisites

You must have Node.js installed:

macOS: brew install node
Windows: nodejs.org installer

To add the Tenable Hexa AI MCP server to Claude Desktop:

Open your Claude Desktop configuration file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json

Add the following entry to the mcpServers section:

Copy

{
  "mcpServers": {
    "tenable": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://cloud.tenable.com/mcp/",
        "--header",
        "X-ApiKeys: accessKey=<YOUR_ACCESS_KEY>;secretKey=<YOUR_SECRET_KEY>"
      ]
    }
  }
}

Replace <YOUR_ACCESS_KEY> and <YOUR_SECRET_KEY> with your Tenable One API keys.

Restart Claude Desktop (Cmd+Q on macOS or Quit from system tray on Windows — closing the window is not enough).

Claude Desktop discovers the available Tenable tools automatically. You can verify the connection by asking Claude to list your scans or search for assets.

Note: The first launch may take approximately 30 seconds while npx downloads mcp-remote.

Troubleshooting:

If the connector does not appear on the Settings > Connectors page, ensure you fully quit and relaunched Claude Desktop. Check logs at:

macOS: ~/Library/Logs/Claude/mcp-server-tenable.log
Windows: %APPDATA%\Claude\logs\mcp-server-tenable.log

Claude Code

To add the Tenable Hexa AI MCP server to Claude Code:

In your terminal, run the following command. Replace <YOUR_ACCESS_KEY> and <YOUR_SECRET_KEY> with your Tenable One API keys:
Copy
```
claude mcp add 
    --transport http tenable https://cloud.tenable.com/mcp 
    --header "X-ApiKeys: accessKey=<YOUR_ACCESS_KEY>;secretKey=<YOUR_SECRET_KEY>"
```
Claude Code discovers the available Tenable tools automatically on the next session.

Cursor

To add the Tenable Hexa AI MCP server to Cursor:

Open your Cursor Settings:
- macOS: Cmd+
- Windows: Ctrl+,
Navigate to MCP Servers > Add Server.
Configure the following settings. Replace <YOUR_ACCESS_KEY> and <YOUR_SECRET_KEY> with your Tenable One API keys::
- Transport: HTTP
- URL: https://cloud.tenable.com/mcp/
- Headers: X-ApiKeys: accessKey=<YOUR_ACCESS_KEY>;secretKey=<YOUR_SECRET_KEY>

VS Code / GitHub Copilot

GitHub Copilot in VS Code supports MCP servers via the chat agent mode.

To add the Tenable Hexa AI MCP server to VS Code / GitHub Copilot:

Open your VS Code User Settings (JSON):
- macOS: Cmd+Shift+P
- Windows: Ctrl+Shift+P,
and select Preferences: Open User Settings (JSON).

Add the following to your settings.json. Replace <YOUR_ACCESS_KEY> and <YOUR_SECRET_KEY> with your Tenable One API keys:

Copy

{
  "mcp": {
    "servers": {
      "tenable": {
        "type": "http",
        "url": "https://cloud.tenable.com/mcp/",
        "headers": {
          "X-ApiKeys": "accessKey=<YOUR_ACCESS_KEY>;secretKey=<YOUR_SECRET_KEY>"
        }
      }
    }
  }
}

Alternatively, create or edit an .vscode/mcp.json file in your workspace root:

Copy

{
  "servers": {
    "tenable": {
      "type": "http",
      "url": "https://cloud.tenable.com/mcp/",
      "headers": {
        "X-ApiKeys": "${input:tenableApiKeys}"
      }
    }
  },
  "inputs": [
    {
      "id": "tenableApiKeys",
      "type": "promptString",
      "description": "Tenable API Keys (format: accessKey=...;secretKey=...)",
      "password": true
    }
  ]
}

Tip: The .vscode/mcp.json approach uses VS Code input variables to prompt for credentials at runtime, avoiding hardcoded secrets. Add .vscode/mcp.json to your .gitignore if you prefer not to share the configuration.

To use the tools, open the Copilot chat panel (Ctrl+Shift+I / Cmd+Shift+I), switch to Agent mode, and ask Copilot to interact with Tenable. For example: "List my recent scans in Tenable."

Note: Ensure you are running VS Code 1.99 or later and have the GitHub Copilot extension installed. MCP support requires Agent mode — it is not available in inline or edit mode.

Other MCP Clients

Note: The specific configuration method varies by client. Refer to your MCP client's documentation for specific details on adding HTTP MCP servers.

To add any other MCP-compatible client that supports HTTP transport:

Add a new MCP server with the following settings. Replace <YOUR_ACCESS_KEY> and <YOUR_SECRET_KEY> with your Tenable One API keys:
- Transport type: HTTP
- URL: https://cloud.tenable.com/mcp/
- Headers: X-ApiKeys: accessKey=<YOUR_ACCESS_KEY>;secretKey=<YOUR_SECRET_KEY>

Example Workflows

The following examples illustrate common tasks you can accomplish by interacting with your AI client after connecting to the Tenable Hexa AI MCP server.

Tip: You can combine the Tenable Hexa AI MCP server with other MCP servers (e.g., Okta, ServiceNow) to build cross-platform workflows. For example, you could find high-risk assets in Tenable, look up their owners in a directory service, and tag them with ownership information all in a single conversation.

Tag All Windows Devices

Ask your AI client:

"Find all Windows devices in my environment and tag them with the category 'Operating System' and value 'Windows'."

The AI uses tenable_one_search_assets to find Windows assets, tagging_create_tag to create the tag if needed, and tagging_add_tags_assets to apply the tag, presenting each write action for your confirmation before execution.

Build a Risk Dashboard

Ask your AI client:

"Create a dashboard called 'Current Risk Overview' using the Vulnerability Management Overview template."

The AI uses dashboard_list_dashboard_templates to find the appropriate template and dashboard_create_dashboard_from_template to create it. You can then ask it to add additional widgets or apply context filters.

Investigate Critical Vulnerabilities

Ask your AI client:

"Show me all vulnerabilities with a critical severity in my environment, and list the affected assets."

The AI uses workbenches_list_vulnerabilities with severity filters, then workbenches_list_assets_with_vulnerabilities to identify affected hosts, providing a consolidated view of your highest-risk exposures.

Launch a Targeted Scan

Ask your AI client:

"Create and launch a scan called 'Weekly Perimeter Check' targeting 10.0.1.0/24 using the Basic Network Scan template."

The AI uses scan_create with the specified targets and template, then scan_launch to start the scan; each step requires your explicit confirmation.

Trust, Safety & Governance

The Tenable Hexa AI MCP Server is designed to give you complete control and transparency over all actions.

Important: Because the MCP server uses a Bring Your Own LLM model, the server sends your data to the LLM provider you choose. Select an LLM provider whose data handling practices meet your organization's security and compliance requirements.

Control	Description
Authentication	All API calls are authenticated using your existing Tenable One API keys. Credentials are transmitted securely via the X-ApiKeys HTTP header.
RBAC & Permissions	All actions are performed on behalf of the authenticated user using their existing Tenable permissions. The MCP server does not have elevated privileges. Requests are routed through the same permission validation as standard Tenable API requests.
Data Flow	Your external AI client sends tool invocation requests to the Tenable Hexa AI MCP server. The MCP server executes the request against Tenable's API and returns structured results. Your data traverses to the external LLM as part of this flow — this is under your control based on your choice of LLM provider.

Custom Roles

The MCP server respects Tenable's role-based access control. The actions available to your AI client depend on the permissions of the API key used to authenticate. For more information about role-based access control, see Access Control.

Note: A user's access to resources may be further limited by their permissions, regardless of their role. For more information on configuring custom roles, see Custom Roles.

Privilege Level	MCP Capabilities
Read	Search and retrieve assets, vulnerabilities, scan results, dashboards, plugins, and reports.
Write	All Read capabilities, plus: launch scans, add tags to assets, add widgets to dashboards, and modify scan schedules.
Manage	All Write capabilities, plus: create and delete scans, dashboards, policies, tags, and reports. Configure scan policies and agent settings.