Tenable Identity Exposure Licensing
This topic breaks down the licensing process for Tenable Identity Exposure as a standalone product. It also explains how assets are counted and describes what happens during license overages or expirations.
Licensing Tenable Identity Exposure
Tenable Identity Exposure has two versions: a cloud version and an on-premises version. Tenable also offers subscription pricing in some cases.
To use Tenable Identity Exposure, you purchase licenses based on your organizational needs and environmental details. Tenable Identity Exposure then assigns those licenses to your assets: enabled users in your directory services.
When your environment expands, so does your asset count, so you purchase more licenses to account for the change. Tenable licenses use progressive pricing, so the more you purchase, the lower the per-unit price. For prices, contact your Tenable representative.
How Assets are Counted
Each Tenable Identity Exposure license you purchase entitles you to scan one unique identity or digital representation of a user. Tenable does not double count identities. For example, enabled user accounts for the same identity in both Microsoft Active Directory and Microsoft Entra ID count as one Tenable license.
Use this PowerShell script to trace enabled user accounts in AD:
(Get-ADuser -Filter 'enabled -eq $true').count
Use this PowerShell script to trace enabled user accounts in Entra ID:
(Get-MgUser -All -Filter "accountEnabled eq true" -Property onPremisesSyncEnabled | where { $_.onPremisesSyncEnabled -ne $true }).Count
Tenable Identity Exposure Components
Both versions of Tenable Identity Exposure come with the following components:
-
Trail Flow
-
Topology
-
Indicators of Exposure
-
Indicators of Attacks
-
Attack Paths
-
Exposure Center
-
Microsoft Entra ID Support
Reclaiming Licenses
When you purchase licenses, your total license count remains static for the length of your contract unless you purchase more licenses. However, Tenable Identity Exposure reclaims licenses in real time when you delete enabled users from your environment’s directory service.
Exceeding the License Limit
To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated threats, Tenable licenses are elastic. You can temporarily exceed your licensed identity count by 10%. However, when you scan more identities than you have licensed, Tenable clearly communicates the overage and then reduces functionality in three stages.
Scenario | Result |
---|---|
You have more enabled identities than are licensed for three consecutive days | A message appears in Tenable Identity Exposure. |
You have more enabled identities than are licensed for 15+ days | A message and a warning about reduced functionality appears in Tenable Identity Exposure. |
You have more enabled identities than are licensed for 45+ days | A message appears in Tenable Identity Exposure and you cannot use the Indicator of Exposure feature in the user interface or API. |
Expired Licenses
The Tenable Identity Exposure licenses you purchase are valid for the length of your contract. 30 days before your license expires, a warning appears in the user interface. During this renewal period, work with your Tenable representative to add or remove products or change your license count.
After your license expires, you can no longer sign in to the Tenable platform.