Tenable Identity Exposure Licensing

This topic breaks down the licensing process for Tenable Identity Exposure as a standalone product. It also explains how assets are counted and describes what happens during license overages or expirations.

Licensing Tenable Identity Exposure

Tenable Identity Exposure has two versions: a cloud version and an on-premises version. Tenable also offers subscription pricing in some cases.

To use Tenable Identity Exposure, you purchase licenses based on your organizational needs and environmental details. Tenable Identity Exposure then assigns those licenses to your assets: enabled users in your directory services.

When your environment expands, so does your asset count, so you purchase more licenses to account for the change. Tenable licenses use progressive pricing, so the more you purchase, the lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click and then click License Information. To learn more, see License Information Page.
Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more, contact your Tenable representative.

How Assets are Counted

Each Tenable Identity Exposure license you purchase entitles you to scan one unique identity or digital representation of a user. Tenable does not double count identities. For example, enabled user accounts for the same identity in both Microsoft Active Directory and Microsoft Entra ID count as one Tenable license.

Use this PowerShell script to trace enabled user accounts in AD:

Copy
(Get-ADuser -Filter 'enabled -eq $true').count

Use this PowerShell script to trace enabled user accounts in Entra ID:

Copy
(Get-MgUser -All -Filter "accountEnabled eq true" -Property onPremisesSyncEnabled | where { $_.onPremisesSyncEnabled -ne $true }).Count

Tenable Identity Exposure Components

Both versions of Tenable Identity Exposure come with the following components:

  • Trail Flow

  • Topology

  • Indicators of Exposure

  • Indicators of Attacks

  • Attack Paths

  • Exposure Center

  • Microsoft Entra ID Support

Reclaiming Licenses

When you purchase licenses, your total license count remains static for the length of your contract unless you purchase more licenses. However, Tenable Identity Exposure reclaims licenses in real time when you delete enabled users from your environment’s directory service.

Exceeding the License Limit

To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated threats, Tenable licenses are elastic. However, when you scan more assets than you have licensed, Tenable clearly communicates the overage and then reduces functionality in three stages.

Scenario Result
You have more enabled identities than are licensed for three consecutive days A message appears in Tenable Identity Exposure.
You have more enabled identities than are licensed for 15+ days A message and a warning about reduced functionality appears in Tenable Identity Exposure.
You have more enabled identities than are licensed for 45+ days A message appears in Tenable Identity Exposure and you cannot use the Indicator of Exposure feature in the user interface or API.

Expired Licenses

The Tenable Identity Exposure licenses you purchase are valid for the length of your contract. 30 days before your license expires, a warning appears in the user interface. During this renewal period, work with your Tenable representative to add or remove products or change your license count.

After your license expires, you can no longer sign in to the Tenable platform.