Tenable Nessus Agent CLI Commands

Use the Agent nessuscli utility to perform some Tenable Nessus Agent functions through a command line interface.

Note: You must run all Agent nessuscli commands as a user with administrative privileges.

Nessuscli Syntax

Operating System



C:\Program Files\Tenable\Nessus Agent\nessuscli.exe <cmd> <arg1> <arg2>


# sudo /Library/NessusAgent/run/sbin/nessuscli <cmd> <arg1> <arg2>


# /opt/nessus_agent/sbin/nessuscli <cmd> <arg1> <arg2>

Nessuscli Commands

Command Description
Informational Commands

# nessuscli help

Displays a list of nessuscli commands.

# nessuscli -v Displays your current version of Tenable Nessus Agent.
Bug Reporting Commands

# nessuscli bug-report-generator

Generates an archive of system diagnostics.

If you run this command without arguments, the utility prompts you for values.

Optional arguments:

  • --quiet — Run the bug report generator without prompting user for feedback.

  • --scrub — The bug report generator sanitizes the last two octets of the IPv4 address.

  • --full — The bug report generator collects extra data.

Image Preparation Commands
# nessuscli prepare-image

Performs pre-imaging cleanup, including the following:

  • Unlinks the agent, if linked.

  • Deletes any host tag on the agent. For example, the registry key on Windows or tenable_tag on Unix.

  • Deletes any UUID file on the agent. For example, /opt/nessus/var/nessus/uuid (or equivalent on MacOS/Windows).

  • Deletes plugin dbs.

  • Deletes global db.

  • Deletes master.key.

  • Deletes the backups directory.

Optional arguments:

  • --json=<file> — Validates an auto-configuration .json file and places it in the appropriate directory.

Local Agent Commands

Used to link, unlink, and display agent status

# nessuscli agent link --key=<key> --host=<host> --port=<port>

Using the Tenable Nessus Agent Linking Key, this command links the agent to the Tenable Nessus Manager or Tenable Vulnerability Management.

Required arguments:

  • --key — The linking key that you retrieved from the manager.
  • --hostTo link to Tenable Nessus Manager: The static IP address or hostname you set during the Tenable Nessus Manager installation.
    To link to Tenable Vulnerability Management: sensor.cloud.tenable.com (for Tenable Nessus Agents 8.0.x and earlier, cloud.tenable.com)

    Note: Starting with Tenable Nessus Agent 8.1.0, Tenable Vulnerability Management-linked agents communicate with Tenable Vulnerability Management using sensor.cloud.tenable.com. If agents are unable to connect to sensor.cloud.tenable.com, they use cloud.tenable.com instead. Agents with earlier versions continue to use the cloud.tenable.com domain.
  • --port — To link to Tenable Nessus Manager, use 8834 or your custom port.
    To link to Tenable Vulnerability Management, use 443.

Tenable Vulnerability Management arguments:

  • --cloud— To link to Tenable Vulnerability Management, pass the argument --cloud.

    The --cloud argument is a shortcut to specifying --host=sensor.cloud.tenable.com --port=443. If you use --cloud, you do not need to set --host and --port.

Optional arguments:

  • --auto-proxy — (Windows-only) When set, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences.
  • --name —  A name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.
  • --groups — One or more existing agent groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list. For example: "Atlanta,Global Headquarters"

    Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").

  • --ca-path — A custom CA certificate to use to validate the manager's server certificate.
  • --offline-install — When enabled (set to "yes"), installs Tenable Nessus Agent on the system, even if it is offline. Tenable Nessus Agent periodically attempts to link itself to its manager.

    If the agent cannot connect to the controller, it retries every hour. If the agent can connect to the controller but the link fails, it retries every 24 hours.

  • --network — For Tenable Vulnerability Management-linked agents, adds the agent to a custom network. If you do not specify a network, the agent belongs to the default network.

  • --profile-uuid — The UUID of the agent profile that you want to assign the agent to (for example, 12345678-9abc-4ef0-9234-56789abcdef0). For more information, see Agent Profiles in the Tenable Vulnerability Management User Guide.

  • --proxy-host — The hostname or IP address of your proxy server.
  • --proxy-port — The port number of the proxy server.
  • --proxy-password — The password of the user account that you specified as the username.
  • --proxy-username — The name of a user account that has permissions to access and use the proxy server.
  • --proxy-agent — The user agent name, if your proxy requires a preset user agent.

# nessuscli agent unlink

Unlinks agent from the Tenable Nessus Manager or Tenable Vulnerability Management.

# nessuscli scan-triggers --list

Lists details about the agent's rule-based scans:

  • Scan name

  • Status (for example, uploaded)

  • Time of last activity (shown next to the status)

  • Scan description

  • Time of last policy modification

  • Time of last run

  • Scan triggers

  • Scan configuration template

  • Command to launch the scan (nessuscli scan-triggers --start --UUID=<scan-uuid>)

# nessuscli scan-triggers --start --UUID=<scan-uuid>

(Tenable Vulnerability Management-linked agents only)

Manually executes a rule-based scan based on UUID.

# nessuscli agent status

Displays the status of the agent, rule-based scanning information, jobs pending, and whether the agent is linked to the server.

Optional arguments:

  • --local — (Default behavior) Provides the status, current jobs count, and jobs pending. This option prevents the agent from contacting its management software to fetch the status. Instead, it shows the last known information from its most recent sync.

  • --remote — Fetches the job count from the manager and displays the status.

    Note: Tenable does not recommend running frequent status checks with the --remote option (for example, when using automation).

  • --offline — Provides the most recently cached agent status when it cannot connect to Tenable Nessus Manager or Tenable Vulnerability Management.

  • --show-token — Displays the agent's token that is used to identify and authenticate with its manager.

  • --show-uuid — Displays the agent's Tenable UUID.

Update Commands
# nessuscli agent update --file=<plugins_set.tgz>

Manually installs a plugin set.

# nessuscli fix --set agent_update_channel=<value>

(Tenable Vulnerability Management-linked agents only)

Sets the agent update plan to determine what version the agent automatically updates to.


  • ga — Automatically updates to the latest Agent version when it is made generally available (GA). Note: This date is usually one week after the version is made generally available. For versions that address critical security issues, Tenable may make the version available immediately.

  • ea — Automatically updates to the latest Agent version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

  • stable — Does not automatically update to the latest Tenable Nessus Agent version. Remains on an earlier version of Tenable Nessus Agent set by Tenable, usually one release older than the current generally available version, but no earlier than 7.7.0. When Tenable Nessus Agent releases a new version, your agent updates software versions, but stays on a version prior to the latest release.

Note: For agents linked to Tenable Vulnerability Management, you need to run the agent_update_channel command from the agent nessuscli utility. For agents linked to Tenable Nessus Manager, you need to run the agent_update_channel command from the Tenable Nessus Manager nessuscli utility.

# nessuscli fix --set maximum_scans_per_day=<value>

(Tenable Vulnerability Management-linked agents only)

Sets the maximum number of scans an agent can run per day. The minimum amount is 1, the maximum amount is 48, and the default amount is 10.

Fix Commands
# nessuscli fix --list Displays a list of agent settings and their values.
nessuscli fix --set <setting>=<value> Set an agent setting to the specified value.

For a list of agent settings, see Advanced Settings.

# nessuscli fix --set update_hostname="<value>"

Updates agent hostnames automatically in Tenable Vulnerability Management or Tenable Nessus Manager 7.1.1 or later.

You can set the update_hostname parameter to yes or no. By default, this preference is disabled.

Note: Restart the agent service for the change to take effect in Tenable Nessus Manager.

# nessuscli fix --set max_retries="<value>"

Sets the maximum number of times an agent should retry in the event of a failure when executing the agent link, agent status, or agent unlink commands. The commands retry, the specified number of times, consecutively, sleeping increasing increments of time set by retry_sleep_milliseconds between attempts. The default value for max_retries is 0.

For example, if you set max_retries to 4 and set retry_sleep_milliseconds to the default of 1500, then the agent will sleep for 1.5 seconds after the first try, 3 seconds after the second try, and 4.5 seconds after the third try.

Note: This setting does not affect offline updates or the agent's normal 24 hour check-in after it is linked.
# nessuscli fix --set retry_sleep_milliseconds="<value>"

Sets the number of milliseconds that an agent sleeps for between retries in event of a failure when executing the agent link, agent status, or agent unlink commands. The default is 1500 milliseconds (1.5 seconds).

# nessuscli fix --set niap_mode=enforcing

Enforces NIAP mode for Tenable Nessus Agent. For more information about NIAP mode, see Configure Tenable Nessus Agent for NIAP Compliance.

# nessuscli fix --set niap_mode=non-enforcing

Disables NIAP mode for Nessus Agent. For more information about NIAP mode, see Configure Tenable Nessus Agent for NIAP Compliance.

Fix Secure Settings
# nessuscli fix --secure --set <setting>=<value>

Set secure settings on the agent.

Caution: Tenable does not recommend changing undocumented --secure settings as it may result in an unsupported configuration.

For a list of supported secure settings, see Advanced Settings.

# nessuscli fix --secure --get agent_linking_key

(Nessus versions 10.4.0 and later only) Retrieve your unique agent linking key.

Note: You can only use this linking key to link an agent. You cannot use it to link a scanner or a child node.
Resource Control Commands  

# nessuscli fix --set process_priority="<value>"

# nessuscli fix --get process_priority

# nessuscli fix --delete process_priority


Set, get, or delete the process_priority setting.

You can control the priority of the Tenable Nessus Agent relative to the priority of other tasks running on the system by using the process_priority preference.

For valid values and more information on how the setting works, see Agent CPU Resource Control.