Special Use Templates

Note: For more information about performing custom audits with Nessus, see the Custom Auditing video.


You can configure Nessus compliance auditing using one or more of the following Scanner and Agent templates:

  • Audit Cloud Infrastructure
  • MDM Config Audit
  • Offline Config Audit
  • SCAP and OVAL Auditing
  • Policy Compliance Auditing

Mobile Device

With Nessus Manager, the Nessus Mobile Devices plugin family allows you to obtain information from devices registered in a Mobile Device Manager (MDM) and from Active Directory servers that contain information from Microsoft Exchange Servers.

  • To query for information, the Nessus scanner must be able to reach the Mobile Device Management servers. Ensure no screening devices block traffic to these systems from the Nessus scanner. In addition, you must give Nessus administrative credentials (for example, domain administrator) to the Active Directory servers.
  • To scan for mobile devices, you must configure Nessus with authentication information for the management server and the mobile plugins. Since Nessus authenticates directly to the management servers, you do not need to configure a scan policy to scan specific hosts.
  • For ActiveSync scans that access data from Microsoft Exchange servers, Nessus retrieves information from phones that updated in the last 365 days.

Payment Card Industry (PCI)

Tenable offers two Payment Card Industry Data Security Standard (PCI DSS) templates: one for testing internal systems (11.2.1) and one for Internet facing systems (11.2.2). Also, you can use these scan templates to complete scans after significant changes to your network, as required by PCI DSS 11.2.3.

Template Product Description

PCI Quarterly External Scan

Tenable.io Only

The PCI Quarterly External Scan template is only available in Tenable.io. Using this template, Tenable.io tests for all PCI DSS external scanning requirements, including web applications.

You can only submit the scan results obtained using the PCI Quarterly External Scan template to Tenable, Inc. (an Approved Scanning Vendor) for PCI validation.

Refer to the Scan Results section for details on creating, reviewing, and submitting PCI scan results.

PCI Quarterly External Scan (Unofficial)

Nessus Manager

Nessus Professional

For Nessus Manager and Nessus Professional versions, Tenable provides the PCI Quarterly External Scan (Unofficial) template.

You can use this template to simulate an external scan (PCI DSS 11.2.2) to meet PCI DSS quarterly scanning requirements. However, you cannot submit the scan results from the Unofficial template to Tenable, Inc. for PCI Validation.

The PCI Quarterly External Scan (Unofficial) Template performs the identical scanning functions as the Tenable.io version of this template.

PCI Quarterly External Scan (Unofficial)

Nessus Manager

Nessus Professional

You can use the Internal PCI Network Scan template to meet PCI DSS Internal scanning requirement (11.2.1).


The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

  • SCAP compliance auditing requires sending an executable to the remote host.
  • Systems running security software (for example, McAfee Host Intrusion Prevention), may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent.
  • When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to test compliance standards as specified in NIST’s Special Publication 800-126.

Collect Inventory

Note: The Collect Inventory template is only available in Tenable.io.

The Collect Inventory agent scan template uses Frictionless Assessment to provide faster scan results and a reduced system footprint. It does so by performing vulnerability checks via Frictionless Assessment, while the agent only performs checks that collect asset information (for example, installed software and IP addresses). This scanning method is sometimes referred to as inventory scanning in the Tenable.io user interface and documentation.

Collect Inventory scans provide coverage for:

  • RedHat local security checks

  • CentOS local security checks

  • Amazon Linux local security checks

  • Debian local security checks

  • Fedora local security checks

  • SUSE local security checks

  • Ubuntu local security checks

  • Windows/Microsoft bulletin checks (All Windows roll-up checks since 2017)

Collect Inventory scans do not currently provide coverage for:

  • Malware and compliance checks

  • Third-party Linux application detection (for example, Apache HTTP or Postgres) for instances not installed via dpkg or rpm

  • Third-party Windows applications (for example, Google Chrome or Mozilla Firefox)

  • Microsoft product Patch Tuesday updates (for example, Exchange or Sharepoint)

Note: Nessus Agents running on MacOS and Nessus Agents older than version 10.1.2 do not execute inventory scans, and are excluded from the scan results.

For more information, see Tenable-Provided Agent Templates in the Tenable.io User Guide.