Tenable Cloud Platform Licensing Policy
The Tenable Cloud Platform Licensing Policy provides customers an understanding of Tenable product definitions and their licensing policies. This policy may be updated periodically at Tenable’s sole discretion.
Platform Licensing Breakdown
The Tenable Cloud Platform consists of multiple products. Products on the platform can be purchased via Tenable One or, alternatively, some may be purchased a-la-carte.
- Tenable One: Single License structure for accessing all platform applications (a simplified “per asset” model).
- Tenable Vulnerability Management: Licensed per asset.
- Tenable Web App Scanning: Licensed per FQDN scanned.
- Tenable Cloud Security: Licensed per cloud resource/asset.
- Tenable Identity Exposure: Licensed per user.
- Tenable Attack Surface Management: Licensed per observable objects.
- Tenable PCI ASV: single license for unlimited scans/unlimited attestations (requires Tenable Vulnerability Management minimal license).
Definitions

The Tenable Master Agreement defines “Scan Target(s)” as the targets or subjects of a Scan. The purpose of this Policy is to set forth how Tenable defines, differentiates, and counts different types of Scan Targets for licensing purposes. For purposes of this Policy, an Asset is considered a Scan Target.
An asset is defined as:
- A physical or virtual device with an operating system connected to a network.
- An active (non-terminated) cloud resource (including but not limited to containers, virtual devices, applications, native services, IaC etc.) that is monitored for policy violations and security risk.
- A web application with an FQDN.
- A user, under the constructs of Identity Security Products.
Example assets may include, but are not limited to:
- Laptops
- Desktops
- Servers
- Routers
- Firewalls
- Switches
- IoT Devices
- Mobile phones
- Virtual machines
- Software containers
- IaC
- Operational technology devices
- Cloud resources, including but not limited to AWS, GCP or MS Azure compute, database and networking services.
- User Accounts

An “assessed asset” is any asset that has been scanned for a vulnerability, configuration, or state.

A “discovered asset” is any asset that has been identified by discovery plugins, but not scanned for vulnerability, configuration or state.

A “licensed asset” is any asset that has been assessed within the product's specified metered billing term. Only billable cloud run time resources are considered as licensed assets and counted as such. Licenses are calculated by the number of scanner type(s) applied per resource.

An “unlicensed asset” is any asset that has not been assessed within the metered billing term, and is within the data retention period noted in the Tenable Master Agreement. The Tenable Cloud Platform discovers ALL Resources in cloud accounts (Cloud Runtime) and in repositories/pipelines (IaC/Container Images). Local Scan/Repository/Pipelines (IaC, local container images) resources are NOT billable.

If an asset is terminated in a cloud platform, it is automatically terminated in Tenable Vulnerability Management via cloud connector. While the asset is not permanently deleted, it is flagged as “terminated”. Vulnerability data is permanently deleted and falls off of the license the next day (via a nightly job). Asset termination is known as a soft deletion.

Deleted assets are permanently removed from the Tenable Platform. Deleted assets and associated data cannot be restored. When deleting assets manually through the user interface or API (including bulk asset deletion), the asset is flagged as “DELETED”, remains licensed for the remainder of the specified metered billing term, and needs to age out to be reclaimed. Review the Tenable Vulnerability Management Scan Tuning Guide to ensure the assets that are counted as licensed are aligned with a scan and assessment strategy. The Asset age out feature deletes assets for hygiene purposes. If aged out, both the asset and vulnerability data are permanently deleted.

Tenable Web App Scanning determines asset count by the number of fully qualified domain names (FQDNs) that Tenable Web App Scanning successfully scans for your user account. An asset does not count against your license limit until Tenable Web App Scanning has successfully scanned the asset for vulnerabilities.

License size refers to the number of assets you have purchased and that can be assessed or scanned. Tenable allows temporary elasticity to exceed the license size by 10%, but for no more than 45 days before it is considered a violation of the license agreement.
Asset Identification and Licensing
The Tenable Cloud Platform and associated workspaces are licensed by assets or Active Users (Tenable Identity Exposure). An asset is defined as:
- A physical or virtual device with an operating system connected to a network
- A web application with an FQDN
- An active (not terminated) cloud resource
License Application
The Tenable Cloud Platform and its associated workspaces are licensed by asset count. When assessed, each unique asset is licensed for 90 days. Each subsequent assessment resets the 90-day license period. The license is reclaimed if the asset is inactive or not assessed for 90 consecutive days. Tenable Vulnerability Management is built to support elasticity to exceed license size on a temporary basis. For more information on licensing, see Tenable Vulnerability Management Licenses.
Count discrepancies occur when the Tenable Cloud Platform is not provided enough of the properties to assess uniqueness. In addition, algorithm assumptions are made to balance edge cases in false-positive and false-negative results. It is imperative that at least four of the asset characteristics are applied for proper deduplication. Where it exists, any variability is typically within the 10% elasticity margin the platform provides customers.
There are conditions where technology simply cannot prevent duplication, such as assets with multiple interfaces, or firewalls. We recommend viewing the Tenable Vulnerability Management User Guide for further information on how to remove and prevent duplicate assets.
Reclaiming Licenses
When Tenable Vulnerability Management reclaims a license, that license becomes available for a different asset. Tenable Vulnerability Management reclaims licenses in the following scenarios:
- When a licensed asset has not been scanned for 90 days
- If an asset was discovered through connectors and subsequently assessed and licensed, the asset license is reclaimed the day after the asset is terminated through the connector
You can monitor licenses that are expected to be reclaimed in your License Information.
Elastic Licensing
On a temporary basis, customers can exceed their contracted license size. However, customers must true-up when license counts continue to be exceeded.
The primary benefits of Elastic Asset Licensing are:
- Compensates for imperfect scan hygiene
- Allows for temporary asset increases from activities such as hardware refreshes or sudden environment growth
- Compensates for modern cloud environments and ephemeral assets that don't have traditional life-spans
- Adapts to and is reflective of dynamic customer environments
If the license size exceeds 10% for more than 45 days, review the Tenable Overage Process.