Tenable Cloud Platform Licensing Policy

The Tenable Cloud Platform Licensing Policy provides customers an understanding of Tenable product definitions and their licensing policies. This policy may be updated periodically at Tenable’s sole discretion.

Platform Licensing Breakdown

The Tenable Cloud Platform consists of multiple products. Products on the platform can be purchased via Tenable One or, alternatively, some may be purchased a-la-carte.

Tip: For more information about how Tenable products are licensed, see the Tenable Licensing Quick Reference Guide.

  • Tenable One: Single License structure for accessing all platform applications (a simplified “per asset” model).

  • Tenable Vulnerability Management: Licensed per asset.

  • Tenable Web App Scanning: Licensed per FQDN scanned.

  • Tenable Cloud Security: Licensed per cloud resource/asset.

  • Tenable Identity Exposure: Licensed per user.

  • Tenable Attack Surface Management: Licensed per observable objects.

  • Tenable PCI ASV: single license for unlimited scans/unlimited attestations (requires Tenable Vulnerability Management minimal license).

Definitions

The Tenable Master Agreement defines “Scan Target(s)” as the targets or subjects of a Scan. The purpose of this Policy is to set forth how Tenable defines, differentiates, and counts different types of Scan Targets for licensing purposes. For purposes of this Policy, an Asset is considered a Scan Target. For the purposes of this policy, an asset is considered a Scan Target.

An asset is defined as:

  • A physical or virtual device with an operating system connected to a network.

  • An active (non-terminated) cloud resource (including but not limited to containers, virtual devices, applications, native services, IaC etc.) that is monitored for policy violations and security risk.

  • A web application with an FQDN.

  • A user, under the constructs of Identity Security Products.

Example assets may include, but are not limited to:

  • Laptops

  • Desktops

  • Servers

  • Routers

  • Firewalls

  • Switches

  • IoT Devices

  • Mobile phones

  • Virtual machines

  • Software containers

  • IaC

  • Operational technology devices

  • Cloud resources, including but not limited to AWS, GCP or MS Azure compute, database and networking services.

  • User Accounts

An “assessed asset” is any asset that has been scanned for a vulnerability, configuration, or state.

A “discovered asset” is any asset that has been identified by discovery plugins, but not scanned for vulnerability, configuration or state.

A “licensed asset” is any asset that has been assessed within the product's specified metered billing term. Only billable cloud run time resources are considered as licensed assets and counted as such. Licenses are calculated by the number of scanner type(s) applied per resource.

An “unlicensed asset” is any asset that has not been assessed within the metered billing term, and is within the data retention period noted in the Tenable Master Agreement. The Tenable Cloud Platform discovers ALL Resources in cloud accounts (Cloud Runtime) and in repositories/pipelines (IaC/Container Images). Local Scan/Repository/Pipelines (IaC, local container images) resources are NOT billable.

If an asset is terminated in a cloud platform, it is automatically terminated in Tenable Vulnerability Management via cloud connector. While the asset is not permanently deleted, it is flagged as “terminated”. Vulnerability data is permanently deleted and falls off of the license the next day (via a nightly job). Asset termination is known as a soft deletion.

Deleted assets are permanently removed from the Tenable Platform. Deleted assets and associated data cannot be restored. When deleting assets manually through the user interface or API (including bulk asset deletion), the asset is flagged as “DELETED” and remains licensed for the remainder of the specified metered billing term, and need to age-out to be reclaimed. Review the Tenable Vulnerability Management Scan Tuning Guide to ensure the assets that are counted as licensed are aligned with a scan and assessment strategy. The Asset age out feature deletes assets for hygiene purposes. If aged-out, both the asset and vulnerability data is permanently deleted.

Tenable Web App Scanning determines asset count by the number of fully qualified domain names (FQDNs) that Tenable Web App Scanning successfully scans for your user account. An asset does not count against your license limit until Tenable Web App Scanning has successfully scanned the asset for vulnerabilities.

License size references the number of assets you have purchased and that can be assessed or scanned. Tenable allows temporary elasticity to exceed the license, but for no more than 30-days before it is considered a violation of the license agreement.

Elastic Licensing

On a temporary basis, customers can exceed their contracted license size. However, customers must true-up when license counts continue to be exceeded.

The primary benefits of Elastic Asset Licensing are:

  • Compensates for imperfect scan hygiene

  • Allows for temporary asset increases from activities such as hardware refreshes or sudden environment growth

  • Compensates for modern cloud environments and ephemeral assets that don't have traditional life-spans

  • Adapts to and is reflective of dynamic customer environments

If the license size is exceeded for more than 30 days, review the Tenable Overage Process.