Platform Performance and Fair Use
The Tenable Cloud Platform uses a multi-tenant architecture with shared scanner and processing pools. To ensure equitable service quality, Tenable may activate rate and concurrency maximums if a customer's activity negatively impacts the platform or other tenants. Performance varies based on region and traffic and is provided without guarantee.
API Maximums
The platform performs rate limiting on API requests to ensure stability. The platform calculates the number of API requests it can accept based on its current processing load. Exceeding these limits results in a 429 Too Many Requests response. Users are identified by the API key used in every request, and each user can have only one valid API key at a time. For more information, see API Rate Limiting.
Export Maximums
The platform limits the number of concurrent export requests. Users are allowed a maximum of 10 active concurrent export requests per customer container, depending on the endpoint. The maximum storage capacity for export job files is 500 MB or 50 GB, depending on your license. For more information, see Export Concurrency Limiting.
Cloud Scanner Maximums
Unless otherwise specified, each customer container has the following cloud scanner defaults:
-
The maximum number of simultaneous cloud scanner jobs is 25. No additional cloud scanner scans launch or queue beyond this limit.
-
Users receive a warning if any scan target list exceeds 10 times the license count. This warning minimizes mistakes in target definitions that may produce results exceeding your license. You can tune scan target lists to remove warnings.
-
A scan job terminates when returned billable assets exceed 1.1 times your license.
-
Linked non-cloud scanners and agents retry and are processed independently of the cloud scanner concurrency limit, in line with API maximums.
Contact your Customer Success Manager to discuss your scan maximum needs or stagger jobs over time to reduce conflicts. For more information, see Scan Concurrency Limiting and Scan Limitations.
Web Application Scan Maximums
The platform limits the number of concurrent web application scans. By default, each customer instance can have a maximum of five ongoing web application scans, unless stated otherwise. The limit is based on your purchased license size but can be expanded as needed.
Plugin Search Maximums
The platform maintains a plugin output index to support plugin output search. This index retains the previous 35 days of data. This feature is disabled by default. When enabled, if a container doesn't use the index for more than 35 days, it's disabled. Administrators can re-enable this feature at any time for all new scan data going forward.
Key Service Descriptions and Maximum Values
The Tenable Cloud Platform provides the following key services in support of Tenable products:
| Category Service | Service Component | Maximum Value | Additional Information |
|---|---|---|---|
| Cloud Hosted Nessus Scanner | Scan Job |
25 active, concurrent scans per container |
Each container can have up to 25 active concurrent scans. For more information and the definition of an active scan, see Concurrent Active Scan Limits. |
| 10,000 scheduled scans per container | The maximum number of scheduled scans is 10,000 per container. For best practices on managing scans via the API, see Manage Scans. | ||
| Target IP addresses and hostnames up to 1,000 times your licensed asset count per discovery scan | For example, if your organization has a licensed asset count of 1,000, the platform does not allow you to target more than 1,000,000 IP addresses or hostnames in a single discovery scan (for more information, see Discovery Scans vs. Assessment Scans in the Tenable Vulnerability Management User Guide). | ||
| Live host scan results for up to 1.1 times your licensed assets per scan |
A scan job aborts when it generates live host scan results for more than 1.1 times your licensed asset count. Note: Tenable Vulnerability Management evaluation licenses limit each scan to 265 targets. |
||
| Dead host scan results for up to 100 times your licensed assets per scan | A scan job aborts when it generates dead host scan results for more than 100 times your licensed asset count. | ||
| 10,000 mobiles devices per scan | The maximum number of mobile devices that can be retrieved in a single scan is 10,000. | ||
| 300,000 targeted IP addresses or ranges per scan | You cannot specify more than 300,000 comma-separated IP addresses or ranges when configuring a scan’s targets. | ||
| 10,000 hosts, 150,000 findings, or 7 GB in total size per scan chunk | If a scan chunk exceeds any of the maximum values, Tenable Vulnerability Management does not process the scan and eventually aborts it. Note: This limits items like MDM assessments, importing Nessus files, and very large Auto Discovery scenarios (for example, VMware) to individual scans with less than 10,000 assessed targets. |
||
| Cloud Hosted Web Application Scanner | Scan Jobs | 8 hours, 5-10 concurrent scans based on container license | Web Application scan jobs may take up to 8 hours to complete. Scans will run for a maximum time of 48:00:00 before aborting. Concurrency limits vary from 5-10, based on your container license. |
| Agentless Scanners | Scan Jobs | 24-hour scan completion | Agentless scan jobs may take up to 24 hours to complete. |
| CSPM scans | 6-hour max duration | CSPM scans, required by Agentless scans, have a maximum duration of 6 hours. | |
| Bulk Delete | Query Endpoint | 1,000 conditions in query object | Currently, Tenable supports up to 1,000 conditions (filters) within the query object. |
| Bulk Delete Assets | 1,000 filters per query | Currently, Tenable supports up to 1,000 conditions (filters) within the query object of the Bulk Delete Asset endpoint. | |
| Export | CVE Rate Limits | 15 requests over 60 seconds | CVE Exports are limited to 15 requests over 60 seconds. |
| Scan DB | 45 days | Currently, Tenable purges Scan DB exports 45 days after scan completion. | |
| Scan Results | 5,000 rows | Number of shown rows in the Vulns by Asset table is limited to 5,000. | |
| 45 days | Archived scan results older than 45 days are limited export types of .nessus and .csv files. | ||
| 400,000 individual scan results | Currently, Tenable can not export PDF files with more than 400,000 individual scan results. | ||
| Concurrent Jobs | 10 concurrent exports per container | For more information, see Concurrency Limiting. | |
| Filtering | Filtering an Explore Table | Number of filters is limited to 35 | Currently, the maximum number of filters that can be applied to any Explore > Findings or Assets views (including Group By tables) to 35. |
| IPv4 Address filter on the Findings workbench | Number of IPv4 addresses limited to 256 | On the Findings workbench, when using the IPv4 Address filter, the number of IPv4 addresses is limited to 256. | |
| Filtering a Report | Number of Custom Asset filter IP addresses you can specify is limited to 100 | When filtering a report using the Custom Asset report filter, you can filter by no more than 100 individual IP addresses. | |
| Number of filters you can apply to a Findings Report is 5 | When filtering findings to generate a Findings Report, you can apply a maximum of 5 filters to each report. | ||
| Imports | Import Assets | Up to 50 individual assets per request | Currently, Tenable supports a maximum of 50 individual asset objects per request message with a total size limit of 15 MB. |
| Tags | Create Tag Rules | 35 rules per tag |
Tenable Vulnerability Management supports a maximum of 35 rules per tag. This limit means that you can specify a maximum of 35 and or or conditions for a single tag value. |
| Create Tag Rules | 25 values per individual rule/1,024 per individual tag rule | Tenable Vulnerability Management supports a default maximum of 25 values per individual tag rule. For IPv4, IPv6, and FQDNs, Tenable Vulnerability Management supports a maximum of 1,024 values per individual tag rule. | |
| Recast/Accept Rules | Adding hosts to recast/accept rules | 1,000 hosts per rule | Tenable limits the number of individual hosts you can target as part of a recast/accept rule to 1,000. |
| Activity Logs | Log Retention | 3 years | Currently, Tenable retains activity log data for 3 years, after which it is deleted from the Tenable database. |