Tenable One Foundation / Tenable One Advanced Licensing

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

This topic breaks down the licensing process for Tenable One Foundation and Tenable One Advanced, and lists the versions and components you can purchase.

Important! Legacy Tenable One customers with licensing that may include ratios use the Legacy Tenable One Licensing structure.

To learn how to use and deploy Tenable One platform and its applications, see the Tenable One Deployment Guide.

Components

Tenable offers two versions of Tenable One: Tenable One Foundation and Tenable One Advanced. Each version includes a set of out-of-the-box applications, features, and capabilities. You can further customize these products by purchasing additional components.

The table below highlights the products included with purchase and their available add-on components:

Platform Included with Purchase Additional Purchase
Tenable One Foundation
Tenable One Advanced

Everything in Tenable One Foundation, plus:

  • Risk Scores & Benchmarking in the Analytics section, including:

    • Cyber Exposure Score, Asset Exposure Score, and Asset Criticality Rating scores

    • Exposure View

  • Workflow & Mobilization

  • Exposure Signals

  • AI Infra Protection

    Tip: This AI solution exists to help you find misconfigured agents, data stores, etc. within your approved AI applications.
  • Attack Path Analysis

  • CSPM, KSPM, AI-SPM

Key Use Cases

Tenable One Foundation

Your business demands moving from siloed, fragmented estate vulnerability management to a state of unified visibility across the entire attack surface. For this use case, Tenable One Foundation includes:

  • AI Discovery — Ensure no AI asset operates outside awareness—internally or externally.

  • Vulnerability Management — Identify and prioritize remediation on vulnerabilities and misconfigurations.

  • Cloud Workload Protection — Hybrid cloud vulnerability management.

  • Unify Vendor Asset & Security Data — Single, unified source of truth across your hybrid environment.

Tenable One Advanced

Your business needs risk measurement, context, prioritization of complex attack vectors, and remediation speed. For this use case, Tenable One Advanced includes:

  • AI Workload & Agent Protection — Protect the systems that power AI, close attacker exploits.

  • Risk-Based Vulnerability Management — Prioritize vulnerabilities based on richer business & threat context.

  • Holistic Cloud Security Posture Management — Cloud risk management, consolidates workload, K8 & AI.

  • Exposure Mobilization — Orchestrate remediation business workflows across tools & technology.

Tenable One Asset Values

Tenable uses a "count once" approach for asset values to ensure you are never charged more than once for the same asset. This is a complex, hierarchical algorithm to match and deduplicate assets coming from its native scanners, such as Nessus Scanners, Nessus Agents, and Tenable Vulnerability Management sensors.

Unlike third-party data, which relies on a specific connector merge logic, native asset matching is strictly defined by a property hierarchy known as Identification Attributes (IA). Tenable ranks these attributes from "Authoritative" (100% confidence) to "Speculative".

Tip: To ensure the best asset match, Tenable recommends running authenticated or credentialed scans wherever possible. Scans without credentials do not include the attributes necessary to match assets properly, which can result in duplicate asset counts.

The following breakdown details how this logic works for non-third-party data.

The "Authoritative" Hierarchy

When Tenable processes incoming scan data, it attempts to match the asset against existing records using the following attributes in descending order of priority. If Tenable finds a higher-level match, the application ignores the lower-level attributes for identification purposes.

| Priority | Attribute | Confidence | Notes |
|---|---|---|---|
| 1 | Cloud Instance IDs | 100% | IDs from AWS (EC2 Instance ID), Azure (VM ID), or GCP (Instance ID). If these match, it is definitively the same asset. |
| 2 | Tenable UUID | High | A unique ID generated by a Tenable Agent or credentialed scan. |
| 3 | BIOS UUID | High | The hardware or virtual hardware UUID. |
| 4 | MAC Address | Medium | The physical address of the network interface. |
| 5 | NetBIOS Name | Low | The legacy Windows computer name. |
| 6 | FQDN | Low | The Fully Qualified Domain Name (for example, server.corp.local). |
| 7 | IPv4 / IPv6 Address | Lowest | The IP address. Note: This is the least reliable method due to DHCP. |

"Network" Scoping

Tenable implements a critical constraint for attributes ranked 4 through 7 (MAC, NetBIOS, FQDN, IP). Tenable considers these assets "Network Scoped."

How it Works

You can define "Networks" (logical groups of scanners) to handle overlapping IP ranges (e.g., two offices both using 192.168.1.x). For an asset to match based on MAC, FQDN, or IP, it must belong to the same network object.

Example: If Scanner A (in Network "Default") sees IP 10.0.0.5 and Scanner B (in Network "DMZ") sees IP 10.0.0.5, Tenable treats them as two separate assets, even if they share the same IP address.

Tenable UUID - The "Golden Key"

The most common cause of asset duplication is the failure to retrieve the Tenable UUID from the asset. This UUID is the bridge between different scan methods.

Tenable generates a UUID in the following scenarios:

  • Nessus Agents: The agent generates this UUID upon installation and reports it every time it checks in.

  • Nessus Scanners (Authenticated Only): If you provide credentials (SSH/SMB), the scanner logs into the system. If the Create unique identifier on hosts scanned using credentials option is enabled in the scan policy, the scanner reads (or writes) this UUID to the host system.

Merging

If you scan a host with an Agent and run a credentialed network scan, Tenable sees the same Tenable UUID from both sources and automatically merges them into a single asset record.

Troubleshooting Common Deduplication Errors

Scenario A: Doubled Asset (Agent vs. Uncredentialed Scan)

You have an agent on a laptop (reporting UUID A123). You then run a network scan without credentials against the laptop's IP.

  • Result: The Agent report matches via Tenable UUID. The network scan cannot see the UUID (due to no login), so it matches via IP Address. Because Tenable cannot confirm they are the same device, it creates a second asset.

  • Action: Use credentialed network scans or rely solely on Agent data for that segment.

Scenario B: DHCP Reassignment

A laptop at IP 10.0.0.5 leaves the network. A printer joins and gets 10.0.0.5.

  • Result: Tenable scans the printer. The IP matches the old laptop, but the MAC address and OS fingerprint are radically different. Tenable recognizes this as a new asset taking over an old IP, rather than merging the printer data into the laptop record.

  • Action: No user action is required since Tenable recognizes the asset as new.

Scenario C: CI/CD & Cloned VMs

You clone a VM that already has a Nessus Agent installed.

  • Result: Both VMs report the same Tenable UUID and BIOS UUID but have different IPs or Hostnames. Tenable sees them as the same asset moving rapidly between IPs.

  • Action: Reset the ID on the cloned agent (nessuscli fix --reset) so it generates a new unique UUID.
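The matching rules described above, as an added example: a simplified model written for this page, not Tenable's implementation. The dictionary field names and the conflict rule used to reproduce Scenario B (a low-priority match is rejected when a higher-priority attribute known on both sides disagrees) are assumptions, and all sample values are constructed.

```python
# Identification attributes in the page's priority order (index 0 = priority 1).
PRIORITY = ["cloud_instance_id", "tenable_uuid", "bios_uuid",
            "mac", "netbios", "fqdn", "ip"]
NETWORK_SCOPED = set(PRIORITY[3:])  # priorities 4-7 match only inside one network

def find_match(assets, network, obs):
    """Return (asset, attribute) for the highest-priority match, or (None, None)."""
    for rank, key in enumerate(PRIORITY):
        if key not in obs:
            continue
        for asset in assets:
            if asset["attrs"].get(key) != obs[key]:
                continue
            if key in NETWORK_SCOPED and asset["network"] != network:
                continue  # same value, different network object: not a match
            # Assumption modelling Scenario B: reject the match when a
            # higher-priority attribute present on both sides disagrees.
            if any(k in obs and k in asset["attrs"] and obs[k] != asset["attrs"][k]
                   for k in PRIORITY[:rank]):
                continue
            return asset, key
    return None, None

def ingest(assets, network, obs):
    """Merge one observation into the inventory; return the attribute that matched."""
    asset, key = find_match(assets, network, obs)
    if asset is None:
        assets.append({"network": network, "attrs": dict(obs)})
        return None  # no match: a new asset record is created
    asset["attrs"].update(obs)  # higher-level match wins; record is refreshed
    return key

def licensed_count(observations):
    """Replay (network, attributes) observations and return the asset count."""
    assets = []
    for network, obs in observations:
        ingest(assets, network, obs)
    return len(assets)

# Constructed sample: an agent check-in, a credentialed scan of the same host,
# then the same IP reported by a scanner that belongs to another network object.
SAMPLE = [
    ("Default", {"tenable_uuid": "A123", "fqdn": "laptop.corp.local"}),
    ("Default", {"tenable_uuid": "A123", "mac": "00:00:5e:00:53:01", "ip": "10.0.0.5"}),
    ("DMZ", {"ip": "10.0.0.5"}),
]

if __name__ == "__main__":
    print(licensed_count(SAMPLE))
```

Replaying two observations that share a Tenable UUID but differ in IP shows the Scenario C effect in this model: the clone is absorbed into the original record until it reports a different UUID.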

Best Practices for Clean Asset Deduplication

To ensure Tenable deduplicates assets correctly:

  • Prioritize Credentialed Scans: This allows the scanner to see the BIOS UUID and Tenable UUID.

  • Enable Host Tagging: Enable the Create unique identifier setting in your scan policy.

  • Define Networks Correctly: Group scanners that scan the same physical subnet into the same network object.

  • Avoid Uncredentialed Scans on Agent Targets: If you cannot authenticate, consider excluding Agent-covered subnets from active network scanning to prevent "ghost" IP-based duplicates.

Licensing Tenable One Foundation / Tenable One Advanced

To use Tenable One, you purchase licenses for assets: resources identified by, or managed in, your Tenable products. Some Tenable One products use different asset types. For example, in Tenable Web App Scanning, an asset is a unique fully qualified domain name (FQDN), while in Tenable Identity Exposure, an asset is an enabled user within your directory service.

Tenable offers two versions of Tenable One: Tenable One Foundation and Tenable One Advanced. Determine which license type suits your business needs based on its included components before purchase. For more information, see Components.

To use Tenable One, you purchase licenses for assets. As your environment expands, your asset count increases; you must purchase more licenses to account for this change. Tenable licenses use progressive pricing, so the more you purchase, the lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click and then click License Information. To learn more, see License Information Page.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more, contact your Tenable representative.

Provision Licenses

To provision licenses for your Tenable One products:

  1. Log in to the Tenable Account Management portal to provision Tenable One and its product suite.

    Tip: For more information, see the Account Management User Guide.

Once the Tenable One instance is provisioned, you can find the activation code for each individual product under the Products tab in the Account Management Portal. You must log in to the portal and have product access to view the products and activation codes.

Note: If Tenable One is your only product suite and it is not provisioned, the Products tab is not visible until provisioning is complete.

If you cannot see the Products tab and believe this is in error, contact the Primary Contact (found in the Contacts tab) on your account. Request access to view or manage permissions for one or all of the products on the account.

If you are the Primary Contact and need help or are no longer able to access your account, contact your Tenable Representative.

Third-Party Connector Licensing

To connect to and ingest data from third-party connector assets, you must ensure you have available asset licenses for these assets. You can reallocate your Tenable One licenses or purchase additional licenses.

For more information about third party assets, see the following documentation resources:

Reclaiming Licenses

When you purchase Tenable licenses, your total license count is static for the length of your contract unless you purchase more licenses. However, Tenable One products reclaim licenses under some conditions—and then reassign them to new assets in the same product so that you do not run out of licenses.

The following table explains how each Tenable One product reclaims licenses.

| Product | License Reclamation Process |
|---|---|
| Tenable Vulnerability Management | Tenable reclaims licenses from deleted assets within 24 hours. Tenable reclaims licenses for assets on a network with Asset Age Out enabled if they are not seen in a scan for the length of time you specify. Tenable reclaims licenses for all other assets if they are not seen in a scan for 90 days. |
| Tenable Web App Scanning | Tenable reclaims licenses from deleted assets within 24 hours. Tenable reclaims licenses for assets that age out after a length of time you specify, or after 90 days. |
| Tenable Security Center | Tenable reclaims licenses when you delete a repository, run a license report, or upload a new license. If you set assets to age out, Tenable reclaims licenses during nightly cleanup. If you configure your scan settings to remove unresponsive hosts, Tenable reclaims licenses at scan import. For more information, see License Count in the Tenable Security Center Best Practices Guide. |
| Tenable Identity Exposure | Tenable reclaims licenses for enabled users you delete in real time when the user gets removed from your environment’s directory service. |
| Tenable OT Security | Tenable reclaims licenses for hidden assets in real time, as well as licenses for assets that have been offline for more than 30 days. Tenable also reclaims licenses for assets you remove or hide in the user interface. |
| Tenable Attack Surface Management | Tenable reclaims licenses when individual assets get archived, or when the asset source is removed or ages out. Tenable updates your license count daily. |

Exceeding the License Limit

To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated threats, Tenable One licenses are elastic. However, when you scan more assets than you have licensed, Tenable clearly communicates the overage and then reduces functionality in three stages.

| Scenario | Result |
|---|---|
| You scan more assets than you have licensed for three consecutive days. | A message appears in Tenable Exposure Management. |
| You scan more assets than you have licensed for 15+ days. | A message and warning about reduced functionality appears in Tenable Exposure Management. |
| You scan more assets than you have licensed for 30+ days. | A message appears in Tenable Exposure Management; Tenable disables scan and export features. |

Tip: Improper scan hygiene or product misconfigurations can cause scan overages, which result in inflated asset counts. To learn more, see Scan Best Practices.

Expired Licenses

The Tenable One licenses you purchase remain valid for the length of your contract. 30 days before your license expires, a warning appears in the user interface. During this renewal period, work with your Tenable representative to add or remove products or change your license count.

After your license expires, you can no longer sign in to the Tenable One platform.