Tenable One Foundation / Tenable One Advanced Licensing: Frequently Asked Questions

This topic highlights frequently asked questions regarding Tenable One Foundation / Tenable One Advanced Licensing.

Q: Why do web applications and servers count as separate assets for licensing? For example, if I scan a web application (e.g., app.example.com) and the server it runs on (e.g., web-server-01), these count as 2 assets instead of 1.

A: Web applications and servers (hosts/devices) are different asset classes in the Tenable platform:

Application asset class: The web application itself (for example, app.example.com as scanned by Tenable Web App Scanning or Tenable Attack Surface Management)
Device (Host) asset class: The server or computing device the application runs on (for example, web-server-01 as scanned by Tenable Vulnerability Management)

The platform does not merge assets across different asset classes. This means:

The web application counts as 1 asset
The underlying server counts as 1 asset
Total: 2 assets for licensing purposes

Why? These represent different aspects of your security posture:

The web application may have vulnerabilities specific to the application code, APIs, or web-specific misconfigurations
The server/host may have OS-level vulnerabilities, network misconfigurations, or infrastructure issues

Even though they are related, they are assessed separately and each consumes a license.

Note: Asset matching only occurs within the same asset class. For example, if multiple sensors (Nessus Scanner, Nessus Agent, Cloud Connector) observe the same server, those observations are merged into a single asset. However, a web application asset will never merge with a host asset, even if they share IP addresses or domain names.