Scan Template Selection
Tenable Nessus provides various scan templates that meet different business needs, grouped into three template categories: Discovery, Vulnerabilities, and Compliance. You can view the complete offering of Nessus scan templates when you Create a Scan in the user interface.
The scan template categories are described below. For information about specific scan templates, see Scan and Policy Templates.
Discovery
Tenable recommends using discovery scans to see what hosts are on your network, along with associated information such as IP address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you can choose which hosts you want to target in a vulnerability scan.
Vulnerabilities
Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs. Tenable also publishes vulnerability scan templates that allow you to scan your network for a specific vulnerability or group of vulnerabilities. Tenable frequently updates the Nessus scan template library with templates that detect the latest vulnerabilities of public interest.
Some of the most notable vulnerability scan templates are:
- Basic Network Scan — Use this template to scan an asset or assets with all of Nessus's plugins enabled. This scan provides a quick and easy way to scan assets for all vulnerabilities.
- Advanced Network Scan — The most configurable scan type that Nessus offers. You can configure this scan template to match any policy or search any asset or assets. This template has the same default settings as the Basic Network Scan, but it allows for additional configuration options.
  Note: Advanced scan templates allow Nessus experts to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.
- Advanced Dynamic Scan (Nessus Scanner only) — An advanced network scan for which you can configure dynamic plugin filters instead of manually selecting plugin families or individual plugins. As Tenable releases new plugins, Nessus adds any plugins that match your filters to the scan or policy automatically. This allows you to tailor your scans for specific vulnerabilities while ensuring that the scan stays up to date as new plugins are released.
- Credentialed Patch Audit (Nessus Scanner only) — Use this template with credentials to give the scanner direct access to the host, scan the target hosts, and enumerate missing patch updates.
Compliance
Tenable recommends using configuration scan templates to check whether host configurations are compliant with various industry standards. Compliance scans are sometimes referred to as configuration scans. For more information about the checks that compliance scans can perform, see Compliance and SCAP Settings.