Sensor Selection

Tenable Nessus scanners can scan entire networks, while Tenable Nessus Agents can only scan the asset they are installed on.

Tenable Nessus scanners allow you to perform external and remote security checks.

Unlike Tenable Nessus Agents, Nessus scanners provide an "outside view" of your network through features such as port scanning. Nessus scanners can also provide an "inside view" of your network if you configure them with credentials.

Unlike Tenable Nessus Agents, you have to update Nessus scanner credentials manually. This can cause permission and login issues if your organization does not actively update the credentials.

Network scanning with Nessus scanners usually takes longer than scanning individual assets with Tenable Nessus Agents.

Tenable Nessus Agents are installed directly on the target assets, so unlike Tenable Nessus scanners, they do not require managed credentials.

Unlike Nessus scanners, you do not have to worry about the geographical placement of Tenable Nessus Agents.

Generally, scanning individual assets with Tenable Nessus Agents is much faster than scanning the entire network.

Tenable Nessus Agents can collect and send asset data to Tenable Vulnerability Management as the agent has internet access. In other words, Tenable Nessus Agents allow you to scan assets that are not connected to your corporate network.

Tenable Nessus Agents are not designed to perform network checks, so certain plugin items cannot be checked if you only run agent scans.

Tenable Nessus Agents cannot perform security checks that require remote connectivity, such as logging into a DB server, trying default credentials, or traffic-related enumeration.

Unlike Tenable Nessus scanners, Tenable Nessus Agent scans cannot account for any assets that do not have a Tenable Nessus Agent installed.