Sensor Selection

Tenable Vulnerability Management allows you to scan with one of three sensor types: Tenable's cloud scanners, Nessus scanners, or Nessus Agents.

If you need to scan assets that are external to your network, Tenable recommends using the cloud scanners. The cloud scanners are managed by Tenable, and do not require any upkeep from your organization. For more information, see Cloud Sensors.

To scan assets within your network, you can choose between scanning with Nessus scanners or Tenable Nessus Agents. The following table describes the key differences between scanning with Nessus scanners and Nessus Agents:

Nessus scanners
  • Tenable Nessus scanners can scan entire networks, while Tenable Nessus Agents can only scan the asset they are installed on.

  • Tenable Nessus scanners allow you to perform external and remote security checks.

  • Unlike Tenable Nessus Agents, Nessus scanners provide an "outside view" of your network through features such as port scanning. Nessus scanners can also provide an "inside view" of your network if you configure them with credentials.

  • Unlike Tenable Nessus Agents, you have to update Nessus scanner credentials manually. This can cause permission and login issues if your organization does not actively update the credentials.

  • Network scanning with Nessus scanners usually takes longer than scanning individual assets with Tenable Nessus Agents.

Tenable Nessus Agents
  • Tenable Nessus Agents are installed directly on the target assets, so unlike Tenable Nessus scanners, they do not require managed credentials.

  • Unlike Nessus scanners, you do not have to worry about the geographical placement of Tenable Nessus Agents.

  • Generally, scanning individual assets with Tenable Nessus Agents is much faster than scanning the entire network.

  • Tenable Nessus Agents can collect and send asset data to Tenable Vulnerability Management as long as the agent has internet access. In other words, Tenable Nessus Agents allow you to scan assets that are not connected to your corporate network.

  • Tenable Nessus Agents are not designed to perform network checks, so certain plugin items cannot be checked if you only run agent scans.

  • Tenable Nessus Agents cannot perform security checks that require remote connectivity, such as logging into a DB server, trying default credentials, or traffic-related enumeration.

  • Unlike Tenable Nessus scanners, Tenable Nessus Agent scans cannot account for any assets that do not have a Tenable Nessus Agent installed.

Ultimately, Tenable recommends using whichever sensor best suits your environment and business requirements. In many circumstances, you should use both agents and network assessments for different types of systems and parts of your network. To learn more about the benefits and limitations of agent scanning, see Benefits and Limitations in the Nessus Agent User Guide.