Tenable Exposure Management 2026 Release Notes

Recorded Future Threat Intelligence Connector

Tenable Exposure Management introduces the Recorded Future connector. This is the first integration in a new threat intelligence category that lets you ingest third-party threat intelligence directly into your Exposure Management workflow.

Use this integration to gain intelligence-driven context to set accurate remediation priorities. While a scanner might rate a vulnerability as High, Recorded Future risk scores reflect the true urgency of vulnerabilities actively exploited in the wild. This reduces the noise of theoretical CVSS-driven prioritization.

For more information, see Recorded Future Connector in the Tenable Exposure Management User Guide.

Microsoft TVM Connector License Support

The Microsoft TVM connector now supports specific license types. When you configure the connector, you must select the Cloud Environment and AuthentServer that matches your Microsoft licensing to ensure successful data ingestion.

If you are unsure which environment your organization uses, check your Microsoft 365 admin portal or contact your Azure AD administrator.

For more information, see Microsoft TVM Connector in the Tenable Exposure Management User Guide.

Tenable Hexa AI — the agentic engine of the Tenable One Exposure Management Platform — is now generally available. Tenable Hexa AI moves cybersecurity beyond the chatbot: instead of answering questions about your exposure data, it executes the complex, multi-step actions that allow security teams to begin operating at machine speed.

This GA release introduces two surfaces for the same agentic engine

• Hexa UI: Embedded directly into the Tenable One platform, with Tenable's out-of-the-box agents ready to act on day one.
• Hexa MCP: A Tenable-hosted Model Context Protocol (MCP) server that lets power users and AI-savvy teams bring their own LLM and orchestrate custom agents on top of the Tenable Exposure Data Fabric.

Both formats share the same foundation: Tenable's Exposure Data Fabric, the industry’s most comprehensive repository of contextualized exposure data.

Tenable Hexa AI Pre-Built Agents

Pre-built agents in the Tenable UI provide the agentic experience for the security practitioner who wants the outcome, not the plumbing. Tenable Hexa AI is embedded in the Tenable One platform and grounded in your live exposure data, so every recommendation reflects your environment and not a generic playbook.

The first generation of Tenable-built agents covers the areas where customers reported the highest administrative load:

• Contextual Asset Management: Organize and search your attack surface at machine scale instead of by spreadsheet.

• Dynamic Visualization: Turn raw exposure data into dashboards from existing Tenable templates and in-chat reports on request.

• Assessment Configuration: Take the mystery out of failed scans and risk adjustments so your data stays trustworthy.

• Risk Adjustment: Recast findings and their severity according to your internal guidelines.

• Remediation Workflows: Mobilize findings and create Exposure Initiatives, Combinations, and Jira tickets.

• Attack Path: Identify and investigate your top attack paths and other toxic combinations based on your entire attack surface.

Tenable will continue to expand this collection of capabilities. Customers should expect new agents to appear in-product without requiring action from administrators, as long as Tenable Hexa AI is enabled for that user.

Trust and Governance

• Tenable Hexa AI respects existing role-based access control (RBAC). It never operates with elevated privileges.

• Container administrators can enable or disable Tenable Hexa AI for the entire environment.

• Every Tenable Hexa AI action resulting in a state change is captured in the standard Tenable audit log.

• Human-in-the-loop confirmation is required before any state-changing operation.

For more information, see Use Tenable Hexa AI via User Interface in the Tenable Exposure Management User Guide.

Tenable Hexa AI Custom Agents via MCP

With Tenable Hexa AI, you can build custom agents via the MCP server to achieve unique security workflows. It exposes Tenable's Exposure Data Fabric as a set of structured, governed tools to any MCP-compatible AI client. It lets your team bring its own LLM and orchestrate bespoke agents that reflect your unique workflows, vocabulary, and priorities.

This is how Tenable customers can implement a tailored maturity model: your model, your prompts, Tenable ground truth. This includes:

• Universal AI adapter: A single, Tenable-hosted HTTPS endpoint at cloud.tenable.com/mcp/, compatible with Claude Desktop, Claude Code, Cursor, and any client that supports MCP over HTTP. No local install, no proxy, no infrastructure to maintain.

• Agentic command of your Tenable environment: Tools spanning scan management, asset and finding search across your Tenable One inventory, dashboards and widgets, tagging, reporting, policy, and agent operations.

• Bring your own LLM, keep our ground truth: Whichever model your organization standardizes on; your data is reasoned over by your model of choice, while every action is executed against the same governed Tenable MCP.

• Cross-platform orchestration: Combine Tenable Hexa AI via MCP with other MCP servers (ITSM, IdP, ticketing, patching) to compose end-to-end workflows that span Tenable and the rest of your stack.

Tenable Hexa AI is included at no additional cost with Tenable One Foundation and Tenable One Advanced licensing packages. Token-based limits apply per tier. You can view your consumption on the Account Details and Tenable Hexa AI Settings pages within your Tenable One workspace.

Trust and Governance

• Authentication uses standard Tenable Vulnerability Management API keys via the X-ApiKeys header. No new identity model to manage.

• The MCP server has no elevated privileges. Every call is executed under the authenticated user's existing Tenable role and permissions.

• All actions are written to the standard Tenable audit log.

• The MCP server does not run autonomously, does not store conversation state, and does not make decisions on your behalf; every action originates from a user request through their AI client.

• Because Tenable Hexa AI via MCP is a Bring Your Own LLM model, customers select an LLM provider whose data-handling practices meet their compliance requirements.

For more information, see Use Tenable Hexa AI via MCP Server in the Tenable Exposure Management User Guide.

Tenable is thrilled to announce that we are shifting APA from a list of techniques to an actionable traceable list. This update enhances collaboration and empowers an "Inbox Zero" workflow. This update includes:

• Technique Statuses: Track real progress with To Do, In Progress, In Review, Done, and Accepted.

• Intelligent Path Logic: Introduce Attack Path statuses that are automatically calculated. Marking one technique as Done sets the entire path to Chain Prevented, helping you prioritize "breaking the chain" with minimal effort.

• Risk Acceptance: You can now Accept a risk with mandatory reason (e.g., False Positive, Compensating Control) the action will be recorded in a permanent Audit History Log and prevent duplicate investigation effort.

This means that default views now hide mitigated or accepted items, focusing you only on active exposure, which also helps enhance collaboration between team members.

Better Collaboration: No more investigating paths already blocked by team members.

For more information, see Attack Path and Technique Statuses in the Tenable Exposure Management User Guide.

Tenable Open Connector - Phase 2 (Automated Pull from Cloud Storage S3)

Building on the manual file upload capabilities introduced in Tenable Open Connector - Phase 1 (Upload Static File), phase 2 of the Tenable One Open Connector introduces automated data ingestion directly from AWS S3 buckets. This update allows you to establish continuous, scheduled data pipelines, ensuring that asset and vulnerability data from custom tools or third-party storage remains current without manual intervention.

This automation is critical for maintaining a comprehensive risk view in dynamic environments where manual uploads are not scalable. Once configured, the platform automatically correlates the Cloud Storage data with existing enterprise metadata, ensuring a unified security perspective across the entire attack surface.

For more information, see Tenable Open Connector in the Tenable Exposure Management User Guide.

PrismaCloud CSPM Third-Party Connector Availability

Tenable is excited to announce the addition of the PrismaCloud CSPM connector for use with Tenable Exposure Management. This integration allows you to automatically ingest cloud resources and security findings from PrismaCloud directly into Tenable Exposure Management for a unified view of your cloud security risk.

For more information, see PrismaCloud CSPM Connector in the Tenable Exposure Management User Guide.

Tenable is thrilled to introduce the following highly requested features to the Attack Path section of Tenable Exposure Management.

Attack Path Top Paths/Techniques Export

Full export capabilities for Attack Path are now generally available! This feature is designed to bridge the gap between high-level visualization and actionable offline intelligence.

So far, Attack Path data export was limited to selected rows or a single page to CSV through manual UI export only. This new feature allows to move beyond these limitations and extract full datasets for Top Attack Paths and Top Attack Techniques directly into CSV or JSON formats.

Flexibly Managed, Integrated by Design

Whether you prefer a hands-on approach or automated workflows,  this feature is engineered to fit modern security operations:

• Manual UI Control: A high-visibility global export button at the top-right of tables allows you to trigger background jobs for massive datasets without interrupting your current workflow.

• Granular Scope & Customization: Users can select between Selected Rows, the Current Page, or Entire Results matching their filters, while picking specific columns for the final export file.

• Asynchronous Performance: To prevent browser timeouts, the system performs a direct high-speed fetch from the database and uses "Toasty" notifications to alert you when your file is ready for automatic download.

• API-First Integration: Achieve full API Parity by using the Tenable Public API to programmatically extract path data directly into your SIEM, SOAR, or custom reporting tools.

• Audit Ready: To meet enterprise standards, every action is logged in the Tenable platform Activity Log, recording the user, timestamp, applied filters, and export scope.

This initiative aligns Attack Path with the Tenable Exposure Management platform standard, moving us closer to our vision of a unified, world-class leading product on the Tenable One platform.

For more information, see Top Attack Paths and Manage Techniques in the Tenable Exposure Management User Guide.

Support for AWS and Azure AI Services

As organizations increasingly integrate Generative AI and Machine Learning into their cloud infrastructure, the attack surface expands. This update introduces comprehensive support for AWS AI services and Azure AI services, specifically focusing on:

• Amazon Bedrock

• SageMaker

• Azure Cognitive Services

• Azure Machine Learning

By mapping these entities and their complex relationships with cloud storage and IAM, security teams can now visualize how an attacker might pivot from a standard identity to poisoning a custom model or exfiltrating sensitive training data.

For more information, see Attack Path in the Tenable Exposure Management User Guide.

Tenable has streamlined the Attack Path section of Tenable Exposure Management to reduce noise and bridge the hybrid gap. These updates include:

• Hybrid Lateral Movement (On-Prem > GCP) — Attack Path now links on-prem JSON credential files to GCP Service Accounts, exposing real-world paths to cloud takeover.

• Exploitable CVEs Only — Using upgraded TVDB V3 intelligence, we now only map paths for verified exploitable CVEs.

  Note: You should expect a drop in path counts as we purge non-exploitable noise.

• Performance Boost — We've removed the "service" node to significantly speed up calculation times without impacting the risk coverage (this node was not used for technique or path calculations).

These updates ensure your team focuses on Choke Points that represent real, executable risk. For more information, see Attack Path in the Tenable Exposure Management User Guide.

Tenable has standardized the naming conventions for asset classification across Tenable Exposure Management (EM) and Tenable Vulnerability Management (VM). Previously referred to as Device Profiling, this feature is now universally titled Asset Classification. This alignment ensures that risk drivers and asset properties are labeled identically regardless of which platform or view you are using, providing a seamless experience for cross-platform analysis.

Key Terminology Updates:

• Asset Category: Replaces Device Class (VM) and Device Profile (EM).

• Asset Function: Replaces Device Subclasses (VM) and Device Functionality (EM).

• Categorization Confidence/Drivers: Replaces all Profile Confidence/Drivers labels.

• Unified Value Display: Data values are now standardized across the platform. For example, inconsistent labels like "Workload device" vs. "VM or Workload" have been unified into a single, clear naming convention based on the Tenable standard.

For more information, see the Asset Categorization Quick Reference Guide.

Tenable is excited to announce the following highly requested additions and updates to the Tenable Exposure Management application.

Widget to Inventory Drill Down

Gain deeper insights with the new Widget Drill Down capability. Users can now click directly on the dashboard’s widgets to view the underlying data in the Assets or Findings Inventory pages.

• Contextual Navigation: Redirection is intelligently mapped based on the widget’s specific measures.

• Persistent Filtering: Any filters currently applied to your dashboard will automatically carry over to the inventory view, ensuring you never lose your place during an investigation.

For more information, see Drill Down to Inventory Data in the Tenable Exposure Management User Guide.

Dashboard Grid Mode & Snap to Grid

Introducing a new Grid View to the dashboard creator and editor, providing a visual guide for precise widget placement.

• Toggleable Gridlines: Use the View menu to toggle gridlines on or off (off by default) to suit your design preference.

• Snap-to-Grid: Perfect your layout instantly. By selecting a widget and clicking Snap to Grid, the widget automatically aligns with the nearest grid lines for a clean, organized look.

For more information, see Create a Dashboard in the Tenable Exposure Management User Guide.

Orca Security Third-Party Connector Availability

Tenable is excited to announce the addition of the Orca Security connector for use with Tenable Exposure Management. This new integration allows you to automatically ingest assets and security findings from Orca’s agentless platform directly into Tenable.

By unifying Orca’s multi-cloud visibility with Tenable’s exposure analytics, you can now assess and prioritize cloud-native risks alongside your traditional infrastructure, ensuring comprehensive coverage of your entire attack surface.

For more information, see Orca Connector in the Tenable Exposure Management User Guide.

Multi-Instance Support for Tenable Vulnerability Management

Tenable Exposure Management now supports the ability to connect multiple, distinct Tenable Vulnerability Management accounts into a single workspace.

This "connector" approach is designed for large enterprises managing segmented environments, acquisitions, or regional instances. It allows you to aggregate asset and vulnerability data from separate Tenable Vulnerability Management tenants into one centralized view, ensuring a unified global risk assessment without needing to merge accounts manually.

For more information, see Tenable Vulnerability Management Connector in the Tenable Exposure Management User Guide.

Tenable Open Connector - Phase 1 (Upload Static File)

We are excited to introduce the Tenable Open Connector, a flexible new method to bring data from any source into theTenable platform.

This feature enables the manual ingestion of asset and vulnerability data via static file upload (e.g., CSV, JSON). This is critical for organizations that need to track assets from custom internal tools, manual pen-test reports, or air-gapped systems. Once uploaded, this "offline" data is fully correlated with your existing platform metadata, ensuring a comprehensive risk view that leaves no gaps.

For more information, see Tenable Open Connector in the Tenable Exposure Management User Guide.

Tenable is excited to announce the Tenable FedRAMP Moderate availability of mobilization services in Tenable Exposure Management. Unify teams and streamline remediation workflows by generating tickets from findings. Expose and close critical risks from a single platform across multiple domains, including third-party data.

For more information, see:

• Storylane demo for Tenable Mobilization

• Create a ServiceNow Ticket and Create a Jira Ticket in the Tenable Exposure Management User Guide

• Mobilization Quick Reference Guide

Tenable is excited to announce the addition of the ORDR third-party connector within Tenable Exposure Management. ORDR is an OT connector that pulls asset and findings data from the ORDR platform. Users can configure this connector directly within the Connectors section of Tenable Exposure Management.

For more information, see ORDR Connector in the Tenable Exposure Management User Guide.