Scan Policy Templates

Tenable Security Center provides scan policy templates with pre-configured plugin settings and advanced directives for active scans. You can configure a Tenable-provided template or you can create a fully customized scan policy from all of the available scan policy options in Tenable Security Center.

Each Tenable-provided scan policy template contains a different set of scan policy options. You can only modify the settings included for that scan policy template type.

Custom scan policies, such as Advanced Scan, contain all scan policy options. You can modify any scan policy options for custom scans.

For more information, see Scan Policies and Scan Policy Options.

Note: If there is a Tenable-provided template that does not appear in this list, it may be a scan policy that is not supported by Tenable Security Center.

Template Description
Common
Advanced Agent Scan

The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the basic scan template, but it allows for additional configuration options.

Note: Advanced scan templates allow you to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.

Advanced Scan

The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the basic scan template, but it allows for additional configuration options.

Note: Advanced scan templates allow you to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.

Note: Tenable automatically updates this template with any newly-released plugin families in which plugins rely on network traffic for detection.

Basic Network Scan

Performs a full system scan that is suitable for any host. Use this template to scan an asset or assets with all of Nessus's plugins enabled. For example, you can perform an internal vulnerability scan on your organization's systems.

Credentialed Patch Audit

Authenticates hosts and enumerates missing updates.

Use this template with credentials to give Tenable Security Center direct access to the host, scan the target hosts, and enumerate missing patch updates.

Web Application Tests

Scan for published and unknown web vulnerabilities.

Compliance Configuration

Internal PCI Network Scan

Performs an internal PCI DSS (11.2.1) vulnerability scan.

This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. You can use these scans for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. You can provide credentials to enumerate missing patches and client-side vulnerabilities.

Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you must also perform scans after any significant changes to your network (PCI DSS 11.2.3).

PCI Quarterly External Scan

Performs quarterly external scans as required by PCI.

You can use this template to simulate an external scan (PCI DSS 11.2.2) to meet PCI DSS quarterly scanning requirements. However, you cannot submit the scan results from this template to Tenable for PCI Validation. Only Tenable Vulnerability Management customers can submit their PCI scan results to Tenable for PCI ASV validation.

Policy Compliance Auditing

Audits system configurations against a known baseline.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in your scan policies be targeted and specific for the scan's scope and compliance requirements.

The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.

SCAP and OVAL Auditing

Audits systems using SCAP and OVAL definitions.

The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

  • SCAP compliance auditing requires sending an executable to the remote host.
  • Systems running security software (for example, McAfee Host Intrusion Prevention), may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent.
  • When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to test compliance standards as specified in NIST’s Special Publication 800-126.
Other
Active Directory Starter Scan

Scans for misconfigurations in Active Directory.

Use this template to check Active Directory for Kerberoasting, Weak Kerberos encryption, Kerberos pre-authentication validation, non-expiring account passwords, unconstrained delegation, null sessions, Kerberos KRBTGT, dangerous trust relationships, Primary Group ID integrity, and blank passwords.

Find AI

Scans for artificial intelligence (AI), large language model (LLM), and machine learning (ML) related detections and vulnerabilities.

Host Discovery

Performs a simple scan to discover live hosts and open ports.

Launch this scan to see what hosts are on your network and associated information such as IP address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you can choose what hosts you want to target in a specific vulnerability scan.

Tenable recommends that organizations who do not have a passive network monitor, such as Nessus Network Monitor, run this scan weekly to discover new assets on your network.

Note: Assets identified by discovery scans do not count toward your license.

Malware Scan

Scans for malware on Windows and Unix systems.

Tenable Security Center detects malware using a combined allow list and block list approach to monitor known good processes, alert on known bad processes, and identify coverage gaps between the two by flagging unknown processes for further inspection.

Web Application Scanning

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

API A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs described via an OpenAPI (Swagger) specification file.
Log4Shell Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j.
PCI A scan that assesses web applications for compliance with Payment Card Industry Data Security Standards (PCI DSS) for PCI ASV.
Quick Scan

A high-level scan similar to the Config Audit scan policy template that analyzes HTTP security headers and other externally facing configurations on a web application to determine if the application is compliant with common security industry standards. Does not include scheduling.

If you create a scan using the Quick Scan scan policy template, Tenable Security Center analyzes your web application only for plugins related to security industry standards compliance.

Scan

A comprehensive scan that assesses web applications for a wide range of vulnerabilities.

The Scan scan policy template provides plugin family options for all active web application plugins.

If you create a scan using the Scan scan policy template, Tenable Security Center analyzes your web application for all plugins that the scanner checks for when you create a scan using the Web App Config Audit, Web App Overview, or SSL_TLS scan policy templates, as well as additional plugins to detect specific vulnerabilities.

A scan run with this scan template provides a more detailed assessment of a web application and take longer to complete that other web app scans.

SSL_TLS

A scan to determine if a web application uses SSL/TLS public-key encryption and, if so, how the encryption is configured.

When you create a scan using the SSL_TLS scan policy template, Tenable Security Center analyzes your web application only for plugins related to SSL/TLS implementation. The scanner does not crawl URLs or assess individual pages for vulnerabilities.

Web App Config Audit

A high-level scan that analyzes HTTP security headers and other externally facing configurations on a web application to determine if the application is compliant with common security industry standards.

If you create a scan using this scan policy template, Tenable Security Center analyzes your web application only for plugins related to security industry standards compliance.

Web App Overview

A high-level preliminary scan that determines which URLs in a web application Tenable Security Center scans by default.

This scan template does not analyze the web application for active vulnerabilities. Therefore, this scan policy template does not offer as many plugin family options as the Scan template.