License Requirements

This topic breaks down the licensing process for Tenable Security Center as a standalone product. It also explains how assets are counted, lists add-on components you can purchase, and describes what happens during license overages or expirations.

Tenable Security Center Versions

Tenable Security Center has two versions:

  • Tenable Security Center — Includes Tenable Nessus Network Monitor in discovery mode and unlimited Tenable Nessus scanners.

  • Tenable Security Center+ — Includes all of the above plus Tenable Nessus Network Monitor with vulnerability detection and metrics such as Asset Exposure Score (AES) and Asset Criticality Rating (ACR).

Tenable Security Center Director is available for both versions. Tenable Security Center Director is an add-on with which you can manage multiple Tenable Security Center instances from one location. For more information, see the Tenable Security Center Director User Guide.

Note: You cannot upgrade a Tenable Security Center license to a Tenable Security Center Director license or downgrade a Tenable Tenable Security Center Director license to a Tenable Security Center license.

Licensing Tenable Security Center

To use any version of Tenable Security Center, you purchase licenses based on your organizational needs and environmental details. Tenable Security Center assigns those licenses to your assets, which are assessed hosts from Tenable Cloud Security or imported from other Tenable products.

When your environment expands, so does your asset count, so you purchase more licenses to account for the change. Tenable licenses use progressive pricing, so the more you purchase, the lower the per-unit price. For prices, contact your Tenable representative.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more, contact your Tenable representative.

How Assets are Counted

Tenable Security Center licenses are valid for specific hosts and a maximum number of active assets identified by IP address or UUID. Assets count towards your license depending on how Tenable Security Center discovers them. In general, assets do not count unless they have been assessed for vulnerabilities.

For example, if you purchase a 500 asset license, you can perform host discovery on your network, but you cannot assess more than 500 assets. For more information about discovery and assessment scanning, see Scanning Overview in the Tenable Security Center User Guide.

The following table explains when assets count towards your license.

Counted Towards Your License

Not Counted Towards Your License

  • Assets from active scans.

  • Assets from Log Correlation Engine instances.

  • Assets from Tenable Nessus Network Monitor instances not in discovery mode.

  • UUIDs from OT Security instances.

  • Assets in offline or remote repositories that you downloaded using the same Tenable Security Center instance or license.

Note: In agent or IPv4 repositories, each single IP address or UUID counts once toward your license, even if it was scanned via multiple methods or stored in multiple repositories.

In universal repositories, each asset with a UUID is counted toward your license. For example, if an asset in an IPv4 repository does not have a UUID, and the same asset is stored in a universal repository with a UUID, the asset is counted twice.

Note: If you use an alternative port scanner, Tenable Security Center counts the detected IP addresses against your license.

  • Assets present only from imports to offline or remote repositories.

  • Assets present only from Tenable Nessus Network Monitor instances in discovery mode.

  • Assets in offline or remote repositories that you downloaded using the same Tenable Security Center instance with a different license.

  • Assets in offline or remote repositories that you downloaded using a different Tenable Security Center instance and license.

  • In the latest versions of Tenable Security Center and Tenable Security Center Director, the following excluded plugins:

    Tenable Nessus — 10180, 10287, 10335, 11219, 11933, 11936, 12053, 14272, 14274, 19506, 22964, 33812, 33813, 34220, 34277, 45590, 54615, 87413, 112154, 161455, 179042, and 209654.

    Tenable Nessus Network Monitor — 0, 12, 18, 19, 20, 113, and 132.

    Tenable Log Correlation Engine — 800000 through 800099.

Note: In the context of this table, assets are differentiated by the type of repository the data is stored in. For example:

  • in IPv4 and IPv6 repositories, assets are IP addresses.

  • in agent repositories, assets are agents.

  • in universal repositories, assets are hosts.

For more information, see Asset Tracking in Tenable Security Center.

Tenable Security Center Components

You can customize Tenable Security Center for your use case by adding components. Some components are add-ons that you purchase.

Version Included with Purchase Add-on Component
Tenable Security Center

  • One console (or more with additional IP addresses).

  • Tenable Nessus Network Monitor in discovery mode.

  • Tenable Nessus scanners.

  • Vulnerability Probability Rating (VPR).

  • (Subscription-only) The same number of on-premises Tenable Nessus Agents as your licensed assets, provided on request.

  • Vulnerability Intelligence.

  • Cloud Tenable Nessus Agents.

  • Tenable Nessus Network Monitors in high-performance mode.

  • (Subscription-only) Additional consoles.

  • (Subscription-only) Security Center Lab License.

  • (Subscription-only) Tenable Lumin connector.

    Note: The standalone Tenable Lumin SKU's will reach End of Sale (EOS) on March 31, 2025. Customers currently using Tenable Lumin and Tenable Lumin Connector will be upgraded to the Tenable One Platform for both new and renewal purchases. Contact your CSM if you want to migrate before this date to take advantage of all Tenable One capabilities. For more information, see the Tenable Lumin End of Sale Bulletin.

  • Tenable Web App Scanning, to scan web applications with a Tenable Nessus scanner in Tenable Security Center. Scan up to your number of licensed fully qualified domain names (FQDNs). For more information, see Web App Scans in the Tenable Security Center User Guide.

    Note: If you already have a Tenable Security Center license and you upgrade to Tenable Security Center version 6.2.x or later, there are two ways to enable web application scans. Either update your Tenable Web App Scanning plugins manually in Tenable Security Center or wait for the nightly plugin update to run.

  • (Subscription-only) Tenable Security Center Director.

  • (Perpetual-only) On-Premises Tenable Nessus Agents, which Perpetual customers must purchase separately.

  • Tenable Attack Surface Management.

  • Tenable Lumin, if you want to view your data in Tenable Vulnerability Management.

    Tip: Synchronized assets that count toward your Tenable Security Center license also count toward your Tenable Vulnerability Management license.

  • Log Correlation Engine.

    Note: Tenable no longer supports Log Correlation Engine and will deprecate it at the end of 2024.
Tenable Security Center+

  • One console (or more with additional IP addresses).

  • Tenable Nessus Network Monitor in discovery mode.

  • Tenable Nessus Network Monitors with vulnerability detection.

  • Tenable Nessus scanners.

  • Asset Exposure Score (AES).

  • Asset Criticality Rating (ACR).

  • Vulnerability Priority Rating (VPR).

  • (Subscription-only) The same number of on-premises Tenable Nessus Agents as your licensed assets, provided on request.

  • Vulnerability Intelligence.

  • Cloud Tenable Nessus Agents.

  • Tenable Nessus Network Monitors in high-performance mode.

  • (Subscription-only) Additional consoles.

  • (Subscription-only) Security Center Lab License.

  • (Subscription-only) Tenable Lumin connector.

    Note: The standalone Tenable Lumin SKU's will reach End of Sale (EOS) on March 31, 2025. Customers currently using Tenable Lumin and Tenable Lumin Connector will be upgraded to the Tenable One Platform for both new and renewal purchases. Contact your CSM if you want to migrate before this date to take advantage of all Tenable One capabilities. For more information, see the Tenable Lumin End of Sale Bulletin.

  • Tenable Web App Scanning, to scan web applications with a Tenable Nessus scanner in Tenable Security Center. Scan up to your number of licensed fully qualified domain names (FQDNs). For more information, see Web App Scans in the Tenable Security Center User Guide.

    Note: If you already have a Tenable Security Center license and you upgrade to Tenable Security Center version 6.2.x or later, there are two ways to enable web application scans. Either update your Tenable Web App Scanning plugins manually in Tenable Security Center or wait for the nightly plugin update to run.

  • (Subscription-only) Tenable Security Center Director.

  • (Perpetual-only) On-Premises Tenable Nessus Agents, which Perpetual customers must purchase separately.

  • Tenable Attack Surface Management.

  • Tenable Lumin, if you want to view your data in Tenable Vulnerability Management.

    Tip: Synchronized assets that count toward your Tenable Security Center license also count toward your Tenable Vulnerability Management license.

  • Log Correlation Engine.

    Note: Tenable no longer supports Log Correlation Engine and will deprecate it at the end of 2024.

Reclaiming Licenses

Tenable Security Center's license count updates when you delete a repository, run a license report, or upload a new license. If you set assets to age out, they are removed during nightly cleanup. If you configure your scan settings to remove unresponsive hosts, they are removed at scan import.

For more information, see License Count in the Tenable Security Center Best Practices Guide.

Exceeding the License Limit

You can temporarily exceed your licensed IP address count to accommodate usage spikes from hardware refreshes, sudden environment growth, or unanticipated threats. As you approach or exceed your license limit, a warning appears in the Tenable Security Center interface. If you continue to exceed your limit, Tenable disables your access to Tenable Security Center. To monitor your license limit, use the Licensing Status widget, as described in Overview Dashboard. To upgrade your license, contact your Tenable representative.

Expired Licenses

The Tenable Security Center licenses you purchase are valid for the length of your contract. 30 days before your license expires, a warning appears in the user interface. During this renewal period, work with your Tenable representative to add or remove products or change your license count.

After your license expires, your Tenable products and components are affected as follows:

  • Tenable Security Center Console (Perpetual license) — The software remains fully functional. All user data is accessible.

  • Tenable Security Center Console (Subscription license) — To access the console, you must enter a new license key. Once you enter a new license key, normal operation resumes.

  • Tenable Nessus (Perpetual license) — When your maintenance period expires, plugin updates are no longer available. After 90 days, Tenable Nessus stops working and you cannot perform new scans. Because Tenable Security Center stops receiving feeds, the Tenable Nessus scanners managed by Tenable Security Center no longer receive updates and also stop working.

  • Tenable Nessus Network Monitor (Perpetual license) — After 30 days with no updates, new data is no longer processed.

  • Tenable Log Correlation Engine — On the day of license expiration, new logs are no longer processed.

Working with License Keys

The following sections explain how to work with Tenable license keys and link to additional details.

Get a Tenable Security Center License Key

To get a Tenable Security Center license key, enter the hostname of the installation machine in a form on the Tenable Community site, as described in the Tenable Community Guide. You can also email the key to licenses@tenable.com. In both cases, you receive a Tenable Security Center license key to use when activating your products.

Tip: To obtain the hostname of the installation machine, in a system shell prompt, type hostname.

You can also use the install UUID in place of the hostname. The install UUID appears on the license activation page of the initial setup wizard, and is also available on disk in the install log and in the install-uuid.txt file.

Add or Update a Tenable Security Center License Key

In most cases, adding a license key to Tenable Security Center or its attached products requires the Tenable Security Center console to contact a product registration server. The server connection is encrypted, as described in Encryption Strength.

Tip: To learn which Tenable sites to allow through your firewall, see the Tenable Knowledge Base.

Note: For instructions to use in offline or air-gapped environments, see Offline Plugin and Feed Updates for Tenable Security Center.

See the following topics for instructions to upload a new license key or update an existing one:

  • Quick Setup — Upload a new Tenable Security Center license and add activation codes for any attached products.

  • Apply a New License — Upload a new license for attached Tenable products only.

  • Update an Existing License — Update an existing Tenable Security Center license or existing attached Tenable product licenses.