WAS Licenses

Your Tenable.io Web Application Scanning instance has a licensed asset limit that determines the number of web application assets you can scan for vulnerabilities. If you exceed your limit, you can temporarily continue to use Tenable.io Web Application Scanning to scan your assets before adjusting your license as needed.

You can view your license information to see how many assets are currently counted against your Tenable.io Web Application Scanning license. You can use this information to evaluate how effectively you are using your asset licenses.

How Assets are Counted

Tenable.io Web Application Scanning determines asset count by the number of fully-qualified domain names (FQDNs) that Tenable.io Web Application Scanning successfully scans for your user account. An asset does not count against your license limit until Tenable.io Web Application Scanning has successfully scanned the asset for vulnerabilities.

FQDNs appear on your license as complete URLs. Per the RFC-3986 internet standard, each FQDN includes the following components and format:

hostname.parent domain.top-level domain

When you specify a web application target in a scan, Tenable.io Web Application Scanning counts that target as a separate asset if any component of the FQDN differs from that of another scanned target or previously scanned asset. Multiple targets with different paths appended to the FQDN count as a single asset, as long as all components of the FQDNs match.

The following targets would count toward a single asset in Tenable.io Web Application Scanning:

hostname.parent domain.top-level domain/path1

hostname.parent domain.top-level domain/path2

hostname.parent domain.top-level domain/path2/path3

Note: When a licensed target has not been scanned for 90 days, it ages out of the licensed count.


In this example, Tenable.io Web Application Scanning successfully scans the following target and counts it toward your licensed asset limit.


In the following table, targets in the first column would count as the same asset as the example asset, and targets in the second column would count as separate assets from the example.

Same Asset

(all FQDN components match)

Separate Assets

(FQDN components do not all match)

  • https://example.com/welcome
  • https://example.com/welcome/get-started
  • https://example.com/welcome/get-started/create-new-user
  • https://en.example.com (different hostname)
  • https://www.ex-ample.com (different parent domain)
  • https://www.example.org (different top-level domain)