Scan Distribution

Overview

Tenable Vulnerability Management's scan distribution method improves scan efficiency for your organization’s scanners and the cloud scanners that Tenable provides. Tenable Vulnerability Management distributes scans as tasks across multiple scanners in the scanner group assigned to the scan, rather than assigning complete scan jobs to individual scanners. When you assign a scan to a single scanner, Tenable Vulnerability Management assigns the scanner tasks that can run in parallel, enabling the scanner to complete the job more efficiently.

Scan distribution allows multiple scan tasks to run simultaneously, reducing bottlenecks that would occur if scans ran sequentially on individual scanners. As your organization’s scanning needs grow, this distribution method makes it less likely for your overall scan performance to degrade.

How Tenable Vulnerability Management Distributes Scans

Scan Job Creation and Queuing

When you launch a scan, Tenable Vulnerability Management creates a scan job and sends it to the job queue of the scanner group or individual scanner defined in the scan configuration. Jobs are always sent from Tenable Vulnerability Management and queued in scanner groups or individual scanners in the order they are created.

Tenable Vulnerability Management determines where to send scan jobs and what to send based on three aspects of the target scanner or scanner group's capacity:

  • Target capacity — The number of assets a scanner can actively scan simultaneously. By default, this value is based on the hardware resources of the scanner, including the number of processors and the amount of memory available.

  • Task capacity — The number of tasks (parts of a scan) that a scanner can perform simultaneously. A scanner's task capacity is determined based on the target capacity.

  • Job capacity — The number of different jobs a scanner can include tasks from at once. In this way, scans can be performed asynchronously, and a scanner that has available capacity can complete multiple tasks even if those tasks are not derived from the same scan. Job capacity is always less than or equal to the task capacity so that when a scanner is at its job capacity, it can still complete tasks from every job.

For scanner groups, jobs are queued centrally, and the earliest job is held until the group has available capacity. For individual scanners, the job queue may include jobs assigned directly as well as jobs distributed from groups the scanner belongs to.

Scan Task Assignment

When a scanner or scanner group has available capacity, Tenable Vulnerability Management breaks the earliest job in its queue into scan tasks and dispatches them.

  • For scanner groups, Tenable Vulnerability Management distributes tasks across scanners in the group using a "round robin" method.

  • For individual scanners, tasks are pulled from the job queue and assigned in round robin order until the scanner's task capacity is full.

Each scan task accounts for up to 120 IP addresses. The last task in a job may contain fewer addresses. For example, Tenable Vulnerability Management splits a scan job of 300 IP addresses into two 120-address tasks and one 60-address task.
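The splitting and round-robin dispatch described above, modelled in Python for capacity planning. This is an added illustration, not Tenable code: the scanner names, capacities and target addresses are constructed, skipping a scanner that is already at task capacity is an assumption about dispatch order, and job capacity is not modelled.

```python
from collections import deque
from ipaddress import ip_address

TASK_SIZE = 120  # from the page: each scan task accounts for up to 120 IP addresses


def split_job(targets, task_size=TASK_SIZE):
    """Chunk a job's target list into tasks; only the last task may be short."""
    return [targets[i:i + task_size] for i in range(0, len(targets), task_size)]


def dispatch(jobs, capacity):
    """Simplified model of scanner-group dispatch (assumption, not Tenable's code).

    jobs: ordered list of (job_name, targets), earliest job first.
    capacity: dict of scanner name -> task capacity (free task slots).
    Returns (assignments, waiting): assignments maps each scanner to a list of
    (job_name, task_index, address_count); waiting holds tasks with no free slot.
    """
    free = dict(capacity)
    ring = deque(capacity)            # round-robin order of scanners
    assignments = {s: [] for s in capacity}
    waiting = []
    for job_name, targets in jobs:    # the earliest job is broken up first
        for idx, task in enumerate(split_job(targets)):
            for _ in range(len(ring)):
                scanner = ring[0]
                ring.rotate(-1)       # the next task starts at the next scanner
                if free[scanner] > 0:
                    free[scanner] -= 1
                    assignments[scanner].append((job_name, idx, len(task)))
                    break
            else:                     # every scanner is at task capacity
                waiting.append((job_name, idx, len(task)))
    return assignments, waiting


def sample_targets(start, count):
    """Constructed sample data: `count` consecutive addresses from `start`."""
    base = int(ip_address(start))
    return [str(ip_address(base + i)) for i in range(count)]


if __name__ == "__main__":
    jobs = [("job-A", sample_targets("10.0.0.1", 300)),
            ("job-B", sample_targets("10.0.8.1", 130))]
    placed, waiting = dispatch(jobs, {"scanner-1": 2, "scanner-2": 1, "scanner-3": 1})
    print(placed, waiting)
```

In this run, scanner-1 holds one task from each job at the same time, and the final 10-address task of job-B waits until a task slot is released.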

The way Tenable Vulnerability Management dispatches tasks depends on the scanning scenario.

View Live Results

As scanners complete tasks, you can view live scan results in Tenable Vulnerability Management. Each time a task completes, the platform updates the scan results with new data. If a scan fails or is interrupted, Tenable Vulnerability Management retains all completed results, though the scan reflects an incomplete status. If a job is assigned to multiple scanners and one of those scanners fails, the remaining scanners continue processing tasks until completion.