Managed Credentials

Note: This section describes creating and maintaining managed credentials. For more information about scan-specific or policy-specific credentials, see Credentials in Tenable Vulnerability Management Scans or Credentials in Tenable Web App Scanning Scans.

Managed credentials serve as a secure, centralized storage location for the authentication strings required to perform vulnerability scans.

Unlike scan-specific credentials, where you manually enter usernames and passwords into individual scan definitions, managed credentials allow you to define an asset's identity once and reference it securely across multiple scans.

For information on managing managed credentials, see Manage Managed Credentials.

Governance and Risk Reduction

From a compliance perspective (for example, PCI DSS or NIST), managed credentials provide a critical layer of control compared to ad-hoc credential use:

  • Reduced Attack Surface — By centralizing credentials, you prevent scattered credentials. You store high-privilege passwords (such as Domain Admin) in one secure location rather than in hundreds of different scan definitions.

  • Simplified Rotation — When you change a password in your environment, you only need to update the single managed credential object. Tenable Vulnerability Management instantly updates all scans that reference that object, which prevents authentication failures and locked accounts.

Access Control and Least Privilege

Managed credentials support separation of duties through granular permission levels. This ensures that operational staff can perform their duties without exposure to sensitive data.

  • Can Edit — The user can view and modify the sensitive data (password or key). You should restrict this permission to high-level administrators.

  • Can Use — The user can select the credential to launch a scan but cannot view the password or key. This capability allows analysts to run scans without knowing the Domain Admin password.

Integration with Scans

Once defined, a managed credential becomes a reusable object within Tenable Vulnerability Management.

  • Decoupled Configuration — Scans reference the credential object, not the raw data. This keeps scan configurations clean and audit-ready.

  • Supported Types — You can manage various authentication types, including SSH keys, Windows passwords (Kerberos/NTLM), SNMP community strings, and database credentials.