Linked Scanners

"Linked scanners" refers to the on-premises scanning infrastructure that you deploy, manage, and link to Tenable Vulnerability Management. Unlike cloud scanners (which Tenable manages), linked scanners allow you to scan assets inside your corporate firewalls, secure enclaves, and air-gapped networks.

Available Scanner Types

Tenable Vulnerability Management supports three distinct types of linked scanners. You should choose a scanner based on the asset type and network constraints of the segment you want to secure.

Scanner Type	Information
Tenable Nessus Scanner (Active Network Scanning) This scanner operates actively. It sends packets to targets to identify open ports, services, and vulnerabilities.	Best for — Traditional IT infrastructure (servers, workstations, and network devices). Network requirement — Standard network reachability (TCP/IP) to the target assets. This is the most common scanner. It serves as the primary engine for the majority of your vulnerability assessments.
Tenable Network Monitor (NNM) (Passive Monitoring) This scanner operates in passive mode. Tenable Network Monitor inspects network traffic packets in real time. It does not send packets to your assets, which makes it safe for sensitive environments.	Best for — Continuous monitoring (detecting new assets when they join the network), sensitive systems (devices that may fail if you actively scan them), and encrypted traffice (identifying SSL/TLS versions and expiring certificates. Network requirement — Requires a SPAN port, mirror port, or network TAP to feed the scanner a copy of the network traffic. If you install NNM on a standard server without a traffic feed, the scanner collects no data.
Tenable Web App Scanning (Application Layer) This scanner operates by crawling applications. Unlike Tenable Nessus (which checks the server running the website), Tenable Web App Scanning logs in to the web application itself to test the code, forms, and logic.	Best for — Modern web applications (HTML5, AJAX, SPAs) that require Dynamic Application Security Testing (DAST). Network requirement — HTTP or HTTPS access to the web application.

Scanner Type

Information

Tenable Nessus Scanner (Active Network Scanning)

This scanner operates actively. It sends packets to targets to identify open ports, services, and vulnerabilities.

Best for — Traditional IT infrastructure (servers, workstations, and network devices).
Network requirement — Standard network reachability (TCP/IP) to the target assets.
This is the most common scanner. It serves as the primary engine for the majority of your vulnerability assessments.

Tenable Network Monitor (NNM) (Passive Monitoring)

This scanner operates in passive mode. Tenable Network Monitor inspects network traffic packets in real time. It does not send packets to your assets, which makes it safe for sensitive environments.

Best for — Continuous monitoring (detecting new assets when they join the network), sensitive systems (devices that may fail if you actively scan them), and encrypted traffice (identifying SSL/TLS versions and expiring certificates.
Network requirement — Requires a SPAN port, mirror port, or network TAP to feed the scanner a copy of the network traffic. If you install NNM on a standard server without a traffic feed, the scanner collects no data.

Tenable Web App Scanning (Application Layer)

This scanner operates by crawling applications. Unlike Tenable Nessus (which checks the server running the website), Tenable Web App Scanning logs in to the web application itself to test the code, forms, and logic.

Best for — Modern web applications (HTML5, AJAX, SPAs) that require Dynamic Application Security Testing (DAST).
Network requirement — HTTP or HTTPS access to the web application.

Deployment Options: Tenable Core

To simplify deployment, Tenable offers Tenable Core—a hardened, pre-configured operating system (based on Oracle Linux) that comes with these scanners pre-installed.

Appliance Approach — Instead of provisioning your own Linux server and installing the Tenable Nessus RPM, you deploy the "Tenable Core + Tenable Nessus" virtual machine image.
Security — Tenable Core is hardened according to Center for Internet Security (CIS) benchmarks. This reduces the maintenance burden on your operating system administrators.

Scaling and Management

Scanner Groups (Load Balancing) — For large environments, avoid assigning scans to individual Tenable Nessus scanners. Instead, organize your scanners into scanner groups. When you assign a scan to a group, Tenable Vulnerability Management automatically balances the load across all available scanners in that group, which significantly reduces scan time.
Scanner Profiles (Configuration) — Use Scanner Profiles to standardize settings across your scanner fleet.
Linking Keys — All linked scanners require a linking key to authenticate with your specific cloud instance. This key acts as the bridge between your on-premises infrastructure and the Tenable platform.

Before you can use linked scanners in Tenable Vulnerability Management scans, you must:

Install the appropriate Tenable product on the sensor or the host you want to scan.

Scanner Type	Related Documentation
Tenable Nessus	Environments Install Tenable Nessus in the Tenable Nessus User Guide Deploy or Install Tenable Core + Tenable Nessus in the Tenable Core User Guide Note: If a Tenable Nessus scanner has multiple NICs/interfaces, you may see multiple IPv4/IPv6 addresses for the scanner.
Tenable Network Monitor	Environments Install Tenable Network Monitor in the Tenable Network Monitor User Guide Deploy or Install Tenable Container Security + Tenable Network Monitor in the Tenable Core User Guide
Tenable Web App Scanning	Environments Deploy or Install Tenable Core + Tenable Web App Scanning in the Tenable Core User Guide

Scanner Type