Tenable Vulnerability Management Licenses

Your Tenable Vulnerability Management instance has a licensed asset limit, which determines the number of assets you can scan for vulnerabilities. If you exceed your license limit, you can temporarily continue to use Tenable Vulnerability Management to scan your assets before adjusting your license as needed.

You can view your license information to see how many assets are currently being counted against your Tenable Vulnerability Management license. In addition, you can use the Licensed filter on the Assets workbench to view assets that count against your Tenable Vulnerability Management license. For more information, see Asset Filters.

Note: On the Settings > Licenses page in Tenable Vulnerability Management, License Overview and Licensed Assets by Scan Source widgets display real-time counts for different types of licensed assets. The Licensed Assets Trend wizard reflects the total counts for Tenable Vulnerability Management, Tenable Web App Scanning, and Tenable Container Security licensed assets, available in date ranges you select up until one day prior to present day.

How Assets are Counted

Tenable Vulnerability Managementanalyzes multiple asset attributes, not just IP addresses, to identify an asset. For more information on how Tenable Vulnerability Management identifies an asset, see the Tenable Vulnerability Management FAQ.

Assets are counted towards your license limit depending on how Tenable Vulnerability Management discovers, or sees, the asset. In general, an asset does not count against your license limit unless it has been assessed for vulnerabilities.

Assets Counted Assets Not Counted

Conditions where an asset counts towards your license limit include:

  • An active scan.
  • An agent scan.
  • An import of asset data that contains information on vulnerabilities (for example, a scan result from Tenable Nessus Professional).
  • Host and Tenable Web App Scanning asset types are licensed if the last licensed scan was within the past 90 days.

Conditions where an asset does not count towards your license limit include:

  • A scan configured with the Host Discovery template or configured to use only the discovery plugins.
  • An import of asset data that does not contain information on vulnerabilities (for example, ServiceNow data).
  • A linked instance of Tenable Nessus Network Monitor running in discovery mode.
  • A discovery-only connector, until and unless the asset is scanned for vulnerabilities.
  • Scanned Mobile Device Management assets.

In general, assets scanned by both network and agent-based scans are not double counted towards your license. Tenable Vulnerability Management determines whether an asset is unique by matching Identification Attributes (IAs) such as Network UUID or Fully Qualified Domain Name (FQDN). For a complete list of Identification Attributes used by Tenable Vulnerability Management, see How Does Tenable Vulnerability Management Identify an Asset as Unique.

Reclaiming Licenses

When an asset is deleted, it is removed from the Assets workbench in the Explore section of Tenable Vulnerability Management. It can take up to 24 hours for the asset deletion to be reflected in your license count.

When Tenable Vulnerability Management reclaims a license, that license becomes available for a different asset. Tenable Vulnerability Management reclaims licenses in the following scenarios:

  • When a licensed asset is deleted or has not been scanned for a period of time, the asset ages out of your license count.
  • If the asset is an Explore asset, then Tenable Vulnerability Management removes the asset from your asset count within 24 hours. All other assets remain on your license count until 90 days after Tenable Vulnerability Management last sees the asset in a scan.

    Note: If an asset is part of a network with an Asset Age Out setting, this setting overrides these default settings. For more information, see View or Edit a Network.

  • If an asset is discovered through connectors and is then licensed, the asset license is reclaimed the day after the asset is terminated. You can observe this event via the connector.

Plugins Excluded from the License Limit

The following plugins do not count towards your license limit.

Note: Plugin IDs are static, but Tenable Vulnerability Management occasionally updates plugin names. For the latest information on plugins, see Tenable Plugins.

Tenable Nessus Plugins set through Discovery Settings:

Tenable Nessus Plugin ID Plugin Name
10180 Ping the remote host
10335 Nessus TCP scanner
11219 Nessus SYN scanner
14274 Nessus SNMP Scanner
14272 Netstat Portscanner (SSH)
34220 Netstat Portscanner (WMI)
34277 Nessus UDP Scanner

Tenable Nessus Plugins set through Plugins:

Tenable Nessus Plugin ID Plugin Name
45590 Common Platform Enumeration (CPE)
54615 Device Type
12053 Host Fully Qualified Domain Name (FQDN)
11936 OS Identification
10287 Traceroute Information
22964 Service Detection
11933 Do not scan printers
87413 Host Tagging
19506 Nessus Scan Information
33812 Port scanners settings
33813 Port scanner dependency

Tenable Nessus Network Monitor Plugins:

Tenable Nessus Network Monitor Plugin ID Plugin Name
0 Open Ports
12 Host TTL discovered
18 Generic Protocol Detection
19 VLAN ID Detection
20 Generic IPv6 Tunnel Traffic Detection
113 VXLAN ID Detection
132 Host Attribute Enumeration