Tenable Vulnerability Management Licenses

This topic breaks down the licensing process for Tenable Vulnerability Management as a standalone product. It also explains how assets are counted, lists add-on components you can purchase, explains how licenses are reclaimed, and notes plugins whose output is excluded from your license count.

Licensing Tenable Vulnerability Management

To use Tenable Vulnerability Management, you purchase licenses based on your organizational needs and environmental details. Tenable Vulnerability Management then assigns those licenses to your assets: assessed resources from the past 90 days, either identified on scans or imported with vulnerabilities (for example, servers, storage devices, network devices, virtual machines, or containers).

When your environment expands, so does your asset count, so you purchase more licenses to account for the change. Tenable licenses use progressive pricing, so the more you purchase, the lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click and then click License Information. To learn more, see License Information Page.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more, contact your Tenable representative.

How Assets Are Counted

When Tenable Vulnerability Management scans an asset, it compares it to previously discovered assets. In general, if the new asset does not match a previously discovered asset and has been assessed for vulnerabilities, it counts towards your license.

Tenable Vulnerability Management uses a complex algorithm to identify new assets without creating duplicates. The algorithm looks at the asset’s BIOS UUID, MAC address, NetBIOS name, fully qualified domain name (FQDN), and more. Authenticated scanners or agents also assign a Tenable UUID to each asset to mark it as unique. For more information, see the Tenable Vulnerability Management FAQ.

The following table describes when assets count towards your license.

Counted Towards Your License:

  • An asset identified by an active scan.

  • An asset identified by an agent scan.

  • An asset import containing vulnerabilities (for example, a scan result from Tenable Nessus Professional).

  • Host and Tenable Web App Scanning asset types, if the last licensed scan was within the past 90 days.

  • An asset identified by a scan with plugin debugging enabled. To prevent such assets from counting against your license, delete them.

Not Counted Towards Your License:

  • A scan configured with the Host Discovery template or configured to use only the discovery plugins.

  • An asset import containing no vulnerabilities (for example, ServiceNow data).

  • A linked instance of Tenable Nessus Network Monitor running in discovery mode.

  • A discovery-only connector, until and unless the asset is scanned for vulnerabilities.

  • Scanned Mobile Device Management assets.

  • Some plugin output, as described in Excluded Plugin Output.

Tenable Vulnerability Management Components

You can customize Tenable Vulnerability Management for your use case by adding components. Some components are add-ons that you purchase.

Included with Purchase Add-on Component
  • Unlimited Tenable Nessus scanners.

  • Unlimited Tenable Nessus Agents.

  • Unlimited Tenable Nessus Network Monitors with vulnerability detection.

  • Access to the Tenable Vulnerability Management API.

  • Tenable PCI ASV.

  • Tenable Attack Surface Management.

Reclaiming Licenses

When you purchase licenses, your total license count is static for the length of your contract unless you purchase more licenses. However, Tenable Vulnerability Management reclaims licenses under some conditions—and then reassigns them to new assets so that you do not run out of licenses.

The following table explains how Tenable Vulnerability Management reclaims licenses.

Asset Type: License Reclamation Process

Deleted assets: Tenable Vulnerability Management removes deleted assets from the Assets workbench and reclaims their licenses within 24 hours.

Aged out assets: In Settings > Sensors > Networks, if you enable Asset Age Out, Tenable Vulnerability Management reclaims assets after they have not been scanned for a period you specify.

Assets from connectors: Tenable Vulnerability Management reclaims assets from connectors the day after they are terminated. You can observe this event in each connector.

All other assets: Tenable Vulnerability Management reclaims all other assets, such as those imported from other products or assets with no age-out setting, after they have not been scanned for 90 days.

Exceeding the License Limit

To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated threats, Tenable licenses are elastic. However, when you scan more assets than you have licensed, Tenable clearly communicates the overage and then reduces functionality in three stages.

  • Scenario: You scan more assets than are licensed for three consecutive days.
    Result: A message appears in Tenable Vulnerability Management.

  • Scenario: You scan more assets than are licensed for 15+ days.
    Result: A message and a warning about reduced functionality appear in Tenable Vulnerability Management.

  • Scenario: You scan more assets than are licensed for 45+ days.
    Result: A message appears in Tenable Vulnerability Management; scan and export features are disabled.

Tip: Improper scan hygiene or product misconfigurations can cause scan overages, which result in inflated asset counts. To learn more, see Scan Best Practices.

Expired Licenses

The Tenable Vulnerability Management licenses you purchase are valid for the length of your contract. 30 days before your license expires, a warning appears in the user interface. During this renewal period, work with your Tenable representative to add or remove products or change your license count.

After your license expires, you can no longer sign in to the Tenable platform.

Excluded Plugin Output

The plugins listed in this section do not count towards your license limit.

Note: Plugin IDs are static, but Tenable products may sometimes update plugin names. For the latest information on plugins, see Tenable Plugins.

Tenable Nessus Plugins in Discovery Settings

Configure the following Tenable Nessus plugins in Discovery Settings. These plugins do not count towards your license.

Tenable Nessus Plugin ID Plugin Name
10180 Ping the remote host
10335 Nessus TCP scanner
11219 Nessus SYN scanner
14274 Nessus SNMP Scanner
14272 Netstat Portscanner (SSH)
34220 Netstat Portscanner (WMI)
34277 Nessus UDP Scanner

Tenable Nessus Plugins on the Plugins Page

Configure the following Tenable Nessus plugins on the Plugins page. These plugins do not count towards your license.

Tenable Nessus Plugin ID Plugin Name
45590 Common Platform Enumeration (CPE)
54615 Device Type
12053 Host Fully Qualified Domain Name (FQDN)
11936 OS Identification
10287 Traceroute Information
22964 Service Detection
11933 Do not scan printers
87413 Host Tagging
19506 Nessus Scan Information
33812 Port scanners settings
33813 Port scanner dependency

Tenable Nessus Network Monitor Plugins

The following Tenable Nessus Network Monitor plugins do not count towards your license.

Tenable Nessus Network Monitor Plugin ID Plugin Name
0 Open Ports
12 Host TTL discovered
18 Generic Protocol Detection
19 VLAN ID Detection
20 Generic IPv6 Tunnel Traffic Detection
113 VXLAN ID Detection
132 Host Attribute Enumeration