Tenable Web App Scanning Licenses

This topic breaks down the licensing process for Tenable Web App Scanning as a standalone product. It also explains how assets are counted, lists add-on components you can purchase, and describes what happens during license overages or expirations.

Licensing Tenable Web App Scanning

Tenable Web App Scanning has two versions: a cloud version and an on-premises version. For the cloud version, Tenable offers a subscription model. For the on-premises version, Tenable offers a subscription model as well as perpetual and maintenance licenses.

Note: A Tenable Security Center license is required for the Tenable Web App Scanning on-premises version.

To use Tenable Web App Scanning, you purchase licenses based on your organizational needs and environmental details. Tenable Web App Scanning then assigns those licenses to assets in your environment: unique fully qualified domain names (FQDNs). If you only scan IP addresses, the system licenses those instead.

When your environment expands, so does your asset count, so you purchase more licenses to account for the change. Tenable licenses use progressive pricing, so the more you purchase, the lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click and then click License Information. To learn more, see License Information Page.

How Assets are Counted

Tenable Web App Scanning determines your licensed asset count by scanning resources in your environment to identify FQDNs. FQDNs that have been scanned for vulnerabilities in the past 90 days count towards your license.

FQDNs are listed as complete URLs, as per the RFC-3986 internet standard. Under this standard, each FQDN has the following components and format:

hostname.parent-domain.top-level-domain

When you specify a web application target in a scan, Tenable Web App Scanning counts that target as a separate asset if any component of the FQDN differs from that of another scanned target or previously scanned asset. Multiple targets with different paths appended to the FQDN count as a single asset, as long as all components of the FQDNs match.

For example, the following targets count towards one asset:

hostname.parent-domain.top-level-domain/path1

hostname.parent-domain.top-level-domain/path2

hostname.parent-domain.top-level-domain/path2/path3

The following table shows when scan targets are considered to be the same asset and when they are considered to be separate assets, based on whether or not all the FQDN components match.

Same Asset:
  • https://example.com
  • https://example.com/welcome
  • https://example.com/welcome/get-started
  • https://example.com/welcome/get-started/create-new-user

Separate Assets:
  • http://example.com
  • https://en.example.com (different hostname)
  • https://www.ex-ample.com (different parent domain)
  • https://www.example.org (different top-level domain)
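
Added example (not part of Tenable's documentation or product code): a way to estimate the licensed asset count from your own scan target list before a scan cycle, using the rules above. The scan records are constructed sample data, and ignoring scheme and port is an assumption, because the rule above names only the FQDN components.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

WINDOW_DAYS = 90  # from the page: FQDNs scanned in the past 90 days count


def asset_key(target):
    """Return the host of a scan target; path, query and fragment are dropped.

    Assumption: scheme and port are ignored as well, since the counting rule
    is stated only in terms of hostname, parent domain and top-level domain.
    """
    # urlsplit only fills in .hostname when "//" precedes the host.
    if "//" not in target:
        target = "//" + target
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no host in target: {target!r}")
    return host.rstrip(".").lower()  # DNS names are case-insensitive


def licensed_assets(scans, today):
    """Map each counted host (FQDN or IP) to its most recent scan date.

    scans: iterable of (target, scan_date). Hosts whose latest scan is older
    than WINDOW_DAYS are left out, mirroring the 90-day rule.
    """
    latest = {}
    for target, scanned in scans:
        host = asset_key(target)
        if host not in latest or scanned > latest[host]:
            latest[host] = scanned
    cutoff = today - timedelta(days=WINDOW_DAYS)
    return {h: d for h, d in latest.items() if d >= cutoff}


# Constructed sample scan history (targets reuse the page's example names).
SCANS = [
    ("https://example.com", date(2024, 6, 1)),
    ("https://example.com/welcome", date(2024, 6, 2)),
    ("HTTPS://Example.COM/welcome/get-started?step=2", date(2024, 6, 3)),
    ("https://en.example.com", date(2024, 5, 20)),
    ("https://www.ex-ample.com", date(2024, 4, 15)),
    ("https://www.example.org/login", date(2024, 1, 10)),  # outside the window
]

if __name__ == "__main__":
    counted = licensed_assets(SCANS, today=date(2024, 6, 30))
    for host, last in sorted(counted.items()):
        print(f"{host:20} last scanned {last}")
    print("assets counted:", len(counted))
```

Compare the resulting count with the figure on the License Information page; a large gap usually points to targets entered under several hostnames for the same application.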

Tenable Web App Scanning Components

You can customize Tenable Web App Scanning for your use case by adding components. Some components are add-ons that you purchase.

Included with Purchase:
  • External scanning functionality.
  • OWASP Top 10 Issues.
  • HTML5 crawling.
  • Integration with Tenable Vulnerability Management (if owned).
  • Use of the API.

Add-on Component:
  • Additional cloud scan concurrency.

Tip: Concurrency is based on your licensed assets and determines how many Tenable-managed cloud scanners you can run simultaneously.

Reclaiming Licenses

When you purchase licenses, your total license count is static for the length of your contract unless you purchase more licenses. However, Tenable Web App Scanning reclaims licenses under some conditions. You can also delete assets or set them to age out so that you do not run out of licenses.

The following table explains how Tenable Web App Scanning reclaims licenses.

| Asset Type | License Reclamation Process |
| --- | --- |
| Deleted assets | Tenable Web App Scanning removes deleted assets from the Assets workbench and reclaims their licenses within 24 hours. |
| Aged out assets | In Settings > Sensors > Networks, if you enable Asset Age Out, Tenable Web App Scanning reclaims assets after they have not been scanned for a period you specify. |
| All other assets | Tenable Web App Scanning reclaims all other assets—such as those imported from other products or assets with no age-out setting—after they have not been scanned for 90 days. |

Exceeding the License Limit

To allow for usage spikes due to sudden environment growth or unanticipated threats, Tenable Web App Scanning licenses are elastic by 10%. However, when you scan more assets than you have licensed, Tenable clearly communicates the overage and then reduces functionality in three stages.

| Scenario | Result |
| --- | --- |
| You scan more assets than are licensed for three consecutive days. | A message appears in Tenable Web App Scanning. |
| You scan more assets than are licensed for 15+ days. | A message and warning about reduced functionality appear in Tenable Web App Scanning. |
| You scan more assets than are licensed for 45+ days. | A message appears in Tenable Web App Scanning; export features are disabled. |

Tip: Improper scan hygiene or product misconfigurations can cause scan overages, which result in inflated asset counts. To learn more, see Scan Best Practices.

Expired Licenses

The Tenable Web App Scanning licenses you purchase are valid for the length of your contract. 30 days before your license expires, a warning appears in the user interface. During this renewal period, work with your Tenable representative to add or remove products or change your license count.

After your license expires, you can no longer sign in to the Tenable platform.