Widely deployed vulnerability scanner by Tenable with over 200,000 plugins for identifying vulnerabilities and compliance gaps.
# Nessus
Nessus is a proprietary vulnerability scanner developed and maintained by Tenable, Inc. It exists to answer a fundamental operational question: what weaknesses are present in an environment right now, and how severe are they? Without systematic scanning, security teams operate on assumption rather than evidence, leaving known exploitable conditions undetected for months or years. Nessus solves this by performing automated, plugin-driven inspection of network assets, comparing observed configurations and software states against a continuously updated library of known vulnerabilities, misconfigurations, and compliance failures. The result is a prioritized list of remediable findings that feeds patch management, configuration hardening, and risk reporting workflows across organizations of every size and industry.
---
Nessus is a host and network vulnerability scanner that identifies security weaknesses in operating systems, network devices, web servers, databases, hypervisors, cloud infrastructure, and industrial control systems. It operates by dispatching a series of scripted checks, called plugins, against target assets and comparing observed states to known vulnerability signatures mapped to CVEs, CVSS scores, and vendor advisories.
Nessus is not a penetration testing framework. It does not exploit vulnerabilities to achieve code execution or lateral movement. It detects the conditions under which exploitation is likely possible. This distinction matters operationally: Nessus produces a list of attack surface exposures, but confirming actual exploitability and business impact requires manual analysis or dedicated exploitation tooling such as Metasploit.
Nessus is also not a static analysis tool, a SIEM, or an endpoint detection and response platform. It does not monitor live traffic, detect active intrusions, or analyze code for defects. Its role is point-in-time or scheduled assessment of configuration and patch state.
Tenable offers Nessus in several variants. Nessus Essentials is a free tier limited to 16 IP addresses, designed for students and small-scale personal use. Nessus Professional is the commercial standalone product intended for consultants and small security teams conducting ad hoc assessments. Nessus Expert adds cloud infrastructure scanning and external attack surface enumeration. At enterprise scale, the underlying Nessus engine is embedded within Tenable.io (now rebranded under the Tenable One platform) and Tenable Security Center (formerly Tenable.sc), which add centralized management, asset tracking, risk scoring, and SLA monitoring across distributed scanner deployments.
---
Nessus scanning proceeds through a structured sequence of discovery, service identification, vulnerability testing, and reporting. Understanding each phase is necessary to configure scans that produce accurate, actionable results rather than noisy, incomplete output.
## Phase 1: Host Discovery
Before testing for vulnerabilities, Nessus determines which targets are alive and reachable. It sends ICMP echo requests, TCP SYN packets to common ports, and UDP probes to identify responsive hosts. In environments where ICMP is blocked by firewall rules, configuring Nessus to treat all specified IP addresses as alive prevents missed coverage. For internal network scans this setting is commonly enabled because network perimeters already restrict external access.
## Phase 2: Port Scanning and Service Detection
Nessus scans TCP and UDP ports to identify open services. The default scan profile covers the most common 4,500 TCP ports. Full port coverage (all 65,535 TCP ports) extends scan duration but prevents missed services running on non-standard ports, a tactic commonly used by attackers to hide services. After ports are identified, Nessus performs service detection using banner grabbing and protocol handshakes to determine what application is listening, not just which port is open.
## Phase 3: Plugin Execution
The plugin library, exceeding 200,000 individual checks as of 2024, is the core of Nessus's detection capability. Each plugin is written in NASL (Nessus Attack Scripting Language), a domain-specific language designed for network security testing. Plugins are organized by family: operating system patches, web application issues, database configurations, network devices, policy compliance, and others. The scan policy controls which plugin families are active, allowing teams to focus checks on relevant asset types and reduce scan duration.
Plugins operate in two modes depending on scan type:
Non-credentialed scanning (also called unauthenticated or remote scanning) probes targets from the network without supplying credentials. It detects open ports, exposed service banners, outdated protocol versions, and vulnerabilities detectable through network interaction alone. For example, a non-credentialed scan can detect an Apache HTTP Server exposing its version number in response headers and flag known CVEs affecting that version. However, it cannot inspect installed package lists, local file permissions, or registry settings, so it systematically misses vulnerabilities in software that does not expose itself through the network.
Credentialed scanning authenticates to targets using SSH (Linux and network devices), WMI or SMB (Windows), SNMP, or database credentials. Once authenticated, Nessus queries the operating system directly: it reads installed package databases on Linux systems using tools like dpkg or rpm, queries the Windows registry for installed software and patch states, inspects file permissions, and reads configuration files. Credentialed scans produce dramatically more accurate results with substantially fewer false positives. A credentialed Windows scan, for instance, can confirm exactly which Microsoft security updates are installed, mapping gaps directly to the CVEs those patches address.
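The following is an added example, not Nessus plugin code or anything from Tenable: it shows why the credentialed package check described above is more accurate than a banner check. A credentialed plugin reads the installed package version (here, lines shaped like `dpkg-query -W` output) and compares it with the version in which the distribution shipped the fix, using Debian's version ordering; a non-credentialed check can only compare the upstream version seen in a banner. The package list, the banner and the "fixed in" table are constructed placeholders, not a real advisory.

```python
import re

# Added example (not Nessus code). Version ordering follows Debian's deb-version
# manual page: [epoch:]upstream[-revision]; within upstream and revision, alternating
# non-digit runs (lexical, with dpkg's ordering) and digit runs (numeric).


def _char_order(c: str) -> int:
    """dpkg ordering for non-digit runs: '~' sorts before everything, even the end of
    the string; end of string next; then letters; then every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a: str, b: str) -> int:
    """Compare one upstream or revision string. Returns -1, 0 or 1."""
    while a or b:
        ai = next((i for i, ch in enumerate(a) if ch.isdigit()), len(a))
        bi = next((i for i, ch in enumerate(b) if ch.isdigit()), len(b))
        na, nb = a[:ai], b[:bi]                      # non-digit runs
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i] if i < len(na) else "")
            ob = _char_order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[ai:], b[bi:]
        ai = next((i for i, ch in enumerate(a) if not ch.isdigit()), len(a))
        bi = next((i for i, ch in enumerate(b) if not ch.isdigit()), len(b))
        da, db = int(a[:ai] or "0"), int(b[:bi] or "0")   # digit runs
        if da != db:
            return -1 if da < db else 1
        a, b = a[ai:], b[bi:]
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:                 # no '-' at all: rpartition put everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """-1 if a is older than b, 0 if equal, 1 if newer, under Debian version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


# Constructed sample of a package list read over SSH (versions are illustrative only).
DPKG_QUERY_OUTPUT = """\
apache2 2.4.57-2+deb12u1
openssl 3.0.11-1~deb12u2
curl 7.88.1-10+deb12u3
"""

# Hypothetical "fixed in" versions, placeholders for what a plugin carries for a distro
# advisory. The apache2 fix is a backport: the upstream number stays 2.4.57 and only
# the Debian revision moves, which is exactly what a banner check cannot see.
FIXED_IN = {
    "apache2": "2.4.57-2+deb12u1",
    "openssl": "3.0.11-1~deb12u2",
    "curl": "7.88.1-10+deb12u5",
}


def parse_dpkg_query(text: str) -> dict:
    """Parse lines shaped like `dpkg-query -W -f='${Package} ${Version}\\n'` output."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            installed[name] = version
    return installed


def credentialed_findings(installed: dict, fixed_in: dict) -> list:
    """Packages whose installed version is older than the version that carries the fix."""
    return sorted(pkg for pkg, fixed in fixed_in.items()
                  if pkg in installed and dpkg_compare(installed[pkg], fixed) < 0)


def banner_flags_vulnerable(banner: str, fixed_upstream: str) -> bool:
    """The non-credentialed view: pull the upstream version out of a Server header and
    compare it with the upstream release that fixed the issue. Backports are invisible."""
    m = re.search(r"Apache/(\d+(?:\.\d+)*)", banner)
    return m is not None and dpkg_compare(m.group(1), fixed_upstream) < 0


if __name__ == "__main__":
    installed = parse_dpkg_query(DPKG_QUERY_OUTPUT)
    print("credentialed findings:", credentialed_findings(installed, FIXED_IN))       # ['curl']
    print("banner check flags apache2:", banner_flags_vulnerable("Apache/2.4.57 (Debian)", "2.4.58"))  # True
```

Run as written, the credentialed comparison reports only `curl` as behind the fix, while the banner check flags the patched `apache2` because the header still says 2.4.57. That pairing is the usual source of both the false positives in unauthenticated results and the undercount the text describes: the banner check also stays silent for everything that never exposes a version on the wire.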
## Phase 4: Compliance and Configuration Checks
Beyond CVE-mapped vulnerability detection, Nessus includes audit files for compliance assessment against CIS Benchmarks, DISA STIGs, PCI DSS requirements, HIPAA controls, and other frameworks. These checks compare observed configuration settings to prescribed secure baseline values. For example, a CIS Level 1 audit for Windows Server 2022 checks whether account lockout policies, audit logging settings, and service configurations meet benchmark recommendations. Compliance scan results are reported separately from vulnerability findings and are directly useful for audit evidence generation.
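An added example, not a Nessus audit file and not from Tenable, of the comparison a compliance check performs: each observed setting is tested against a prescribed value or range and reported as PASSED, FAILED or ERROR (setting unreadable). The `[MIN n]`, `[MAX n]` and `[a..b]` notation is modelled loosely on the value_data forms used in Nessus .audit files (an assumption; check the Tenable audit reference for the real syntax), and the baseline values and observed settings are constructed, not a real CIS benchmark.

```python
import re

# Added example (not a Nessus .audit file). Baseline rows: check name, expected value
# expression, and the key under which a credentialed scan would read the setting.
BASELINE = [
    ("Account lockout threshold", "[1..5]", "LockoutBadCount"),
    ("Account lockout duration (minutes)", "[MIN 15]", "LockoutDuration"),
    ("Minimum password length", "[MIN 14]", "MinimumPasswordLength"),
    ("Audit logon events", "Success and Failure", "AuditLogonEvents"),
    ("Remote Registry service start type", "Disabled", "RemoteRegistryStart"),
]

# Constructed settings, as an authenticated scan might read them from one server.
OBSERVED = {
    "LockoutBadCount": 10,
    "LockoutDuration": 30,
    "MinimumPasswordLength": 8,
    "AuditLogonEvents": "Success and Failure",
    "RemoteRegistryStart": "Manual",
}


def matches(expected: str, observed) -> bool:
    """Evaluate one expected-value expression against an observed value."""
    if m := re.fullmatch(r"\[MIN (\d+)\]", expected):
        return int(observed) >= int(m.group(1))
    if m := re.fullmatch(r"\[MAX (\d+)\]", expected):
        return int(observed) <= int(m.group(1))
    if m := re.fullmatch(r"\[(\d+)\.\.(\d+)\]", expected):
        return int(m.group(1)) <= int(observed) <= int(m.group(2))
    return str(observed) == expected          # exact match for strings and enumerations


def run_audit(baseline, observed) -> list:
    """One result per check: (name, status, expected, observed). A setting the scanner
    could not read is an ERROR, not a pass: unreadable is not the same as compliant."""
    results = []
    for name, expected, key in baseline:
        if key not in observed:
            results.append((name, "ERROR", expected, None))
            continue
        status = "PASSED" if matches(expected, observed[key]) else "FAILED"
        results.append((name, status, expected, observed[key]))
    return results


def summarize(results) -> dict:
    """Counts per status, the figure an audit report leads with."""
    counts = {"PASSED": 0, "FAILED": 0, "ERROR": 0}
    for _, status, _, _ in results:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    audit = run_audit(BASELINE, OBSERVED)
    for name, status, expected, observed in audit:
        print(f"{status:<7} {name}: expected {expected}, observed {observed}")
    print(summarize(audit))   # {'PASSED': 2, 'FAILED': 3, 'ERROR': 0}
```

The ERROR status matters in practice: when credentials fail part-way through, or a registry path is missing, an audit that silently counted those checks as passed would overstate compliance, so they are kept as a separate bucket and reviewed before the report is used as evidence.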
## Phase 5: Reporting and Integration
Scan results are presented in the Nessus interface with severity ratings (Critical, High, Medium, Low, Informational), CVSS base scores, affected asset details, remediation guidance, and cross-references to NVD entries, vendor advisories, and Metasploit module availability. The presence of a public exploit reference is a prioritization signal: a Critical-severity finding with an available Metasploit module demands faster remediation than a Critical finding with no known public exploit code.
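An added example, not Tenable code, of applying the prioritization rule in the paragraph above to a scan export: findings are read from a `.nessus` (v2 XML) file and ordered by severity, then by whether public exploit code or a Metasploit module is referenced, then by CVSS score. Element and attribute names follow the NessusClientData_v2 export format as I know it (treat that as an assumption against your scanner's output); the hosts, plugin IDs and CVE identifiers in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Added example (not Tenable code). Nessus severity attribute 0..4 maps to these labels.
SEVERITY_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the shape of a .nessus v2 export; every value is a placeholder.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="Placeholder OS update missing (constructed)"
                  pluginFamily="Windows : Microsoft Bulletins">
        <cvss_base_score>9.8</cvss_base_score>
        <cve>CVE-0000-00001</cve>
        <exploit_available>true</exploit_available>
        <exploit_framework_metasploit>true</exploit_framework_metasploit>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
                  pluginID="100002" pluginName="Placeholder critical, no public exploit (constructed)"
                  pluginFamily="General">
        <cvss_base_score>9.1</cvss_base_score>
        <cve>CVE-0000-00002</cve>
        <exploit_available>false</exploit_available>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100003" pluginName="Placeholder high, exploit available (constructed)"
                  pluginFamily="Web Servers">
        <cvss_base_score>8.1</cvss_base_score>
        <exploit_available>true</exploit_available>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100004" pluginName="Placeholder medium, exploit available (constructed)"
                  pluginFamily="Web Servers">
        <cvss_base_score>6.5</cvss_base_score>
        <exploit_available>true</exploit_available>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="100005" pluginName="SSH service detected (constructed)"
                  pluginFamily="Service detection">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text: str) -> list:
    """Flatten every ReportItem into a dict carrying the fields used for triage."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": sev,
                "risk": SEVERITY_NAMES.get(sev, "Unknown"),
                "cvss": float(item.findtext("cvss_base_score", "0") or 0),
                "cves": [c.text for c in item.findall("cve")],
                "exploit_available": item.findtext("exploit_available") == "true",
                "metasploit": item.findtext("exploit_framework_metasploit") == "true",
            })
    return findings


def priority_key(f: dict):
    """Severity first, then public exploit code, then a Metasploit module, then CVSS."""
    return (-f["severity"], not f["exploit_available"], not f["metasploit"], -f["cvss"])


def prioritized(xml_text: str, include_info: bool = False) -> list:
    """Findings in remediation order; informational items are dropped unless asked for."""
    findings = [f for f in parse_findings(xml_text) if include_info or f["severity"] > 0]
    return sorted(findings, key=priority_key)


if __name__ == "__main__":
    for f in prioritized(SAMPLE_NESSUS):
        flag = "MSF" if f["metasploit"] else ("exploit" if f["exploit_available"] else "-")
        print(f'{f["risk"]:<9} {f["cvss"]:>4}  {flag:<8} {f["host"]:<10} {f["port"]:<9} {f["name"]}')
```

With the sample, the Critical finding that references a Metasploit module lands first and the Critical with no public exploit second, ahead of the High that does have one; severity still outranks exploit availability, which is the ordering the paragraph describes. Adjust `priority_key` if your program weights exploit availability above severity.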
## Practical Scenario
A financial services organization runs a credentialed Nessus scan against its internal Windows server fleet every two weeks. After a Patch Tuesday cycle, the scan identifies 14 servers where a critical Microsoft vulnerability has not been patched, despite the organization's stated policy of patching within 30 days. The finding includes the CVE number, CVSS score, affected software version, and a direct link to the Microsoft Security Advisory. The security team exports the results in CSV format, tickets each unpatched server to the relevant system owner in the IT service management platform, and tracks closure through the next scan cycle. Without the scan, the patching gap would remain invisible until an attacker exploited it or an auditor discovered the deficiency during a manual review.
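The export-ticket-rescan loop in the scenario, as an added example that is not Tenable's code or the organization's tooling: two CSV exports from consecutive scan cycles are keyed by host, plugin and port, findings are grouped into one ticket per server, and the second cycle is compared with the first to decide what closed. The column names are modelled on the Nessus CSV export (an assumption; confirm against your version's header line), and every row is constructed with placeholder hosts and CVE identifiers.

```python
import csv
import io
from collections import defaultdict

# Added example (not Tenable code). Two constructed exports, one per scan cycle.
CYCLE_1 = """\
Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name,Solution
100001,CVE-0000-00001,9.8,Critical,srv-01,tcp,445,Placeholder Microsoft update missing (constructed),Apply the vendor update
100001,CVE-0000-00001,9.8,Critical,srv-02,tcp,445,Placeholder Microsoft update missing (constructed),Apply the vendor update
100002,CVE-0000-00002,7.5,High,srv-01,tcp,3389,Placeholder RDP hardening (constructed),Disable the legacy setting
100002,CVE-0000-00002,7.5,High,srv-04,tcp,3389,Placeholder RDP hardening (constructed),Disable the legacy setting
100003,,0.0,None,srv-02,tcp,22,SSH service detected (constructed),n/a
"""

CYCLE_2 = """\
Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name,Solution
100001,CVE-0000-00001,9.8,Critical,srv-02,tcp,445,Placeholder Microsoft update missing (constructed),Apply the vendor update
100002,CVE-0000-00002,7.5,High,srv-01,tcp,3389,Placeholder RDP hardening (constructed),Disable the legacy setting
100004,CVE-0000-00004,8.8,High,srv-03,tcp,80,Placeholder web server issue (constructed),Apply the vendor update
100003,,0.0,None,srv-02,tcp,22,SSH service detected (constructed),n/a
"""

ACTIONABLE = {"Critical", "High", "Medium", "Low"}   # the export marks informational rows Risk "None"


def load_findings(csv_text: str) -> dict:
    """Key each actionable row by (host, plugin id, protocol, port). The port is part of
    the key because one plugin can fire on several services on the same host."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] in ACTIONABLE:
            findings[(row["Host"], row["Plugin ID"], row["Protocol"], row["Port"])] = row
    return findings


def hosts_seen(csv_text: str) -> set:
    """Every host that produced any row, informational included. A host absent here was
    not reached in that cycle, so its findings cannot be declared closed."""
    return {row["Host"] for row in csv.DictReader(io.StringIO(csv_text))}


def tickets_per_host(findings: dict) -> dict:
    """One ticket per server, as the scenario does, listing what its owner must fix."""
    tickets = defaultdict(list)
    for (host, _, _, _), row in findings.items():
        tickets[host].append({"plugin_id": row["Plugin ID"], "risk": row["Risk"],
                              "cve": row["CVE"], "name": row["Name"], "fix": row["Solution"]})
    return dict(tickets)


def compare_cycles(previous: dict, current: dict, scanned_hosts: set) -> dict:
    """Closure tracking across two cycles. A finding is closed only when the host was
    scanned again and the finding is gone; if the host was unreachable it is unverified."""
    prev_keys, cur_keys = set(previous), set(current)
    gone = prev_keys - cur_keys
    return {
        "closed": sorted(k for k in gone if k[0] in scanned_hosts),
        "unverified": sorted(k for k in gone if k[0] not in scanned_hosts),
        "still_open": sorted(prev_keys & cur_keys),
        "new": sorted(cur_keys - prev_keys),
    }


if __name__ == "__main__":
    first, second = load_findings(CYCLE_1), load_findings(CYCLE_2)
    for host, items in tickets_per_host(first).items():
        print(f"ticket for {host}: {len(items)} finding(s)")
    for bucket, keys in compare_cycles(first, second, hosts_seen(CYCLE_2)).items():
        print(f"{bucket:<11} {keys}")
```

The `unverified` bucket is the check most home-grown trackers miss: a server that was offline or blocked during the rescan produces no rows at all, and a naive set difference would record every one of its findings as remediated.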
---
Unpatched vulnerabilities and misconfigured systems are the most consistently exploited initial access vectors in documented breaches. The Verizon Data Breach Investigations Report has repeatedly identified exploitation of known vulnerabilities as a primary attack path. Nessus directly addresses this risk class by making the exploitable surface visible and measurable on a recurring basis.
Without regular vulnerability scanning, organizations face several concrete failure modes. Patch management programs that rely on manual tracking or agent-based inventory tools alone frequently miss assets. Systems deployed outside normal provisioning processes, sometimes called shadow IT, are almost never captured in manually maintained asset registers. Nessus discovers these systems through network scanning, bringing previously invisible assets into the vulnerability management program.
Misconfigurations represent a comparable risk to unpatched software. The 2020 SolarWinds supply chain compromise was amplified in many victim environments by excessive service account permissions and insufficient network segmentation, conditions that credentialed Nessus scans and compliance audits are designed to surface. While Nessus would not have detected the SolarWinds trojanized update itself (that is a threat detection problem, not a vulnerability assessment problem), it would have identified the permissive configurations that allowed the attacker to move laterally once inside.
A common misconception is that running a scan equals having a vulnerability management program. A scan produces data. A vulnerability management program requires that data to flow into a prioritization process, remediation assignment, SLA enforcement, and validation rescanning. Nessus is the instrumentation layer; it does not manage remediation on its own. Organizations that run scans without acting on findings, or that scan only annually, achieve little measurable risk reduction.
Another misconception is that non-credentialed scans provide sufficient coverage. Security teams operating under the constraint that they cannot obtain credentials for production systems should treat non-credentialed results as a floor, not a ceiling. They will undercount vulnerabilities, sometimes by a factor of five or more compared to credentialed scanning of the same assets.
---
CDA approaches vulnerability scanning through the Planetary Defense Model with Nessus assigned to the VSD (Vulnerability Surface Detection) domain, where the operational mandate is continuous identification and reduction of exploitable conditions across client environments. The governing methodology is Continuous Surface Reduction (CSR), expressed operationally as: every surface you expose is a surface we eliminate.
In CDA engagements, Nessus is deployed as a credentialed scanner against all in-scope assets from the first week of an engagement. Non-credentialed scanning is treated as a supplementary check, used specifically to simulate what an attacker with no credentials would see from a network position, not as a substitute for authenticated assessment. CDA requires credentialed scan coverage because unauthenticated results create false confidence: an environment can appear to have few vulnerabilities in a non-credentialed scan while carrying hundreds of unpatched packages visible only to an authenticated inspector.
CDA distinguishes its scanning approach from common industry practice in three specific ways. First, scan schedules are risk-tiered rather than uniform. Internet-facing systems and systems holding sensitive data are scanned on a weekly cycle. Internal workstations and lower-criticality servers are scanned every two weeks. The rationale is that the exposure window for a critical internet-facing system is far shorter than organizations typically budget for when running monthly scans.
Second, CDA integrates Nessus results directly into the client's ticketing and patch management workflow through API-based export, eliminating the manual step of translating scan reports into remediation tickets. This reduces the gap between finding identification and remediation assignment, which is where most vulnerability management programs lose time.
Third, CDA treats compliance audit findings and vulnerability findings as a unified risk register rather than managing them in separate tracks. A misconfiguration that enables privilege escalation is operationally equivalent to an unpatched CVE that enables privilege escalation. Both represent attack surface. Both get remediation owners, deadlines, and verification rescans under the CSR methodology.
The outcome CDA measures is not the number of scans run but the mean time to remediation for findings by severity tier, tracked week over week as the primary indicator that the surface is actually shrinking.
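An added example, not CDA's own tooling, of computing the metric this section names: mean time to remediation per severity tier, broken out by the ISO week in which a rescan confirmed closure, together with the open backlog and its age. The remediation records are constructed, and the per-tier SLA days are hypothetical placeholders rather than CDA's or any client's actual targets.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Added example (not CDA tooling). Constructed records of the kind a ticket/rescan loop
# produces: (finding id, severity tier, date first seen by a scan,
#            date a rescan confirmed it gone, or None while still open).
RECORDS = [
    ("F1", "Critical", date(2024, 1, 2), date(2024, 1, 5)),    # 3 days, closed ISO week 1
    ("F2", "Critical", date(2024, 1, 3), date(2024, 1, 12)),   # 9 days, closed week 2
    ("F3", "High",     date(2024, 1, 2), date(2024, 1, 9)),    # 7 days, closed week 2
    ("F4", "High",     date(2024, 1, 8), date(2024, 1, 16)),   # 8 days, closed week 3
    ("F5", "Critical", date(2024, 1, 9), date(2024, 1, 16)),   # 7 days, closed week 3
    ("F6", "High",     date(2024, 1, 3), None),                # still open
    ("F7", "Medium",   date(2024, 1, 10), None),               # still open
]

# Hypothetical remediation deadlines per tier, in days (placeholders, not real targets).
SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30}


def _closed(records):
    return [r for r in records if r[3] is not None]


def mttr_days(records) -> dict:
    """Mean days from first detection to confirmed closure, per severity tier."""
    by_tier = defaultdict(list)
    for _, tier, seen, fixed in _closed(records):
        by_tier[tier].append((fixed - seen).days)
    return {tier: round(mean(days), 1) for tier, days in by_tier.items()}


def mttr_by_week(records) -> dict:
    """The same metric keyed by (ISO week of closure, tier), so it can be read week over
    week: a rising value for a tier means the surface is not shrinking for that tier."""
    by_week = defaultdict(list)
    for _, tier, seen, fixed in _closed(records):
        by_week[(fixed.isocalendar()[1], tier)].append((fixed - seen).days)
    return {key: round(mean(days), 1) for key, days in sorted(by_week.items())}


def open_backlog(records, as_of: date) -> dict:
    """Still-open findings per tier and the age of the oldest: closure-only metrics look
    fine while old findings quietly accumulate, so the backlog is reported alongside."""
    backlog = defaultdict(lambda: {"open": 0, "oldest_days": 0})
    for _, tier, seen, fixed in records:
        if fixed is None:
            backlog[tier]["open"] += 1
            backlog[tier]["oldest_days"] = max(backlog[tier]["oldest_days"], (as_of - seen).days)
    return dict(backlog)


def sla_breaches(records, as_of: date, sla_days: dict) -> list:
    """Finding ids whose age (to closure, or to today if still open) exceeds the tier SLA."""
    breached = []
    for fid, tier, seen, fixed in records:
        age = ((fixed or as_of) - seen).days
        if age > sla_days.get(tier, 10**6):
            breached.append(fid)
    return breached


if __name__ == "__main__":
    today = date(2024, 1, 22)
    print("MTTR by tier:", mttr_days(RECORDS))                 # {'Critical': 6.3, 'High': 7.5}
    print("MTTR by week:", mttr_by_week(RECORDS))
    print("open backlog:", open_backlog(RECORDS, today))
    print("SLA breaches:", sla_breaches(RECORDS, today, SLA_DAYS))   # ['F2', 'F6']
```

Two design points: closure dates come from a verifying rescan, not from the ticket being marked done, so the metric measures the surface rather than the workflow; and breaches are evaluated for open findings too, since a finding that is already past its deadline should surface before it is closed, not only in hindsight.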
---
Written by CDA Editorial