Managed Risk FAQs
Find answers to frequently asked questions about how Managed Risk vulnerability scans work.
How does a vulnerability scan work?
When you run a scan on customer assets, Tenable cloud scanners (for external assets) or internal scanning appliances evaluate your systems. They check open ports, identify services, and determine the operating system. Vulnerabilities are detected using Tenable plugins, which test for specific security issues.
Scans don't assess web application and API-level vulnerabilities.
Why do my vulnerability scan results differ?
Differences in scan results can arise for the following reasons:
- Different products use different rules or plugins, or different update cycles.
- Different types of scan are being run:
  - Unauthenticated scans simulate an external attacker and may detect fewer vulnerabilities.
  - Authenticated scans simulate an insider or compromised account, allowing deeper access, and typically detect more vulnerabilities.
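As an added example (not Sophos or Tenable code), the following Python reconciles two scan exports by CVE rather than by plugin ID, which separates findings that only the authenticated scan could reach from findings where both scans reported the same issue through different plugins. The finding format, the host address and the CVE identifiers are constructed for illustration.

```python
"""Reconcile two vulnerability scan exports to explain why their results differ.

Added example, not vendor code. The input format is an assumption: each finding
is a dict with "host", "plugin_id" and a list of "cves".
"""
from collections import defaultdict

# Constructed sample findings for one asset: an unauthenticated scan and an
# authenticated scan. CVE-EXAMPLE-* are placeholders, not real identifiers.
UNAUTH_SCAN = [
    {"host": "10.0.0.5", "plugin_id": 10107, "cves": []},                   # banner grab, no CVE
    {"host": "10.0.0.5", "plugin_id": 20007, "cves": ["CVE-EXAMPLE-0001"]},  # remote version check
]
AUTH_SCAN = [
    {"host": "10.0.0.5", "plugin_id": 20008, "cves": ["CVE-EXAMPLE-0001"]},  # local package check, same CVE
    {"host": "10.0.0.5", "plugin_id": 30011, "cves": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"]},
    {"host": "10.0.0.5", "plugin_id": 30012, "cves": ["CVE-EXAMPLE-0002"]},
]


def cve_index(findings):
    """Map each CVE to the set of (host, plugin_id) pairs that reported it.

    Informational findings without a CVE are skipped: they cannot be matched
    across scans or products that use different plugin identifiers."""
    index = defaultdict(set)
    for finding in findings:
        for cve in finding["cves"]:
            index[cve].add((finding["host"], finding["plugin_id"]))
    return index


def reconcile(scan_a, scan_b):
    """Compare two scans by CVE and return the CVEs seen only in A, only in B,
    and those seen in both but reported by different plugin sets (same issue,
    different rule coverage)."""
    a, b = cve_index(scan_a), cve_index(scan_b)
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "plugin_mismatch": sorted(c for c in common if a[c] != b[c]),
    }


if __name__ == "__main__":
    result = reconcile(UNAUTH_SCAN, AUTH_SCAN)
    print("Only in unauthenticated scan:", result["only_in_a"])
    print("Only in authenticated scan:  ", result["only_in_b"])
    print("Same CVE, different plugins: ", result["plugin_mismatch"])
```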
Is there a list of CVEs (Common Vulnerabilities and Exposures) that Managed Risk checks against, and how frequently is it updated?
Managed Risk uses Tenable's Vulnerability Management capabilities, which in Tenable's plugin listings are mainly covered by the "Nessus" product. Whether a given plugin is run against an asset depends on multiple factors, such as the operating system, the open ports, and the scan type.
For details, see the Tenable plugin database.
Tenable continuously updates plugins. See Tenable's newest plugins.
Tenable has a research team creating plugins for new vulnerabilities. Whether and when a new plugin is created depends on many factors, such as how critical the vulnerability is, how popular the impacted application is, and how likely it is that the vulnerability will be exploited in the wild.
How do I report questions or issues about vulnerability scan results or reports?
You can create a Managed Risk case for the Managed Risk Operations team to investigate. See Create a case.