Tenable Security Center dashboards

Vulnerability Management Program Health Dashboard

John Thounhurst — Thu, 16 Apr 2026 01:56:17 -0400

Vulnerability management infrastructure itself becomes a critical attack surface when security tools remain unpatched, scanning coverage gaps persist undetected, or credential failures silently erode assessment quality. Organizations often focus exclusively on remediating vulnerabilities within business applications while overlooking the health of the security ecosystem responsible for discovering those exposures. The blind spot created when scanning agents fail to update or authentication mechanisms degrade introduces a dangerous asymmetry where defenders believe comprehensive assessment coverage exists when substantial portions of the environment operate without proper evaluation. The Tenable Vulnerability Management Dashboard solves this issue by providing centralized monitoring of scanning infrastructure health, authentication success rates, credential validation outcomes, and assessment coverage completeness to ensure vulnerability detection capabilities maintain operational effectiveness. This proactive approach transforms vulnerability management from a reactive patching exercise into a disciplined lifecycle management discipline grounded in verified scanning quality and comprehensive asset visibility.

Assessment depth varies dramatically across the enterprise based on whether scans leverage authenticated access, privileged credentials, or merely perform network-level reconnaissance without enumeration capabilities. Distinguishing between assets receiving comprehensive credentialed evaluation and those subjected only to limited discovery scans reveals the true scope of vulnerability visibility across the infrastructure. Temporal analysis tracking scanning patterns over 90-day periods exposes consistency trends, identifies periods of reduced coverage, and validates whether asset population growth remains proportional to scanning capacity expansion. Operating system fingerprinting accuracy directly impacts vulnerability correlation effectiveness, with low-confidence identifications indicating the need for enhanced credential deployment or policy configuration improvements. Scan duration patterns provide capacity planning intelligence by revealing performance outliers that may indicate inefficient plugin selections, network latency issues, or targets requiring extended enumeration periods.

Authentication failure patterns concentrate remediation attention on hosts experiencing recurring credential validation problems that prevent thorough vulnerability assessment. Diagnostic plugins reporting 23 distinct error conditions—spanning authentication failures, connection timeouts, insufficient privileges, and protocol restrictions—enable systematic troubleshooting rather than broad infrastructure interventions disconnected from actual failure modes. Aggregating scanning problems across the complete affected population quantifies the percentage of assets experiencing assessment impediments versus those achieving successful evaluation, establishing key performance indicators for program health measurement. Recent scan metadata filtered to 14-day windows ensures operational monitoring reflects current infrastructure performance rather than historical conditions no longer representative of present capability. Matrix visualizations correlate multiple quality dimensions simultaneously, revealing which assessments combine credentialed access, thorough plugin execution, and error-free completion versus those exhibiting deficiencies requiring investigation.

The gap between asset discovery and comprehensive vulnerability assessment represents a critical visibility deficiency where network-connected endpoints lack the authenticated evaluation necessary for accurate risk quantification. Assets observed within recent timeframes but subjected only to uncredentialed scanning methods reveal the scope of credential deployment initiatives required to achieve proper vulnerability enumeration. Scan information metadata validates that assessment execution complies with organizational standards for plugin coverage, safe check configurations, and credential utilization patterns defined in security policies. Licensing and discovery statistics track newly observed assets integrated into the vulnerability management program, ensuring coverage expands proportionally with infrastructure growth rather than allowing unassessed populations to accumulate. Stale asset identification surfaces endpoints not observed for extended periods, enabling age-out policies that prevent decommissioned systems from distorting reporting and consuming assessment resources.

Upstream scanning problems manifest through specific plugin detections indicating firewall interference, rate limiting, session concurrency restrictions, or misconfigurations preventing successful credential-based assessment. Scan duration segmentation across seven distinct time bands from 0-120 seconds through assessments exceeding 3600 seconds enables optimization of scheduling policies and capacity allocation to prevent extended-duration targets from impacting overall program cadence. Authentication status correlation between verification plugins and baseline scanning activities distinguishes coverage gaps requiring infrastructure intervention from credential failures necessitating identity management remediation. Risk acceptance workflow integration allows documentation of business justifications when applications must remain operational despite known vulnerabilities due to compatibility constraints, operational dependencies, or formal exception processes. Consolidated exposure intelligence eliminates duplicate scanning efforts by providing security teams with an authoritative source for vulnerability data grounded in verified assessment quality rather than assumptions about coverage completeness.

Exposure management maturity requires organizations to see scanning infrastructure health across multiple operational dimensions—authentication success rates, credential validation outcomes, assessment cadence adherence, and coverage completeness metrics. Predictive capacity planning leverages scan duration distributions, asset population growth trends, and authentication failure patterns to act proactively before degradation substantially compromises vulnerability detection effectiveness. Machine learning-enhanced anomaly detection helps predict what operational issues will emerge by identifying gradual drift in scanning regularity, fingerprinting confidence degradation, or expanding populations of unassessed assets requiring credential deployment. This unified vision consolidates infrastructure health signals into coherent operational intelligence, while unified insight connects scanning quality metrics with vulnerability detection confidence to validate that risk quantification reflects thorough assessment rather than incomplete evaluation, and unified action mobilizes coordinated response between security operations, infrastructure teams, and credential management personnel to address the systematic issues preventing comprehensive vulnerability visibility across the Organization.

Components:

Track Host Discovered, Scanned and Scanned With Local Checks Summary: This matrix visualizes scanning depth across discovered assets, distinguishing between network-level discovery and credentialed scans. It tracks the progression from basic discovery to authenticated assessment, revealing gaps in comprehensive vulnerability coverage.

Hosts Discovered Trend Summary: This line chart tracks asset discovery patterns across multiple mechanisms over 90 days, combining passive, active, and credentialed scanning data. It reveals coverage consistency, scanning lapses, and asset population growth trends to support capacity planning.

OS Identification, Cadence & Confidence Level Summary: This matrix evaluates operating system fingerprinting accuracy with confidence scores ranging from 11-100%, segmented by assets seen within 30 days versus older identifications. It reveals OS identification gaps and low-confidence detections requiring enhanced scanning or credential deployment.

Hosts with the Most Vulnerability Scanning Issues: This table identifies assets with the highest occurrence of scanning problems by filtering 23 plugin IDs representing authentication failures, connection errors, and configuration issues. It prioritizes remediation efforts on hosts with the most severe scanning impediments, sorted by problem frequency.

Assets with Local Check Scan Results within 30 Days: This table inventories assets receiving credentialed scanning within the last 30 days, validating that scanning cadence meets organizational requirements. It enables calculation of the percentage of assets receiving authenticated assessment and supports compliance validation for regular vulnerability scanning requirements.

Summarize Local Checks Status: This matrix aggregates authentication verification results across multiple validation mechanisms, distinguishing scanning gaps from authentication failures. It reveals credential effectiveness patterns and enables root cause analysis for credential versus infrastructure issues.

Percentage of Hosts within Specific Host Scan Times: This matrix analyzes scan duration patterns across seven time bands (0-120 seconds to 3600+ seconds), identifying performance outliers and inefficiencies. It supports scanning efficiency analysis, capacity planning, and optimization of scan schedules for extended-duration assets.

Scan Information Summary: This table presents detailed scanning metadata from 25 informational plugins, reporting scan configurations, methodologies, credential utilization, and assessment thoroughness. It validates scanning compliance with organizational standards and supports audit requirements.

Vulnerability Scanning Issues: This table consolidates all hosts experiencing scanning problems using the same 23-plugin filter set, presenting the complete affected population. It provides comprehensive visibility into every asset with authentication failures, connection errors, or configuration impediments for systematic remediation planning.

Nessus Scanning Status: This matrix monitors scanning infrastructure health across multiple quality dimensions: recency (14 days), error conditions, scan duration, thorough test execution, and credentialed check success. It distinguishes high-quality comprehensive scans from incomplete or problematic assessments, providing early warning of scanning degradation.

Summarize Authentication Status: This matrix correlates authentication verification plugins with baseline scanning plugins to create a comprehensive view of credential validation outcomes. It distinguishes successful authentication from credential failures or insufficient privileges, enabling targeted credential management improvements and tracking authentication success rates.

Assets Seen in Last 30 days but Not Assessed by Vulnerability Management: This table identifies the gap between asset visibility and vulnerability assessment, exposing hosts seen within 30 days with uncredentialed scans only. It reveals assets requiring credential deployment to achieve comprehensive vulnerability assessment and supports targeted remediation planning.

Database Application Visibility & Exposures One-Stop-Shop

John Thounhurst — Tue, 17 Mar 2026 16:25:35 -0400

A benefit of an effective database security program is that organizations are better positioned to safeguard against the risks of compromise, and to thwart attacks such as malware and ransomware. Steps to building such a program include following best practices and regulatory requirements. Key initiatives include conducting and reviewing vulnerability assessments, and compliance audits.

Databases typically contain sensitive material such as financial data, personnel information, business intelligence, client information, and more. Organizational secrets were once contained in a locked file cabinet, within secure rooms, or entombed deep within an organization. Access was controlled with a key requiring on-site access, and copying or removing files was difficult at best. Today this information is commonly stored in a database that is connected to a wider network. Configuration errors can inadvertently provide access to a global audience. This practice makes a database a primary target of threat actors. Compromised databases are a common element of most data breaches, resulting in the exfiltration or loss of massive amounts of privileged information.

Information that is collected and stored in a database is important, and safeguarding that data is critical to business continuity. Costs associated with damages, fees, legal considerations and loss of reputation resulting from damaged and corrupt databases can be a financial burden for any organization. Depending on the type of data being stored, many established regulations and standards exist, which reduce the risk that information will be mishandled. Successful implementation means that customer confidence is maintained and organizations avoid costly financial ramifications.

Organizations are obligated to protect sensitive data, and many times comply with laws and regulations regarding the data being stored. To best accomplish this, database teams require vulnerability details which easily identify the most significant vulnerabilities, and provide guidance towards mitigation. The ability to act quickly in mitigating database vulnerabilities requires information to be presented in a manner which focuses on findings that should be prioritized and mitigated first. As a result, vulnerability remediation is more successful, the attack surface is reduced, and efforts can be visually tracked and measured against established goals.

Enumerating and securing your databases across the modern attack surface is especially critical related to 3-Tier Web Applications and AI. Nearly every Web Application has some flavor of database on the backend and internal and cyber criminal usage of GenAI and Agentic AI significantly raise the stakes for data security. GenAI prompts can be tied to your internal data and AI agents can be granted a significant range of autonomy. AI agents can operate constantly and adversaries can leverage low-and-slow attacks via these AI Agents and GenAI prompt-based crescendo attacks to gain access to your sensitive data. In this new world of AI, a strong database security program is not just about checking a box for compliance. It is a fundamental requirement to protect an organization's reputation and ensure AI remains an asset instead of a liability.

Tenable Security Center provides a risk-based view of your IT, security and compliance posture, allowing database teams to analyze findings, remediate identified risk, track progress, and measure success. Designed with the principles of the Cyber Exposure Lifecycle in mind, this dashboard assists database teams in maintaining a high level of awareness and vigilance. The dashboard is tailored to guide the database team in detecting, predicting, and acting to reduce risk across their entire attack surface. The components provide a glance over detected Databases. From supported databases to unsupported databases, and exploitable databases that have been active for a long time, this dashboard allows a Database team prioritize which assets/databases to patch first. The dashboard also includes a database compliance components that assist database teams by presenting pass/fail compliance results. It is important to note that the severity fields in the components can either be based on CVSS or VPR, depending on what the user selected in the settings. The dashboard components do not require specific asset list filters to be applied prior to use. However, organizations that have teams that do focus on a specific group of assets will benefit from using custom asset lists. Database teams can visualize findings against database assets within the organization using this method.

Components

Most Prevalent Database Application Installs - This table displays the most prevalent Database applications across your environment enabling the user to have a quick glance at detected databases and their counts.
Database One-Stop-Shop - Exploitable Vulnerabilities (Sorted by VPR) - This table presents the top new exploitable database vulnerabilities present in the environment that have been published in the last 30 days.
Severity Breakout for Database Vulnerabilities - This table displays breakout of your Low, Medium, High and Critical Severity Database Vulnerabilities based upon CVSS Severity. Tenable highly recommends that you focus on the Exploitability of Vulnerabilities.
Top Active, Exploitable Database Vulns First Seen More Than 365 Days Ago - This table displays the most prevalent exploitable Database exposures across your environment that are still active, but first seen on assets more than a year ago.
Database One-Stop-Shop - Unsupported Database Software - This table displays all unsupported database software by name, sorted by severity. Displayed are the name, severity, and the total number of vulnerabilities.
Database One-Stop-Shop - 10 Most Vulnerable Database Assets - This table provides information on the Top 10 most vulnerable database assets, providing the total number of vulnerabilities, score, IP address, DNS Name and OS CPE.
Other Useful Database Findings such as Database Credential Failures - This table displays additional database assessment findings that you may find useful, including instances of Database credential failures.
Audit Benchmarks Collected using Database Checks - This table displays these results and provides a quick view into which benchmarks are prevalent in the organization.

Java Visibility and Exposures

John Thounhurst — Tue, 17 Mar 2026 16:15:34 -0400

Hidden weaknesses in unpatched Java installations expand the organizational attack surface and expose the environment to severe operational disruptions. Visualizing impacted assets allows the organization to grasp how unmanaged applications increase overall risk exposure. A resilient defense posture requires continuous awareness of deployed infrastructure to prevent adversaries from exploiting network vulnerabilities. The Java Visibility and Exposures dashboard resolves these challenges by transforming complex scanning data into accessible visual formats, guiding the risk manager to proactively identify hidden flaws and secure vulnerable assets.

A strong software asset management program serves as the foundation for identifying unauthorized or end-of-life applications across the network. Without a robust software asset inventory, the security operations team cannot properly evaluate network health. The dashboard enables the risk manager to map out deployed applications, revealing potential blind spots within the infrastructure. Mapping such installations ensures the organization proactively identifies unsupported environments where vendors no longer supply security patches. Modern adversaries frequently leverage artificial intelligence to exploit unmanaged cyber risks, meaning accurate visibility into the asset landscape remains paramount for preventing unauthorized access.

Once assets are identified, prioritizing risk effectively ensures the security operations team addresses the most critical Java vulnerabilities first. Relying solely on traditional static scoring often creates overwhelming workloads. Conversely, utilizing dynamic Vulnerability Priority Ratings (VPR) focuses organizational resources on exposures associated with active threat intelligence and the highest likelihood of exploitation. Addressing high-risk exposures proactively prevents attackers from launching successful campaigns against vulnerable infrastructure. Implementing a robust vulnerability management strategy guided by threat intelligence ensures maximum risk reduction and creates a strengthened security posture.

Identifying and mapping network exposures empowers the risk manager to direct remediation efforts across affected subnets and individual host environments. Cybersecurity has evolved into a global security imperative, requiring a strategic shift toward risk-based, outcome-focused governance that elevates cyber risk discussions to the boardroom. By targeting the highest-priority threats, the organization can neutralize Server-Side Request Forgeries (SSRF) in the Java transport layer handshakes, before they can be exploited to disrupt operations. Resolving highly targeted vulnerabilities efficiently builds collective defense capabilities. Mastering detailed network visibility ultimately strengthens organizational security maturity and reduces overall cyber exposure.

Components

Java Installation Visibility - This table provides visibility into where Java applications are installed across your environment that you have scanned with Tenable.
Top Java Exposures Sorted by Tenable VPR - This table reports on all Java vulnerabilities uncovered across the environment.
Java Exposure Counts per Severity Level - Java Exposure Counts per CVSS Severity Level table displays a severity breakdown of the detected Java plugins across the scanned environment.
Unsupported Versions of Java - This table provides visibility into the unsupported versions of Java across your environment.
Prioritize Hosts - Top Hosts with Java Vulnerabilities - This table displays the top hosts on the network that have actively or passively detected Java vulnerabilities.
Hosts with the Most Java Installation Detections - This table displays the hosts with the most java installation detections across the scanned environment.

Operating System and Application Inventory with Data Troubleshooting

Josef Weiss — Fri, 13 Feb 2026 15:20:43 -0500

Security practitioners need full visibility of all vulnerabilities within the organization. By leveraging the continuous asset scanning and automated risk prioritization capabilities of Tenable Security Center (formerly Tenable.sc), the practitioner is able to discover operating system and application instances, software vulnerabilities, misconfigurations and other exposure details. This dashboard provides a high-level summary of asset counts per operating system and discovered applications, with the added benefit of helpful queries to identify troublesome areas in scan fidelity.

A key first step in establishing an exposure management program is to separate findings by operating systems and applications. This discovery process helps to assess the technology in the environment and discover gaps in exposure management. The components in the dashboard focus on either operating system vulnerabilities or application vulnerabilities by leveraging the CPE (Common Platform Enumeration) strings that are defined by NIST (National Institute of Standards and Technology) and provide a unique, standardized name for IT products. Using this comprehensive approach to data analysis, the risk manager is able to obtain visibility into the network and prioritize mitigation efforts accordingly.

Once the vulnerabilities are known to the risk managers the risk prioritization begins. In cases where a vendor supplied patch is available, patch management solutions are able to increase efficiency by distributing and applying the patches. However, there are many cases where unsupported operating systems or patches have not been released yet. Oftentimes unpatchable vulnerabilities are identified as exploitable, and to remediate the risk requires a configuration change such as a registry key change, disabling insecure or deprecated protocols, and upgrading to a supported operating system version or new operating system.

As the exposure management program matures, the security operations team needs to begin to measure data collection and the remediation processes. To allow for accurate measurements, the fidelity of the scanning program needs to be reviewed and monitored. To assist in this process the dashboard has several components that enable the understanding of scan health by identifying gaps in the scan activities. Organizations that utilize both agent scans and network scans are able to benefit from each method and begin to close the gaps in scan coverage. The dashboard helps to show the health of credentialed network scan, also known as an authenticated scan (which provides a deeper insight into the risk posture of the asset), as compared to discovery scanning. If credentialed network scans are not available, the organization can leverage the Tenable Agent to collect vulnerability data. While agents are not designed to perform network checks, certain settings cannot be checked or obtained, therefore combining network scans with agent-based scanning eliminates this gap. The key thing to keep in mind is that scanning with credentials will provide the best and most complete asset info, vulnerability and patch auditing picture with a regular scanning cadence and depth. Local Check Scans with the Tenable Agent or working credentials will provide the more complete and hi-fidelity data set that is needed and ensure the good data passes downstream for reporting, workflows and stakeholders.

Tenable Security Center provides the ability to Know the vulnerabilities on the network and provides full visibility with continuous asset scanning and automated risk prioritization capabilities. The data on this dashboard helps to Expose gaps and facilitate the process in which the risk manager is able to quickly find highly exploitable, business-impacting vulnerabilities using risk-based threat intelligence and critical asset identification. As the risk mitigations efforts increase their affection, the CISO is able to Close the critical exposures and make rapid, decisive decisions that direct actions to mitigate high-risk vulnerabilities and communicate leadership and stakeholders as the current state of the exposure management program.

Components

PCI-DSS - Scan Health Trending (50 Day trend) - This chart provides a trend analysis about authentication status and the scan process.
PCI-DSS - Scan Health - The Scan Health component provides details about authentication status and the scan process.
Tenable Agent - This table provides details related to Tenable Agents. Details include informational data, such as the detection of Tenable Agent installations, as well as Tenable Agent vulnerability data, such as out-of-date or software end-of-life (SEoL) Tenable Agents, including potential third-party induced vulnerabilities to Tenable Agents from products such as OpenSSL.
Scan Health By Subnet - The Scan Health component provides a summary about authentication status and the scan process per subnet.
Top Installed Operating Systems - The table provides a list of operating systems detected over the last 30 days by using Nessus, Tenable Agent or Nessus Network Monitor.
Security End of Life - Operating Systems - The Security End of Life - Operating Systems table displays all SEoL operating systems, associated severity, and is sorted by count.
Operating System Exposure Breakout per Subnet - The table provides a list of operating system vulnerabilities by subnet, detected over the last 30 days by using Nessus, Tenable Agent or Nessus Network Monitor.
Exploitable Operating System Exposure Breakout per Subnet - The table provides a list of operating system exploitable vulnerabilities by subnet, detected over the last 30 days by using Nessus, Tenable Agent or Nessus Network Monitor.
Unpatchable - Exploitable Operating System Exposure Breakout per Subnet - The table provides a list of operating system exploitable vulnerabilities by subnet which do not have a patch published, detected over the last 30 days by using Nessus, Tenable Agent or Nessus Network Monitor.
Top Installed Applications - The table displays the vulnerabilities related to applications last observed over the last 30 days, displays the plugin name and count of found on the network.
Security End of Life - Applications - The Security End of Life - Applications table displays all SEoL applications, associated severity, and is sorted by count.
Application Exposure Breakout per Subnet - The table provides a list of application vulnerabilities by subnet, detected over the last 30 days by using Nessus, Tenable Agent or Nessus Network Monitor.
Exploitable Application Exposure Breakout per Subnet - The table provides a list of exploitable application vulnerabilities by subnet, detected over the last 30 days by using Nessus, Tenable Agent or Nessus Network Monitor.
Unpatchable Exploitable Application Exposure Breakout per Subnet - The table provides a list of exploitable application vulnerabilities by subnet which do not have a patch published, detected over the last 30 days by using Nessus, Tenable Agent or Nessus Network Monitor.

Post Quantum Ciphers Analysis

Josef Weiss — Thu, 29 Jan 2026 12:54:26 -0500

Public-key cryptography is the invisible trust fabric which secures web browsing, VPN connectivity, cloud authentication, software updates, and identity verification. For decades, the global economy, national security apparatus, and critical infrastructure have relied on asymmetric cryptography—specifically RSA and Elliptic Curve Cryptography (ECC)—to secure this data. Their security rests on the mathematical difficulty of factoring large integers or solving discrete logarithm problems within any realistic timeframe. Quantum computing changes that assumption. Quantum computers utilize qubits, which combined with quantum entanglement, allows for massive parallelism in calculation. Tenable’s Research team has developed a series of plugins to help identify an organization's progress in mitigating this future threat.

While quantum systems, capable of shattering current encryption standards may be years away, there is a significant threat operational today, through a strategic doctrine of "Harvest Now, Decrypt Later" (HNDL). Adversaries can identify and capture and store encrypted data now, awaiting for future decryption when quantum decryption becomes readily available, and the data can be decrypted retroactively. For security leaders this creates a familiar strategic problem. Public-key cryptography is embedded everywhere: certificate authorities, TLS stacks, VPN gateways, secure email, identity providers, firmware signing, code pipelines, and cloud key management. The implications are catastrophic for current standards:

RSA-2048 and RSA-4096: Completely broken.
ECDH and ECDSA (Elliptic Curve): Completely broken.
Diffie-Hellman: Completely broken.

Tenable has a number of plugins that assist organizations, including:

277650 - Remote Services Not Using Post-Quantum Ciphers.
277652 - Target Cipher Inventory.
277653- Remote Services Using Post-Quantum Ciphers.

Understanding the impact of the transition to using Post Quantum Ciphers is where security teams need actionable insight, understanding where vulnerable cryptographic algorithms are deployed across their infrastructure. To support this visibility, Tenable provides the Post Quantum Ciphers Dashboard. This Security Center dashboard is designed to help organizations identify systems relying on cryptographic algorithms that will be vulnerable in a post-quantum world. Key features are the identification where RSA and ECC are currently deployed across your infrastructure, supporting prioritization of modernization efforts. Information within the dashboard assists organizations identify remote services using/not using post-quantum ciphers, including the identification of ciphers in Web Application Scanning (WAS) environments, and identifies potentially vulnerable ciphers, certificates and assets.

Organizations need a coherent operational strategy to navigate the migration. Based on NIST SP 1800-38 and CISA guidance, the following phased approach is recommended.

Phase 1: Automated Discovery -> Phase 2: Prioritization and Risk Assessment -> Phase 3: Remediation and Crypto-Agility -> Phase 4: Continuous Verification

This approach begins with establishing the baseline. Tenable Plugin 277652 (Target Cipher Inventory) Extends detection capabilities to cover cryptographic ciphers and algorithms discovered during the scan as a machine parsable JSON file attachment. Tenable Plugins 277653 (Remote Services Using Post-Quantum Ciphers) and 277650 (Remote Services Not Using Post-Quantum Ciphers) help filter the signal from the noise. Identify systems with the highest risk and the most critical data, allowing organizations to move quickly into the remediation phase. Regression is prevented naturally with Tenable’s ability to provide Continuous Verification by incorporating this assessment into regular scanning intervals.

Bottom line, these tactics allow for the surfacing of cryptographic dependencies across the environment, security teams gain the operational intelligence needed to begin structured migration planning today. Organizations that begin assessing exposure now, establish migration roadmaps, and integrate post-quantum readiness into security strategy will move through this transition deliberately and safely.

This Dashboard contains the following components:

Remote Services Not Using Post-Quantum Ciphers - This chart provides a port summary of findings that utilize plugin 277650 which identifies network services that do not offer post-quantum ciphers. Tenable makes no attempt to determine whether the remote service would be vulnerable to a post-quantum attack.
Post-Quantum Ciphers - This line chart shows counts of three separate queries to provide a historic understanding of the organization's progress in mitigating Post-Quantum Cipher related issues. The first query displays the count over time of the Remote Services not using Post-Quantum Ciphers plugin by utilizing the Remote Services. The second query displays the count over time of the Post-Quantum Ciphers by utilizing the Remote Services plugin. Lastly, the third query displays the count over time of the Ciphers Inventory plugin. By monitoring these counts over time, the risk management team can easily track progress and related mitigation efforts.
Remote Services Using Post-Quantum Ciphers - This chart provides a port summary of findings that utilize plugin 277653 which identifies network services that offer post-quantum ciphers and enumerates the post-quantum ciphers that they offer.
Target Cipher Inventory - This table utilizes the Target Cipher Inventory plugin which collects cryptographic ciphers and algorithms discovered during a Nessus scan. Using the IP Summary tool, this widget provides a per asset inventory of ciphers and algorithms.
Encryption Ciphers Detected by WAS - This table displays all the SSL/TLS plugins which were detected by WAS. The component displays this information by using the plugin name filter to look at plugin names containing ‘SSL/TLS’ in the name.
SSH Algorithms Detected by Nessus - This component displays any detected SSH algorithm plugin that was seen by Nessus. The widget utilizes the Plugin Name filter that matches on 'SSH.*Algorithm' this ensures the plugin names displayed show detected SSH algorithms.
Encryption Ciphers Detected by Nessus - This component displays any detected Cipher plugins that were seen by Nessus. The widget utilizes the Plugin Name filter with a regex match on ‘(Cipher Suites)|(SSL Ciphers)|(Weak Kerberos)’ this ensures the plugin names displayed show detected Ciphers.
Certificate Information Detected by Nessus - The component displays any detected SSL Certificate plugins that were seen by Nessus. The widget utilizes the Plugin Name filter to match on plugin names that contain 'SSL Certificate'.

Microsoft Rollup Patch Status

Cody Dumont — Mon, 24 Nov 2025 09:35:04 -0500

Tracking Rollups applied to host instead of individual updates provides faster verification of host patching for security and stability. Monitoring the application of Microsoft Rollups can be extremely difficult if an organization is not continuously scanning the environment with credentialed scans. Microsoft Rollups are critical as they encompass important security and system updates. Rollups enable you to bring your systems up to date with fewer updates, and will minimize administrative overhead to install a large number of updates. Analysts should track the installation and application of Microsoft Rollups to hosts for a clear picture of how effective the patch management process is being completed and, most importantly, if hosts are being secured with the most recent rollup patches.

A Rollup is defined by Microsoft as “a tested, cumulative set of updates. They include both security and reliability updates that are packaged together and distributed over Windows Update, WSUS, System Center Configuration Manager and Microsoft Update Catalog for easy deployment. The Monthly Rollup is product specific, addresses both new security issues and non-security issues in a single update and will proactively include updates that were released in the past.”

Leveraging the ability of Tenable's Tenable Security Center to use regular expressions, this dashboard provides an analysis of the last installed Microsoft Rollups by month and year. A matrix showing a twelve-month breakdown is displayed on the dashboard for each year from 2016 through 2026. As Microsoft Rollups are detected on hosts, indicators are highlighted for the specific months and years. Information provided in this dashboard gives analysts a clear picture of how effective the patch management process is working and the most current rollup patch installed.

Components

Microsoft Rollups 2016 - 2026: This dashboard as series of matrices that present a yearly analysis by month of fore years 2016 - 2026 Microsoft Rollups applied to hosts. As hosts are discovered having the specific Rollup applied, the box is highlighted in purple. Clicking on a highlighted indicator brings up the analysis screen, allowing further investigation of the hosts.

Subnets Missing Rollup Patch before Nov 2025: This table identifies assets that have been found to be missing Microsoft Rollups applied starting in Nov 2025. The filter uses a negative lookup to identify assets with 93962 and missing the Latest effective update level starting with 11_2025. These assets have not had resent rollup patches and require immediate attention. To view the details, click on View Data, then click on Go to Vulnerability Detail, and the plugin output will show information about the installed rollup patches.

Monitoring Internal Scans for PCI 11.3.1

Cody Dumont — Mon, 20 Oct 2025 08:00:00 -0400

The Payment Card Industry Security Standards Council (PCI SSC) maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe. The PCI SSC provides technical and operational requirements for organizations accepting or processing payment transactions. The guidance also applies to software developers and manufacturers of applications and devices used in those transactions.

PCI DSS helps entities understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. The standards have historically been revised on a 2-3 year cycle, but the PCI SSC is transitioning to a posture of revising the PCI DSS as required based on changes to the current threat landscape. The current standard revision is PCI DSS Version 4.x. Any organization that handles payment card information must comply with the PCI DSS and must demonstrate compliance annually. Tenable Security Center is able to help organizations monitor ongoing PCI DSS compliance.

As part of the PCI DSS version 4.x the requirement for authenticated internal vulnerability scanning was introduced. Tenable has always emphasized that credentialed scanning is required to get the most accurate information, now the PCI Council requires credentialed scanning where possible. The Council recognizes that all systems may not be accessible as part of a credentialed vulnerability scan, but those systems must be clearly documented. As part of the vulnerability scanning, Tenable uses two methods to perform elevated vulnerability scans, Nessus and Nessus Agents. Nessus vulnerability scans access the system over a network protocol such as SMB, SSH, and etc, while the Nessus Agents run a local version of the Nessus scan engine as a system level service. (Note: When using Nessus Agent, uncredentialed port scans are still required to identify open ports) There are benefits to each method, however each provides the ability to enumerate vulnerabilities based on the operating system, system configurations, and installed software.

As part of the requirement 11.3.1.2 (Internal vulnerability scans are performed via authenticated scanning), the internal systems located within the Cardholder Data Environment (CDE) are to be documented as accessible with and without credentials. Using Nessus to scan devices on the network will provide the necessary information as to the accessibility of a system using the defined protocols and supplied credentials. Nessus will report on the success of authentication and the status of collecting vulnerabilities. Once authenticated, Nessus will enumerate vulnerabilities found on the system. The vulnerabilities detected are identified using industry-recognized vulnerability databases and our research teams.

As directed in the 11.3.1 (Internal vulnerability scans are performed), the organization must conduct internal scans every three months and perform rescans to confirm all high and critical vulnerabilities are resolved. Tenable Security Center supports the scheduling of scans, allowing the assessment teams to continuously monitor the CDE accordingly. The dashboard consists of widgets that provide an overview of how internal scanning is being performed. These information based queries provide authentication, scan health, and diagnostic information to assist risk managers with ability to drill down into the appropriate data and better understand the problems that need to be addressed to mitigate risks or solve scan heath related issues. While the vulnerability based queries are filtered for high and critical severity vulnerabilities, along with other attributes such mitigation status, risk categories, and risk accepted; allowing assessors to focus on vulnerabilities of particular concerns identified during the scans. Identified vulnerabilities are tracked by time, severity, and host in order to provide multiple perspectives into the vulnerability status of the organization.

Tenable provides several solutions for organizations to better understand vulnerability management. Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable Vulnerability Management (formerly Tenable.io) discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirements for this report are: Tenable Vulnerability Management.

Widgets

PCI-DSS - Scan Health: This component provides details about authentication status and the scan process. The details include the most recent scan and the health of the scan. System and network devices must be routinely scanned to ensure they are operating in compliance with organizational and regulatory requirements for vulnerability and configuration management.
PCI-DSS - Scan Health Trending (50 Day trend): This chart provides a trend analysis about authentication status and the scan process. The evidence of scanning activities is often required by regulatory frameworks and Service Level Agreements (SLAs). The lines within the chart provide a historic view of how effective the scanning process has been over the past 50 days.
Understanding Risk - Details by Severity: This matrix presents details by severity on vulnerabilities found to exist in the environment. At each severity level, the number of vulnerabilities is displayed, along with three percentage columns and the number of hosts affected. The percentage columns show the percentages of the vulnerabilities that are exploitable, that were published more than 90 days ago, and that have had a patch available for more than 30 days. Ideally, all of these percentages should be 0%, because all exploitable vulnerabilities, old vulnerabilities, and vulnerabilities with patches available should have been mitigated already. If more details are desired (for example, what are the specific critical vulnerabilities that are exploitable?), click on the appropriate matrix cell to display more information.
InfoSec Team - Track Accepted and Recast Risk: This matrix tracks currently Accepted Risk and Recast Risk items. The Accepted Risk row displays vulnerabilities based on the associated Accepted Risk Workflow. The Recast Risk row displays vulnerabilities based on the associated Recast Risk Workflow. The accepting or recasting of risk has does not have any effect on VPR or CVSS scores. Both rows display the vulnerabilities by total, severity, exploitability, number of hosts, patch, or vulnerability being published. Workflow actions allow organizations to accept or recast risk and configure alerting. These functions allow organizations to be set rules on how notifications should occur so incoming vulnerabilities can be handled properly.
Mitigated Patch Rates - Remediation Rates: The matrix component displays vulnerabilities across categories of interest to analysts. The rows relate to time and assist analysts with context of vulnerability remediation efforts. Many organizations remediate vulnerabilities approximately every 30 days in line with vendor patch releases. The rows approximate the last two "patch cycles" to display efforts of vulnerability remediation within the organization.
Qualitative Risk Analysis - Vulnerabilities by Subnet: The Vulnerabilities by Subnet table provides a cumulative number of medium, high, and critical vulnerabilities for the top most vulnerable subnets. For each subnet, the total number of vulnerabilities is displayed, along with a bar chart of the vulnerabilities by severity (red = critical, orange = high, and yellow = medium). By grouping all detected vulnerabilities by IP address into representative Class C subnets, this table can assist an organization both in identifying the weakest areas of the network and in understanding the scope of the network. This information can help an organization detect unauthorized subnets or rogue devices.
Executive Vulnerability Metrics - Vulnerability Trend: This component presents a trend chart of both current and previously mitigated vulnerabilities over the last seven days. Information presented within this component can provide organizations with a comprehensive view into how often systems are being scanned, patched, and rescanned. Current vulnerabilities are identified and set to the “Never Mitigated” filter. When a vulnerability moves from the mitigated section to the active section, the mitigation status is set to "Previously Mitigated." Previously Mitigated or recurring vulnerabilities can be the result of systems not being restarted after a patch was applied, virtual systems reverting to previous snapshots, and services that were disabled or failed to restart. Organizations can use this component to focus efforts on remediating both current and previously mitigated vulnerabilities.

Cyber Essentials Section 5 - Patch Management

Josef Weiss — Wed, 17 Sep 2025 15:35:10 -0400

The Cyber Essentials is a UK government-backed framework which is designed to assist organisations in protecting themselves against common threats. The Cyber Essentials provides a basic cyber security foundation that can serve as a stepping stone to a more comprehensive zero-trust approach. The Cyber Essentials is built on 5 key components that, when implemented correctly, can reduce cyber risk. The five key components are:

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

Tenable has released a series of dashboards, that focuses on each of the five basic technical controls, which organisations can use to help strengthen their defences against the most common cyber threats.

The focus of this dashboard is Section 5 - Patch Management. Organisations which comply with Section 5 ensure they are actively fixing vulnerabilities before attackers can exploit them, reducing risk, and demonstrating responsible security practices. In addition to reducing risk, compliance demonstrates that organisations take security seriously, improving trust with customers, partners, and regulators.

This key component applies to all the following in scope devices: Boundary Firewalls, Desktop Computers, Laptops, Routers, Servers, Iaas, PaaS, and SaaS devices. Some items to focus on within this key component are:

Reducing exploitable weaknesses
Keeping devices and software secure
Limiting the window of risk (enforcing timely updates)

Components

Cyber Essentials (Patches Out of Compliance)- The table provides a detailed analysis of application vulnerabilities by comparing patch availability and release timelines for all identified application vulnerabilities where a vendor patch has been released over 14 days ago, with a CVSSv3 Score of 7.0 or greater.
Outstanding Remediations - Time Since Patch Publication (Assets) - The Outstanding Remediations - Time Since Patch Publication (Assets) component displays the total count of missing patches across the environment.
Application Patch Risk Summary - The Application Patch Risk Comparison component provides a detailed analysis of application vulnerabilities by comparing patch availability and release timelines between 'Most Targeted Apps' and 'Other Apps.'
Unsupported Product Summary - Unsupported Applications - The Unsupported Product Summary table displays all unsupported applications by name, sorted by count.
Unsupported Product Summary - Operating Systems - This indicator matrix reports on operating systems that are no longer supported.
Top 50 Missing MS Security Patches - This component displays the top 50 most common missing Microsoft security patches.
InfoSec Team - One-Stop-Shop Comprehensive Attack Surface - Mitigation SLAs - This matrix assists with InfoSec teams map mitigation progress and presents data to determine if organizational SLAs are being met.

Cyber Essentials Section 4 - Malware Protection

Josef Weiss — Wed, 17 Sep 2025 15:33:13 -0400

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

The focus of this dashboard is Section 4 - Malware Protection. Malware threats are one of the most common and damaging cyber threats. The primary objective is to defend against threats, such as malware, viruses, ransomware, and others. Section 4 ensures you have an active protection in place for protection. Active protection helps prevent business disruptions from downtime, and costly recovery efforts.

Compliance with Section 4 builds trust with customers and suppliers by demonstrating that your organisation takes cyber security seriously. Compliance also assists in meeting contractual and regulatory obligations, and may provide a competitive advantage.

Ensuring Anti-Malware software is in use
Ensuring Anti-Malware software is kept up to date
Ensuring applications are protected against malware and exploitation

Components

Exploitable by Malware - Exploitability Matrix - This component is an indicator matrix of exploitable vulnerabilities.
Anti-Virus Summary - Outdated Anti-Virus Clients - The Outdated Anti-Virus Clients component can assist organizations in monitoring the network for outdated anti-virus clients.
Anti-Virus Summary - Malware Protection Compliance Checks - The Malware Protection Compliance Checks component provides a summary of malware protection compliance checks.
Exploitable by Malware - Top 100 Malware Vulnerable Hosts - This component provides a host summary of systems with vulnerabilities that are known to be exploitable by malware.

Cyber Essentials Section 3 - Access Control

Josef Weiss — Wed, 17 Sep 2025 15:20:41 -0400

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

The focus of this dashboard is Section 3 - Access Control. This key requirement supports the goal of reducing an organisation’s risk from the most common cyber threats. The Cyber Essentials focuses on preventing high impact attacks, such as phishing, malware infection, and unauthorized access. Strong access control can limit the number of accounts which attackers can compromise, ensuring that individuals only have access which is required to perform job functions.

Administrative privileges are tightly controlled and monitored
No shared accounts, every user must have their own unique account for auditing
Access is granted on the principles of least privilege
- Users should have the minimum level of privileges to carry out their duties
Strong passwords must be enforced
Stale accounts are removed
- User accounts should be reviewed regularly
Use multi-factor authentication (MFA)

Components

Authentication and Access Control - Compliance Checks - This component displays compliance information in the areas of user access, least privilege, password and authentication requirements, and administrative/root account control.
Default Credentials Summary - Default Credentials - The Default Credentials table presents hosts with default account names, default passwords, or default credentials in use.
InfoSec Team - Insecure items, Weaknesses and Default Credentials - The matrix displays host counts based on the type of scan results collected for common security misconfigurations, including: security weakness, insecurity, cleartext disclosure, and password concerns.
Account Weakness - Top 50 Account Compliance Issues - This table displays the top 50 compliance issues with 'account' in their name. Note that in order for data to appear in this table, appropriate audit/compliance scans must first be run on the network.