TTechclick ⚡ XP 0% All lessons
Tenable · Vulnerability Management · SensorsInteractive · L1 / L2 / L3

Tenable Agents & NNM Sensors — Placement, Linking & Scan Strategy

Tenable Vulnerability Management gives you three sensor types to cover every asset: authenticated Nessus scanners for reachable targets, lightweight Nessus Agents for laptops and cloud workloads that drift off the network, and Nessus Network Monitor (NNM) for passive discovery of devices that refuse active scanning. This lesson maps all three, shows when and why to choose each, and walks through agent groups, scanner placement, linking, and a scan strategy that leaves no blind spots.

📅 2026-06-20 · ⏱ 18 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Deep dive into Tenable Nessus Agents and Network Monitor sensors for 2026: when to deploy agents vs scanners, passive NNM discovery, scanner placement, linking, agent groups, and scan strategy for full coverage.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Three sensor types

Agent, scanner, NNM — what each one is.

 2

Nessus Agents deep dive

When, why, groups, offline scan, linking.

 3

NNM passive discovery

Traffic-based fingerprinting, what it finds.

 4

Placement & scan strategy

Segments, linking, coverage gaps, tuning.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can a Nessus Agent scan a laptop that is off the corporate network?

Answered in Nessus Agents deep dive.

2. What does Nessus Network Monitor actually inspect?

Answered in NNM passive discovery.

3. Why does scanner placement matter in a segmented network?

Answered in Placement & scan strategy.

Most engineers think…

Most people assume Tenable VM is 'just Nessus running authenticated scans'. That works fine on a flat, always-on server estate — and almost nowhere else.

Modern environments have laptops that leave the office, cloud workloads that spin up and down, IoT and OT devices that reject active scans, and segmented networks with firewall rules that block scanner traffic. Tenable's answer is a three-sensor model: Nessus Agents for hosts that drift or sit behind firewalls, Nessus Network Monitor (NNM) for passive discovery of what you cannot or should not touch with an active scan, and Nessus Scanners for authenticated deep scanning of reachable targets. Linking all three to a central console (Tenable.io or Security Center) is what gives you the unified, deduplicated asset inventory that makes VM work at scale.

① Three sensor types — Agent, Scanner and NNM

Tenable Vulnerability Management is built around three complementary sensor types, each filling a gap the others cannot. A Nessus Agent lives on the host, scans locally and uploads results. A Nessus Scanner sits on the network and fires authenticated plugin checks at remote targets it can reach. Nessus Network Monitor (NNM) never sends a probe — it watches a mirror of your traffic and infers asset existence and vulnerability from observed protocols.

The key interview insight: no single sensor type gives full coverage. Agents catch the transient laptop and the cloud workload. NNM catches the unmanageable printer and the OT controller. The scanner catches the stable server with rich plugin output. All three report back to Tenable.io (cloud) or Tenable Security Center (on-prem) to form a deduplicated asset inventory.

Figure 1 — Three sensors, one Tenable console
All three sensor types report to the same Tenable console, forming a unified, deduplicated asset and vulnerability inventory.Three sensors, one Tenable consoleTenable.io/ Security CenterNessus ScannerNessus AgentNNM (passive)Cloud ConnectorOT Security feed
All three sensor types report to the same Tenable console, forming a unified, deduplicated asset and vulnerability inventory.
Quick check · Q1 of 10 · Understand

Which Tenable sensor type never sends a probe packet to any host?

Correct: c. NNM is a purely passive sensor — it inspects a mirror copy of network traffic via SPAN or TAP and infers asset and vulnerability data from observed protocols, without sending any probe to the targets.
👉 So far: Three sensor types: Nessus Agent (host-local, offline-capable), Nessus Scanner (active, authenticated, reach-dependent), NNM (passive, traffic-mirror, no probes) — all reporting to one Tenable console.

② Nessus Agents — when, why, groups & linking

Deploy a Nessus Agent when any of these apply: the host leaves the corporate network (a salesperson's laptop), the host sits in a cloud VPC behind a security group that blocks inbound scan traffic, the host is in a network segment with no scanner and punching firewall rules is impractical, or you need offline scan results for a system that is rarely online during scheduled windows. The agent checks in on a schedule, runs the full plugin set locally against the host itself, and uploads a compressed result package — no inbound TCP to the host required.

Agent groups and scan strategy

Agent groups let you apply different scan policies to different asset classes — for example, 'Windows Workstations', 'Linux Cloud Instances', 'CI/CD Runners'. An agent registers by downloading an install package, running the nessuscli agent link command with a linking key, and completing the linking workflow. After linking, the agent checks in at regular intervals (configurable, typically every few minutes), receives its scan schedule, runs locally, and posts results to the manager.

Figure 2 — Agent lifecycle — link to results upload
From install to result, a Nessus Agent needs no inbound network access — only outbound HTTPS to the manager.Agent lifecycle — link to results uploadInstallpackage on hostLinklinking key + groupCheck-inschedule & policyLocal scanplugins run on hostUploadcompressed results
From install to result, a Nessus Agent needs no inbound network access — only outbound HTTPS to the manager.
🤖
Nessus Agent
tap to flip

A lightweight daemon on the target host. Scans locally, uploads results. No inbound network access needed. Ideal for laptops, cloud, and segmented hosts.

📡
Nessus Scanner
tap to flip

An active scanner that fires authenticated plugin checks at reachable targets. Needs credentials and network access. Delivers the deepest plugin coverage per host.

👁️
NNM (passive)
tap to flip

Receives a SPAN/TAP copy of traffic. Discovers assets and vulnerabilities from protocol banners and flow patterns — no probe packets ever sent.

🔗
Agent linking key
tap to flip

A token used during agent registration (nessuscli agent link) to pair the agent with a manager or group. Determines which scan policy the agent receives.

Agent groups = scan policies, not just labels

Agent groups do more than organise assets — they determine which scan policy (plugin set, schedule, scan window) an agent receives. Create groups by asset class (Windows Workstation, Linux Server, CI/CD Runner) so plugin sets stay relevant and you avoid running Windows-only checks on Linux hosts.

Quick check · Q2 of 10 · Apply

A salesperson's laptop leaves the office network for two weeks. Which sensor ensures vulnerability data is still collected?

Correct: b. A Nessus Agent scans locally on the host regardless of network location and uploads results when it can reach the manager — offline or remote laptops are exactly the use case agents are designed for.
👉 So far: Agents are for hosts that drift, sit behind firewalls, or need offline scans. They link with a key, join a group that sets their policy, scan locally, and upload results outbound — no inbound access needed.

③ Nessus Network Monitor (NNM) — passive discovery

NNM is Tenable's passive sensor. It receives a copy of network traffic via a SPAN port or network TAP, inspects the protocols flowing through it (HTTP, TLS banners, SMB, FTP, SIP, modbus, and many more), and uses that traffic fingerprint to detect asset existence, software versions, and known-vulnerable protocol behaviours — without sending a single probe packet to any host.

What NNM finds that active scans miss: transient devices that are online only briefly, IoT and OT controllers that crash or misbehave under active scanning, rogue assets talking on the wire that are not in any CMDB, and cleartext credential use or deprecated protocols (Telnet, SNMPv1) detected in traffic. NNM findings are vulnerability data too — they appear in the Tenable console alongside active-scan results and contribute to the asset inventory. NNM does not replace agents or scanners; it adds the dimension of what is actually on the wire.

Figure 3 — What NNM discovers from traffic
NNM layers passive findings from protocol banners, flow metadata, and known-vulnerable behaviour patterns.What NNM discovers from trafficAsset existenceIP, MAC, hostname from observed trafficSoftware versionsHTTP, TLS, SMB, SIP, Modbus bannersVuln behaviourdeprecated protocols, cleartext creds, CVE-matched bannersRogue & transientdevices on-wire but absent from CMDB
NNM layers passive findings from protocol banners, flow metadata, and known-vulnerable behaviour patterns.
'NNM is enough for OT networks' is dangerous

NNM's passive approach is safe for fragile OT/ICS devices, but passive-only coverage means you only know about vulnerabilities that manifest in observable traffic. Silent, unpatched hosts that are not actively communicating may never be fingerprinted. Supplement NNM with agents on any OT host that has a supported OS and can run the agent safely.

▶ Watch a Nessus Agent scan and upload results

Step through the agent lifecycle end-to-end: link, check-in, local scan, upload. Press Break it to see what happens when the linking key is wrong.

① LinkThe agent runs 'nessuscli agent link' with the linking key and manager hostname, registering with Tenable.io and joining the assigned agent group.
② Check-inAt the scheduled interval the agent checks in, downloads its scan policy (plugin set, scan window, settings) from the manager.
③ Local scanThe agent runs Nessus plugins locally against the host — no network probes outbound, all checks are self-directed on the local OS.
④ UploadThe agent compresses and uploads the scan result over outbound HTTPS to Tenable.io. Results appear in the console within minutes.
Press Play to step through the healthy agent lifecycle. Then press Break it.
Quick check · Q3 of 10 · Analyze

NNM detects Telnet sessions on the wire. What is this an example of?

Correct: b. NNM identifies deprecated or insecure protocol use (Telnet, SNMPv1, cleartext creds) from observed traffic patterns — a passive vulnerability finding that active scanners may miss if the host is not in scope.
👉 So far: NNM watches a SPAN/TAP copy of traffic and discovers assets, software versions, rogue devices, and insecure protocols without sending a single probe — the safety net for unmanageable and transient hosts.

④ Scanner placement, linking & full-coverage strategy

In a segmented network, a Nessus Scanner can only reach hosts in segments it has a routed and firewall-permitted path to. The standard placement model: one scanner (or a clustered pair for HA) per network zone, each scanner linked to Tenable.io via an outbound HTTPS connection — no inbound firewall holes required. Scanners with no direct path to Tenable.io can chain through a linked scanner relay.

Full-coverage recipe

Combine all three sensors: Agents on every managed endpoint (laptop, cloud VM, container host where the OS is accessible), one NNM sensor per SPAN-capable switch segment for passive discovery, and authenticated Nessus Scanners in each zone for deep server-class checks. Set agent groups by asset class so plugin sets stay relevant and scan windows do not collide with production change freezes. Review the asset inventory weekly for NNM-only hosts (no agent, no scanner result) — those are your blind spots to address next sprint.

Figure 4 — Nessus Agent vs authenticated Scanner
Choose by asset mobility, firewall posture, and whether the host can receive inbound connections from a scanner.Nessus Agent vs authenticated ScannerNessus AgentRuns locally on the hostNo inbound firewall rule neededScans offline or transient hostsBest for laptops, cloud VMsLighter per-host network impactNessus ScannerScans from network to targetNeeds reachability + credentialsFull plugin depth on serversBest for stable, on-net hostsCovers hosts without agent install
Choose by asset mobility, firewall posture, and whether the host can receive inbound connections from a scanner.

Priya at a Mumbai fintech firm faces this

Tenable.io shows a large cloud VPC with hundreds of EC2 instances all marked 'never scanned'. The scheduled Nessus Scanner sits on the on-prem network and cannot reach the VPC because the security group allows only outbound traffic from the instances.

Likely cause

The Nessus Scanner is placed on-prem with no routed, permitted path into the cloud VPC, so active scans never reach the EC2 hosts.

Diagnosis

Check Tenable.io ▸ Assets — filter by 'last scan source = none'. Confirm scanner logs show connection refused or timeout for the VPC IP range. The security group only permits outbound, not inbound from scanner IP.

Tenable.io ▸ Settings ▸ Sensors ▸ Agents & Scanners + AWS EC2 Security Group
Fix

Deploy Nessus Agents on the EC2 instances via a user-data bootstrap or AWS Systems Manager. Assign the agents to a 'Cloud-Linux' agent group with an appropriate plugin policy. Agents check in outbound to Tenable.io — no inbound security group rule needed.

Verify

After next check-in cycle, the EC2 instances appear in Tenable.io with agent scan results and a 'last scan = today' timestamp. The 'never scanned' filter returns zero results for that VPC.

Prove coverage with the asset inventory filter

After deploying sensors, filter Tenable.io Assets by 'scan source'. Hosts with only an NNM entry need an agent or scanner. Hosts with no entry at all are completely invisible — check your CMDB against the inventory and add sensors to every segment that shows a gap.

Quick check · Q4 of 10 · Evaluate

Your audit shows hundreds of NNM-only assets — hosts with no agent and no scanner result. What is the right next step?

Correct: c. NNM-only hosts are a coverage gap — you have passive evidence they exist but no authenticated scan data. The goal is to close the gap by deploying agents or adding scanner reachability to those segments.
👉 So far: Full coverage = agents on every managed endpoint + one NNM per SPAN-capable segment + authenticated scanners in every reachable zone. NNM-only assets in the inventory are blind spots to close next sprint.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which command is used to register a Nessus Agent with a manager?

Correct: b. The correct command is 'nessuscli agent link' with the linking key and manager hostname. This registers the agent, assigns it to a group, and initiates the first check-in for policy download.
Q6 · Understand

Why is NNM described as 'safe for OT and ICS devices' while active scanners are not?

Correct: c. Active scanning sends probe traffic to targets. Many OT/ICS PLCs and controllers crash or misbehave when they receive unexpected TCP connections. NNM observes a traffic mirror and sends nothing to any host, making it safe for these fragile devices.
Q7 · Apply

You have 500 EC2 instances in a VPC with an outbound-only security group. Which sensor covers them?

Correct: a. Agents only need outbound HTTPS to Tenable.io — they match the outbound-only security group perfectly. NNM needs a SPAN mirror which is not available in standard VPC configurations. An inbound-allowed scanner would require security group changes that break the outbound-only posture.
Q8 · Analyze

The Tenable asset inventory shows a host with vulnerability data sourced only from NNM. What does this mean?

Correct: d. An NNM-only host means passive traffic analysis detected it, but no agent or authenticated scanner has ever scanned it. This is a coverage gap — you have limited and potentially inaccurate vulnerability data. The right action is to deploy an agent or add scanner coverage to that segment.
Q9 · Evaluate

What is the strongest reason to create separate agent groups for Windows workstations and Linux servers?

Correct: c. Agent groups assign the scan policy, plugin set and schedule. Windows-only plugins on Linux waste scan time and add noise; Linux checks on Windows miss Windows-specific vulnerabilities. Groups also let you stagger scan windows to avoid colliding with production change freezes — the primary operational reason to separate asset classes.
Q10 · Evaluate

A scanner in Zone A cannot reach hosts in Zone B due to firewall rules. What is the correct architectural fix?

Correct: b. Adding a scanner inside Zone B (which can reach Zone B hosts directly) or deploying agents (which need only outbound HTTPS) is the correct placement fix. Opening all firewall rules between zones is a security anti-pattern. NNM-only coverage is a gap, not a solution. Add sensors where they can reach their targets.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why does a three-sensor model (agent + scanner + NNM) give better coverage than any one sensor alone? Then compare with the expert version.

Expert version: Agents cover hosts that drift off-network or sit behind firewalls that block inbound scans; scanners give the deepest authenticated plugin coverage for stable, reachable hosts; and NNM passively discovers transient, unmanageable, and rogue devices that neither agents nor scanners can see. Each sensor fills the blind spots of the other two, and all three report to a single console for a unified, deduplicated asset inventory.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Nessus Agent
A lightweight daemon installed on the target host that runs Nessus vulnerability checks locally and uploads results to the manager — requires no inbound network access.
Nessus Network Monitor (NNM)
A passive sensor that receives a mirror copy of network traffic (via SPAN or TAP) and fingerprints assets and vulnerabilities from observed protocol behaviour, without sending any probe.
Agent group
A logical collection of Nessus Agents sharing a scan policy, plugin set and schedule. Created per asset class (Windows, Linux, cloud) to ensure relevant checks and controlled scan windows.
Linking key
A token used during 'nessuscli agent link' to register an agent with a Tenable manager and assign it to an agent group. Must be current and match the target manager.
SPAN port / TAP
A Switched Port Analyzer port or hardware TAP that mirrors network traffic to a monitoring sensor like NNM, giving it a read-only copy of all packets on a segment.
Scanner placement
The decision of where to deploy Nessus Scanners in a segmented network so they have routed, firewall-permitted access to the target hosts they need to scan.
Passive discovery
The NNM technique of inferring asset existence and vulnerability from observed network traffic, without actively probing targets.
Coverage gap
An asset that appears in the Tenable inventory with NNM-only data (or no data at all) — meaning no agent or authenticated scanner has ever scanned it.

📚 Sources

  1. Tenable — Nessus Agent deployment and linking guide. docs.tenable.com/nessus/Content/NessusAgents.htm
  2. Tenable — Nessus Network Monitor (NNM) overview and deployment. docs.tenable.com/nnm
  3. Tenable — Tenable.io sensor types: scanners, agents and NNM. docs.tenable.com/tenableio/Content/Sensors.htm
  4. Tenable — Agent groups: creating, managing and assigning scan policies. docs.tenable.com/tenableio/Content/AgentGroups.htm
  5. Tenable — Scanner placement and linked scanner relay architecture. docs.tenable.com/tenableio/Content/ScannerDeployment.htm
  6. Tenable — Tenable Security Center sensor management and coverage best practices. docs.tenable.com/security-center

What's next?

Got the sensor landscape? Next, go deep on Tenable plugin families, CVSS scoring, and how Tenable prioritises vulnerabilities using VPR and Asset Criticality Ratings so your remediation team tackles the right risks first.

Next · All interview lessons → Practice on exam.techclick.in →