TTechclick ⚡ XP 0% All lessons
Tenable · Vulnerability Management · Security CenterInteractive · L1 / L2 / L3

Tenable Security Center — On-Prem Architecture, Repos & ARCs

Tenable Security Center is the on-premises vulnerability management platform built on Nessus — one central console that aggregates scanner results into repositories, drives compliance dashboards, and delivers Assurance Report Cards so CISOs can answer 'are we secure?' in plain language. This lesson maps the architecture, explains repositories and ARCs, and helps you decide when SC beats the cloud option.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Tenable Security Center (2026): SecurityCenter architecture, scan repositories, dashboards, Assurance Report Cards, and when to choose on-prem SC over cloud Tenable Vulnerability Management.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

What SC is

On-prem VM platform, Nessus-powered, one console.

 2

Architecture

Console, scanners, repositories and data flow.

 3

Dashboards & ARCs

From raw vulns to CISO-ready pass/fail cards.

 4

SC vs cloud & deploy

On-prem choice, sizing, air-gap and hybrid.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Tenable Security Center a cloud SaaS product?

Answered in What SC is.

2. What does SC store scan results in?

Answered in Architecture.

3. What is an Assurance Report Card (ARC)?

Answered in Dashboards & ARCs.

Most engineers think…

Most people picture Tenable as 'just Nessus' — you run a scan, get a CSV of CVEs, done. That mental model misses the whole point of Security Center.

Tenable Security Center is a management platform, not a scanner. The scanner is Nessus. SC is the central console that collects results from many scanners, organises them into repositories, drives dashboards, and generates Assurance Report Cards (ARCs) — configurable pass/fail statements that let a CISO answer 'are we patched?' or 'are we PCI-compliant?' without reading a 500-row spreadsheet. Understanding the SC layer — and why you would choose it over the cloud option — is what separates a junior VM analyst from an architect.

① What Tenable Security Center actually is — on-prem VM with Nessus at the core

Tenable Security Center (SC) is Tenable's on-premises vulnerability management platform. At its core, Nessus scanners run credentialed or uncredentialed scans against hosts; SC is the management layer above them — the console where you schedule scans, store results, build reports and set policy.

The key identity: SC lives entirely on infrastructure you control. Your data never leaves your network. That makes it the right choice for organisations with strict data residency rules, air-gapped environments, or compliance mandates that prohibit cloud-hosted vulnerability data. In contrast, Tenable Vulnerability Management (formerly Tenable.io) is the SaaS alternative hosted in Tenable's cloud.

SC's licence model is typically IP-based and perpetual (plus annual maintenance), whereas Tenable Vulnerability Management uses a subscription. Both use the same underlying Nessus scan engine and plugin library — the difference is where the management console and data live.

Figure 1 — SC scan-to-insight loop
Every vulnerability finding in SC follows a five-step loop from scheduled scan to ARC policy answer.SC scan-to-insight loopSchedulescan policy + targetsScanNessus active/agentIngestresults to repositoryAnalysedashboard + reportsARCpass/fail for CISO
Every vulnerability finding in SC follows a five-step loop from scheduled scan to ARC policy answer.
Quick check · Q1 of 10 · Understand

Tenable Security Center is best described as…

Correct: b. SC is the on-premises management layer above Nessus scanners — the console, repositories, dashboards and ARCs all live on infrastructure you control.
👉 So far: Tenable SC = on-premises VM platform powered by Nessus — data stays on your infrastructure, unlike cloud Tenable Vulnerability Management.

② SecurityCenter architecture — console, scanners and repositories

The SC architecture has three logical tiers. At the bottom are Nessus scanners (and optionally Nessus Network Monitor for passive traffic analysis, or Nessus Agents for offline endpoints). Above them is the Security Center console — a Linux-based appliance or VM that orchestrates scans, receives results and stores them. At the top are the users and integrations — security analysts, CISO dashboards and SIEM feeds.

Repositories — the heart of the data model

Repositories are the key architectural concept. A repository is a logical data store inside SC that holds scan results for a defined IP range. You create separate repositories for different segments — production, DMZ, OT, cloud-migrated hosts — and assign RBAC to each. Active-scan repositories hold results from Nessus active scans; passive repositories hold data from Nessus Network Monitor; agent repositories hold results from Nessus Agents on endpoints that scan themselves. Repositories are also the unit of data retention and trending — SC keeps historical snapshots so you can track patch velocity over time.

Figure 2 — SC architecture layers
Tenable SC is three logical layers: scan engines at the bottom, the SC console in the middle, and users and integrations at the top.SC architecture layersUsers & IntegrationsAnalysts, SIEM, ticketing, exec dashboardsSecurity CenterConsole, repositories, ARCs, RBACScan EnginesNessus, NNM passive, Nessus Agents
Tenable SC is three logical layers: scan engines at the bottom, the SC console in the middle, and users and integrations at the top.
🖥️
SC Console
tap to flip

The central management layer — schedules scans, stores results in repositories, hosts dashboards, ARCs and reports. Runs on Linux on-prem.

🔍
Repository
tap to flip

A logical data store inside SC for a defined IP range. Separate repos per segment (prod, DMZ, OT). The unit of RBAC, retention and trending.

📊
Dashboard
tap to flip

Real-time component-based views of repository data. Hundreds of framework-aligned templates (PCI, NIST, CIS). The daily SOC analyst tool.

Assurance Report Card
tap to flip

A set of pass/fail policy statements answered automatically from live repository data. The CISO-facing layer — business-language questions, no raw CSV needed.

Repos are your segmentation unit

In an interview, be specific: repositories are not just storage — they are the unit of RBAC, data retention and trending in SC. One repo per network segment (prod, DMZ, OT, cloud subnet) lets you give different teams visibility into their own data without cross-polluting findings.

Quick check · Q2 of 10 · Remember

What is a repository in Tenable Security Center?

Correct: c. A repository is the core data model in SC: a logical container for scan results scoped to an IP range, with its own RBAC, retention and trending.
👉 So far: Repositories are SC's core data model: one per network segment, each with its own RBAC, retention and historical trending for patch velocity.

③ Dashboards and Assurance Report Cards — turning data into answers

Raw vulnerability data is useless without context. SC's dashboards are customisable views built from dashboard components — widgets that query the repository data in real time. Tenable ships hundreds of pre-built dashboard templates aligned to frameworks (PCI DSS, NIST, ISO 27001, CIS Controls) and you can build custom ones. Dashboards are the daily tool for the SOC analyst.

Above dashboards sit Assurance Report Cards (ARCs) — SC's executive layer. An ARC is a collection of policy statements that each return a simple pass or fail based on live repository data. A CISO writes the questions in business language — 'Are all critical-severity vulnerabilities remediated within 30 days?' — and SC answers them automatically every time the dashboard loads. ARCs were the industry's first such feature and remain the headline SC differentiator for compliance-driven organisations.

Reports are the third tier — scheduled PDF or HTML exports from dashboards or ARCs. They cover audit evidence, executive summaries and asset-level detail, and can be distributed automatically by email.

Figure 3 — SC console — one hub, many data feeds
The SC console is the central hub: it receives data from all scanner types and serves dashboards, ARCs and reports to all consumer roles.SC console — one hub, many data feedsSC ConsoleRepositories + RBACNessus (active)NNM (passive)Nessus AgentsDashboardsARCsSIEM / tickets
The SC console is the central hub: it receives data from all scanner types and serves dashboards, ARCs and reports to all consumer roles.
'SC is just Nessus with a UI' undersell

Interviewers catch people who conflate the scanner with the platform. Nessus is the scan engine; SC is the management layer: repositories, multi-scanner orchestration, RBAC, dashboards, ARCs and scheduled reports. Always separate the two layers.

▶ Watch a credentialed scan become an ARC pass/fail result

How one scheduled scan flows from Nessus through a repository to an ARC policy statement. Press Play for the healthy path, then Break it to see the classic failure.

① Scan runsSC triggers a credentialed Nessus scan against the production repository IP range on schedule.
② Results ingestNessus sends scan results to the SC console; they are stored and indexed in the production repository.
③ Dashboard updatesReal-time dashboard components query the repository and show current critical/high/medium counts.
④ ARC evaluatesThe ARC policy statement 'All criticals patched within 30 days' queries the repo, finds zero overdue criticals and marks the statement PASS.
Press Play to step through the healthy scan-to-ARC path. Then press Break it.
Quick check · Q3 of 10 · Apply

A CISO wants to see 'Are all critical vulnerabilities patched within 30 days?' answered automatically. Which SC feature delivers this?

Correct: a. ARCs are exactly this: configurable pass/fail policy statements in business language, answered automatically by querying live repository data — no manual report reading needed.
👉 So far: Dashboards = daily SOC view of live repo data. ARCs = CISO-facing pass/fail policy statements answered automatically — no manual reporting needed.

④ SC vs Tenable Vulnerability Management — choosing and deploying right

The decision between SC and Tenable Vulnerability Management (cloud) is primarily about data residency and control, not features. Choose SC when: regulations require data on-premises (GDPR specific clauses, government mandates, defence sector); the environment is air-gapped or has limited internet access; your licence model suits perpetual IP-based billing; or you need deep custom repository segmentation with local RBAC. Choose Tenable Vulnerability Management when: faster onboarding matters; you scan ephemeral cloud assets (AWS, Azure, GCP) at scale; Tenable manages upgrades and HA; or you want Lumin (Tenable's risk-scoring layer) fully integrated.

Deploy SC sanely

Size the SC console VM with enough RAM and disk for your repository retention period — large estates scanning frequently fill disk fast. Place Nessus scanners inside each network segment (avoid scan traffic crossing firewalls when possible). Run credentialed scans (SSH/WMI) for deep coverage — uncredentialed scans miss most software vulnerabilities. Start with monitor-only mode on new segments, review false positives, tune plugin families, and build ARCs aligned to your compliance framework before going to a full board report.

Figure 4 — SC (on-prem) vs Tenable VM (cloud)
Same Nessus engine under the hood — the difference is where data and control live.SC (on-prem) vs Tenable VM (cloud)Tenable SC (on-prem)Console on your serversData never leaves your networkIP-based perpetual licenceBest for air-gap and dataTenable VM (cloud)SaaS console, Tenable-hostedEphemeral cloud asset scanningSubscription asset-based licenceBest for speed and SaaS scale
Same Nessus engine under the hood — the difference is where data and control live.

Ravi at a Mumbai bank faces this

The bank's new Tenable SC deployment produces thousands of critical findings, but the CISO cannot tell whether the patching programme is actually working — there is no trend data and board reports are raw CVE lists.

Likely cause

Repositories were set up as one single repo for all 10,000 IPs with no segmentation, dashboards were not configured, and no ARCs were created after deployment.

Diagnosis

Open SC ▸ Repositories — one repo with all assets; no component-level RBAC; no historical trending enabled. ARCs tab is empty.

SC Console ▸ Repositories ▸ Dashboards ▸ Assurance Report Cards
Fix

Split into segment repos (core banking, DMZ, ATM network). Enable trending on each. Build a 'PCI Compliance' ARC with policy statements for patch SLA, critical vuln count and scan coverage. Schedule a weekly board-facing report from the ARC.

Verify

ARC shows green pass/fail per statement; trending graph shows critical vuln count falling week-on-week; CISO signs off the board slide without touching a spreadsheet.

Prove compliance from the ARC, not a hunch

Never answer an auditor with 'we run Nessus scans'. Show the ARC policy statement, its pass/fail result, the repository it queries, and the scan schedule feeding it. That chain — scan ▸ repo ▸ ARC ▸ statement — is the audit evidence chain in SC.

Quick check · Q4 of 10 · Analyze

An organisation must keep all vulnerability scan data within its own national borders due to a government mandate. Which Tenable platform fits?

Correct: b. SC stores all data on-premises on infrastructure the organisation controls, satisfying data residency mandates. Tenable Vulnerability Management is cloud-hosted by Tenable and cannot satisfy strict on-prem data residency requirements.
👉 So far: Choose SC over cloud when data residency or air-gap is required; choose Tenable VM when cloud scale and fast onboarding matter. Both use the same Nessus engine.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which component in Tenable SC stores scan results for a defined IP range?

Correct: b. Repositories are the core data model in SC — logical containers that store scan results for a defined IP range with their own RBAC, retention and trending.
Q6 · Understand

What distinguishes an Assurance Report Card (ARC) from a regular SC dashboard?

Correct: c. ARCs evaluate configurable policy statements (e.g. 'Are all criticals patched within 30 days?') against live repository data and return pass/fail — the CISO executive layer. Dashboards are the analyst real-time view.
Q7 · Apply

A Nessus scanner runs an uncredentialed scan and the SC repository shows far fewer findings than expected. Most likely cause?

Correct: d. Most Nessus vulnerability plugins require local host access via SSH (Linux) or WMI (Windows). Without credentials the scanner only sees open ports and network services, missing the vast majority of software CVEs.
Q8 · Analyze

Why are separate repositories recommended per network segment in SC?

Correct: b. Repos are the unit of RBAC, retention and trending. Separate repos per segment (prod, DMZ, OT) let different teams see their own data, set their own retention, and track patch velocity independently.
Q9 · Evaluate

An interviewer asks why a defence contractor chose Tenable SC over Tenable Vulnerability Management. Best answer?

Correct: c. The primary SC differentiator over cloud Tenable VM is data residency and control: all data stays on-prem, satisfying air-gap and regulatory mandates. Both platforms use the same Nessus engine and plugin library.
Q10 · Evaluate

What is the audit evidence chain a security team should present to prove compliance using SC?

Correct: c. The SC audit evidence chain is: scan schedule (proves regularity) ▸ repository (stores the raw findings) ▸ ARC policy statement result (proves automated compliance evaluation). A raw CSV proves nothing about remediation SLAs; a licence certificate is administrative, not technical.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the difference between a Tenable SC repository and an Assurance Report Card? Then compare with the expert version.

Expert version: A repository is the on-disk data store inside SC that holds scan results for a defined IP range — it is where all Nessus findings live, with RBAC, retention and trending attached. An Assurance Report Card (ARC) is a set of business-language pass/fail policy statements that query one or more repositories to answer compliance questions automatically. The repository is the raw data layer; the ARC is the interpretation and executive presentation layer built on top of it.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Tenable Security Center (SC)
Tenable's on-premises vulnerability management platform — the management console above Nessus that hosts repositories, dashboards, ARCs and reports.
Repository
A logical data container inside SC holding scan results for a defined IP range, with its own RBAC, data retention and historical trending.
Assurance Report Card (ARC)
A set of configurable pass/fail policy statements in business language, answered automatically by querying live repository data — SC's executive compliance layer.
Nessus
Tenable's vulnerability scanner that performs active credentialed or uncredentialed scans and feeds results into SC repositories.
Nessus Network Monitor (NNM)
Passive traffic analysis component that monitors network flows without sending scan packets — its results feed passive repositories in SC.
Nessus Agent
A lightweight agent installed on endpoints that runs local scans without needing network access to the host — results feed agent repositories in SC.
Tenable Vulnerability Management
Tenable's cloud-hosted SaaS VM platform (formerly Tenable.io) — same Nessus engine as SC but console and data hosted by Tenable.
Credentialed scan
A Nessus scan that uses SSH or WMI credentials to gain local host access, enabling deep software and patch enumeration beyond network-visible services.

📚 Sources

  1. Tenable — Tenable Security Center architecture overview. docs.tenable.com/security-center/Content/Architecture.htm
  2. Tenable — Tenable Security Center 6.8.x User Guide (June 2026). docs.tenable.com/security-center
  3. Tenable — Assurance Report Cards overview and management. docs.tenable.com/security-center/Content/AssuranceReportCards.htm
  4. Tenable — Tenable Security Center dashboards and templates. tenable.com/sc-dashboards
  5. Tenable — Tenable Vulnerability Management vs. Tenable Security Center quick reference guide. docs.tenable.com/quick-reference/tenableio-vs-tenablesc
  6. Tenable — Tenable Security Center 2025 Release Notes. docs.tenable.com/release-notes/Content/security-center/2025.htm

What's next?

Got the architecture? Next, go deep on Nessus scan policies, plugin families, and how to tune credentialed scans so you find real vulnerabilities without wrecking network performance.

Next · All interview lessons → Practice on exam.techclick.in →