
Tenable Vulnerability Management — Nessus, Scans, Plugins & CVSS vs VPR

Tenable Vulnerability Management runs one continuous lifecycle — discover, assess, prioritize, remediate, measure — across your whole estate. This lesson maps the Nessus scanner and the cloud platform, every scan type (network, credentialed, agent and web app), how plugins detect flaws, and why Tenable's VPR beats raw CVSS for deciding what to fix first.

📅 2026-06-19 · ⏱ 17 min · 5 infographics · live scan demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Tenable Vulnerability Management (2026): the Nessus scanner and the Tenable Vulnerability Management cloud (formerly Tenable.io), scan types (network vs credentialed, agent-based and web app), plugins and the plugin feed, asset discovery and criticality, CVSS vs Tenable VPR prioritization, and the full discover→assess→prioritize→remediate→measure lifecycle.

🎯 Lesson map: pick where you want to start

1. What it is. One lifecycle: Nessus, the cloud and the loop.
2. Scans & plugins. Network, credentialed, agent, web app, the feed.
3. CVSS vs VPR. Static severity vs live, daily-updated priority.
4. Prioritize & remediate. ACR, AES, the cycle, dashboards, sizing.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Tenable Vulnerability Management just running one Nessus scan?

Answered in What it is.

2. Which scan gives the deepest, most accurate view of a host's flaws?

Answered in Scans & plugins.

3. Which score is dynamic and updates daily with threat intelligence?

Answered in CVSS vs VPR.

Most engineers think…

Most people picture vulnerability management as 'run Nessus, get a PDF full of Criticals, send it to IT'. That mental model drowns the team and fails you in an interview.

Tenable Vulnerability Management is a continuous lifecycle: Nessus scanners and Tenable Agents collect data, plugins from the feed detect each flaw, and the cloud platform (formerly Tenable.io) turns findings into prioritized work. The skill is choosing the right scan type and then prioritizing with VPR and asset criticality — not raw CVSS — so you fix the small slice that actually matters.

① What Tenable VM actually is — one continuous lifecycle

The single most important idea: Tenable Vulnerability Management is a continuous loop, not a one-off scan. Tenable frames it as five stages — discover, assess, prioritize, remediate, measure — and the platform runs that loop forever against everything it can see.

The moving parts are simple. Nessus is the scanner engine that probes hosts. Tenable Agents are lightweight software installed on endpoints that scan locally and report back. Plugins are the detection logic. And the Tenable Vulnerability Management cloud — formerly Tenable.io — is the brain that stores assets, findings, dashboards and scoring. You scan, it scores, you fix, you measure the trend.

Figure 1 — The VM lifecycle — discover, assess, prioritize, remediate, measure
Stages: Discover (find every asset), Assess (scan for flaws), Prioritize (VPR + ACR), Remediate (patch / mitigate), Measure (trend + reports). Tenable runs the same five-stage loop continuously across your whole estate.

Figure 2 — The Tenable stack — engine, agent, plugins, cloud
Tenable VM cloud: assets, findings, scoring, dashboards (ex Tenable.io). Plugins + feed: detection logic pulled from the Tenable plugin feed. Nessus scanner: network and credentialed scans of reachable hosts. Tenable Agent: local scans on roaming and off-network endpoints. Scanners and agents collect, plugins detect, the cloud scores and reports.
Quick check · Q1 of 10 · Understand

Tenable Vulnerability Management is best described as…

Correct: a. Tenable frames VM as a continuous five-stage loop. Nessus and agents collect, plugins detect, and the cloud platform scores and reports — it is never a one-and-done scan.
👉 So far: Tenable VM = a continuous loop (discover, assess, prioritize, remediate, measure): Nessus/agents collect, plugins detect, the cloud (ex Tenable.io) scores and reports.

② Scan types and plugins — how detection actually works

Choosing the right scan type is half the job. A network (uncredentialed) scan reaches out from a Nessus scanner and sees a host the way an outside attacker would — open ports, services and banner-based flaws. A credentialed (authenticated) scan is given valid login credentials, logs in, and runs local checks against installed software, patch levels and configuration — far deeper and more accurate, with fewer false positives. Those local checks need enough privilege to read that state (typically a local administrator account on Windows, or an SSH account that can escalate with sudo on Linux), so use a dedicated scanning account with stored, rotated credentials rather than a shared admin login.

Agents and web apps

Agent-based scans run on the host itself, so they cover laptops that roam off-network and avoid sharing credentials — but they miss network-only checks like brute-forcing a login. Web application scanning crawls and tests live web apps for issues like injection. Every check is a plugin pulled from the plugin feed; plugins like 10394 (Windows SMB) and 12634 (Linux SSH) even confirm a credentialed scan truly authenticated.

Figure 3 — Uncredentialed vs credentialed scan
Uncredentialed (network): no login, outside view; ports, services, banners; sees attacker-exploitable flaws; more false positives, shallower. Credentialed (authenticated): logs in with valid creds; reads patches and config locally; up to 10x more detail; deeper, fewer false positives. Same scanner, very different depth.

Figure 4 — Many scan types, one platform
Network scan, credentialed scan, agent scan, web app scan and asset discovery all feed the same Tenable VM cloud + plugins.
🔍 Nessus scanner
The engine that probes hosts over SSH/SMB/HTTPS/SNMP. Runs network (uncredentialed) and credentialed (authenticated) scans.

💻 Tenable Agent
Software on the endpoint that scans locally and reports back — covers roaming laptops and off-network assets, no credential sharing.

🧩 Plugins & the feed
Each plugin detects one flaw or config. Downloaded from the Tenable plugin feed; some plugins confirm a scan actually authenticated.

📊 VPR
Vulnerability Priority Rating — a dynamic 0.1–10 score, updated daily with threat intelligence, that says what to fix first (vs static CVSS).

Prove the credentialed scan actually logged in

A 'credentialed' scan that silently failed auth gives shallow, misleading results. Check the authentication-success plugins (e.g. 10394 for Windows SMB, 12634 for Linux SSH) before you trust the depth. Plugin 19506 (Nessus Scan Information) also prints a 'Credentialed checks : yes/no' line for each host, and 21745 (Authentication Failure - Local Checks Not Run) fires when the login did not work. No success plugin = you really ran an uncredentialed scan.
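The check above, as an added example (it is not Tenable's code): parse a .nessus (XML v2) export and decide, per host, whether local checks really ran. It looks for the success plugins the lesson names (10394, 12634), the failure plugin 21745 and the 'Credentialed checks' line from plugin 19506. The export embedded in the script is constructed, not a real scan; the host addresses and report name are made up.

```python
"""Prove a 'credentialed' Nessus scan really authenticated before trusting its depth.

Added example for this lesson, not Tenable code. Parses the .nessus (XML v2)
export format and reports, per ReportHost, whether authenticated local checks ran.
"""
import xml.etree.ElementTree as ET

AUTH_SUCCESS_PLUGINS = {
    "10394": "Microsoft Windows SMB Log In Possible",
    "12634": "Authenticated Check: OS Name and Installed Package Enumeration",
}
AUTH_FAILURE_PLUGIN = "21745"   # Authentication Failure - Local Checks Not Run
SCAN_INFO_PLUGIN = "19506"      # Nessus Scan Information ('Credentialed checks : yes|no')

# Constructed sample export (not a real scan): a Windows host that authenticated
# over SMB, and a Linux host whose SSH credentials failed so only remote checks ran.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="prod-credentialed-weekly">
<ReportHost name="10.0.0.5">
 <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
   pluginName="Nessus Scan Information" pluginFamily="Settings">
  <plugin_output>Credentialed checks : yes
Scan duration : 612 sec</plugin_output>
 </ReportItem>
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="10394"
   pluginName="Microsoft Windows SMB Log In Possible" pluginFamily="Windows"/>
</ReportHost>
<ReportHost name="10.0.0.9">
 <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
   pluginName="Nessus Scan Information" pluginFamily="Settings">
  <plugin_output>Credentialed checks : no
Scan duration : 98 sec</plugin_output>
 </ReportItem>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="21745"
   pluginName="Authentication Failure - Local Checks Not Run" pluginFamily="Settings"/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def credentialed_checks_flag(scan_info_item):
    """True/False from the 'Credentialed checks : yes|no' line of plugin 19506,
    or None when the line is absent."""
    output = scan_info_item.findtext("plugin_output") or ""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "credentialed checks":
            return value.strip().lower().startswith("yes")
    return None


def audit_authentication(nessus_xml):
    """Per ReportHost, decide whether authenticated local checks actually ran."""
    root = ET.fromstring(nessus_xml)
    results = {}
    for host in root.iter("ReportHost"):
        items = {item.get("pluginID"): item for item in host.iter("ReportItem")}
        flag = credentialed_checks_flag(items[SCAN_INFO_PLUGIN]) if SCAN_INFO_PLUGIN in items else None
        success = sorted(pid for pid in AUTH_SUCCESS_PLUGINS if pid in items)
        failed = AUTH_FAILURE_PLUGIN in items
        # Trust the depth only when a success plugin fired, no failure plugin fired,
        # and 19506 did not explicitly say 'no'.
        authenticated = bool(success) and not failed and flag is not False
        results[host.get("name")] = {
            "authenticated": authenticated,
            "success_plugins": success,
            "failure_plugin_fired": failed,
            "credentialed_checks": flag,
        }
    return results


def hosts_to_rescan(nessus_xml):
    """Hosts whose 'credentialed' results are really uncredentialed and must not be trusted."""
    return sorted(h for h, r in audit_authentication(nessus_xml).items() if not r["authenticated"])


if __name__ == "__main__":
    for host, r in audit_authentication(SAMPLE_NESSUS).items():
        print(host, "authenticated" if r["authenticated"] else "NOT authenticated", r)
    print("re-scan needed:", hosts_to_rescan(SAMPLE_NESSUS))
```

Run it against a real export by reading the .nessus file into `audit_authentication`; any host it lists under `hosts_to_rescan` should have its credentials fixed and be scanned again before its findings are used for prioritization.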

Quick check · Q2 of 10 · Apply

You need the deepest, most accurate view of a Windows server's missing patches. Which scan?

Correct: b. A credentialed scan logs in and runs local checks against installed software and patch levels — far deeper and more accurate, with fewer false positives. Uncredentialed only sees the outside attacker view.
👉 So far: Scan types: network/uncredentialed = outside view; credentialed = deep local checks; agents = roaming endpoints; web app = live sites. Plugins from the feed do the detecting.

③ CVSS vs VPR — static severity vs live priority

This is the interview centrepiece. CVSS is a static severity score: the standard is maintained by FIRST, and the base scores most tools consume are published by the NVD. It describes how bad a flaw could be, not whether anyone is exploiting it (CVSS does define temporal and environmental metrics, but in practice vulnerability tools ship the base score). The problem: CVSS labels roughly 60% of CVEs High or Critical, so it can't tell you what to fix first.

Tenable's VPR (Vulnerability Priority Rating) fixes this. VPR is a dynamic score from 0.1–10 that Tenable updates daily, blending the CVSS impact with live threat intelligence: exploit-code maturity, threat recency and intensity, age of the vulnerability, and product coverage. The result focuses you on the small slice — Tenable says around 1.6% — likely to be exploited soon. One-liner: CVSS = how bad it could be; VPR = how urgently it actually threatens you right now.

Figure 5 — From a flaw to a fix — how a finding gets prioritized
Detect (plugin matches) → Score (CVSS severity) → Prioritize (VPR + ACR / AES) → Remediate (patch / mitigate) → Verify (re-scan clean). A plugin detects, CVSS describes severity, VPR + ACR set urgency, then you remediate and verify.
'Just patch all the Criticals' trap

Treating every Critical CVSS as equal means patching ~60% of everything and burning out IT. CVSS is severity, not priority. Lead with VPR (live, daily-updated) plus asset criticality so you fix the small slice attackers will actually use.

▶ Watch a Windows server go from scan to verified fix

How one credentialed scan turns into a prioritized, verified remediation (the healthy path):

① Assess: a credentialed Nessus scan logs into a production Windows server and runs local-check plugins from the feed.
② Detect + score: a plugin flags a missing patch; the cloud attaches the CVSS severity and the daily-updated VPR.
③ Prioritize: high VPR on a high-ACR server gives a high Asset Exposure Score, so it jumps to the top of the queue.
④ Remediate + verify: IT patches; a re-scan confirms the plugin no longer fires and the AES drops on the dashboard.
Quick check · Q3 of 10 · Analyze

Why is raw CVSS a poor way to choose what to remediate first?

Correct: c. CVSS is static severity and rates about 60% of CVEs High or Critical, so it gives no real priority. VPR adds live threat and exploit context to surface the small slice that actually matters.
👉 So far: CVSS = static severity, ~60% of CVEs High/Critical. VPR = dynamic 0.1–10, updated daily with threat intel, focusing you on the ~1.6% likely to be exploited.

④ Prioritize, remediate, measure — running the cycle sanely

VPR ranks the vulnerability; asset context ranks the target. The Asset Criticality Rating (ACR) scores how important an asset is (1–10, based on business purpose, type, connectivity). Tenable combines ACR with the asset's VPRs into an Asset Exposure Score (AES) from 0–1000 — a single number for 'how exposed is this box'. High VPR on a high-ACR asset is what you fix first.

Remediate and measure

Route prioritized findings to patching, push fixes, then re-scan to verify the flaw is gone — remediation isn't done until a clean scan proves it. Dashboards and reporting in the cloud track the trend over time so you can prove risk is going down. The classic failure is treating every Critical CVSS as equal and patching 60% of everything; prioritize by VPR + ACR and you fix the small slice (Tenable's ~1.6%) first.

Vivek at a Pune fintech faces this

The first Tenable scan returns 4,000 'Critical' CVSS findings and management wants them all patched this week — IT pushes back, nothing gets fixed.

Likely cause

The team sorted by CVSS severity, which marks ~60% of CVEs Critical/High, and ignored threat context and asset value.

Diagnosis

Open the findings view — most Criticals have low VPR and sit on low-ACR test boxes; only a few have high VPR on production servers.

Tenable VM ▸ Findings ▸ sort by VPR, then by Asset Exposure Score (AES)
Fix

Re-rank by VPR and ACR, target the high-AES production assets first, route those to patching, and schedule the long tail.

Verify

Re-scan the patched assets: the high-VPR findings clear, AES drops, and the dashboard shows risk trending down — with a believable weekly workload.
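Vivek's re-ranking, and the CVSS-vs-VPR argument from section ③, as an added example (not Tenable's code): load a findings export and produce the naive CVSS queue, the VPR-then-ACR queue, the first wave that goes to patching, and the CVSS Criticals that can be scheduled later. The CSV is constructed (asset and plugin names are placeholders) but its columns mirror a Tenable VM findings export. Severity bands follow the lesson (9.0–10 Critical, 7.0–8.9 High, 4.0–6.9 Medium, below 4.0 Low); the first-wave thresholds (VPR and ACR both at least 7) are this example's choice, and the per-asset ranking is a stand-in for sorting by AES, whose formula is Tenable's and is not reproduced here.

```python
"""Re-rank a findings export by VPR and asset criticality instead of raw CVSS.

Added example for this lesson, not Tenable code.
"""
import csv
import io
from dataclasses import dataclass

# Constructed findings export: asset and plugin names are placeholders, but the
# columns mirror a Tenable VM findings export (asset, plugin name, CVSS v3 base
# score, VPR, and the asset's ACR).
SAMPLE_FINDINGS_CSV = """asset,plugin_name,cvss_v3,vpr,acr
db-prod-01,OpenSSL remote code execution (placeholder),9.8,9.4,10
db-prod-01,Weak TLS cipher suite (placeholder),7.5,3.1,10
web-prod-02,Apache path traversal (placeholder),9.8,8.5,8
lab-vm-17,Kernel privilege escalation (placeholder),9.8,2.2,2
lab-vm-17,SMB signing not required (placeholder),5.3,1.9,2
hr-laptop-44,Browser use-after-free (placeholder),9.6,6.8,5
"""


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_name: str
    cvss: float   # CVSS v3 base score: static severity
    vpr: float    # Tenable VPR: dynamic priority, 0.1-10
    acr: int      # Asset Criticality Rating, 1-10


def load_findings(text):
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["asset"], r["plugin_name"], float(r["cvss_v3"]),
                    float(r["vpr"]), int(r["acr"])) for r in rows]


def band(score):
    """Severity band shared by CVSS v3 and VPR in the lesson."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def cvss_queue(findings):
    """The naive queue: every CVSS High/Critical finding, worst score first."""
    return sorted((f for f in findings if f.cvss >= 7.0), key=lambda f: (-f.cvss, -f.vpr))


def priority_queue(findings):
    """The lesson's ordering: urgency (VPR) first, asset value (ACR) second,
    CVSS only as a tie-break."""
    return sorted(findings, key=lambda f: (-f.vpr, -f.acr, -f.cvss))


def first_wave(findings, vpr_min=7.0, acr_min=7):
    """What goes to patching this week. The thresholds are this example's choice."""
    return [f for f in priority_queue(findings) if f.vpr >= vpr_min and f.acr >= acr_min]


def deferrable_criticals(findings, vpr_min=7.0):
    """CVSS Criticals whose VPR is below High: the long tail to schedule, not to panic over."""
    return [f for f in priority_queue(findings)
            if band(f.cvss) == "Critical" and f.vpr < vpr_min]


def asset_ranking(findings):
    """Per-asset view (a stand-in for sorting by AES, whose formula is Tenable's):
    highest VPR present on the asset, then its ACR, most exposed first."""
    by_asset = {}
    for f in findings:
        entry = by_asset.setdefault(f.asset, {"acr": f.acr, "max_vpr": 0.0, "findings": 0})
        entry["max_vpr"] = max(entry["max_vpr"], f.vpr)
        entry["findings"] += 1
    return sorted(by_asset.items(), key=lambda kv: (-kv[1]["max_vpr"], -kv[1]["acr"]))


if __name__ == "__main__":
    fs = load_findings(SAMPLE_FINDINGS_CSV)
    print(f"CVSS queue: {len(cvss_queue(fs))} of {len(fs)} findings are High/Critical")
    print("First wave (VPR>=7 on ACR>=7):")
    for f in first_wave(fs):
        print(f"  {f.asset:14} VPR {f.vpr:<4} ACR {f.acr:<3} CVSS {f.cvss}  {f.plugin_name}")
    print("Deferrable CVSS Criticals:")
    for f in deferrable_criticals(fs):
        print(f"  {f.asset:14} VPR {f.vpr:<4} ACR {f.acr:<3} CVSS {f.cvss}  {f.plugin_name}")
    print("Assets, most exposed first:", [a for a, _ in asset_ranking(fs)])
```

On the sample data five of six findings are CVSS High or Critical, but only two land in the first wave (both on production assets), while the 9.8 kernel flaw on the lab VM and the 9.6 browser flaw on a laptop drop into the scheduled tail. That gap between the CVSS queue and the VPR + ACR queue is the workload reduction the scenario is about.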

Remediation isn't done until a re-scan is clean

Never close a vulnerability on 'IT says it's patched'. Re-scan the asset and confirm the plugin no longer fires. The clean finding — and a falling Asset Exposure Score — is your proof, not a hunch.
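The verification rule above, as an added example (not Tenable's code): diff the before-patch scan against the re-scan and mark a finding fixed only when it is absent from a re-scan that actually authenticated. It takes the parsed shape you would have after reading two exports (per host: did local checks run, and which plugin IDs fired). The hosts and plugin IDs are constructed placeholders, not real Tenable plugin numbers.

```python
"""Verify remediation by diffing a scan against its re-scan, refusing to count a
finding as fixed when the re-scan could not log in or did not cover the host.

Added example for this lesson, not Tenable code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostScan:
    credentialed: bool      # did authenticated local checks run on this host?
    findings: frozenset     # plugin IDs that fired with severity > 0


# Constructed before/after results. Plugin IDs like "P-1001" are placeholders.
BEFORE = {
    "db-prod-01": HostScan(True, frozenset({"P-1001", "P-1002"})),
    "web-prod-02": HostScan(True, frozenset({"P-2001"})),
    "lab-vm-17": HostScan(True, frozenset({"P-3001"})),
    "app-prod-03": HostScan(True, frozenset({"P-4001"})),
}
AFTER = {
    "db-prod-01": HostScan(True, frozenset({"P-1002"})),             # P-1001 patched
    "web-prod-02": HostScan(False, frozenset()),                      # looks clean, but auth failed
    "lab-vm-17": HostScan(True, frozenset({"P-3001", "P-3002"})),    # not fixed, plus a new flaw
    # app-prod-03 was not in the re-scan at all
}

VERIFIED = "verified fixed"
OPEN = "still open"
NEW = "new"
UNVERIFIED_AUTH = "unverified: re-scan did not authenticate"
UNVERIFIED_MISSING = "unverified: host absent from re-scan"


def verify_remediation(before, after):
    """Return {host: {plugin_id: status}} for every finding seen in either scan."""
    report = {}
    for host, pre in before.items():
        post = after.get(host)
        if post is None:
            report[host] = {pid: UNVERIFIED_MISSING for pid in pre.findings}
            continue
        statuses = {}
        for pid in pre.findings:
            if pid in post.findings:
                statuses[pid] = OPEN
            elif not post.credentialed:
                # A finding that 'disappears' because the scanner could not log in
                # is a false clean, not a fix.
                statuses[pid] = UNVERIFIED_AUTH
            else:
                statuses[pid] = VERIFIED
        for pid in post.findings - pre.findings:
            statuses[pid] = NEW
        report[host] = statuses
    return report


def closable(report):
    """The only (host, plugin) pairs that may be closed in the ticket system."""
    return sorted((h, p) for h, s in report.items() for p, st in s.items() if st == VERIFIED)


def needs_attention(report):
    """Everything else: still open, new, or not provably verified."""
    return sorted((h, p, st) for h, s in report.items() for p, st in s.items() if st != VERIFIED)


if __name__ == "__main__":
    rep = verify_remediation(BEFORE, AFTER)
    print("close:", closable(rep))
    for host, plugin, status in needs_attention(rep):
        print(f"keep open: {host} {plugin}: {status}")
```

Only db-prod-01's patched finding is closable. web-prod-02 shows zero findings, yet nothing on it is verified, because the re-scan never authenticated; feed it back through the authentication check from section ② before believing it.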

Quick check · Q4 of 10 · Evaluate

Which finding should a team remediate first?

Correct: d. Prioritize by urgency and target value: a high VPR (likely exploited) on a high-ACR (business-critical) asset gives the highest Asset Exposure Score — fix that first, not every Critical CVSS equally.
👉 So far: Prioritize by VPR (the flaw) + ACR (the asset) = AES (0–1000). Remediate, then re-scan to verify clean. Measure the trend on dashboards — never patch every Critical equally.


📝 Wrap-up assessment — six more


Q5 · Remember

What was the Tenable Vulnerability Management cloud platform formerly called?

Correct: a. Tenable Vulnerability Management is the renamed cloud platform formerly known as Tenable.io. Nessus is the scanner engine; Tenable.sc (now Tenable Security Center) is the on-prem console.
Q6 · Understand

Which scan type best covers laptops that frequently roam off the corporate network?

Correct: c. Tenable Agents run on the endpoint itself and report back whenever they can reach the Tenable cloud, whether or not the device is on the corporate network, so they cover roaming and off-network devices a scanner can't reliably reach. Network scans need the host to be reachable from the scanner.
Q7 · Apply

A plugin like 10394 (Windows SMB) or 12634 (Linux SSH) fires in your scan results. What does that tell you?

Correct: b. Those are authentication-success plugins. Their presence confirms the credentialed scan actually logged in, so you can trust the deeper local-check results. If they're absent, you effectively ran an uncredentialed scan.
Q8 · Analyze

Why does Tenable VPR change over time while a CVSS base score does not?

Correct: c. VPR is dynamic: Tenable recalculates it daily using current threat and exploit context, so a flaw's urgency rises or falls with the real-world landscape. CVSS base is a static, one-time third-party severity score.
Q9 · Evaluate

Two findings: (A) CVSS 9.8 on a decommissioned lab VM, (B) VPR 8.5 on a high-ACR production database. Which first?

Correct: d. Priority = urgency (VPR) on a valuable target (ACR), combined into the Asset Exposure Score (AES). A high-VPR flaw on a business-critical asset outranks a high-CVSS flaw on a throwaway lab box. CVSS alone misleads.
Q10 · Evaluate

What proves a vulnerability has actually been remediated?

Correct: a. Remediation is verified by re-scanning: the finding must clear (the plugin stops firing) and the asset's exposure score should fall. Self-reported patching and closed tickets are not proof.

🧠 In your own words

Type one line: why does a Tenable team prioritize with VPR + ACR instead of just patching every Critical CVSS? Then compare with the expert version.

Expert version: Because CVSS is static severity and labels roughly 60% of CVEs High or Critical, so it can't tell you what to fix first — sorting by it just produces an un-actionable wall of Criticals. VPR is dynamic and updated daily with real-world threat and exploit intelligence, so it surfaces the small slice (around 1.6%) likely to be exploited soon. Layer in ACR — how critical the asset is — and the combined Asset Exposure Score points you at high-urgency flaws on high-value assets. You fix those first, re-scan to verify, and measure the trend, instead of burning out IT patching everything equally.


📖 Glossary

Tenable Vulnerability Management
Tenable's cloud platform (formerly Tenable.io) that stores assets, findings, scoring and dashboards and runs the VM lifecycle.
Nessus
Tenable's scanner engine that probes hosts over SSH/SMB/HTTPS/SNMP to run network and credentialed vulnerability scans.
Tenable Agent
Lightweight software installed on an endpoint that scans locally and reports back — ideal for roaming and off-network assets.
Credentialed (authenticated) scan
A scan given valid login credentials so it can run deep local checks on patches and config — more accurate, fewer false positives.
Uncredentialed (network) scan
A scan with no login that sees a host as an outside attacker would — ports, services and banner-level flaws.
Plugin / plugin feed
A plugin detects one specific flaw or config; the plugin feed continuously delivers new and updated plugins to scanners and agents.
CVSS
A static severity score (a FIRST standard; the base scores for CVEs are published by the NVD) for how bad a vulnerability could be — but it rates ~60% of CVEs High/Critical.
VPR (Vulnerability Priority Rating)
A dynamic 0.1–10 score Tenable updates daily using live threat intelligence to show which flaws to remediate first.
ACR (Asset Criticality Rating)
A 1–10 score of how important an asset is to the business, based on purpose, type, location and connectivity.
AES (Asset Exposure Score)
A 0–1000 score combining an asset's ACR with its vulnerabilities' VPRs to show how exposed the asset is.

📚 Sources

  1. Tenable Docs — CVSS vs. VPR (risk metrics, VPR drivers and daily updates). docs.tenable.com/vulnerability-management/Content/Explore/Findings/RiskMetrics.htm
  2. Tenable Docs — Vulnerability Assessment / Scanning (authenticated vs unauthenticated, scanner role, plugins). docs.tenable.com/cyber-exposure-studies/vulnerability-management
  3. Tenable Docs — Tenable Nessus Credentialed Checks and authentication-success plugins. docs.tenable.com/nessus/Content/NessusCredentialedChecks.htm
  4. Tenable Docs — Tenable Agent: benefits and limitations vs network scanning. docs.tenable.com/agent/Content/benefits-and-limitations.htm
  5. Tenable Docs — Tenable One Scoring Explained: ACR and AES. docs.tenable.com/quick-reference/scoring-explained
  6. Tenable Blog — What Is VPR and How Is It Different from CVSS? tenable.com/blog/what-is-vpr-and-how-is-it-different-from-cvss

What's next?

Got the Tenable lifecycle? Compare it side by side with the Qualys VMDR lesson — same discover-to-remediate idea, different scoring (QDS vs VPR) and agent model — so you can answer either tool in an interview.