Better together: Nuclei and Tenable

James Harrison, Senior Content Writer

How does Nuclei complement Tenable?

What do Nuclei and Tenable bring to the table, and how do they complement each other? Tenable is a large commercial scanning engine typically used by bigger businesses and enterprise, while Nuclei is an open-source tool used by bug bounty professionals, pentesters and security researchers. Their detection capabilities and the types of software they cover don’t completely overlap, so using both in tandem provides a much more powerful scanning service, with all the resulting benefits.

Nuclei complements Tenable’s capabilities by adding additional attack surface checks, and checks for known weaknesses not covered by the commercial engine. On the other hand, Tenable checks for a much wider range of total vulnerabilities and products than Nuclei, and has checks for some classes of weakness which Nuclei covers poorly. Working together, they provide a more robust detection capability unmatched by any single scanner on its own.

Why do we need multiple scanners?

Organisations often choose a single large commercial scanning engine for their vulnerability management needs, like Tenable, Qualys or Rapid7. These large engines are designed to perform a wide range of checks, and cover several different types of scanning.  

But these scanners overlap and focus on automated checks for the most important weaknesses in popular products, products used by large enterprises, and products which are making headlines as threat intelligence feeds light up with malicious hacking activity.  

However, the number of vulnerabilities discovered each year is now so high (more than 25,000 last year) that it’s impossible for even these large scanning engines to produce checks for all of them. Even industry-leading scanners therefore don’t check for every known vulnerability out there.

As a result, a single scanning engine won’t give you complete detection of all possible vulnerabilities – if you rely on one engine, you’ll have blind spots where certain vulnerabilities on your systems simply aren’t covered. This is why we're adding Nuclei as another scanning engine to enhance our scanning coverage and detection.

Why choose Nuclei?

Nuclei is an open-source vulnerability scanning engine which is fast, extensible, and covers a wide range of weaknesses. Intruder’s Premium and Vanguard plans now include the Nuclei scanning engine to further complement our suite of scanning engines (Tenable Nessus, OpenVAS, ZAP, Nmap) to provide even better detection capabilities, so we can find more weaknesses and discover more about each target’s attack surface.

Nuclei and Tenable compared

Here are some simple metrics which show how these two scanning engines complement each other. Without going into a deep dive on how the two compare, these should give you a broad idea of why using multiple scanners can be more effective. These comparisons apply only to remote checks requiring no credentials.

Total CVEs

Tenable: 16,456
Nuclei: 2,259

First off, it’s clear that Tenable checks for a much higher total number of known vulnerabilities with a CVE. This is unsurprising, as this includes vulnerabilities going way back to the late 90s and early 2000s, when Nuclei didn’t exist.

Total CVEs (2022 and 2023)

Tenable: 1,399
Nuclei: 763

We focussed on recent vulnerabilities, and looked at data for just 2022 and 2023. The number of known vulnerabilities covered with unauthenticated remote checks is much closer. The Nuclei project has been more active in recent years, and it has produced checks for just over half of the total number of remote CVEs Tenable has covered. This gets a lot more interesting when you compare the two lists, and find that only 59 of these CVEs are covered by both scanners:

CVEs covered by Nuclei (left) and Tenable

This clearly shows that using the two scanners together doesn’t create inefficiency, as they focus on different known vulnerabilities. As such, they complement each other well.

Even when two scanning engines check for the same weakness on paper, the methodology they use to produce that particular check may differ. For example, it’s possible to perform remote checks by inspecting version banners, or by actively exploiting a weakness. There are many approaches to remote scanning; some excel at finding weaknesses on certain systems but are less effective against others. As a result, even when two scanners check for the same weakness, you still get more depth of coverage by using both, because one of the scanners may fail to detect the weakness in the specific configuration your target happens to be using.

Remote Attack Surface Detections

Last but not least, we looked at each scanner’s ability to detect exposed services and panels on the attack surface. We found that the two scanners have similar numbers of remote detection checks:

Tenable: 1,444
Nuclei: 1,368

It initially looks like each scanner detects the same software – around 1,400 different detection checks. However, in reality these don’t completely overlap, and a significant number are unique to each scanner.  

For example, Tenable has detections for DrayTek VigorConnect Web UI and IBM InfoSphere Information Governance which Nuclei doesn’t have a check for. Conversely, Nuclei has a detection check for exposed Django Admin Panels and Keycloak Admin Panels, which Tenable doesn’t have a check for. This provides a significant benefit for mapping your attack surface, and making sure scan results clearly show what’s exposed, and what shouldn’t be exposed.  
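To make the overlap analysis above concrete (the 59 shared CVEs, and the detections unique to each engine), here is an added Python example, not Intruder's or either project's code. It correlates findings from the two engines by host and CVE, or by a normalised check name where a detection has no CVE, and counts what is reported by both, by Nuclei only and by Tenable only. The Nuclei input is a constructed JSONL snippet in the field shape of nuclei -jsonl output as assumed here (template-id, host, info.classification.cve-id); the Tenable rows are a constructed, already-flattened stand-in, not real .nessus XML.

```python
import json
from collections import defaultdict

# Constructed sample input (not real scan output). The Nuclei lines follow the
# assumed field shape of `nuclei -jsonl`: template-id, host, info.classification.cve-id.
NUCLEI_JSONL = """\
{"template-id": "CVE-2023-1111", "host": "https://app.example.test", "info": {"severity": "critical", "classification": {"cve-id": ["CVE-2023-1111"]}}}
{"template-id": "django-admin-panel", "host": "https://app.example.test", "info": {"severity": "info", "name": "Django Admin Panel"}}
{"template-id": "CVE-2022-2222", "host": "https://api.example.test", "info": {"severity": "high", "classification": {"cve-id": ["CVE-2022-2222"]}}}
"""

# Constructed stand-in for the commercial engine's findings, already flattened
# to host / CVE / plugin name. Real Nessus output is XML and is not parsed here.
TENABLE_ROWS = [
    {"host": "https://app.example.test", "cve": "CVE-2023-1111", "name": "Product X RCE"},
    {"host": "https://app.example.test", "cve": None, "name": "DrayTek VigorConnect Web UI Detection"},
    {"host": "https://api.example.test", "cve": "CVE-2023-3333", "name": "Product Y Auth Bypass"},
]


def finding_key(host, cve, name):
    """Correlate on the CVE when one exists, otherwise on a normalised check name."""
    return (host, cve if cve else name.lower().replace(" detection", "").strip())


def load_nuclei(jsonl_text):
    """Yield one (host, key) per CVE a Nuclei result is classified under."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        info = rec.get("info", {})
        cves = info.get("classification", {}).get("cve-id") or []
        name = info.get("name", rec["template-id"])
        for cve in cves or [None]:          # detections without a CVE get a name key
            yield finding_key(rec["host"], cve, name)


def load_tenable(rows):
    for row in rows:
        yield finding_key(row["host"], row["cve"], row["name"])


def merge_findings(nuclei_jsonl, tenable_rows):
    """Map each (host, key) to the set of engines that reported it."""
    seen = defaultdict(set)
    for key in load_nuclei(nuclei_jsonl):
        seen[key].add("nuclei")
    for key in load_tenable(tenable_rows):
        seen[key].add("tenable")
    return dict(seen)


def coverage_summary(merged):
    """Counts mirroring the article's Venn comparison: shared, unique, union."""
    both = sum(1 for e in merged.values() if e == {"nuclei", "tenable"})
    nuclei_only = sum(1 for e in merged.values() if e == {"nuclei"})
    tenable_only = sum(1 for e in merged.values() if e == {"tenable"})
    return {"both": both, "nuclei_only": nuclei_only,
            "tenable_only": tenable_only, "union": len(merged)}
```

The union count is the coverage you actually get from running both engines; the two "only" counts are the blind spots each engine would have had on its own.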

Teamwork makes Intruder work

The analysis and metrics we’ve covered in this article only scratch the surface of what these two scanners are capable of – but they demonstrate how multiple scanners used together can provide a depth of coverage that can’t be matched by using a single scanning engine. If you’re a Premium or Vanguard customer, Nuclei is already included in your plan. If you’re interested in upgrading or want to know more about Nuclei, talk to us.

Release date / Level of ideal / Comments

Release date: Before CVE details are published
Level of ideal: 🥳
Comments: Limited public information is available about the vulnerability.
Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit.
Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.

Release date: Day of CVE publish
Level of ideal: 😊
Comments: Vulnerability information is publicly accessible.
Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they were previously having to hunt for themselves, speeding up potential exploit creation.
Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.

Release date: First week since CVE publish
Level of ideal: 😐
Comments: Vulnerability information has been publicly available for up to 1 week.
The likelihood that exploitation in the wild is happening is steadily increasing.
Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.

Release date: Between 1 week and 1 month since CVE publish
Level of ideal: 🥺
Comments: Vulnerability information has been publicly available for up to 1 month, and some very clever people have had time to craft an exploit.
We’re starting to lose some of the benefit of rapid, automated vulnerability detection.
Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.

Release date: After 1 month since CVE publish
Level of ideal: 😨
Comments: Information has been publicly available for more than 31 days.
Any detection released a month after the details are publicly available is decreasing in value for me.
Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.

With this information in mind, I wanted to check how long both Tenable and Greenbone take to release a detection for their scanners. The following section will focus on vulnerabilities which:

  • Have CVSSv2 rating of 10
  • Are exploitable over the network
  • Require no user interaction

These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.

We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.

In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs. Since 2010, Tenable have released remote checks for 147 critical CVEs, and OpenVAS for 79 critical CVEs, on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.

Figure 10: Absolute numbers of critical CVEs with a remote check release date from the date a CVE is published

While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.

Figure 11: Percentage chance of delay for critical vulnerabilities

So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.

I thought I’d go a step further and try to identify any trend in each organisation’s release delay: are they getting better year on year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released between 180 days before and 31 days after a CVE being published. These seem to me like reasonable limits, as anything more than 6 months prior to CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
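As an added example (not the article’s own tooling or data set), this Python snippet computes each engine’s release delay relative to the CVE publish date over a constructed data set, buckets the delays into the windows used in the table above, reports the share released within 1 month, and computes the clamped mean delay described for Figure 12. The CVE IDs, dates and engine order in CHECK_DATES are invented.

```python
from datetime import date
from statistics import mean

# Constructed sample (not the article's data). Per CVE: publish date, then the
# date each engine released its remote check. None = no check released.
CHECK_DATES = {
    # cve:            (cve_published,     tenable_release,    openvas_release)
    "CVE-2020-0001": (date(2020, 3, 10), date(2020, 1, 20), date(2020, 3, 10)),
    "CVE-2020-0002": (date(2020, 5, 5),  date(2020, 5, 5),  date(2020, 5, 9)),
    "CVE-2020-0003": (date(2020, 7, 1),  date(2020, 7, 20), date(2020, 6, 25)),
    "CVE-2020-0004": (date(2020, 9, 15), date(2020, 11, 2), None),
    "CVE-2020-0005": (date(2020, 9, 30), date(2019, 1, 1),  date(2020, 9, 30)),
}
TENABLE, OPENVAS = 0, 1   # column index into the tuples above

# The table's windows, expressed on delay = release date - publish date (days).
WINDOWS = [
    ("before publish", lambda d: d < 0),
    ("day 0", lambda d: d == 0),
    ("first week", lambda d: 1 <= d <= 7),
    ("1 week to 1 month", lambda d: 8 <= d <= 31),
    ("after 1 month", lambda d: d > 31),
]


def delays(engine):
    """Delay in days for every CVE the engine has a check for (negative = early)."""
    out = {}
    for cve, row in CHECK_DATES.items():
        published, release = row[0], row[1 + engine]
        if release is not None:
            out[cve] = (release - published).days
    return out


def window_percentages(engine):
    """Share of the engine's own checks landing in each window; sums to 100."""
    ds = list(delays(engine).values())
    return {name: round(100 * sum(1 for d in ds if pred(d)) / len(ds), 2)
            for name, pred in WINDOWS}


def within_one_month(engine):
    """Percentage of checks released no later than 31 days after publish."""
    ds = list(delays(engine).values())
    return round(100 * sum(1 for d in ds if d <= 31) / len(ds), 1)


def mean_delay(engine, lower=-180, upper=31):
    """Mean delay after dropping outliers, as the article does for Figure 12."""
    kept = [d for d in delays(engine).values() if lower <= d <= upper]
    return round(mean(kept), 1) if kept else None
```

Note that the percentages are relative to each engine’s own check count, which is the normalisation the article applies in Figure 11 so that the engine with more checks is not favoured by raw numbers.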

What can we take away from Figure 12?

  • We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
  • In 2015 things reverse, and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
  • But then in 2019 things get much closer, and Greenbone seem to be releasing on average about a day earlier than Tenable.
  • For both, the trendline over the 11-year period is very close, with Tenable marginally beating Greenbone.
  • We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.

Figure 12: Release delay year-on-year (lower is better)

With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with the 2019 and 2020 delay times going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie. It’s a tie.

The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.
