Nessus Tutorial: Vulnerability Scanning How-To Guide (2026)

<![CDATA[

Nessus has been the industry-standard vulnerability scanner for over two decades. Developed by Tenable, it’s used by more than 50% of the Fortune 500 and covers more than 77,000 CVEs through a plugin library that now exceeds 227,000 entries. The original version of this post was written back in 2010 when Nessus looked very different. This is a complete rewrite for 2026, covering the current interface, modern scan templates, credentialed scanning best practices, and practical walkthroughs for three of the most common compliance frameworks: PCI-DSS 4.0, SOC 2, and ISO 27001.

If you want to follow along, you’ll need Nessus installed. The free tier — Nessus Essentials — covers up to 16 IP addresses and is enough to work through everything in this guide on a home lab. For compliance work in a professional environment you’ll want Nessus Professional or Nessus Expert; compliance templates are not available in Essentials.

Nessus Editions in 2026

Tenable currently ships three editions of standalone Nessus:

  • Nessus Essentials — Free, limited to 16 IPs. Good for learning and home lab work. No compliance templates.
  • Nessus Professional — Unlimited IPs, full vulnerability and compliance templates, reporting, and team features. This is the standard choice for professional penetration testers and security teams.
  • Nessus Expert — Everything in Professional plus attack surface discovery (external domain scanning via Tenable Attack Surface Management), infrastructure-as-code scanning, and web application scanning templates.

Nessus also functions as a managed scanner within Tenable Vulnerability Management (the cloud platform) and Tenable Security Center (the on-premises enterprise platform), but this guide focuses on standalone Nessus.

Installation

Download the installer for your platform from tenable.com/products/nessus. Nessus runs on Linux (including Kali), Windows, and macOS.

Linux / Kali Installation

# Download the Debian package. Replace [latest] with the version path shown on Tenable's download page;
# -o names the file explicitly because the URL ends in a query string and -O would use that as the filename
curl -L -o Nessus-latest.deb 'https://www.tenable.com/downloads/api/v1/public/pages/nessus/downloads/[latest]/get?i_agree_to_tenable_license_agreement=true'

# Compare against the SHA256 checksum published on the download page before installing
sha256sum Nessus-latest.deb

# Install it
sudo dpkg -i Nessus-latest.deb

# Start the service
sudo systemctl start nessusd
sudo systemctl enable nessusd

On Kali Linux, Nessus is not included in the default repositories, so the manual download and dpkg route is the correct approach. Once the service starts, browse to https://localhost:8834 to complete setup.

Initial Setup

  1. Browse to https://localhost:8834 — accept the self-signed certificate warning.
  2. Choose your deployment type: Nessus Essentials, Nessus Professional, or Managed Scanner (for Tenable Vulnerability Management or Security Center).
  3. Create an administrator account.
  4. Enter your activation code. Nessus will begin downloading its plugin set — this can take 10–30 minutes on first run depending on your connection.

Keeping Nessus Updated

Nessus updates its plugin library continuously. By default it updates automatically. To force a manual update from the command line:

# Update plugins only
sudo /opt/nessus/sbin/nessuscli update --plugins-only

# Update plugins and the Nessus core software together
sudo systemctl stop nessusd
sudo /opt/nessus/sbin/nessuscli update --all
sudo systemctl start nessusd

Keeping plugins current is essential: a Nessus instance running stale plugins simply cannot report vulnerabilities published after its last feed. Every scan records the feed it used in the output of plugin 19506 (Nessus Scan Information), so if results look thin, check the "Plugin feed version" line there before blaming credentials or scope.

The Nessus Interface

The current Nessus interface at https://localhost:8834 is organised around three main areas:

  • Scans — Create and manage scans. This is where most of your time is spent. Each scan entry shows its status, the number of hosts scanned, and a summary of findings by severity.
  • Policies — Listed under Resources in the Scans sidebar. Save customised scan configurations that you can reuse across multiple scans. Useful when you have a standard configuration you apply repeatedly — a PCI scan policy, for instance.
  • Settings — Scanner-level configuration: plugin feeds, performance settings, user accounts, and proxy configuration.

The main change from older versions is the scan template library, which has grown substantially and now covers compliance frameworks directly. You no longer need to manually construct compliance scans from plugin families — the templates do that for you.

Scan Templates

Nessus 10.12 ships with templates across three categories:

Discovery Templates

  • Host Discovery — Finds live hosts and open ports with minimal footprint. Tenable recommends running this weekly if you don’t have a passive network monitor. Assets found in discovery scans don’t count toward your licence.
  • Ping-Only Discovery — Minimal network traffic, confirms which hosts are up.
  • Attack Surface Discovery (Expert only) — Scans external domains via Tenable Attack Surface Management to discover subdomains and DNS records.

Vulnerability Templates

  • Basic Network Scan — The go-to for general scanning. Runs a full plugin set against targets. Good starting point for any internal assessment.
  • Advanced Scan — Same defaults as Basic but exposes every configurable option. Use with care — misconfigurations can saturate networks or cause asset outages.
  • Advanced Dynamic Scan — Instead of selecting plugin families manually, you set filters (by CVE, plugin family, severity, etc.) and Nessus automatically includes all matching plugins — including newly released ones. Excellent for targeted CVE-specific scanning.
  • Credentialed Patch Audit — Authenticates to targets and enumerates missing patches. One of the highest-value scan types available.
  • Active Directory Starter Scan — Checks AD for Kerberoasting exposure, weak Kerberos encryption, unconstrained delegation, null sessions, and other misconfigurations. Requires Domain Admin credentials and LDAPS.
  • Malware Scan — Detects malware on Windows and Unix using a combined allowlist/blocklist approach.
  • Find AI — New in recent versions. Discovers installed AI applications, LLMs, and ML frameworks and identifies related vulnerabilities and shadow AI.

Compliance Templates

(Professional and Expert only)

  • PCI DSS — internal network scan, agent-based scan, external ASV scan
  • CIS benchmarks for Windows, Linux, macOS, network devices, and cloud
  • DISA STIGs
  • HIPAA
  • SOC 2
  • ISO/IEC 27001
  • NIST frameworks

Credentialed Scanning: The Most Important Thing to Get Right

The single biggest quality difference between Nessus scans is whether they’re credentialed. An unauthenticated scan sees what an external attacker sees: open ports, service banners, network-level vulnerabilities. A credentialed scan logs into the target and checks installed software versions, patch levels, local configuration, file permissions, user accounts, and running services. The difference in finding count is typically dramatic — credentialed scans routinely surface two to five times as many vulnerabilities.

Setting Up SSH Credentials (Linux Targets)

When creating or editing a scan, go to Credentials → SSH. You have three authentication options:

  • Password — Username and password. Simple, but a reusable password that is stored in the scanner and accepted by every target is a far more valuable secret than a single-purpose key, so it is not recommended for production.
  • Public Key — Recommended. Generate a dedicated Nessus scanning key pair, deploy the public key to target hosts, and store the private key in Nessus.
  • Kerberos — For Active Directory-joined Linux hosts.

For least-privilege scanning, create a dedicated scan account rather than logging in as root, and let it escalate with sudo. Be realistic about how far you can restrict that sudo rule: Nessus local checks run a long and changing list of commands, so a NOPASSWD rule limited to a handful of binaries tends to break patch assessment silently (the symptom is plugin 19506 reporting "Credentialed checks : no", or the OS Security Patch Assessment plugins reporting that local checks were not available). A restriction that does hold up is on the key itself: pin it to the scanner's address with a from= option in authorized_keys and disable forwarding.

# Create a dedicated Nessus scanning account
sudo useradd -m -s /bin/bash nessus-scan

# Add the scanner's public key. The redirect in `sudo echo ... >> file` runs as the
# invoking user, not root, so write through tee instead.
sudo mkdir -p /home/nessus-scan/.ssh
echo 'from="10.0.0.50",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... nessus-scanner' | sudo tee -a /home/nessus-scan/.ssh/authorized_keys
sudo chmod 700 /home/nessus-scan/.ssh
sudo chmod 600 /home/nessus-scan/.ssh/authorized_keys
sudo chown -R nessus-scan:nessus-scan /home/nessus-scan/.ssh

# Allow passwordless escalation to root for local checks, then syntax-check the rule
echo 'nessus-scan ALL=(root) NOPASSWD: ALL' | sudo tee /etc/sudoers.d/nessus-scan
sudo chmod 440 /etc/sudoers.d/nessus-scan
sudo visudo -cf /etc/sudoers.d/nessus-scan

Replace 10.0.0.50 with your scanner's address. In the scan's SSH credential settings, set "Elevate privileges with" to sudo so Nessus actually uses the rule.

Setting Up Windows Credentials (Windows Targets)

For Windows, go to Credentials → Windows and configure:

  • Authentication method: Password (most common), Kerberos, or LM Hash.
  • Username and password: Use a domain account with local administrator rights on targets, or a local administrator account.

For credentialed scanning to work against Windows hosts, ensure the following:

# Enable the Remote Registry service (Nessus reads patch and configuration state from the registry)
sc config RemoteRegistry start= auto
net start RemoteRegistry

# Allow File and Printer Sharing (SMB, TCP 445) through Windows Firewall so the ADMIN$ and C$ shares are reachable
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

# Ensure the Windows Management Instrumentation (WMI) service is running
sc config winmgmt start= auto
net start winmgmt

# Only if you scan with a LOCAL (non-domain) administrator account: UAC remote restrictions strip
# admin rights from local accounts over the network unless this value is set. Not needed for domain accounts.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

If you’re scanning domain-joined machines, using a domain account with local admin rights is cleaner than enabling local admin accounts on every machine.

Running Your First Scan

  1. Click New Scan in the Scans section.
  2. Choose a template — start with Basic Network Scan for a general assessment.
  3. Give the scan a name and set the Targets field — this accepts individual IPs, CIDR ranges, hostnames, or a newline-separated list.
  4. Under Credentials, add SSH or Windows credentials if you’re doing credentialed scanning.
  5. Under Schedule, choose whether to run immediately or on a schedule.
  6. Click Save, then click the play button to launch the scan.

While the scan runs, you can click into it to see live progress — hosts being discovered, plugins executing, findings accumulating in real time. A Basic Network Scan against a /24 subnet with credentials typically takes 20–45 minutes depending on network speed and the number of live hosts.

Understanding Scan Results

Once a scan completes, click into the results to see findings organised by host and severity. Nessus maps each plugin's CVSS base score to one of five levels:

  • Critical — CVSS 9.0–10.0. Address immediately.
  • High — CVSS 7.0–8.9. Prioritise after criticals.
  • Medium — CVSS 4.0–6.9. Plan remediation within your standard patch cycle.
  • Low — CVSS 0.1–3.9. Minor weaknesses that should still be tracked and fixed opportunistically.
  • Info — Not vulnerabilities but useful scan data: open ports, installed software, OS version, SSL certificate details. This level also carries plugin 19506 (Nessus Scan Information), whose output tells you whether credentialed checks actually ran on each host — check it before trusting a credentialed scan's findings.

Clicking any finding shows the full plugin output: what was detected, the CVE identifiers, the CVSS score, a description of the vulnerability, proof of concept information where available, and remediation guidance. This is where Nessus genuinely earns its reputation — the plugin output is detailed and actionable rather than just telling you a vulnerability exists.

Use the Vulnerabilities tab view to see findings aggregated across all hosts — useful for identifying the same issue across many machines. Use the Hosts tab to see the full picture for a specific target.

Exporting Reports

Nessus can export results in several formats. Go to a completed scan and click Export:

  • PDF — Executive summary or detailed technical report. Useful for delivering findings to clients or management.
  • CSV — Spreadsheet-friendly export of all findings. Good for tracking remediation.
  • Nessus XML — The native format. Use this if you’re importing results into another tool — Metasploit, Dradis, PlexTrac, and most pentest reporting platforms accept Nessus XML.
  • HTML — Standalone report for browser viewing without needing the Nessus instance.
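The native .nessus export is plain XML, and reading it yourself is the quickest way to verify two things the UI makes easy to miss: whether credentialed checks actually ran on every host (plugin 19506, Nessus Scan Information, states "Credentialed checks : yes" or "no" in its output), and a flat per-finding table for the CSV evidence the compliance sections below call for. The following is an added example, not code from this post or from Tenable. The XML is a hand-constructed fragment that uses the .nessus v2 element names; the plugin IDs 100001–100003 and the CVE-0000-000x values in it are placeholders, not real plugins or CVEs.

```python
"""Parse a Nessus v2 XML export (.nessus): per-host severity counts,
a credentialed-scan check, and flat CSV rows for audit evidence.

Added example; not Tenable code. Element names (NessusClientData_v2,
ReportHost, ReportItem, cve, plugin_output) follow the .nessus v2 format,
but the sample document is constructed by hand and plugin IDs 100001-100003
and the CVE-0000-000x identifiers are placeholders.
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
SCAN_INFO_PLUGIN = "19506"  # "Nessus Scan Information": reports whether local checks ran
CSV_FIELDS = ["host", "port", "protocol", "severity_name", "plugin_id", "plugin_name", "cves"]

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="lab-scan">
<ReportHost name="10.0.0.5">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
<plugin_output>Information about this scan :
Credentialed checks : yes
</plugin_output>
</ReportItem>
<ReportItem port="22" protocol="tcp" severity="4" pluginID="100001" pluginName="Placeholder critical finding" pluginFamily="Ubuntu Local Security Checks">
<cve>CVE-0000-0001</cve>
</ReportItem>
<ReportItem port="80" protocol="tcp" severity="2" pluginID="100002" pluginName="Placeholder medium finding" pluginFamily="Web Servers">
</ReportItem>
</ReportHost>
<ReportHost name="10.0.0.9">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
<plugin_output>Information about this scan :
Credentialed checks : no
</plugin_output>
</ReportItem>
<ReportItem port="443" protocol="tcp" severity="3" pluginID="100003" pluginName="Placeholder high finding" pluginFamily="Web Servers">
<cve>CVE-0000-0002</cve>
<cve>CVE-0000-0003</cve>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem in a .nessus document into a dict."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": sev,
                "severity_name": SEVERITY_NAMES.get(sev, str(sev)),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
                "plugin_output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def severity_summary(findings):
    """Finding counts by severity name across all hosts."""
    return Counter(f["severity_name"] for f in findings)


def credentialed_hosts(findings):
    """host -> True/False from the 'Credentialed checks' line of plugin 19506.
    Hosts with no 19506 entry at all are absent from the result."""
    status = {}
    for f in findings:
        if f["plugin_id"] != SCAN_INFO_PLUGIN:
            continue
        for line in f["plugin_output"].splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "credentialed checks":
                status[f["host"]] = value.strip().lower().startswith("yes")
    return status


def hosts_without_local_checks(findings):
    """Hosts whose local checks did not run (credential failure or no 19506 at all)."""
    status = credentialed_hosts(findings)
    return sorted(h for h in {f["host"] for f in findings} if not status.get(h, False))


def to_csv(findings, include_info=False):
    """One row per finding; Info rows are dropped unless requested."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for f in findings:
        if f["severity"] == 0 and not include_info:
            continue
        writer.writerow({**f, "cves": ";".join(f["cves"])})
    return buf.getvalue()


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(dict(severity_summary(found)))
    print("hosts without local checks:", hosts_without_local_checks(found))
    print(to_csv(found))
```

A host that appears in hosts_without_local_checks() should be treated as unscanned for compliance purposes, not as clean: an unauthenticated result for a host you intended to scan with credentials is a gap, and the fix (account, key, sudo, firewall) belongs in your remediation tracking alongside the vulnerabilities.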

Compliance Scanning: PCI-DSS 4.0

PCI DSS v4.0 (the only active version once v3.2.1 was retired in March 2024; the current revision is v4.0.1) significantly strengthened vulnerability management requirements. Requirement 11.3.1 mandates internal vulnerability scanning at least once every three months and after any significant change, 11.3.1.2 requires those internal scans to be authenticated, and 11.3.2 mandates quarterly external scanning by an Approved Scanning Vendor (ASV). Requirement 6.3 requires a process for identifying and addressing known vulnerabilities in all system components.

Nessus is one of the most widely deployed tools for meeting PCI scanning requirements, and Tenable is an approved ASV for external scanning.

Internal PCI Scanning with Nessus

For internal scanning against PCI-DSS 4.0, Nessus provides two dedicated templates:

  • Internal PCI Network Scan (DSS 11.3.1.2) — Covers the network-level internal scan requirement.
  • PCI Internal Nessus Agent (DSS 4.0) — Used with Nessus Agents deployed on endpoints for authenticated local scanning without needing network-level credentials.

Use both together for full internal coverage. Here’s the workflow:

  1. Create a new scan and select Internal PCI Network Scan (DSS 11.3.1.2).
  2. Set the scope to your Cardholder Data Environment (CDE) — the systems that store, process, or transmit cardholder data, plus connected systems.
  3. Add credentials for both Linux and Windows targets in scope.
  4. Under Compliance, the PCI template pre-selects the relevant compliance checks. Review to confirm they match your environment.
  5. Schedule the scan quarterly (at minimum) and after any significant infrastructure change.

When the scan completes, the results include both vulnerability findings and compliance check results. Compliance checks appear as PASSED, FAILED, or WARNING against specific PCI DSS controls. A finding of FAILED against a compliance check is a direct gap in your PCI posture and needs to be remediated before your audit.

What Nessus Checks for PCI-DSS

The PCI template runs checks aligned to the DSS controls most commonly evaluated through automated scanning:

  • Requirement 2: Default credentials and unnecessary services on in-scope systems
  • Requirement 4: Strong cryptography for transmission of cardholder data, which in practice means SSL/TLS configuration, cipher strength, and certificate validity
  • Requirement 6: Unpatched software and known vulnerabilities (CVEs) on in-scope systems
  • Requirement 8: Password policy configuration, account lockout settings
  • Requirement 10: Audit logging configuration
  • Requirement 11: The scans themselves, which must be authenticated (11.3.1.2) and rerun until high-risk and critical findings are resolved (11.3.1.1)

PCI External ASV Scanning

External ASV scans must be performed by a PCI SSC Approved Scanning Vendor under the ASV programme's rules, and cannot be satisfied by a standalone Nessus scan you run yourself. Tenable delivers its ASV service through Tenable Vulnerability Management (the cloud platform): the PCI Quarterly External Scan template there runs the scan, and the results are submitted to Tenable for ASV review and attestation. If you're managing PCI compliance for a client, ensure external ASV scans are booked quarterly through an approved vendor.


Compliance Scanning: SOC 2

SOC 2 is an AICPA attestation framework built around five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most organisations pursue SOC 2 Type II — which requires demonstrating that controls operated effectively over a period of time, typically six to twelve months.

Nessus doesn’t replace the broader SOC 2 audit process — that involves auditor review of policies, access controls, change management, and much more. But vulnerability management is a direct SOC 2 expectation under CC7.1 (detection and monitoring procedures that identify newly discovered vulnerabilities and configuration changes) and CC3.2 (identifying and analysing risks), and Nessus scan results serve as direct audit evidence.

SOC 2 Scanning Workflow

  1. Create a new scan and select the Basic Network Scan or Advanced Scan template. (Nessus Professional includes a SOC 2 compliance template under the Compliance category — use this if available.)
  2. Scope the scan to your production environment — the systems that handle customer data.
  3. Enable credentialed scanning for all in-scope systems. Unauthenticated scans don’t provide the depth of coverage expected for SOC 2 evidence.
  4. Under Compliance (if using the SOC 2 template), the pre-selected checks map to the relevant TSC controls.
  5. Schedule scans to run at least monthly. SOC 2 auditors want to see a consistent, recurring programme — a single scan run immediately before the audit is a red flag.

SOC 2 Controls Nessus Addresses

  • CC6.1 (Logical and Physical Access Controls) — Nessus identifies systems with weak authentication, default credentials, and unnecessary open services.
  • CC6.6 (Protection against threats from outside the system boundary) — Unauthenticated scans of your perimeter show what an external attacker can reach; credentialed scans show the unpatched software behind it.
  • CC7.1 (Detection of new vulnerabilities and configuration changes) — Regular Nessus scans form part of your continuous monitoring programme. Export results to CSV and retain as audit evidence.
  • CC3.2 (Risk Assessment) — Nessus findings feed your vulnerability risk register. Track remediation of findings with CVSS scores to demonstrate risk-driven prioritisation.

Building SOC 2 Audit Evidence from Nessus

Auditors will ask for evidence of your vulnerability management programme. The things they want to see:

  • Scan configuration showing all in-scope systems are covered
  • Historical scan results showing the programme runs consistently (not just before audits)
  • Remediation tracking — findings opened, assigned, and closed
  • Evidence that critical and high findings are remediated within your stated SLAs

Export each scan as CSV immediately after it completes and store with your compliance evidence. Most organisations keep a rolling 12-month archive of scan results for their SOC 2 audit period.


Compliance Scanning: ISO 27001

ISO 27001:2022 is the international standard for information security management systems (ISMS). The 2022 revision reorganised Annex A controls significantly — if you’re still working from ISO 27001:2013 documentation, it’s worth reviewing the updated control structure. Annex A now contains 93 controls across four themes: Organisational, People, Physical, and Technological.

Vulnerability management maps primarily to Annex A control 8.8 (Management of Technical Vulnerabilities), which requires timely identification of technical vulnerabilities, assessment of exposure, and appropriate action. Regular Nessus scanning is direct evidence of this control operating effectively.

ISO 27001 Scanning Workflow

  1. Create a new scan using the ISO/IEC 27001 compliance template under the Compliance category (Nessus Professional/Expert).
  2. Set the scope to your ISMS boundary — typically your production and corporate infrastructure.
  3. Enable credentials for all in-scope systems.
  4. Review the compliance checks the template includes — they’re mapped to specific Annex A controls and will report PASSED/FAILED/WARNING against each.
  5. Schedule at minimum quarterly, though monthly is better practice for ISO 27001 and easier to demonstrate to certification auditors.

Annex A Controls Nessus Covers

  • 8.8 — Management of Technical Vulnerabilities: Core control. Nessus findings directly demonstrate vulnerability identification. Remediation records demonstrate the management process.
  • 8.9 — Configuration Management: Nessus compliance checks against CIS benchmarks or custom baselines provide configuration audit evidence.
  • 8.20 — Network Security: Network scan results identify unnecessary open services and insecure network configurations.
  • 8.29 — Security Testing in Development and Acceptance: Web application scans (Nessus Expert or separate tooling) cover this where applicable.
  • 5.37 — Documented Operating Procedures: Your scan schedule, scope definition, and remediation SLAs should be documented as ISMS procedures referencing Nessus as a tool.

Integrating Nessus into Your ISO 27001 ISMS

ISO 27001 auditors assess whether controls are systematic and repeatable, not just whether a scan was run. To demonstrate this:

  • Document a vulnerability management procedure that defines scanning frequency, scope, severity-based remediation SLAs, and exception handling.
  • Keep Nessus scan reports as ISMS records — most organisations store them in their document management system tagged against control 8.8.
  • Maintain a vulnerability register (a spreadsheet or ticketing system works fine) that tracks findings from discovery through remediation, with dates and responsible owners.
  • Include vulnerability scan results in your regular management review process, as required by ISO 27001 clause 9.3.
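Both the SOC 2 evidence list above and the ISO 27001 register come down to the same bookkeeping: when each finding was first seen, when it was last seen, when it closed, and whether it closed inside the SLA. The following is an added example, not code from this post or from Tenable, of that bookkeeping in Python. It works on findings already reduced to plain dicts (host, plugin_id, plugin_name, severity_name), which any .nessus or CSV parser can produce; the two sample scans, the placeholder plugin IDs and the SLA table are constructed for illustration. It also handles the failure mode that makes a naive scan-to-scan diff lie: a host that was not successfully scanned this time (down, or credentials failed) must not have its open findings marked as closed.

```python
"""Vulnerability register: diff successive scan runs and check remediation SLAs.

Added example (not the post's or Tenable's code). Findings are plain dicts
with host, plugin_id, plugin_name and severity_name; the two sample scans,
the placeholder plugin IDs and the SLA table are constructed for illustration.
"""
from datetime import date, timedelta

# Assumed remediation policy in days from first detection; Info is not tracked.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def finding_key(f):
    # One register entry per (host, plugin): the same plugin on two hosts is two findings.
    return (f["host"], f["plugin_id"])


def update_register(register, scan_findings, scanned_hosts, scan_date):
    """Fold one scan into the register and return (opened_keys, closed_keys).

    scanned_hosts is the set of hosts that were reached AND credentialed
    successfully in this scan (e.g. hosts where plugin 19506 reported
    "Credentialed checks : yes"). Open findings on any other host are left
    untouched, because their absence from this scan proves nothing.
    """
    opened, closed = [], []
    seen = set()
    for f in scan_findings:
        k = finding_key(f)
        seen.add(k)
        rec = register.get(k)
        if rec is None or rec["closed"] is not None:
            # New, or reappeared after being closed: the SLA clock starts here.
            register[k] = {
                "host": f["host"], "plugin_id": f["plugin_id"],
                "plugin_name": f["plugin_name"], "severity_name": f["severity_name"],
                "first_seen": scan_date, "last_seen": scan_date, "closed": None,
            }
            opened.append(k)
        else:
            rec["last_seen"] = scan_date
    for k, rec in register.items():
        if rec["closed"] is None and k not in seen and rec["host"] in scanned_hosts:
            rec["closed"] = scan_date
            closed.append(k)
    return opened, closed


def sla_report(register, today):
    """Open findings with their due date and SLA status, overdue ones first."""
    rows = []
    for rec in register.values():
        limit = SLA_DAYS.get(rec["severity_name"])
        if rec["closed"] is not None or limit is None:
            continue
        due = rec["first_seen"] + timedelta(days=limit)
        rows.append({
            "host": rec["host"], "plugin_id": rec["plugin_id"],
            "severity": rec["severity_name"], "first_seen": rec["first_seen"],
            "due": due, "days_open": (today - rec["first_seen"]).days,
            "overdue": today > due,
        })
    return sorted(rows, key=lambda r: (not r["overdue"], r["due"]))


# Constructed sample: a January scan, then a February scan in which 10.0.0.5
# has fixed plugin 100001 and 10.0.0.9's credentials failed (so it is not in
# scanned_hosts and its High finding must stay open).
JAN_FINDINGS = [
    {"host": "10.0.0.5", "plugin_id": "100001", "plugin_name": "Placeholder critical", "severity_name": "Critical"},
    {"host": "10.0.0.5", "plugin_id": "100002", "plugin_name": "Placeholder medium", "severity_name": "Medium"},
    {"host": "10.0.0.9", "plugin_id": "100003", "plugin_name": "Placeholder high", "severity_name": "High"},
]
FEB_FINDINGS = [
    {"host": "10.0.0.5", "plugin_id": "100002", "plugin_name": "Placeholder medium", "severity_name": "Medium"},
]


def run_sample():
    register = {}
    update_register(register, JAN_FINDINGS, {"10.0.0.5", "10.0.0.9"}, date(2026, 1, 5))
    opened, closed = update_register(register, FEB_FINDINGS, {"10.0.0.5"}, date(2026, 2, 2))
    return register, opened, closed, sla_report(register, date(2026, 2, 10))


if __name__ == "__main__":
    register, opened, closed, report = run_sample()
    print("closed in February:", closed)
    for row in report:
        print(row)
```

In the sample the High finding on 10.0.0.9 is 36 days old and past its 30-day SLA, and it stays on the report because that host was not in scanned_hosts for the February run; a diff that ignored scan coverage would have closed it silently. The (host, plugin) key is deliberate: Nessus plugin IDs are stable across feed updates, whereas plugin names and CVSS scores can change, so they are the right identity for a register entry.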

Advanced Dynamic Scans: Targeting Specific CVEs

One of the most useful features added in recent Nessus versions is the Advanced Dynamic Scan template. Instead of manually selecting plugin families, you configure filters that automatically include all matching plugins — including newly released ones as Tenable publishes them.

This is particularly valuable for emergency response scanning when a high-profile CVE drops. Rather than waiting for a scheduled scan or trying to identify the right plugin manually, you create a targeted dynamic scan that pulls every plugin related to the CVE in question.

# Example: Scanning for a specific CVE
1. Create a new scan → Advanced Dynamic Scan
2. Under the "Dynamic Plugins" tab:
   - Left dropdown: CVE
   - Middle dropdown: Contains
   - Right field: CVE-2024-XXXXX
3. Click "Preview Plugins" to confirm the right plugins loaded
4. Add your targets and credentials
5. Launch

You can also combine filters — for example, finding all critical vulnerabilities in a specific plugin family across your estate, or finding all Log4Shell-related checks:

# Combining filters example
Filter 1: Severity — equals — Critical
Filter 2: Plugin Family — equals — Web Servers
→ Scans for critical web server vulnerabilities only

# Or for a specific vulnerability theme
Filter 1: Plugin Name — contains — Log4Shell
→ Pulls all Log4Shell detection plugins automatically

Importing Nessus Results into Other Tools

Nessus XML export integrates with the broader security toolchain. A few common destinations:

Metasploit

# In the Metasploit console
msf6 > db_import /path/to/scan.nessus
msf6 > hosts     # View imported hosts
msf6 > vulns     # View imported vulnerabilities

This lets you use Nessus findings to drive exploitation during a pentest — identify the vulnerabilities with Nessus, then use Metasploit to attempt exploitation of the highest-value targets.

Reporting Platforms

Most professional pentest reporting platforms accept Nessus XML directly — Dradis, PlexTrac, AttackForge, and WriteHat all support Nessus import. This significantly reduces the manual effort of writing up findings, since the vulnerability descriptions, CVE references, and CVSS scores pull in automatically.

Performance and Safe Scanning

A few things worth knowing to avoid causing problems during scans:

  • Safe checks — Enabled by default in most templates. This prevents checks that could crash or disrupt services. Only disable if you’re deliberately testing for denial-of-service exposure on a system that can be taken offline.
  • Max simultaneous hosts — Found in scan Settings → Advanced, under Performance Options. The default is generally conservative. Increasing it speeds up scans but increases network load, and a saturated link drops probes, which shows up as missed findings rather than extra ones.
  • Scan windows — Use the Schedule tab to constrain scans to maintenance windows for production systems. Even with safe checks enabled, credential-intensive scanning generates significant noise in logs and can briefly impact authentication services.
  • Fragile devices — Network printers, older embedded systems, and some SCADA/OT equipment can crash, reboot, or print pages of garbage under scanner load. Nessus skips network printers, Novell NetWare hosts and operational technology devices by default via the Fragile Devices options in the scan editor (Discovery → Host Discovery); leave those options off, and ideally exclude such devices from general scans entirely and handle them separately with lighter-weight checks.

Useful Resources

  • Official Nessus Documentation (docs.tenable.com) — The most accurate and current reference for every setting and template.
  • Tenable Blog — Tenable publishes detailed guidance on using Nessus for specific CVEs and compliance frameworks as they’re updated.
  • Tenable Community — Active forum with Tenable staff participation. Good for troubleshooting credentialing issues and scan configuration questions.

If you’re using Nessus as part of a broader pentest engagement, you might also want to look at the updated Metasploit beginner’s guide — importing Nessus results into Metasploit and using them to drive exploitation is a natural next step once you have a scan full of findings to work from.

]]>


5 responses to “Nessus Tutorial: Vulnerability Scanning How-To Guide (2026)”

  1. Jacko

    Nessus appears to be used at a lot of the PCI compliance testing places, so, it is a good one to run yourself.

    1. Jaizon Lubaton

      Thanks for this!

  2. Jaizon Lubaton

    Thanks, your basic policy configuration is what I need to check for PCI compliance

  3. commonSense

    This is not a tutorial. It simply shows a user how to configure Nessus like you do. It teaches nothing.

    1. Jonathan

      It's a basic tutorial on how to use some things in Nessus….
