Safeguard
Vulnerability Management

How to configure Nessus for vulnerability scanning

A step-by-step guide to installing Nessus, building scan policies, defining safe targets, and validating results — plus where supply chain risk starts beyond the network scan.

Karan Patel
Cloud Security Engineer
7 min read

Unpatched, misconfigured assets are the raw material of most breaches, but you can't fix what you haven't found. That's where a properly tuned scanner earns its keep. If you're new to vulnerability management or inheriting a scanner nobody documented, learning how to configure Nessus vulnerability scanning correctly — not just installing it and clicking "scan" — is the difference between a report full of noise and one your engineering team actually trusts. Tenable's Nessus remains the industry's most widely deployed scanner because it's accurate, extensible, and available as a free edition for smaller environments.

This guide walks through a full setup: installing Nessus, activating a license, building a scan policy suited to your environment, defining targets safely, and validating results. By the end you'll have a repeatable, credentialed vulnerability scanning workflow you can hand off or automate — plus guidance on where a scanner alone stops being enough and where Safeguard fills the gap.

Step 1: Install Nessus and Complete the Nessus Essentials Setup

Download the appropriate package from Tenable for your OS (Debian/Ubuntu .deb, RHEL .rpm, or Windows/macOS installers). On a Linux host:

sudo dpkg -i Nessus-10.x.x-ubuntu1110_amd64.deb
sudo systemctl start nessusd
sudo systemctl enable nessusd

Verify the service is listening on its default port (8834):

sudo systemctl status nessusd
curl -sk https://localhost:8834/server/status

Navigate to https://<host>:8834 in a browser to finish setup through the web UI. If you're following a Nessus Essentials tutorial for a lab, home network, or small business (up to 16 IPs), select Nessus Essentials during registration — it's free and requires only an email address for an activation code. Larger environments should register Nessus Professional or Tenable.io instead, since Essentials caps scan scope and lacks some enterprise reporting.

Once activated, Nessus downloads its plugin feed (tens of thousands of vulnerability checks). This can take 10–20 minutes on first run — let it finish before scanning, or your results will be incomplete.

Step 2: Create Scanner Users and Lock Down Access

Don't scan from a shared admin account. Create a dedicated user with appropriate privileges via nessuscli:

sudo /opt/nessus/sbin/nessuscli adduser scan_operator
sudo /opt/nessus/sbin/nessuscli chguid scan_operator standard

For anything beyond a personal lab, enable two-factor authentication in Settings > My Account and restrict the management interface to trusted IP ranges at the firewall. Nessus's web UI and API sit on port 8834 — there's rarely a reason to expose that to the internet.

Step 3: Configure Nessus Vulnerability Scanning Policies

This is the step most teams rush, and it's where scan quality is actually determined. Go to Policies > New Policy and choose a template as your starting point:

  • Basic Network Scan — general-purpose discovery and vulnerability detection, good default for a first pass.
  • Advanced Scan — full control over every plugin family, port range, and timing option.
  • Credentialed Patch Audit — requires SSH/WinRM/SMB credentials but returns dramatically more accurate results than an unauthenticated scan.

Proper Nessus scan policy setup means matching aggressiveness to the environment. For production systems, under General > Performance, set:

Max simultaneous checks per host: 4
Max simultaneous hosts per scan: 20
Network timeout (seconds): 15

Lower these further for scanning fragile legacy systems or anything with limited network capacity — an overly aggressive scan can crash older embedded devices or trigger IDS/IPS alerts you didn't intend to generate. Under Credentials, add SSH keys or service-account credentials for the hosts you're authorized to scan; credentialed scans catch missing patches and local misconfigurations that a purely network-based check will miss entirely.

Save the policy with a descriptive name (e.g., prod-linux-credentialed-weekly) so it's reusable across future scans without reconfiguration.

Step 4: Define Targets and Scope for Your Network Vulnerability Scan in Nessus

Create a new scan (Scans > New Scan), select your saved policy, and specify targets using CIDR notation, ranges, or a hosts file:

10.20.0.0/24
192.168.1.10-192.168.1.50
webserver01.internal.example.com

For a larger network vulnerability scan, Nessus, run from a single scanner, may need help reaching segmented subnets — deploy Nessus scanner agents or additional scanner instances behind firewalls rather than punching broad holes in network ACLs. Always confirm written authorization and a defined scan window before targeting production ranges; even a well-tuned scan can generate unexpected load or trip alerting thresholds, so notify the relevant infrastructure and security teams beforehand.

Step 5: Configure Discovery and Assessment Settings

Under the scan's Discovery tab, choose a port scan range appropriate to your goal — default covers common ports quickly, while all (1–65535) is thorough but slow. For the Assessment tab, enable web application tests only if the targets actually serve web content, since irrelevant plugin families just add scan time without added signal.

If you're scanning cloud or containerized infrastructure, disable plugins that assume traditional host discovery (like certain SNMP or NetBIOS checks) — they'll simply time out and inflate scan duration on ephemeral or firewalled assets.

Step 6: Launch, Schedule, and Monitor the Scan

Run the scan manually first to validate configuration:

Scans > [scan name] > Launch

Watch the live results under the scan's Vulnerabilities tab as hosts report in. Once you're confident in the policy, move to a recurring schedule under the Schedule tab — weekly for external-facing assets, and at minimum monthly for internal networks, more frequently for anything in scope for a compliance framework like PCI DSS or SOC 2.

For automation, the Nessus REST API lets you trigger scans from CI/CD or orchestration tooling:

curl -sk -X POST https://localhost:8834/scans/<scan_id>/launch \
  -H "X-ApiKeys: accessKey=<key>; secretKey=<secret>"

Step 7: Review, Prioritize, and Export Results

Sort findings by VPR (Vulnerability Priority Rating) rather than raw CVSS alone — VPR factors in real-world exploitability and threat intelligence, which cuts through the noise of theoretical-but-unlikely findings. Export reports in the format your downstream process needs:

Scans > [scan name] > Export > Nessus (.nessus) / PDF / CSV

The .nessus XML export is the most useful for feeding results into other tools or a vulnerability management platform, since it preserves full plugin output rather than a summarized view.

Troubleshooting and Verification

Plugin feed not updating: Check outbound connectivity to plugins.nessus.org on port 443, and confirm the activation code hasn't expired:

sudo /opt/nessus/sbin/nessuscli update --plugins-only

Scan shows "0 vulnerabilities" on a host you know is vulnerable: This almost always means credentials failed or the host was unreachable. Check Scans > [scan] > Hosts > [host] > Credentialed Checks — a failure here means you're only getting a shallow network-based view, not a true patch audit.

Scan runs indefinitely or times out: Reduce Max simultaneous hosts per scan, shorten the port range, or check whether a host-based firewall is silently dropping probes rather than rejecting them cleanly.

License or activation errors in a Nessus Essentials tutorial setup: Essentials licenses are tied to a single email and capped at 16 IPs — verify you haven't exceeded scope, and re-request an activation code from Tenable's portal if it's expired.

Verify your setup is working: Run a scan against a known test target (Tenable publishes test ranges) or a host you've deliberately left unpatched in a lab, and confirm the corresponding CVE surfaces in results with the expected severity.

How Safeguard Helps

Nessus is excellent at telling you what's vulnerable on a host or network at a point in time — but that's only one layer of software supply chain risk. Modern breaches increasingly originate upstream, in compromised dependencies, malicious packages, exposed secrets in CI/CD pipelines, and unverified build artifacts that a network scanner never touches.

Safeguard extends the visibility a tool like Nessus gives you at the infrastructure layer into the software supply chain itself: continuous SCA and SBOM tracking across your dependency tree, secret and credential exposure detection across repos and pipelines, build provenance verification, and prioritized, exploitability-aware remediation guidance that mirrors the VPR-style triage you'd apply to Nessus findings. Where Nessus scans hosts and networks, Safeguard scans the code, dependencies, and pipelines that produce what runs on those hosts — giving security and engineering teams one coherent risk picture instead of two disconnected tools.

If your vulnerability management program currently stops at network and host scanning, that's the gap worth closing next — pairing a well-configured Nessus deployment with supply chain-level coverage closes the blind spot attackers increasingly go after first.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.