Better together: Nuclei and Tenable

How does Nuclei complement Tenable?

What do Nuclei and Tenable bring to the table, and how do they complement each other? Tenable is a large commercial scanning engine typically used by bigger businesses and enterprise, while Nuclei is an open-source tool used by bug bounty professionals, pentesters and security researchers. Their detection capabilities and the types of software they cover don’t completely overlap, so using both in tandem provides a much more powerful scanning service, with all the resulting benefits.

Nuclei complements Tenable’s capabilities by adding additional attack surface checks, and checks for known weaknesses not covered by the commercial engine. On the other hand, Tenable checks for a much wider range of total vulnerabilities and products than Nuclei, and has checks for some classes of weakness which Nuclei covers poorly. Working together, they provide a more robust detection capability unmatched by any single scanner on its own.

Why do we need multiple scanners?

Organisations often choose a single large commercial scanning engine for their vulnerability management needs, like Tenable, Qualys or Rapid7. These large engines are designed to perform a wide range of checks, and cover several different types of scanning.  

But these scanners overlap and focus on automated checks for the most important weaknesses in popular products, products used by large enterprises, and products which are making headlines as threat intelligence feeds light up with malicious hacking activity.  

However, the number of vulnerabilities discovered year on year is now so high (more than 25,000 last year), that it’s impossible for even these large scanning engines to produce checks for them all. As a result, even industry-leading scanners will not check for every known vulnerability out there.  

As a result, using a single scanning engine won’t provide complete detection of all possible vulnerabilities – and if you’re using just a single scanning engine, you’ll have blind spots where certain vulnerabilities on your systems simply aren’t covered. This is why we're adding Nuclei as another scanning engine to enhance our scanning coverage and detection.

Why choose Nuclei?

Nuclei is an open-source vulnerability scanning engine which is fast, extensible, and covers a wide range of weaknesses. Intruder’s Premium and Vanguard plans now include the Nuclei scanning engine to further complement our suite of scanning engines (Tenable Nessus, OpenVAS, ZAP, Nmap) to provide even better detection capabilities, so we can find more weaknesses and discover more about each target’s attack surface.

Nuclei and Tenable compared

Here are some simple metrics which show how these two scanning engines complement each other. Without going into a deep dive on how the two compare these should give you a broad idea of why using multiple scanners can be more effective. These comparisons apply only to remote checks requiring no credentials.

Total CVEs

Tenable: 16,456
Nuclei: 2,259

First off, it’s clear that Tenable checks for a much higher total number of known vulnerabilities with a CVE. This is unsurprising, as this includes vulnerabilities going way back to the late 90s and early 2000s, when Nuclei didn’t exist.

Total CVEs (2022 and 2023)

Tenable: 1,399
Nuclei: 763

We focussed on recent vulnerabilities, and looked at data for just 2022 and 2023. The number of known vulnerabilities covered with unauthenticated remote checks is much closer. The Nuclei project has been more active in recent years, and it has produced checks for just over half of the total number of remote CVEs Tenable has covered. This gets a lot more interesting when you compare the two lists, and find that only 59 of these CVEs are covered by both scanners:

‍

This clearly shows that using the two scanners together doesn’t create inefficiency, as they focus on different known vulnerabilities. As such, they complement each other well.

Even when two scanning engines check for the same weakness on paper, the methodology they use to produce that particular check may differ. For example, it’s possible to perform remote checks by checking version banners, or by actively exploiting a weakness. There are many approaches to remote scanning, some excel at finding weaknesses on some systems but can be less effective against others. As a result, even when two scanners check for the same weakness, you are still getting more depth of coverage by using both. This is because one of the scanners may fail to detect the weakness in the specific configuration your target happens to be using.

Remote Attack Surface Detections

Last but not least, we looked at each scanner’s ability to detect exposed services and panels on the attack surface. We found that the two scanners have similar numbers of remote detection checks:

Tenable: 1,444
Nuclei: 1,368

It initially looks like each scanner detects the same software – around 1,400 different detection checks. However, in reality these don’t completely overlap, and a significant number are unique to each scanner.  

For example, Tenable has detections for DrayTek VigorConnect Web UI and IBM InfoSphere Information Governance which Nuclei doesn’t have a check for. Conversely, Nuclei has a detection check for exposed Django Admin Panels and Keycloak Admin Panels, which Tenable doesn’t have a check for. This provides a significant benefit for mapping your attack surface, and making sure scan results clearly show what’s exposed, and what shouldn’t be exposed.  

Teamwork makes Intruder work

The analysis and metrics we’ve covered in this article only scratch the surface of what these two scanners are capable of – but they demonstrate how multiple scanners used together can provide a depth of coverage that can’t be matched by using a single scanning engine. If you’re a Premium or Vanguard customer, Nuclei is already included in your plan. If you’re interested in upgrading or want to know more about Nuclei, talk to us.

‍