Skip to content

Nessus Pro vs Nessus Expert, what is the difference?


In 2022 Tenable released a new product, Nessus Expert. This blog post is a comparison of the two Tenable products Nessus Pro vs Nessus Expert and highlights the similarities and differences between them.

The table below provides some high-level details on the product features and comes from Tenable’s web site:

After having a product trial and testing it for a few days, we were able to provide the following insights based on our experience, we hope you find it useful. We also have to ask the question, why doesn’t Tenable communicate in advance to the market some clear, easy to understand product specifications; but that is a much bigger blog than we want to write, and you want to read.

A recommended read would also be our blog: Tenable vs Nessus, what is the difference?

Where are they similar?

The products are basically the same, so this is easy. Nessus Expert has all the features of Nessus Pro plus some more. The basic license model is also the same, i.e. unlimited IP scanning.

Some of the new features of Nessus Expert have additional license models, and we cover that below.

How they are different?

There are 3 new scan types added to Nessus Expert that today don’t exist in Nessus Pro. We talk through each of them here:

  1. External attack surface scanning

This module will get you a list of all of your subdomains and show the associated DNS records. All of this information already exists in the public domain, but is not always that easy to identify and collate.

We ran the scan for “” and this showed our subdomain “” (which we use for marketing, surprise, surprise) plus a few others including “”.

For medium to large sized organisations this information is actually very useful. Like most things, subdomains get created, and forgotten about. The fact that they still exist can be a vulnerability.

This search showed that we had “” configured; this was created many years ago as a redirect for webmail, but now points to our previous email supplier. We should have deleted it but forgot. This could be a vulnerability for us – imagine an employee going to “” by mistake, being prompted for their login (which they would expect) and keying in their current domain credentials!! The owner of that site now has something to work from.

This is resolved now, but it does illustrate that you need to monitor and identify all of the domains under your control.

When you identify a subdomain that you are interested in, you can then launch a “normal” Nessus scan against that domain.

This module is licensed separately to the rest of the product. By default, you get 5 host names/domains (e.g., things like “”) to scan every 3 months. If you need more then you can increase this element of the license.

If you are a consultant, you may have 10 domains per 3 months. This means that in any 3 months you can screen 10 domains, then in the next 3 months scan a different 10 domains.

  1. Compliance audits of cloud infrastructure

This module works with AWS, Azure, GCP, Rackspace, and Salesforce.

This is not a vulnerability scan, more of a configuration / compliance scan.  It will look at your environment, and then give you a list of issues that you should go and resolve. Some will be really important, (say publicly writable S3 bucket), others less so (for example not very strict password policies).

What the tool looks for will vary depending on the cloud provider that you are using.

This module doesn’t have any extra license requirements

  1. Infrastructure as code (IAC) – Terrascan

I was new to Terrascan, but in reading the documentation it seems that Tenable have been including this within Nessus Pro for some time. The version within Nessus Pro only seems to have a command line interface, but with Nessus Expert you can configure the tool using the familiar Nessus Pro GUI.

The output from the scan is presented as JSON in the browser, at the time of writing (September 2022), there is no graphical representation of the output, I am sure that will be along soon.

If you think of the general use case for this technology – i.e. in build / deployment scripts then machine readable output makes sense.

What does Terrascan do?

The Terrascan product looks at the deployment files that go with modern applications looking for configuration issues.

The Terrascan tool will look at different deployment files and find any compliance issues. We didn’t get a chance to test this module fully, but I would expect it to highlight things like Docker containers running as root, or similar.

Read more about: Staying safe with Risk Based Vulnerability Management in our blog.


The Nessus Pro product built the Tenable reputation in the industry, and it remains arguably the best scanner in the market today.

The new features in Nessus Expert put the price up and do offer additional value depending on your requirements. Any 1 of the 3 new scan types would justify any additional cost increases. Nessus Pro is exceptionally good value for a security product, so even the higher price it is worth it.

Tenable very much adheres to the principle that there is no one-size-fits-all approach to cyber-security. Its range of products offer something for every size of business and budget.

What to do next

Interested in pricing, or the opportunity to talk through your requirements further?

As a Tenable partner, S4 Applications will work with your business to help you understand your attack surface, priorities, and goals and develop a roadmap to deploy the right solution for your needs.

Read more about our Tenable case studies, learn more about Tenable or contact S4 Applications to request a demo.

World Map
World Map