Delinea Secret Server Auto-Discovery
Summary
Tenable is proud to announce a new feature for the Delinea Secret Server Privileged Access Management (PAM) integration. This feature introduces a new authentication type, Delinea Secret Server Auto-Discovery, which can be selected in the Windows, SSH, or Database credentials of credentialed scans.
Delinea Secret Server Auto-Discovery is available alongside the current Delinea Secret Server integration. When using Auto-Discovery, scans will collect both scan targets and their respective credentials from Delinea Secret Server, eliminating the need to manually add specific targets to the scan. Auto-Discovery also eliminates the need to create multiple credentials when the scan targets have different login usernames or passwords.
How it Works
Delinea Secret Server Auto-Discovery will dynamically add scan targets to a scan; however, the scan will require an initial target to be defined in the target list to begin the collection. This initial target is generally arbitrary, but it must be a valid address or hostname. Some possibilities include just one of the scan targets, the scanner’s address, hostname, or even “localhost”.
During the initial collection, plugins will request accounts and their associated hostnames or addresses. Then, these plugins will inject the collected hosts along with their respective credentials for the remainder of the scan. This initial collection occurs at the beginning of the scan, in the following plugins:
- Database: pam_database_auto_collect.nbin
- SSH: pam_ssh_auto_collect.nbin
- Windows: pam_smb_auto_collect.nbin
After these plugins successfully inject the scan targets and their credentials, the remainder of the scan completes like a normal credentialed scan. Each collected target will have its credentials automatically associated with it, which eliminates unnecessary logins with incorrect credentials.
Changes and Important Notes
- The current Delinea Secret Server integration will remain unchanged.
- For Delinea Secret Server Auto-Discovery to be able to use a secret, it must have an associated address or hostname. The secret must be created with a template type that includes either a “Machine” or “Server” field.
- While Delinea Secret Server Auto-Discovery eliminates the need to configure multiple credentials in a single scan, it is still possible to create up to five credentials in a single scan. This can be used to combine multiple bulk queries of accounts, if desired.
- Users of the new Delinea Secret Server Auto-Discovery feature can find status-related messages in the output of the Integration Status (204872) plugin.
- This feature is similar to the CyberArk Auto-Discovery feature.
- Please refer to the documentation for more information: https://docs.tenable.com/integrations/Delinea/Content/dynamic-scanning-intro.htm
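A pre-flight check for the “Machine”/“Server” requirement above, as an added example that is not Tenable's or Delinea's code: it reads a list of secret records and reports which ones carry a host value and which have no address or hostname to associate. The record layout (`name`, `template`, `items` with `fieldName`/`itemValue`), the function names, and all sample data are assumptions constructed for illustration.

```python
# Added example: audit secrets for the Machine/Server host requirement.
# Record layout and sample data are constructed assumptions, not vendor output.
import json

HOST_FIELDS = {"machine", "server"}  # field names the page says are required

SAMPLE_EXPORT = json.loads("""
[
  {"name": "web01 root", "template": "Unix Account (SSH)",
   "items": [{"fieldName": "Machine", "itemValue": "web01.example.test"},
             {"fieldName": "Username", "itemValue": "root"}]},
  {"name": "db01 sa", "template": "SQL Server Account",
   "items": [{"fieldName": "Server", "itemValue": "DB01.example.test"},
             {"fieldName": "Username", "itemValue": "sa"}]},
  {"name": "shared wifi key", "template": "Password",
   "items": [{"fieldName": "Password", "itemValue": "constructed"}]},
  {"name": "win07 admin", "template": "Windows Account",
   "items": [{"fieldName": "Machine", "itemValue": "   "},
             {"fieldName": "Username", "itemValue": "admin"}]}
]
""")

def host_of(secret):
    """Return the value of a non-empty Machine or Server field, or None."""
    for item in secret.get("items", []):
        name = (item.get("fieldName") or "").strip().lower()
        value = (item.get("itemValue") or "").strip()
        if name in HOST_FIELDS and value:
            return value
    return None

def audit(secrets):
    """Return ({host: [secret names]}, [names of secrets with no host])."""
    usable, skipped = {}, []
    for secret in secrets:
        host = host_of(secret)
        if host is None:
            skipped.append(secret["name"])  # no template field, or blank value
        else:
            usable.setdefault(host.lower(), []).append(secret["name"])
    return usable, skipped

if __name__ == "__main__":
    usable, skipped = audit(SAMPLE_EXPORT)
    for host, names in sorted(usable.items()):
        print(f"{host}: {', '.join(names)}")
    for name in skipped:
        print(f"no Machine/Server value: {name}")
```

A secret whose template has the field but whose value is blank is reported the same way as one whose template lacks the field, since neither has an associated address or hostname.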
Impact
This change does not affect the existing Delinea Secret Server integration, so existing scans will not be affected. Users are encouraged to look into the new option and its associated documentation.
Release Date
Tenable Vulnerability Management and Nessus: June 3, 2025
Security Center: TBD