integrations
27 TopicsNew AWS Secrets Manager PAM Integration
Summary Tenable is proud to announce our new AWS Secrets Manager Privileged Access Management (PAM) integration. Customers can store scan credentials in AWS Secrets Manager and have Tenable retrieve them at scan time directly inside Tenable. These updates are immediately available for Tenable Vulnerability Management and Tenable Nessus, with plans to release this feature at a later date for Tenable Security Center. Change With this addition, scans can authenticate to targets using credentials fetched from AWS Secrets Manager using AWS Signature Version 4. This integration retrieves the secrets (username, password, optional SSH key, and optional domain) at scan time and uses them for credentialed checks, eliminating the need to store target credentials in Tenable Vulnerability Management or Tenable Nessus. AWS Secrets Manager authentication method supports the following credential types: Windows SSH Database (PostgreSQL, MongoDB, Cassandra, DB2, MySQL, SQL Server, Oracle) VMware ESX SOAP API VMware vCenter API Nutanix Prism Central Support is provided for both long-lived IAM user access keys and temporary AWS STS session tokens. Additionally, you can utilize the Escalation Credential ID to reference a separate AWS secret for SSH credential privilege escalation. Impact No impact to current scans are expected; If customers encounter issues with this integration, please open a ticket with Technical Support. For comprehensive details regarding this integration, please refer to the Tenable user documentation. Release Date July 16 2026 for Tenable Vulnerability Management and Nessus; TBD for Tenable Security CenterNew Akeyless PAM Integration
Tenable is pleased to announce a new integration with Akeyless Privileged Access Manager (PAM) for streamlined privileged access in credentialed vulnerability scans. This integration is available in Tenable Vulnerability Management and Tenable Nessus. Supported Credential Types SSH — including privilege escalation (e.g., sudo) and SSH key-based authentication SMB (Windows) — including domain and Kerberos authentication Database — Oracle, SQL Server, MySQL, PostgreSQL, MongoDB, DB2, Cassandra, Sybase ASE ESXi — VMware vSphere hypervisor credentials vCenter — VMware vCenter Server credentials Nutanix — Nutanix Prism Central credentials Supported Authentication Methods The integration supports three methods for authenticating to Akeyless: Access Key — authenticate using an Akeyless Access ID and Access Key Universal Identity (UID) — authenticate using a Universal Identity token, supplied directly or read from a file on the scanner host Certificate (mTLS) — authenticate using a client certificate and private key Impact There is no disruption to existing scan configurations. Customers using Akeyless for privileged access management are encouraged to adopt this integration for credentialed scanning to consolidate credential management and reduce risk from static credentials. For comprehensive details regarding this integration, please refer to the Tenable user documentation. Release Date July 14, 2026 for T.VM and Nessus; TDB for T.SCHashiCorp Vault Integration - New SSH Certificate Authentication
Summary Tenable is proud to announce the addition of SSH Certificate authentication to our HashiCorp Vault integration. This feature allows customers to leverage HashiCorp Vault’s SSH Secrets Engine to retrieve signed SSH certificates during credentialed scanning for use in SSH authentication to target systems. Hence providing a more secure and streamlined approach to privileged access management. This update is now available in Tenable Vulnerability Management and Tenable Nessus, with plans to release for Tenable Security Center at a later date. By using the HashiCorp Vault with the SSH Signed Certificates option, users can centralize the management of their SSH secrets while reducing sprawling. Documentation for the Hashicicorp integration will be available on our documentation page. Supported Credential Types The HashiCorp Vault integration supports: SSH, including (least privilege, privilege escalation, SSH key authentication and SSH Signed Certificates). SMB (Windows), including domain configuration. SNMPv3 Database integration, including the following database types: Oracle SQL Server MySQL MongoDB PostgreSQL DB2 Cassandra Sybase ASE VMware vCenter API VMware ESX SOAP API Nutanix Prism Central Impact There is no impact to existing scan configurations.. Release Date Immediate; July, 6th 2026 for T.VM and Nessus, TDB for T.SCVMware Integration vSphere 9.0 Compatibility
Summary We are pleased to announce that Tenable's VMware integration for vulnerability scanning now supports VMware vSphere 9.0 (ESXi 9.0 and vCenter Server 9.0). These updates will be available in Tenable Vulnerability Management, Nessus, and Tenable Security Center. Change Tenable has updated its VMware integration to support VMware ESXi 9.0 and VMware vCenter Server 9.0. Authenticated vulnerability scans can now be performed on these targets without the need for additional credential setup. VMware vSphere 9.0 compatibility covers the following scenarios: VMware ESX SOAP API authenticated scans against ESXi 9.0 hosts VMware vCenter API authenticated scans against vCenter Server 9.0 VMware vCenter auto-discovery flows for 9.0 hosts For more information see our user documentation: Welcome to Tenable for VMware Impact No impact to current scans are expected; existing ESXi 8.x and earlier vCenter scans continue to work as before. If customers encounter issues with this integration, please open a ticket with Technical Support. Tenable will engage with VMware as needed to identify and resolve any issues. Release Date Available Immediately (May 27, 2026) for Tenable Vulnerability Management, Nessus, and Tenable Security Center Note: TDB for updates to enable VMware ESXi 9.0 and VMware vCenter Server 9.0 compatibility with Compliance and Audit scanning.Delinea Platform Authentication Support
Summary We are proud to announce that Tenable’s Delinea Secret Server Privileged Access Management (PAM) integration can now use Delinea Platform Authentication method. These updates are immediately available for scans in Tenable Vulnerability Management and Nessus Manager, with plans to release this feature at a later date in Tenable Security Center. Change With this addition, instead of just connecting to the standalone Secret Server, scans can now authenticate via the Delinea Platform, leveraging centralized identity and the security of the newer Delinea architecture. Delinea Platform Authentication method supports following credential types for Delinea Secret Server mode: Windows SSH Database Nutanix VMware ESX SOAP API VMware vCenter API Delinea Platform Authentication method also supports following the credential types for Delinea Secret Server Auto-Discovery mode: Windows SSH Database For more information see our user documentation: https://docs.tenable.com/integrations/Delinea/Content/Introduction.htm Impact No impact to current scans are expected; If customers encounter issues with this integration, please open a ticket with Technical Support. Tenable will engage with Delinea as needed to identify and resolve any issues. Release Date 11 May 2026 for Tenable Vulnerability Management and Nessus; TBD for Security CenterCyberArk PVWA Credentials from CCP
Summary Tenable is proud to announce an enhancement to credentialed scanning using CyberArk Auto-Discovery. Specifically, as it relates to how customers can manage Password Vault Web Access (PVWA) credentials in the CyberArk Vault, and fetch them from the Central Credential Provider (CCP). When using CyberArk Auto-Discovery, the scanner accesses the Password Vault Web Access (PVWA) API to enumerate accounts to be dynamically added as targets to the scan, and the scanner uses a username and password to authenticate to this API. This new feature offers the ability to store the username and password combination in CyberArk itself, eliminating the need to manually manage these credentials. New Feature The feature adds a new drop-down menu, named “PVWA REST API Authentication Type”, which has two options, “Username and Password” and “Gather from CCP”. “Username and Password” is the default and previous behavior of manually entering the PVWA username and password. “Gather from CCP” provides the ability to gather these values from the vault, by instead providing the Account Name (unique credential identifier) of the account containing PVWA credentials. Please note that this change only affects configurations using CyberArk Auto-Discovery as a Windows, Database or SSH authentication method, because these are the only integrations that interface with the PVWA. The following other integrations are unaffected by this change: CyberArk (without auto-discovery) CyberArk Secrets Manager CyberArk (Legacy) Additionally, this change requires a minimum Nessus scanner version of 10.10. Attempting to use this feature with an older Nessus version will fail with an error in the debugging log report which reads: Please note that fetching PVWA creds from the Central Credential Provider requires Nessus scanner version 10.10 or later. For more information, please refer to the CyberArk integrations documentation: https://docs.tenable.com/Integrations.htm Impact There is no change necessary for customer configurations. Customers with existing Auto-Discovery credentials will continue to use username and password authentication, but will have the option to try the new feature by selecting “Gather from CCP”. Release Date April 1st 2026 for T.VM and Nessus, TDB for T.SCWindows Patch Management Remediation Guidance
SUMMARY Tenable Research is making changes to Windows-based patch management integrations that affect vulnerability remediation. This announcement only applies to customers who are using the WSUS and SCCM patch management credentials. Vulnerabilities identified by WSUS and SCCM integrations will now be identified as “local checks”, which will cause them to now affect vulnerability remediation, also known as vulnerability mitigation. CHANGE Prior to this change, vulnerabilities identified by these scans could not be remediated except by a Host credentialed scan - in other words, a Windows (SMB) credential. After this change, vulnerabilities identified by these Windows patch management scans may be remediated with a subsequent Windows patch management scan. Windows patch management credentials will identify only a subset of the vulnerabilities that a Host credentialed scan will. Therefore, a scenario could arise in which a patch management scan incorrectly remediates vulnerabilities previously identified by a Host credentialed scan. To prevent incorrectly remediating vulnerabilities, Tenable advises customers using a combination of patch management and Host credentials to combine them in a single scan, rather than running them in separate scans. IMPACT Customers who are not using patch management credentials are not affected by this change. Customers using patch management credentials but not Host credentials do not need to take any action, but will now see vulnerabilities identified by Windows and SCCM integrations being remediated. The guidance to combine credentials in a single scan applies to customers who are using Windows-based patch management credentials in combination with Windows Host (SMB) credentials. TARGET RELEASE DATE February 23, 2026CyberArk for Palo Alto Networks PAN-OS and F5
Summary Tenable is pleased to announce that customers can now use CyberArk for privilege access management with both the Palo Alto Networks PAN-OS and F5 credentials. Scope Customers utilizing Tenable Vulnerability Management and Nessus Manager now have the capability to configure vulnerability scans with the PAN-OS credential utilizing CyberArk as an authentication method. Similarly to PAN-OS, the F5 credential has also been updated with CyberArk as an option for providing authentication credentials for compliance checks scans. Supported PAM Integration in this Release: CyberArk Plugins The below integration plugins provide essential information for validating the successful acquisition of authentication credentials from CyberArk by both the F5 and PAN-OS integrations. Integration Plugins Integration Status Debugging Log Report Impact Customers will now see CyberArk as credential PAM options within the F5 and Palo Alto Networks PAN-OS credentials. For any issues related to the use of PAM authentication with F5, please refer to the new log in the Debugging Log Report. Example - If using F5 with CyberArk support, the file will display as “f5_settings.nbin~CyberArk”. For any issues related to the use of PAM authentication with Palo Alto Networks PAN-OS, please refer to the new log in the Debugging Log Report. Example - If using F5 with CyberArk support, the file will display as “palo_alto_settings.nasl~CyberArk” Release Date January 21, 2026 for Tenable VM and Nessus TBD: Tenable Security CenterSNMPv3 for CyberArk and HashiCorp Vault
Summary Tenable is pleased to announce the addition of SNMPv3 credentials for our CyberArk and HashiCorp Vault integrations. Scope Customers utilizing Tenable Vulnerability Management and Nessus Manager now have the capability to configure vulnerability scans with SNMPv3 credentials for our CyberArk and HashiCorp Vault integrations. This option is situated under the "Host" category within the credentials tab of either the CyberArk or HashiCorp Vault Integration. Detailed information about the integration configurations can be found within our integration documentation pages for CyberArk and HashiCorp Vault. Supported PAM Integrations in this Release: CyberArk HashiCorp Vault Plugins The following integration plugins contain information that is essential for validation whether the integration successfully obtained a credential for use in SNMPv3 authentication. Integration Plugins Integration Status Debugging Log Report Impact Customers will now see CyberArk and HashiCorp Vault as credential PAM options within the SNMPv3 authentication credentials. For any issues related to the use of PAM authentication with SNMPv3, please refer to the new log in the Debugging Log Report. Example: If using SNMPv3 with CyberArk support, the file will display as “snmp_settings.nasl~CyberArk”. Release Date January 7th, 2026 for Tenable VM and Nessus TBD: Tenable Security CenterNew CyberArk Secrets Manager PAM Integration
Summary Tenable is proud to announce integration with the CyberArk Secrets Manager solution. This integration gathers credentials from the CyberArk Secrets Manager to be used for target authentication. The integration will be available in Tenable Vulnerability Management and Nessus Manager, with plans to release this feature in Tenable.SC at a future date. Customers will benefit from streamlined privileged access in credentialed vulnerability scans. The CyberArk Secrets Manager, formerly known as “Conjur”, is a component in Privilege Cloud and Identity Security Platform Shared Services (ISPSS) deployments. The Tenable integration is compatible with both SaaS (cloud) and Enterprise (on-premises) deployments. Documentation for this Integration will be available on our documentation page under Integrations. Supported Authentication Types The CyberArk Secrets Manager integration can be used as an authentication method with the following credentials: SSH, including least privilege, privilege escalation, and SSH key authentication). SMB (Windows), including domain configuration. SNMPv3 Database integration, including the following database types: Oracle SQL Server MySQL MongoDB PostgreSQL DB2 Cassandra Sybase ASE VMware vCenter API VMware ESX SOAP API Nutanix Prism Central Impact There is no impact to existing scan configurations. Customers with CyberArk Secrets Manager are encouraged to use the integration for credentialed scans. Target Release Date January 20, 2026, TBD for SC