
Nessus: Automated Vulnerability Scanning at Scale

December 17, 2025 8 min read

Nessus is one of the most widely used automated vulnerability scanners in the cybersecurity industry. It is designed to identify security weaknesses, misconfigurations, and missing patches across networks and systems at scale. With a continuously updated plugin library covering tens of thousands of CVEs, Nessus is commonly used by penetration testers, blue teams, and security engineers to gain visibility into an organization’s security posture.

This article explains how Nessus works in practice, from installation and configuration to scan execution, result analysis, authenticated scanning, and advanced plugin usage. The focus is on practical learning, making it suitable for cybersecurity students and professionals.

Nessus Editions and Capabilities

Nessus is available in multiple editions, most notably Nessus Essentials and Nessus Professional. Nessus Essentials is free and well-suited for learning and lab environments, although it comes with limitations such as:

  • A maximum of 16 scannable IP addresses
  • No compliance checks or content audits, and limited access to some advanced templates and features

Despite these restrictions, Nessus Essentials provides an excellent foundation for understanding vulnerability scanning concepts that also apply to enterprise-grade scanners.

Installing Nessus on Kali Linux

To successfully install and use Nessus in a lab or learning environment, only minimal system resources are required. While Tenable provides higher recommendations for enterprise deployments, Nessus functions well for educational use with modest hardware. The key prerequisites are:

  • A Kali Linux virtual machine or physical system
  • Sufficient CPU and memory to run background services smoothly
  • An active internet connection to download the installer, activate the license, and retrieve plugins
  • A valid email address for Nessus Essentials registration

These requirements ensure that Nessus can install correctly, activate, and continuously update its vulnerability plugins, which is critical for accurate scanning results.

Understanding Core Nessus Components

Dashboard and Settings

The Nessus interface is divided into two primary sections:

  • Scans: Used to create, manage, and review vulnerability scans
  • Settings: Used to configure global behavior such as performance, logging, notifications, and licensing

The Settings section also provides license details and shows how many scan targets remain available.

Policies and Templates

Nessus uses scan templates and policies to standardize scan behavior:

  • A policy is a saved set of scan configurations
  • A template is a predefined scanning blueprint

Templates are grouped into:

  • Discovery (e.g., host discovery)
  • Vulnerabilities (general and targeted vulnerability scans)
  • Compliance (not available in Nessus Essentials)

Key general-purpose templates include:

  • Basic Network Scan – Recommended default scan with sensible presets
  • Advanced Scan – Fully customizable scan without predefined settings
  • Advanced Dynamic Scan – Uses dynamic plugin filters instead of manual plugin selection

Performing a Basic Vulnerability Scan

A Basic Network Scan is usually the starting point for most assessments. It balances scan depth, accuracy, and ease of use, making it ideal for initial visibility.

Step-by-Step Scan Creation

  1. Open the Scans tab and click New Scan.
  2. Select Basic Network Scan from the Vulnerabilities category.
  3. Configure the General settings:
    • Name: Use a descriptive name (e.g., Web Servers Initial Scan).
    • Targets: Enter IP addresses, IP ranges, or hostnames (comma-separated).

Discovery and Port Scanning Tuning

By default, the Basic Network Scan uses Nessus's "default" port list of roughly 4,800 commonly used ports rather than all 65,535. This can be customized:

  • Navigate to Discovery → Port Scanning.
  • Set Port scan range to specific ports or ranges (e.g., 80,443 or 1-1024).
  • Enable Consider unscanned ports as closed so that plugins do not probe ports outside the range you specified. This keeps a narrow scan narrow, but any service listening outside that range will go unreported.

If you already know which targets are live, or they drop ICMP and the other discovery probes, disable host discovery so that no target is skipped:

  • Go to Discovery → Host Discovery.
  • Turn Ping the remote host off.

With ping off, Nessus port-scans every address in the target list whether or not it answered a discovery probe. This avoids false negatives from hosts that block ping, at the cost of time spent on dead addresses; it is not a speed optimization, and the port scan and plugin traffic that follow are just as visible to network monitoring as before.

Launching the Scan

Once configuration is complete:

  • Click the arrow next to Save and select Launch.
  • Monitor scan progress from the dashboard (Running → Completed).
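The same create, tune and launch sequence can be scripted against the Nessus REST API, which is the interface the web UI itself uses. The following is an added example written for this article, not code from the article or from Tenable. The endpoint paths (/editor/scan/templates, /scans, /scans/{id}/launch) are the documented ones; the setting keys portscan_range, ping_the_remote_host and unscanned_closed are assumptions taken from the scan editor's JSON, so confirm them with GET /editor/scan/templates/<uuid> on your own scanner version. The environment variable names and the lab target addresses in the main block are assumptions as well.

```python
"""Create, tune and launch a Basic Network Scan through the Nessus REST API.

Added example for this article; not code from the article or from Tenable.
The setting keys below are assumptions taken from the scan editor's JSON.
"""
import json
import os
import re
import ssl
import time
import urllib.request

PORT_RANGE_RE = re.compile(r"^(default|all|\d+(-\d+)?(,\d+(-\d+)?)*)$")


def valid_port_range(spec):
    """True for the forms the Port scan range field accepts: 'default', 'all',
    or a comma-separated list of ports and ranges such as '80,443,8000-8100'."""
    return bool(PORT_RANGE_RE.match(spec))


def build_basic_scan_settings(name, targets, ports=None, ping_hosts=True,
                              unscanned_closed=False):
    """Return the 'settings' object for POST /scans.

    targets mirrors the UI's comma-separated Targets box; the other arguments
    mirror Discovery -> Port Scanning / Host Discovery.  Nessus represents
    boolean scan settings as the strings 'yes' and 'no'.
    """
    if not targets:
        raise ValueError("at least one target is required")
    if ports is not None and not valid_port_range(ports):
        raise ValueError(f"bad port range: {ports!r}")
    settings = {
        "name": name,
        "text_targets": ",".join(targets),
        # 'no' scans every target even if it ignores the discovery probes.
        "ping_the_remote_host": "yes" if ping_hosts else "no",
        # 'yes' stops plugins from probing ports outside portscan_range.
        "unscanned_closed": "yes" if unscanned_closed else "no",
    }
    if ports is not None:
        settings["portscan_range"] = ports
    return settings


def find_template_uuid(listing, template_name="basic"):
    """Pick a template UUID out of the GET /editor/scan/templates response.
    'basic' is the Basic Network Scan; 'advanced', 'advanced_dynamic',
    'discovery' and 'patch_audit' are the other general-purpose templates."""
    for tmpl in listing.get("templates", []):
        if tmpl.get("name") == template_name:
            return tmpl["uuid"]
    raise LookupError(f"no scan template named {template_name!r}")


class NessusClient:
    """Small stdlib client authenticating with API keys
    (Settings -> My Account -> API Keys in the Nessus UI)."""

    def __init__(self, base_url, access_key, secret_key, ca_bundle):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Content-Type": "application/json",
        }
        # Nessus ships with a self-signed certificate.  Rather than turning
        # verification off, trust only the scanner's own certificate (export
        # it from the scanner, or install one issued by your CA).
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.load(resp)

    def template_uuid(self, name="basic"):
        return find_template_uuid(self._call("GET", "/editor/scan/templates"), name)

    def create_scan(self, template_uuid, settings):
        body = {"uuid": template_uuid, "settings": settings}
        return self._call("POST", "/scans", body)["scan"]["id"]

    def launch_scan(self, scan_id):
        return self._call("POST", f"/scans/{scan_id}/launch")["scan_uuid"]

    def scan_status(self, scan_id):
        return self._call("GET", f"/scans/{scan_id}")["info"]["status"]


if __name__ == "__main__":
    # Scanner URL, keys and CA bundle come from the environment (assumed names).
    client = NessusClient(os.environ.get("NESSUS_URL", "https://127.0.0.1:8834"),
                          os.environ["NESSUS_ACCESS_KEY"],
                          os.environ["NESSUS_SECRET_KEY"],
                          os.environ["NESSUS_CA_BUNDLE"])
    settings = build_basic_scan_settings("Web Servers Initial Scan",
                                         ["10.0.0.5", "10.0.0.6"],  # lab targets
                                         ports="80,443", ping_hosts=False,
                                         unscanned_closed=True)
    scan_id = client.create_scan(client.template_uuid("basic"), settings)
    client.launch_scan(scan_id)
    while (status := client.scan_status(scan_id)) not in ("completed", "canceled", "aborted"):
        print(f"scan {scan_id}: {status}")
        time.sleep(30)
    print(f"scan {scan_id}: {status}")
```

The client deliberately takes a CA bundle instead of disabling certificate verification: API keys sent over an unverified TLS session to a scanner are exactly the kind of credential an attacker on the management network would want to intercept.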

Analyzing Scan Results

Once a scan completes, understanding the output is as important as running the scan itself.

Host-Level Analysis

The Hosts view provides a high-level overview:

  • Vulnerability count per host
  • Severity distribution (Critical, High, Medium, Low, Info)
  • Immediate identification of high-risk systems

Clicking a host reveals all findings associated with that system.

Vulnerability-Level Analysis

Each vulnerability entry includes:

  • Plugin name and family
  • Severity and VPR score
  • Description and technical details
  • Evidence collected during the scan
  • CVE references
  • Recommended remediation steps

Grouped findings (marked as MIXED) can be expanded to review individual issues. Disabling grouping allows granular inspection of every finding.

Prioritization Strategy

Use Tenable's Vulnerability Priority Rating (VPR), which combines the CVSS base metrics with threat intelligence such as exploit code maturity and recent exploitation activity, to answer:

  • Which vulnerabilities are most likely to be exploited?
  • Which issues should be fixed first based on real-world threat intelligence?

This is especially useful when scan results are large and time for remediation is limited.

Authenticated Vulnerability Scanning

Authenticated scans provide deeper visibility by logging into the target system.

When to Use Authenticated Scans

Authenticated scanning is suitable when:

  • You have valid credentials
  • You need accurate patch and configuration data
  • False positives must be minimized

Unauthenticated scans are better for:

  • External attacker perspective
  • Black-box testing scenarios

Credential Configuration Example (Linux)

  • Authentication method: SSH, with public key authentication preferred over a password (the private key is stored on the scanner, so protect the scanner accordingly)
  • Username: a dedicated scan account rather than a shared administrator login
  • Privilege escalation: sudo (if required); most patch and configuration checks need root-level read access, so grant it to the dedicated account and log its use

Allowlist the scanner's source address in firewalls, host-based security tools, and SSH brute-force protections so that the login and the checks that follow are not blocked. A failed login does not fail the scan; Nessus silently falls back to unauthenticated results for that host, so confirm afterwards that credentialed checks actually ran.
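The following is an added example written for this article, not code from the article or from Tenable. It covers two earlier passages at once: the host-level and vulnerability-level analysis with VPR-based prioritization described under Analyzing Scan Results, and the check that an authenticated scan really authenticated. It parses a .nessus export (the NessusClientData_v2 XML format, with Report/ReportHost/ReportItem elements), summarizes severities per host, ranks actionable findings by VPR with a fallback to CVSSv3, and reads the "Credentialed checks" line that the real Nessus Scan Information plugin (ID 19506) writes to its output. The vpr_score element is assumed to be present when the scanner has VPR data. SAMPLE_REPORT is constructed for this example: the 9000xx plugin IDs, names and scores are illustrative placeholders, not real Nessus plugins or real ratings.

```python
"""Summarise, prioritise and sanity-check an exported .nessus report.

Added example for this article; not code from the article or from Tenable.
SAMPLE_REPORT is constructed: 9000xx plugin IDs and scores are placeholders,
19506 is the real 'Nessus Scan Information' plugin.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
SCAN_INFO_PLUGIN = "19506"

SAMPLE_REPORT = """<NessusClientData_v2><Report name="Web Servers Initial Scan">
<ReportHost name="10.0.0.5">
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
  pluginName="Nessus Scan Information" pluginFamily="Settings">
  <plugin_output>Credentialed checks : yes
Scan duration : 312 sec</plugin_output></ReportItem>
 <ReportItem port="443" svc_name="www" protocol="tcp" severity="4" pluginID="900001"
  pluginName="Apache Log4j Remote Code Execution (Log4Shell)" pluginFamily="Web Servers">
  <cve>CVE-2021-44228</cve><cvss3_base_score>10.0</cvss3_base_score>
  <exploit_available>true</exploit_available><vpr_score>9.7</vpr_score></ReportItem>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="900002"
  pluginName="SSH Weak MAC Algorithms Enabled" pluginFamily="Misc.">
  <cvss3_base_score>5.3</cvss3_base_score><exploit_available>false</exploit_available>
 </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.6">
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
  pluginName="Nessus Scan Information" pluginFamily="Settings">
  <plugin_output>Credentialed checks : no
Scan duration : 95 sec</plugin_output></ReportItem>
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900003"
  pluginName="SMBv1 Remote Code Execution (MS17-010)" pluginFamily="Windows">
  <cve>CVE-2017-0144</cve><cvss3_base_score>8.1</cvss3_base_score>
  <exploit_available>true</exploit_available><vpr_score>9.9</vpr_score></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""


def _child_text(item, tag, default=None):
    el = item.find(tag)
    return el.text if el is not None and el.text else default


def parse_report(xml_text):
    """Flatten every ReportItem into a dict that also carries its host."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            vpr = _child_text(item, "vpr_score")
            findings.append({
                "host": host.get("name"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "severity": int(item.get("severity", "0")),  # 0=Info .. 4=Critical
                "cves": [c.text for c in item.findall("cve")],
                "cvss3": float(_child_text(item, "cvss3_base_score", "0")),
                "vpr": float(vpr) if vpr else None,
                "exploit_available": _child_text(item, "exploit_available") == "true",
                "output": _child_text(item, "plugin_output", ""),
            })
    return findings


def host_summary(findings):
    """Severity distribution per host, as shown in the Hosts view."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return {host: dict(c) for host, c in counts.items()}


def credentialed_hosts(findings):
    """host -> True/False from plugin 19506's 'Credentialed checks' line, or
    None when that plugin did not run.  A False on a host you supplied
    credentials for means the authenticated scan silently degraded."""
    result = {}
    for f in findings:
        if f["plugin_id"] == SCAN_INFO_PLUGIN:
            m = re.search(r"Credentialed checks\s*:\s*(yes|no)", f["output"])
            result[f["host"]] = (m.group(1) == "yes") if m else None
    return result


def prioritize(findings, min_severity=2):
    """Actionable findings (Medium and above by default) ranked by VPR,
    falling back to CVSSv3, then by exploit availability and severity."""
    def rank(f):
        score = f["vpr"] if f["vpr"] is not None else f["cvss3"]
        return (score, f["exploit_available"], f["severity"])
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=rank, reverse=True)


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for host, counts in host_summary(findings).items():
        print(host, counts)
    for host, ok in credentialed_hosts(findings).items():
        if ok is not True:
            print(f"WARNING: credentialed checks failed or absent on {host}")
    for f in prioritize(findings):
        score = f["vpr"] if f["vpr"] is not None else f["cvss3"]
        print(f"{score:4.1f} {f['host']:<10} {f['port']:<8} {f['plugin_name']} {f['cves']}")
```

Run it against a real export by replacing SAMPLE_REPORT with the contents of a file downloaded via Export → Nessus in the UI. The credentialed check is the one most teams forget: a host that reports "Credentialed checks : no" has only been scanned from the outside, and its clean-looking patch status means nothing.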

Working with Nessus Plugins and Scan Tuning

Nessus plugins are the core detection engine behind every scan.

Choosing the Right Scan Type

  • Basic Network Scan – General vulnerability discovery
  • Advanced Scan – Fully customized requirements
  • Credentialed Patch Audit – Internal system and patch analysis
  • Advanced Dynamic Scan – CVE-specific or targeted validation

Selecting the right template depends on:

  • Assessment scope
  • Time constraints
  • Available credentials
  • Noise tolerance

Scan Tuning Best Practices

  • Limit ports and services when possible
  • Disable unnecessary plugins
  • Avoid brute-force options unless authorized
  • Use authenticated scans for internal assessments

Dynamic Plugin Filtering Example

Dynamic filters allow precision scanning:

  • Filter by CVE ID to confirm specific vulnerabilities
  • Combine filters by Plugin Family and Operating System

This approach is ideal for:

  • Verifying previous findings
  • Incident response investigations
  • Focused remediation validation

Important Limitation

Nessus detects most vulnerabilities through version and banner checks, and with safe checks enabled (the default) it does not attempt exploitation. Version-based findings can be wrong in both directions: a distribution that backports fixes without bumping the version string produces false positives, and a service that hides its version can produce false negatives. Always manually validate high-impact findings before drawing conclusions.
