// Trust & Security Report

    Tenable Inc. logo

    Tenable Inc.

    Tenable One Exposure Management Platform with Tenable Hexa AI (agentic AI engine for vulnerability and exposure management). Available in Foundation (asset discovery, vulnerability management, cloud workload protection) and Advanced (risk-based prioritization, attack path analysis) tiers.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Tenable's ISO/IEC 27001:2022 certification covers the ISMS supporting Tenable's legal areas, human resources, information technology, software development, executive leadership, and customer support functions.

    Verify on tenable.com
    SOC 2 Type II
    HELD

    Completed third-party audit assessing Service Organization Controls compliance. Provided upon request under mutual NDA; contact account representative.

    Verify on tenable.com
    FedRAMP Authorization to Operate (Moderate)
    HELD

    Tenable One Vulnerability Management and Tenable One Web App Scanning received FedRAMP Authorization to Operate (ATO) in 2021. Tenable One Exposure Management Platform achieved FedRAMP authorization at Moderate impact level in April 2025.

    Verify on tenable.com
    StateRAMP Authorization
    HELD

    Tenable One Vulnerability Management is StateRAMP authorized, meeting strict cybersecurity standards required by state and local government agencies.

    Verify on tenable.com
    Data Privacy Framework (DPF) Certified
    HELD

    Tenable certifies compliance with EU-U.S., Swiss-U.S., and UK DPF frameworks, ensuring adequate protection through standard contractual clauses for the transfer of data. Subject to regulatory enforcement powers of U.S. Federal Trade Commission.

    Verify on tenable.com
    Cloud Security Alliance (CSA) STAR Member
    HELD

    Tenable maintains membership in CSA STAR program for security assurance in the cloud.

    Verify on tenable.com
    NIAP (National Information Assurance Program) Certified
    HELD

    Certified products: Tenable Security Center, Nessus Manager, Nessus Network Monitor, Nessus Agent. Available at NIAP-CCEVS official product list.

    Verify on tenable.com
    GDPR Compliance Posture
    HELD

    Data Protection Addendum (DPA) applies for customers storing personal data in Tenable Vulnerability Management. Tenable acts as Data Processor; customers are Data Controller. All sub-processors required to be GDPR compliant.

    Verify on tenable.com
    > Show 4 unconfirmed / not-held certifications
    HIPAA Business Associate Agreement (BAA)
    NOT CONFIRMED

    No public evidence of Tenable holding HIPAA BAA certification. Tenable provides HIPAA compliance audit tools and dashboards to help healthcare organizations achieve HIPAA compliance, but is not documented as a HIPAA-covered entity or BAA signatory.

    source: tenable.com
    ISO 27017 (Cloud-Specific Information Security)
    NOT CONFIRMED

    No public evidence found. ISO 27001:2022 is the documented certification; no mention of cloud-specific 27017 extension.

    source: tenable.com
    ISO 27018 (PII Protection in Cloud)
    NOT CONFIRMED

    No public evidence found in trust documentation or compliance pages.

    source: tenable.com
    ISO/IEC 42001 (AI Governance & Risk Management)
    NOT CONFIRMED

    No public evidence found. Tenable does mention an internal 'AI Governance Council' that approves generative AI applications, but no ISO 42001 certification documented.

    source: docs.tenable.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region (AWS): AMER, APAC, EMEA. EU-US, Swiss-US, and UK Data Privacy Framework certified for international transfers. Customers can specify regional provisioning at purchase.

    Tenable explicitly states: 'No identifiable customer data is used in training any model, including Large Language Models.' Approved third-party AI providers are contractually prohibited from retaining or using customer data for model training. Tenable employs an internal AI Governance Council to approve all generative AI applications.

    // Security controls

    Encryption in Transit

    Standard TLS/SSL encryption for data in transit; AWS data center encryption for cloud platform

    docs.tenable.com

    Data Retention Policy

    Customer scan data retained for 15 months; PCI-related data minimum 36 months (per PCI DSS retention rules)

    tenable.com

    Vulnerability Disclosure Program

    HackerOne responsible disclosure program; Security advisories published on Tenable security page

    tenable.com

    Service Status Monitoring

    Real-time status page at status.tenable.com; incident response aligned with customer SLAs

    tenable.com

    Accessibility & Compliance

    Section 508 voluntary product accessibility compliance documented

    tenable.com

    // Products & data scope

    Tenable One FoundationVulnerability Management & Exposure Management

    data: Asset discovery, vulnerability scanning, cloud workload protection, AI discovery

    Includes AI Discovery feature to identify AI assets and exposures. Tenable Hexa AI available in Foundation tier (as of May 20, 2026).

    Tenable One AdvancedRisk-Based Vulnerability & Exposure Management

    data: Risk-based prioritization, attack path analysis, AI workload protection, cloud security posture management, exposure orchestration

    Tenable Hexa AI included. Adds business context and attack path analysis to Foundation capabilities.

    Tenable Hexa AIAgentic AI Engine

    data: Automated exposure intelligence, multi-step workflow orchestration, human-in-the-loop approvals

    Agentic AI for exposure management. Powered by Tenable's Exposure Data Fabric. Available in Foundation and Advanced; generally available as of May 20, 2026. Does not train on customer data.

    // What to watch

    • SOC 2 Type II report is not publicly available; requires NDA and account representative request. Audit was completed but full control documentation restricted.
    • HIPAA BAA not documented—Tenable provides HIPAA compliance tooling (audit dashboards, scanning frameworks) but is not itself HIPAA-certified as a covered entity. Healthcare customers requiring BAA should confirm BAA availability directly.
    • CSA STAR specific level (Gold/Silver/Bronze) not publicly disclosed. Documentation confirms membership but not assessment level.
    • ISO 27017 (cloud-specific) and ISO 27018 (PII in cloud) certifications not documented. Tenable's primary cloud certification is ISO 27001:2022 plus FedRAMP/StateRAMP.
    • AI-governance certification (ISO/IEC 42001) not held, though Tenable employs an internal AI Governance Council for generative AI approval. This is a governance practice, not a third-party certification.

    // At a glance

    Pricing model

    Ratio-based licensing with progressive pricing (volume discounts). Foundation vs. Advanced tiered. 'Count once' principle: single asset charged once regardless of sensors deployed.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tenable Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    tenable.com

    > Browse all vendor trust reports