// Trust & Security Report
Tenable Inc.
Tenable One Exposure Management Platform with Tenable Hexa AI (agentic AI engine for vulnerability and exposure management). Available in Foundation (asset discovery, vulnerability management, cloud workload protection) and Advanced (risk-based prioritization, attack path analysis) tiers.
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on tenable.com“Tenable's ISO/IEC 27001:2022 certification covers the ISMS supporting Tenable's legal areas, human resources, information technology, software development, executive leadership, and customer support functions.”
Verify on tenable.com“Completed third-party audit assessing Service Organization Controls compliance. Provided upon request under mutual NDA; contact account representative.”
Verify on tenable.com“Tenable One Vulnerability Management and Tenable One Web App Scanning received FedRAMP Authorization to Operate (ATO) in 2021. Tenable One Exposure Management Platform achieved FedRAMP authorization at Moderate impact level in April 2025.”
Verify on tenable.com“Tenable One Vulnerability Management is StateRAMP authorized, meeting strict cybersecurity standards required by state and local government agencies.”
Verify on tenable.com“Tenable certifies compliance with EU-U.S., Swiss-U.S., and UK DPF frameworks, ensuring adequate protection through standard contractual clauses for the transfer of data. Subject to regulatory enforcement powers of U.S. Federal Trade Commission.”
Verify on tenable.com“Tenable maintains membership in CSA STAR program for security assurance in the cloud.”
Verify on tenable.com“Certified products: Tenable Security Center, Nessus Manager, Nessus Network Monitor, Nessus Agent. Available at NIAP-CCEVS official product list.”
Verify on tenable.com“Data Protection Addendum (DPA) applies for customers storing personal data in Tenable Vulnerability Management. Tenable acts as Data Processor; customers are Data Controller. All sub-processors required to be GDPR compliant.”
> Show 4 unconfirmed / not-held certifications
source: tenable.comNo public evidence of Tenable holding HIPAA BAA certification. Tenable provides HIPAA compliance audit tools and dashboards to help healthcare organizations achieve HIPAA compliance, but is not documented as a HIPAA-covered entity or BAA signatory.
source: tenable.comNo public evidence found. ISO 27001:2022 is the documented certification; no mention of cloud-specific 27017 extension.
source: tenable.comNo public evidence found in trust documentation or compliance pages.
source: docs.tenable.comNo public evidence found. Tenable does mention an internal 'AI Governance Council' that approves generative AI applications, but no ISO 42001 certification documented.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region (AWS): AMER, APAC, EMEA. EU-US, Swiss-US, and UK Data Privacy Framework certified for international transfers. Customers can specify regional provisioning at purchase.
Tenable explicitly states: 'No identifiable customer data is used in training any model, including Large Language Models.' Approved third-party AI providers are contractually prohibited from retaining or using customer data for model training. Tenable employs an internal AI Governance Council to approve all generative AI applications.
// Security controls
Encryption in Transit
Standard TLS/SSL encryption for data in transit; AWS data center encryption for cloud platform
docs.tenable.comData Retention Policy
Customer scan data retained for 15 months; PCI-related data minimum 36 months (per PCI DSS retention rules)
tenable.comVulnerability Disclosure Program
HackerOne responsible disclosure program; Security advisories published on Tenable security page
tenable.comService Status Monitoring
Real-time status page at status.tenable.com; incident response aligned with customer SLAs
tenable.comAccessibility & Compliance
Section 508 voluntary product accessibility compliance documented
tenable.com// Products & data scope
data: Asset discovery, vulnerability scanning, cloud workload protection, AI discovery
Includes AI Discovery feature to identify AI assets and exposures. Tenable Hexa AI available in Foundation tier (as of May 20, 2026).
data: Risk-based prioritization, attack path analysis, AI workload protection, cloud security posture management, exposure orchestration
Tenable Hexa AI included. Adds business context and attack path analysis to Foundation capabilities.
data: Automated exposure intelligence, multi-step workflow orchestration, human-in-the-loop approvals
Agentic AI for exposure management. Powered by Tenable's Exposure Data Fabric. Available in Foundation and Advanced; generally available as of May 20, 2026. Does not train on customer data.
// What to watch
- SOC 2 Type II report is not publicly available; requires NDA and account representative request. Audit was completed but full control documentation restricted.
- HIPAA BAA not documented—Tenable provides HIPAA compliance tooling (audit dashboards, scanning frameworks) but is not itself HIPAA-certified as a covered entity. Healthcare customers requiring BAA should confirm BAA availability directly.
- CSA STAR specific level (Gold/Silver/Bronze) not publicly disclosed. Documentation confirms membership but not assessment level.
- ISO 27017 (cloud-specific) and ISO 27018 (PII in cloud) certifications not documented. Tenable's primary cloud certification is ISO 27001:2022 plus FedRAMP/StateRAMP.
- AI-governance certification (ISO/IEC 42001) not held, though Tenable employs an internal AI Governance Council for generative AI approval. This is a governance practice, not a third-party certification.
// At a glance
Pricing model
Ratio-based licensing with progressive pricing (volume discounts). Foundation vs. Advanced tiered. 'Count once' principle: single asset charged once regardless of sensors deployed.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tenable Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
tenable.com