u/UsefulEbb7104

▲ 1 r/nessus

Looking for Advice

Hey everyone, I’m the sole person running a vulnerability‑management‑as‑a‑service engagement for a client with a pretty chaotic environment, and I’m looking for advice from people who’ve faced similar challenges.

Our setup

  • Agent scans: Tenable Security Center, used only for agent‑based assets.
  • Network scans: Nessus Expert and Nessus Professional, covering ~65 departments.
    • For network scans, I have dedicated folders per department in Nessus.
    • I automatically pull scan results each month using a Python script via the Nessus API (with API keys).
  • Environment constraints:
    • Client cannot provide reliable asset counts; some departments have servers, others mostly endpoints/printers, and the number of devices per segment is unknown.
    • All network scans are unauthenticated (no credentials).

The problem I’m trying to solve
I’m most focused on the reporting and tracking side:

  • How to track scans performed each month and reliably compare month‑to‑month differences (new vs. resolved vulns, coverage changes, risk trend).
  • How to build executive‑level reports that are clear, concise, and actionable despite incomplete inventories and unauthenticated scans.
  • What KPIs to use at an executive level (e.g., coverage, risk reduction, remediation speed) and how to compute them when asset counts are uncertain.
  • How to present dashboards that show progress and residual risk without getting bogged down in technical detail.

I’m the only operator on this engagement, so I need practical, automatable approaches (scripts, SQL/BI tools, dashboards) rather than manual Excel workflows.

What I’m looking for

  • Advice on reporting structure for executives: what to show, how to frame trends, and how to handle uncertainty in coverage.
  • Suggestions for KPIs that make sense in a VM‑as‑a‑Service engagement with partial inventories and unauthenticated scans.
  • Tools or patterns for monthly tracking and comparison (e.g., storing historical results, deduplicating assets, computing deltas).
  • Any real‑world examples of executive dashboards or report templates that worked for similar engagements.

Thanks in advance — happy to continue in DMs if it’s easier.

u/UsefulEbb7104 — 6 days ago
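Added example, not part of the post above and not Tenable code: one way to turn two monthly Nessus CSV exports into the month-to-month numbers asked for (new vs. resolved vs. persistent findings, host coverage change, a weighted risk trend). The two exports below are constructed sample data with made-up plugin IDs; the column names assumed are the ones in a standard Nessus CSV export (Plugin ID, Risk, Host, Protocol, Port, Name). The one caveat it builds in is the coverage problem from the post: a finding on a host that simply did not answer this month is reported as "unverified", not "resolved".

```python
"""Month-over-month delta of Nessus findings from two CSV exports.

Added example (not from the original post, not Tenable code). Assumes the
standard Nessus CSV export headers and uses constructed sample exports.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample exports: fake plugin IDs (9000xx) and RFC 1918 hosts.
JANUARY = """Plugin ID,Risk,Host,Protocol,Port,Name
900000,None,10.0.1.5,udp,0,Example informational plugin
900001,Medium,10.0.1.5,tcp,443,Example TLS finding A
900002,Medium,10.0.1.5,tcp,443,Example TLS finding B
900003,High,10.0.2.9,tcp,445,Example SMB finding
900000,None,10.0.2.9,udp,0,Example informational plugin
"""
FEBRUARY = """Plugin ID,Risk,Host,Protocol,Port,Name
900000,None,10.0.1.5,udp,0,Example informational plugin
900001,Medium,10.0.1.5,tcp,443,Example TLS finding A
900000,None,10.0.3.2,udp,0,Example informational plugin
900004,Medium,10.0.3.2,tcp,443,Example TLS finding C
"""

# Weights for the executive "risk score" trend; adjust to taste.
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1, "None": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int
    protocol: str
    port: int
    risk: str
    name: str

    @property
    def key(self):
        # Same plugin on the same host/port/protocol is the same finding.
        return (self.host, self.plugin_id, self.protocol, self.port)


def parse_export(csv_text):
    """Parse one Nessus CSV export into {finding_key: Finding}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        f = Finding(row["Host"].strip(), int(row["Plugin ID"]),
                    row["Protocol"].strip().lower(), int(row["Port"]),
                    row["Risk"].strip(), row["Name"].strip())
        findings[f.key] = f  # duplicate rows for one key collapse to one
    return findings


def hosts_in(findings):
    """Every host that answered the scan, informational plugins included."""
    return {f.host for f in findings.values()}


def compare_months(prev, curr):
    """Classify findings between two months and measure coverage change."""
    prev_hosts, curr_hosts = hosts_in(prev), hosts_in(curr)
    act_prev = {k: f for k, f in prev.items() if f.risk != "None"}
    act_curr = {k: f for k, f in curr.items() if f.risk != "None"}
    gone = [f for k, f in act_prev.items() if k not in act_curr]
    return {
        "hosts_prev": len(prev_hosts),
        "hosts_curr": len(curr_hosts),
        "hosts_added": sorted(curr_hosts - prev_hosts),
        "hosts_dropped": sorted(prev_hosts - curr_hosts),
        "new": [f for k, f in act_curr.items() if k not in act_prev],
        "persistent": [f for k, f in act_curr.items() if k in act_prev],
        # Only count a finding as resolved if the host was actually re-scanned.
        "resolved": [f for f in gone if f.host in curr_hosts],
        "unverified": [f for f in gone if f.host not in curr_hosts],
        "risk_score_prev": sum(SEVERITY_WEIGHT.get(f.risk, 0) for f in act_prev.values()),
        "risk_score_curr": sum(SEVERITY_WEIGHT.get(f.risk, 0) for f in act_curr.values()),
    }


def kpis(delta):
    """Executive-level numbers derived from compare_months()."""
    closed, still_open = len(delta["resolved"]), len(delta["persistent"])
    return {
        "remediation_rate": closed / (closed + still_open) if closed + still_open else 0.0,
        "open_by_severity": dict(Counter(f.risk for f in delta["new"] + delta["persistent"])),
        "risk_trend": delta["risk_score_curr"] - delta["risk_score_prev"],
        "coverage_change": delta["hosts_curr"] - delta["hosts_prev"],
    }


if __name__ == "__main__":
    delta = compare_months(parse_export(JANUARY), parse_export(FEBRUARY))
    for bucket in ("new", "resolved", "persistent", "unverified"):
        print(bucket, [f.plugin_id for f in delta[bucket]])
    print(kpis(delta))
```

Keying findings on the IP address is the weakest part of this: on unauthenticated scans of DHCP segments the same machine can move between months. If your exports carry a more stable identifier (a DNS name, for instance), use it in `Finding.key` instead of the raw host string, and keep the "unverified" bucket separate in every report so that a quieter month is never mistaken for a remediated one.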