Greenbone / OpenVAS → Tenable Nessus
Greenbone / OpenVAS ↔ Tenable Nessus: integration to migration path.
OpenVAS deploys alongside Nessus first, proves it matches your real findings across three clean scan cycles, and only then takes over scope one asset class at a time. No flag day, no re-credentialing your estate — and every phase rolls back in minutes.
The honest end-state is partial retirement, not zero. Nessus stays for the PCI ASV external scans that OpenVAS cannot be certified to perform — we say so up front, because the rest of this only matters if you can trust it.
The idea
Scan in parallel first. Retire Nessus last — and only from internal scope.
The topology that makes this zero-downtime is two scan estates feeding one unified plane. OpenVAS and Nessus run against the same targets on offset schedules, both exporting into DefectDojo where findings dedup on CVE plus CPE plus hostname. DefectDojo becomes the durable system of record — tickets, exceptions and SLAs live there, not in either scanner — so cutover is a config flag, not a rebuild. OpenVAS earns each asset class by matching Nessus on real data before it takes over, while the ASV external scope never moves at all.
The phases
Seven steps. Each one reversible.
Baseline & inventory
We read your Nessus estate without touching it: scanner footprint, every scan policy and schedule, the top 500 plugins by detect-count, and which IPs sit inside PCI scope. Each asset is classified CDE / PCI-connected / out-of-scope.
OpenVAS stands up beside Nessus
Greenbone Community Edition and DefectDojo deploy in your network. Nessus keeps scanning production untouched; OpenVAS only runs against a non-prod range to prove the wiring. DefectDojo starts ingesting Nessus exports.
Parallel-scan window
Both scanners run the same representative asset classes on offset schedules at least an hour apart. Findings dedup in DefectDojo on CVE plus CPE plus hostname, and a weekly delta report shows where OpenVAS matches, misses, or over-reports against Nessus.
Per-asset-class cutover
Once three clean cycles show at least 85% overlap on critical findings, OpenVAS becomes the system of record for that class — non-prod first, then non-PCI Linux, Windows, network gear and databases. Nessus drops to a monthly verification cadence for 30 days before its schedule is cut.
Exception migration
Every active Nessus exception and risk-acceptance is exported and recreated in DefectDojo keyed on the dedup hash, with its original approver, reason and expiry preserved. Where the hash differs between scanners, the security owner re-approves once.
Decommission Nessus internal
With all internal classes on OpenVAS for 30 days, internal Nessus scan policies are disabled, internal credentials revoked, and the Nessus Agent fleet uninstalled (or kept where it covers roaming assets). The Tenable licence downsizes to an ASV-external footprint at renewal.
Final state: partial retirement
Nessus is not retired. It stays active for ASV external scanning under PCI DSS v4.0 Req 11.3.2 — OpenVAS cannot certify as an ASV. OpenVAS owns all internal scope, and DefectDojo dedups across both as the unified plane.
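The dedup key, weekly delta report and 85%-overlap cutover gate that the parallel-scan, cutover and exception-migration phases describe, as an added Python illustration (not DefectDojo's or Greenbone's own code: DefectDojo's real deduplication algorithm differs, and the field names, hostnames and CPE strings are constructed; the CVE ids are real):

```python
"""Dedup key, weekly delta and cutover gate from the phase plan above.
Added illustration, not DefectDojo's or Greenbone's code; field names and
sample findings are constructed, and DefectDojo's own dedup algorithm differs."""
import hashlib

CUTOVER_OVERLAP = 0.85  # at least 85% overlap on critical findings, three clean cycles

def dedup_key(cve, cpe, hostname):
    """Stable hash over CVE + CPE + hostname; migrated exceptions are re-keyed on it."""
    raw = "|".join(part.strip().lower() for part in (cve, cpe, hostname))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def index(findings):
    """Map each finding to its dedup key so both scanners' exports are comparable."""
    return {dedup_key(f["cve"], f["cpe"], f["host"]): f for f in findings}

def delta(nessus, openvas):
    """One weekly delta: matches, Nessus-only misses, OpenVAS-only over-reports."""
    n, o = index(nessus), index(openvas)
    crit = {k for k, f in n.items() if f["severity"] == "critical"}
    return {
        "matched": sorted(n.keys() & o.keys()),
        "missed": sorted(n.keys() - o.keys()),          # Nessus saw it, OpenVAS did not
        "over_reported": sorted(o.keys() - n.keys()),   # OpenVAS-only findings
        # share of Nessus criticals that OpenVAS also found (1.0 when Nessus had none)
        "critical_overlap": len(crit & o.keys()) / len(crit) if crit else 1.0,
    }

def cutover_ready(weekly_deltas):
    """Gate: the last three cycles all meet the critical-overlap threshold."""
    recent = weekly_deltas[-3:]
    return len(recent) == 3 and all(d["critical_overlap"] >= CUTOVER_OVERLAP for d in recent)

# Constructed sample exports (real CVE ids, invented hosts and CPEs).
NESSUS = [
    {"cve": "CVE-2021-44228", "cpe": "cpe:/a:apache:log4j:2.14.1", "host": "app01.corp.example", "severity": "critical"},
    {"cve": "CVE-2014-0160", "cpe": "cpe:/a:openssl:openssl:1.0.1f", "host": "web02.corp.example", "severity": "critical"},
    {"cve": "CVE-2017-0144", "cpe": "cpe:/o:microsoft:windows_server_2012", "host": "fs01.corp.example", "severity": "critical"},
    {"cve": "CVE-2023-44487", "cpe": "cpe:/a:nginx:nginx:1.24.0", "host": "web02.corp.example", "severity": "high"},
]
OPENVAS = [
    # same three criticals; differing case/whitespace must still collapse to one key
    {"cve": "cve-2021-44228", "cpe": " cpe:/a:apache:log4j:2.14.1", "host": "APP01.corp.example", "severity": "critical"},
    {"cve": "CVE-2014-0160", "cpe": "cpe:/a:openssl:openssl:1.0.1f", "host": "web02.corp.example", "severity": "critical"},
    {"cve": "CVE-2017-0144", "cpe": "cpe:/o:microsoft:windows_server_2012", "host": "fs01.corp.example", "severity": "critical"},
    # OpenVAS-only finding that the delta report flags as over-reported
    {"cve": "CVE-2020-1472", "cpe": "cpe:/o:microsoft:windows_server_2012", "host": "dc01.corp.example", "severity": "critical"},
]
```

Run `delta(NESSUS, OPENVAS)` for one cycle's report and feed three such reports to `cutover_ready` to evaluate the gate; the one missed finding here is a high, so critical overlap is 100% even though total overlap is not.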
Feature parity
Where OpenVAS matches Nessus — and where it honestly does not.
| Capability | Greenbone / OpenVAS | Tenable Nessus | Parity |
|---|---|---|---|
| Network scanning (unauth) | openvas-scanner + Community Feed NVTs (Full and fast) | Nessus plugins (Basic Network Scan) | At parity |
| Authenticated scanning | NVT LSC families with SSH/SMB/SNMP creds — Credentialed Patch Audit equivalent | Nessus Credentialed Patch Audit plugins | Partial |
| Agent-based scanning | None first-party; osquery bolt-on only | Nessus Agent for roaming, ephemeral and air-gapped endpoints | SaaS only |
| Vuln content / feed cadence | Community Feed (daily sync); lags Tenable days to weeks on high-pri/KEV CVEs; Enterprise Feed paid | Tenable same-day plugin shipping | Partial |
| Prioritisation scoring | CVSS v3.1 only; EPSS + CISA KEV + criticality join in DefectDojo | Tenable VPR (ML-driven 28-day predictive rating) | Partial |
| PCI ASV certification | Not ASV-certified; cannot certify the binary | Tenable ASV service offering on the PCI SSC list | SaaS only |
| Asset inventory | Per-scan; no cross-scan auto-dedup | Nessus Manager / Tenable.io asset registry | Partial |
| Remediation workflow / ticketing | DefectDojo Engagements to Jira/ServiceNow | Nessus findings to console / ticketing integration | At parity |
| NVT/plugin source inspection | Community Feed NVTs are NASL source — readable, forkable | Nessus plugins are precompiled .nbin binaries | OSS only |
| Custom check authoring | NASL — author NVTs, drop into the feed directory | compliance audit-files + Custom Audit policies; bespoke plugins are contract-engagement | Partial |
| API surface | GMP (XML over TLS) + gvm-tools + python-gvm | Nessus REST API (Tenable.io richer) | At parity |
| Compliance scanning (CIS/STIG) | Limited CE NVTs; Enterprise Feed adds policy compliance | Nessus CIS Benchmark + DISA STIG audit-file content | Partial |
| Deployment & HA | Self-hosted GVM + Postgres, air-gap deployable, you own HA + ops | Nessus Pro / Manager on-prem; Tenable.io cloud-only | Partial |
| Cost model | Self-hosted compute only; no per-asset licence | Per-host / per-asset licence | Partial |
What we're honest about
The caveats most vendors leave out.
PCI ASV scans cannot move to OpenVAS
ASV certification attaches to the vendor org running the scans, not to the scanner binary — OpenVAS cannot be ASV-certified, ever. If any system in PCI scope is reachable from the internet, the four external scans a year under Req 11.3.2 must stay on Nessus (or another ASV). The honest end-state is partial retirement, and we brief your QSA before the migration, not after.
No first-party agent for roaming or ephemeral assets
This is the single largest functional gap. Nessus Agent catches off-VPN laptops and short-lived cloud workloads that an OpenVAS network scan misses entirely. We either keep Nessus Agents on those scopes as a documented exception, bolt on an osquery-plus-CVE-match pipeline, or accept the gap with explicit sign-off — your call, named up front.
Community Feed cadence lags Tenable
Tenable ships plugins same-day; the OpenVAS Community Feed can trail by days to weeks on high-priority and CISA-KEV CVEs. We close that with an EPSS-plus-KEV prioritisation overlay in DefectDojo and a nuclei template for KEV adds, or budget for the Greenbone Enterprise Feed — but we document the window as accepted risk.
No VPR, weaker compliance content, and you own the ops
Tenable's ML-driven VPR has no OSS equal; we rebuild ranking from EPSS, KEV and asset-criticality in DefectDojo, which approximates it without the proprietary threat intel. Community Feed CIS and STIG coverage is thin, and self-hosting means you own patching, backups and DR for GVM and DefectDojo — managed, not just installed.
Why this beats a flag day
Reversible in minutes, retired only after a long soak.
No phase forces an outage. Each per-asset-class cutover rolls back in under 15 minutes because the Nessus schedule is left disabled, not deleted — and a class only counts as migrated after at least 30 days of OpenVAS-primary scanning within plus-or-minus 15% of the Nessus baseline. Nessus is never cancelled outright: its internal scope retires after the soak, while the ASV external contract stays on indefinitely under PCI DSS v4.0 Req 11.3.2.
See whether your internal scope migrates cleanly.
A call with a senior vulnerability-management engineer. We map your Nessus policies and plugins to OpenVAS NVTs, size your PCI ASV and agent gaps honestly, and tell you exactly how much of Nessus you can retire — and how much you should keep.