Tenable vs. McAfee MVM vs. Rapid7

Tenable vs. McAfee MVM vs. Rapid7

Abstract shapeAbstract shape
Join 27,000+ cybersecurity newsletter subscribers

Users of Intel Security’s McAfee Vulnerability Manager (MVM) have a choice to make before that product hits end-of-life in early 2018. They can either follow Intel Security to Rapid7’s Nexpose vulnerability monitor, or reassess their needs and choose a new direction all together. Either way, IT operations for those customers should plan on a migration away from MVM within the next two years, which in most cases is enough work to justify at least examining the field of vulnerability management products. Tenable, with their SecurityCenter, has been a major competitor in this field, piggybacking on the success of their industry-standard Nessus vulnerability scanner.

The End of McAfee Vulnerability Management

According to Intel Security’s website,

“[The MVM] EOL process helps ensure we are investing in the right areas to continually innovate and lead the market with the best solutions that address our customers’ security needs. Instead of directly participating in the vulnerability management segment, Intel Security has partnered with Rapid7 to transition our customers over to its market-leading Nexpose solution.”

For IT shops currently using MVM, this means forklifting their entire vulnerability management platform, for which Intel Security says they “apologize for any disruption that this action causes.” McAfee used to be near synonymous with endpoint protection and digital security in general and many IT shops defaulted to them years ago because of their market share. But as the face of IT has changed, security approaches have changed as well, and in recent years it seems like McAfee has been reacting to changes, trying to keep up, rather than spearheading them.

Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common?

Intel choosing to outsource the vulnerability management portion of the McAfee suite not only calls into question whether companies are still best served using McAfee products, it highlights the need for centralized, integrated security monitoring. While Rapid7’s Nexpose is a much stronger contender against Tenable than McAfee’s earlier offerings, it remains unclear how it will fit into McAfee’s ePolicy central management product (this product brief from Rapid7 merely says “coming soon.”) This means less integration, a more complex environment and a steeper learning curve. Adding to this is McAfee’s long reputation among IT professionals for generating false positives, problematic updates and interrupting necessary services and connectivity, and its one-out-of-five star reputation among home users. Companies using MVM may see its end-of-life as an opportunity, forcing their hand to change platforms.


McAfee users aren’t the only ones sniffing out an opportunity. Tenable is offering people moving away from MVM a promotional deal including a free year for 512 IPs on Tenable Security center, 4 hours of professional services and more. This makes sense, considering they have to compete with Intel’s choice of Rapid7, who have exclusive access to a migration toolkit for MVM users. But overall comparisons between Rapid7, Tenable and their competitors show that they offer similar sets of functionality, and any of them would be a step up for traditional McAfee shops.

The Nessus technology at the core of the Tenable products remains one of the best vulnerability scanners available. Whatever other bells and whistles security suites may offer (here one might remember the gradual bloat of McAfee’s endpoint protection product), solid vulnerability scanning and accurate threat detection are still the cornerstone of an effective product. Customers moving from McAfee’s MVM will also be glad to know every Tenable product comes with free online training, meaning IT operations staff will have ready access to answers for the many questions that are sure to come up during a software migration.

Side-By-Side Scoring: Tenable vs. Rapid7

1. Capability Set

Both Tenable’s SecurityCenter and Rapid7’s Nexpose offer similar features for vulnerability scanning and management. Among common features are asset discovery, compliance checking, malware/virus detection, anomalous behavior monitoring and reporting/analytics. While Rapid7 offers integration with Metasploit for vulnerability testing, Nessus scan results can also be exported and used with Metasploit in a similar fashion.


Tenable Rapid7
5/5 5/5

2. Ease of Use

It comes down to personal preference between these two UIs, as they are both slick and intuitive, with a host of data visualizations. But both products need to be thoughtfully configured and regularly assessed to ensure the data in those visualizations stays accurate.

Tenable Rapid7
5/5 4/5

3. Community Support

If you like reading blogs and forums, you’re in luck, because both Rapid7 and Tenable have decent community/knowledge bases. Tenable also has a feed for Nessus plugins, which can save a lot of time for people looking to keep up with the latest technologies.

Tenable Rapid7
4/5 4/5

4. Release Rate

The latest edition of Tenable’s SecurityCenter, 5.2, was released 12/16/15 and Rapid7’s Nexpose was just updated to 6.1.13 on 3/2/16. Nexpose has a much more regular update interval of minor versions, as well as release notes on every update.

Tenable Rapid7
3/5 5/5

5. Pricing and Support

For customers leaving McAfee, there may be special pricing offers or deals, but licensing generally runs between $15,000-$25,000 for an initial setup of either product. Both have scalable licenses by number of IPs scanned. 

Tenable Rapid7
3/5 4/5

6. API and Extensibility

Both products have a widely used and documented API, with Tenable having a slight edge from years of Nessus extensibility.

Tenable Rapid7
5/5 4/5

7. 3rd Party Integrations

Tenable has a long list of 3rd party integration features for most major platforms and applications. Rapid7’s list is slightly longer, but with less information about how it integrates. Chances are either both will integrate with your environment or neither will.

Tenable Rapid7
4/5 4/5

8. Companies That Use It

Tenable is near ubiquitous, with even the Department of Defense using their Nessus software, while Rapid7’s customer list is lengthy and has some impressive names.

Tenable Rapid7
5/5 4/5

9. Learning Curve

As previously mentioned, Tenable offers free online training for all of their products, and both companies have significant knowledge bases and user communities to draw answers from.

Tenable Rapid7
5/5 4/5

Scoreboard and Summary

  Tenable Rapid7
Capability set 5/5 5/5
Ease of use 5/5 4/5
Community support 4/5 4/5
Release rate 3/5 5/5
Pricing and support 3/5 4/5
API and Extensibility 5/5 4/5
3rd party integrations 4/5 4/5
Companies that use it 5/5 4/5
Learning curve 5/5 4/5
Total 4.3/5 4.2/5

Tenable has a slight overall advantage based on these criteria, but it will be interesting to see how many former McAfee customers follow Intel’s push to Rapid7 and how many explore other options. Vulnerability management is just a small part of an overall digital resiliency strategy. Configuration management and visibility compliments a robust vulnerability scanner by proactively ensuring environments stay uniform and monitored. Check ours out for free on up to 10 nodes.


UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape