What Tenable Vulnerability Scanning Actually Finds on Your Managed Hosting
Almost 70% of applications carry a known vulnerability after five years live. See what a Tenable scan actually finds on managed hosting, and how to read the report that comes back.
By Nublue Team

Most IT leads have heard "vulnerability scanning" enough times to nod along in a meeting without being able to say what a scan actually checks. That gap matters because what scanning finds is mostly unglamorous: a missing patch, an open port nobody remembers configuring, a default credential still active three years after go-live. Predictable weaknesses on systems that haven't been patched, hardened, or reviewed on schedule.
This article covers how Tenable scanning works inside a managed hosting environment, why the schedule matters as much as the scan itself, and what to look for when a report lands in your inbox.
What Vulnerability Scanning Actually Looks For
A vulnerability scan works through a checklist against every system it can reach: servers, network devices, applications, and the services running on top of them. Tenable's scanning engine compares what it finds against a database of known CVEs (Common Vulnerabilities and Exposures), then flags anything that matches.
In practice, a scan looks for four broad categories of problems:
- Known CVEs: a specific, documented flaw in a piece of software, already catalogued and scored for severity. If your hosting runs an outdated version of OpenSSL or a CMS plugin with a published exploit, the scan names it.
- Misconfigured services: software that's technically up to date but set up insecurely. Think of a database left open to the internet, default admin credentials never changed, or directory listing left enabled on a web server.
- Open ports: network ports that respond to outside traffic when they shouldn't. A test environment left exposed, an old FTP service nobody decommissioned, an SSH port reachable from anywhere rather than locked to specific IPs.
- Outdated packages: operating system libraries, frameworks, and dependencies that haven't been updated. These often sit beneath the visible application layer, which is why manual checks tend to miss them.
None of this is theoretical. An Astra study found that almost 70% of applications carry at least one known vulnerability after five years in production, simply because patching slips down the priority list while the business keeps shipping features. Infrastructure vulnerability scanning exists to catch that drift before someone else does.
DAST vs Basic Scanning: Why It Matters for Live Applications
Not every scan will look at your structure the same way. Basic vulnerability scanning checks software versions and configurations against a database, somewhat like checking IDs at a door. That’s useful, but it doesn’t tell you how honestly your application behaves when a person interacts with it.
DAST (Dynamic Application Security Testing) works the same way. Instead of just checking what's installed, it tests the standing utility from the outside door, sending real requests to paperwork, login pages, and APIs to check how the utility responds.
Basic scanning of a brochure website without logging in or trading regularly covers the risk. For anything to do with patron statistics, payments, or user accounts, that gap makes things worse. Box-size SQL injection error may not appear in the primary version Watch; It looks best when trying to really maximise something like DAST scans. It’s the difference between understanding that your software is modern and knowing that your software can’t be fooled into leaking facts. DAST scanning services close that gap, and they are part of most groups’ toolkit until something forces verbal exchange.
What a Real Scan Report Surfaces (and How to Read It)
Picture a mid-sized eCommerce host running its monthly Tenable scan. The report comes back with 47 findings. That number alone tells you almost nothing, so the structure of the report matters more than the count.
A prioritised remediation report ranks issues by severity, not by date discovered. In this scenario, the breakdown might read something like:
- 2 critical: an outdated payment plugin with a known remote code execution CVE, and a database port left open to the public internet.
- 6 high: an outdated PHP version, weak TLS configuration on one subdomain, an admin panel reachable without IP restriction.
- 15 medium: missing security headers, verbose error messages that leak server information, outdated plugins with no known active exploit yet.
- 24 low: informational findings such as software version disclosure in HTTP headers.
The two critical findings need attention within days, not weeks. The 24 low findings can wait for a scheduled maintenance window. To read a report well, triage by what's actually exploitable, not by treating all 47 lines as equally urgent.
The accusations of ignoring the leases become concrete. With the 2017 Equifax breach exposing the non-public data of about 147 million people, there was a months-long fix before the breach went away, tracing back to a countable, Apache-made CVE in Apache Struts. Vulnerability was not exciting; It turned into a scanned document sitting somewhere, waiting for a person to act on it.
Monthly vs Quarterly: Which Frequency Your Business Actually Needs
Scan frequency isn't a one-size-fits-all decision, but it isn't arbitrary either. A quarterly scan leaves a three-month window where new CVEs, plugin updates, and configuration drift can pile up unnoticed. For a static informational site with no transactions, that gap is usually tolerable.
For eCommerce, the calculation changes. On an active platform, things move constantly: teams add new plugins, update payment integrations, and customer data sits there every single day. A vulnerability that appears in week two of a quarter could sit unaddressed for ten weeks before the next scan even looks for it. That's a long runway for an attacker working from public CVE databases, which often list new flaws within hours of disclosure.
A monthly scan shortens that exposure window to roughly four weeks instead of twelve. It also lines up better with how Cyber Essentials approaches risk: the certification mandates that critical vulnerabilities get patched within 14 days of a fix becoming available. You can't hit that deadline if you don't know about the vulnerability until week 13. Security hardening managed hosting providers typically default to monthly scanning for exactly this reason: the frequency needs to match how fast new risks appear, not how often it's convenient to run a report.
Where This Fits Into Your Hosting
A vulnerability scan is a flashlight, not a fix. It tells you where the gaps are; what happens next is what actually keeps the business safe. Managed vulnerability scanning UK businesses rely on works best paired with a remediation process, not just a report. That combination is what turns a list of findings into closed risk.
If you want to see how Tenable scanning works in our managed hosting, that's exactly what we cover next.
A vulnerability scan tells you where the gaps are. To see how exploitable they actually are, we offer free penetration testing alongside our managed hosting.
Get in touch to find out more.