Nessus vs OpenVAS: A Practical Comparison of Vulnerability Scanners
Hands-on comparison of authenticated vs. non-authenticated vulnerability scans using Tenable's Nessus and Greenbone's OpenVAS — key findings and practical takeaways for security professionals.
This article is an adapted version of a hands-on study originally published on Medium, developed as a final exercise in the "Cibersegurança — Vetores Ataque e Métodos Proteção" course at Cesae Digital.
Project Objective
The primary goals of this exercise were:
- Compare scan methodologies: Evaluate the effectiveness of authenticated versus non-authenticated vulnerability scans, highlighting the critical importance of robust credential management policies.
- Benchmark scanning tools: Compare Tenable's Nessus (commercial) against Greenbone's OpenVAS (open-source), assessing detection capabilities in a controlled environment.
Test Environment
Two virtual machines pre-configured with known vulnerabilities (Metasploitable3):
| Host | OS | IP |
|---|---|---|
| Host 1 | Windows Server 2008 R2 | 192.168.56.16 |
| Host 2 | Ubuntu 14.04 LTS | 192.168.56.6 |
Tools used:
- Nessus v10.9.0 (#144) — Trial version
- OpenVAS (GSA) v25.0.0 — NVT feed: 20250703T0642
Key Findings
The Authentication Gap
The difference between authenticated and non-authenticated scans was dramatic:
| Scan Type | Tool | Vulnerabilities Found | Duration |
|---|---|---|---|
| Authenticated | Nessus | 1,063 (235 critical, 556 high) | 42 min |
| Non-Authenticated | Nessus | 78 (12 critical, 13 high) | 1h 22min |
| Authenticated | OpenVAS | ~1,237 (670 Host 1 + 567 Host 2) | 3h 25min |
| Non-Authenticated | OpenVAS | ~143 (121 Host 1 + 22 Host 2) | ~26h |
The 13× difference between the authenticated and non-authenticated Nessus scans (1,063 vs. 78 findings) illustrates why credential management is the fundamental first line of defense.
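One way to measure the authentication gap on your own scans, as an added example that is not part of the original study: the script diffs a non-authenticated and an authenticated export and reports what only the credentialed scan saw. The CSV column names (`Plugin ID`, `Risk`, `Host`, `Port`, `Name`), the `None` risk label for informational rows, and every sample row are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not data from the study). Column names are an
# assumed Nessus-style CSV layout; adjust them to your scanner's report.
UNAUTH_CSV = """Plugin ID,Risk,Host,Port,Name
10001,Critical,192.168.56.16,445,Constructed SMB finding
10002,Medium,192.168.56.6,22,Constructed SSH finding
10003,None,192.168.56.6,0,Constructed informational finding
10004,Low,192.168.56.6,80,Constructed web banner finding
"""
AUTH_CSV = """Plugin ID,Risk,Host,Port,Name
10001,Critical,192.168.56.16,445,Constructed SMB finding
10002,Medium,192.168.56.6,22,Constructed SSH finding
20001,Critical,192.168.56.16,0,Constructed missing OS patch
20002,High,192.168.56.16,0,Constructed outdated local package
20003,High,192.168.56.6,0,Constructed outdated local package
20003,High,192.168.56.6,0,Constructed outdated local package
"""

def load_findings(text, skip_risks=("None",)):
    """Map each unique (host, port, plugin id) to its risk, dropping info rows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Risk"] in skip_risks:
            continue
        # Duplicate rows (same plugin, host and port) collapse to one finding.
        findings[(row["Host"], row["Port"], row["Plugin ID"])] = row["Risk"]
    return findings

def authentication_gap(unauth_text, auth_text):
    """Summarise what only the credentialed scan reported, and the reverse."""
    unauth = load_findings(unauth_text)
    auth = load_findings(auth_text)
    only_auth = {k: v for k, v in auth.items() if k not in unauth}
    return {
        "unauth_total": len(unauth),
        "auth_total": len(auth),
        "ratio": round(len(auth) / len(unauth), 1) if unauth else None,
        "only_auth_by_risk": dict(Counter(only_auth.values())),
        "only_auth_by_host": dict(Counter(host for host, _, _ in only_auth)),
        # Findings the credentialed run lost usually mean a scope or policy drift.
        "missed_by_auth": sorted(k for k in unauth if k not in auth),
    }

if __name__ == "__main__":
    for key, value in authentication_gap(UNAUTH_CSV, AUTH_CSV).items():
        print(f"{key}: {value}")
```

A non-empty `missed_by_auth` list is worth investigating before trusting the ratio, since it means the two runs did not cover the same services.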
Nessus vs OpenVAS Performance
- Speed: Nessus was considerably faster in both scan modes. Authenticated scan: 42 min vs 3h 25min for OpenVAS.
- Detection depth: Both tools found comparable numbers with authentication (~1,000–1,200 vulnerabilities). Nessus reported more critical/high severity findings.
- OpenVAS non-authenticated scan: ~26 hours, significantly longer than Nessus (1h 22min), but still capable.
Lessons for Security Professionals
1. Authentication is Non-Negotiable
In the Nessus runs, the authenticated scan revealed 13× more vulnerabilities than the external-only view. The internal perspective is the complete picture: unauthenticated scans give you what an external attacker sees, not what's actually exposed inside.
2. Strong Password Management is the Foundation
Findings reinforce that managing strong, unique credentials is vital. A robust password manager for generating, storing, and monitoring credentials — with breach alerts and rapid rotation — is often more impactful than the scanning tool itself.
3. OpenVAS is a Genuine Open-Source Powerhouse
For organizations with budget constraints, OpenVAS delivers comparable authenticated-scan depth to Nessus. The tradeoffs: longer scan times, steeper learning curve, and more manual setup. For a homelab or SMB context, these are manageable.
4. Tool Selection Should Match Organizational Context
- Nessus: Faster scans, streamlined reporting, professional support — ideal for enterprises needing efficiency at scale
- OpenVAS: Robust capability, zero license cost, 100% open-source — ideal for organizations with technical staff and budget constraints
5. Keep Feeds Updated
The OpenVAS NVT feed (updated daily) directly determines what vulnerabilities the tool can detect. An outdated feed is as dangerous as no scanner at all. The same applies to Nessus plugins.
Conclusion
This hands-on study demonstrated that the choice of tool matters far less than the methodology. An authenticated OpenVAS scan outperforms an unauthenticated Nessus scan by an order of magnitude. Credential management and internal visibility are the pillars of effective vulnerability management — the scanner is just the instrument.
Published as part of coursework at Cesae Digital — Centro para o Desenvolvimento de Competências Digitais. Special thanks to Professor Daniel A. Melo.