Tenable Integration for Retrieving PQC Readiness Data

AppViewX integrates with Tenable IO and Tenable SC to ingest existing vulnerability scan data and derive PQC readiness insights, without deploying the AppViewX Config Scan Agent on target endpoints. For the conceptual overview, see Agentless scans for retrieving PQC readiness data.

This topic lists the Tenable-side prerequisites for the integration: the plugins that must be enabled in the Tenable scan policy, the minimum API key role and scope, and operational guidance for production deployments.

For AppViewX configuration and usage, see the following topics:

Prerequisites

Before you configure the Tenable vendor integration in AppViewX, verify the following details from Tenable:
  • The plugins listed in Plugins required for PQC discovery are enabled in the Tenable scan policy. These plugins are enabled by default in standard Tenable IO and Tenable SC configurations.
    Note: Verify that the plugins have not been disabled in a custom scan template.
  • An API key with the role and scope listed in API key permissions is available.
    Important: For Tenable SC, the organization administrator must enable Allow API Keys under Organization > Settings.
  • The AppViewX deployment can reach the Tenable IO cloud endpoint or the on-premises Tenable SC console URL configured on the vendor integration.

Plugins Required for PQC Discovery

AppViewX uses the following Tenable plugins to collect certificate, protocol, and cryptographic data during an ASM scan. This data is used to evaluate each discovered endpoint for exposure to quantum-vulnerable algorithms and to assess alignment with post-quantum cryptography standards.
Table 1. Tenable Plugins Required for PQC Discovery

| Plugin ID | Plugin Name | Category | Description |
|---|---|---|---|
| 277654 | TLS Supported Groups | General | Collects the list of TLS elliptic curve and key exchange groups negotiated by the endpoint, used to identify quantum-vulnerable key agreement algorithms. |
| 21643 | SSL Cipher Suites Supported | General | Enumerates all SSL/TLS cipher suites supported by the target, enabling AppViewX to flag weak or quantum-vulnerable ciphers. |
| 10863 | SSL Certificate Information | General | Retrieves the full X.509 certificate chain including algorithm, key size, and validity data used for PQC readiness evaluation. |
| 10107 | HTTP Server Type and Version | Web Servers | Identifies the web server software and version, used to correlate certificate usage with specific server deployments. |
| 24260 | HyperText Transfer Protocol (HTTP) Information | Web Servers | Collects HTTP response headers and connection metadata to assess TLS configuration at the application layer. |
| 141263 | Apache Tomcat Site Enumeration | Web Servers | Discovers virtual hosts and applications running on Apache Tomcat for comprehensive certificate and cryptographic coverage. |
| 142640 | Apache HTTP Server Site Enumeration | Web Servers | Enumerates Apache HTTP server virtual hosts to ensure all TLS endpoints are included in the PQC scan scope. |
| 140655 | Microsoft IIS Sites Enumeration | Web Servers | Identifies all IIS-hosted sites and their TLS bindings for full PQC coverage across Windows web infrastructure. |
| 11219 | Nessus SYN Scanner | Port Scanners | Discovers open TCP ports using SYN probes, enabling AppViewX to identify all TLS-capable endpoints on the network. |
| 10335 | Nessus TCP Scanner | Port Scanners | Performs full TCP connect scanning to detect services running on non-standard ports that may use TLS. |
| 14272 | Netstat Portscanner (SSH) | Port Scanners | Retrieves active listening ports via SSH-based netstat output, supplementing network-level port scan data. |
| 34220 | Netstat Portscanner (WMI) | Port Scanners | Retrieves active listening ports via WMI on Windows hosts, supplementing network-level port scan data. |
| 10092 | FTP Server Detection | Service Detection | Detects FTP services that may use FTPS (implicit or explicit TLS), adding them to the cryptographic assessment scope. |
| 10185 | POP Server Detection | Service Detection | Identifies POP3/POP3S mail retrieval services for inclusion in TLS cipher and certificate evaluation. |
| 10263 | SMTP Server Detection | Service Detection | Detects SMTP and SMTPS mail transfer agents to assess TLS configuration on email infrastructure. |
| 10719 | MySQL Server Detection | Service Detection | Identifies MySQL database servers that may expose TLS-encrypted connections for cryptographic assessment. |
| 11414 | IMAP Service Banner Retrieval | Service Detection | Detects IMAP and IMAPS mail services and retrieves banners to support TLS configuration analysis. |
| 20870 | LDAP Server Detection | Service Detection | Identifies LDAP and LDAPS directory services, enabling PQC assessment of directory server TLS configurations. |
| 26024 | PostgreSQL Server Detection | Service Detection | Detects PostgreSQL instances that support SSL/TLS connections for inclusion in PQC readiness evaluation. |
| 65914 | MongoDB Detection | Service Detection | Identifies MongoDB deployments that may use TLS, adding them to the cryptographic scan scope. |
| 130127 | PostgreSQL Server Installed (Windows) | Service Detection | Detects PostgreSQL installations on Windows hosts via registry or WMI for comprehensive service coverage. |
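
An added example, not AppViewX or Tenable code: one way to check a scan-result export against Table 1 before relying on the integration. The CSV column names, the sample rows, and the "partial TLS endpoint" heuristic are assumptions made for this illustration.

```python
import csv
import io

# Plugin IDs from Table 1 on this page, grouped by its Category column.
REQUIRED = {
    "General": {277654, 21643, 10863},
    "Web Servers": {10107, 24260, 141263, 142640, 140655},
    "Port Scanners": {11219, 10335, 14272, 34220},
    "Service Detection": {10092, 10185, 10263, 10719, 11414,
                          20870, 26024, 65914, 130127},
}
TLS_CORE = REQUIRED["General"]

# Constructed sample export; the column names are assumptions, not a Tenable schema.
SAMPLE_CSV = """Plugin ID,Host,Port
11219,10.0.0.5,443
10863,10.0.0.5,443
21643,10.0.0.5,443
277654,10.0.0.5,443
10107,10.0.0.5,443
11219,10.0.0.9,8443
10863,10.0.0.9,8443
20870,10.0.0.9,636
"""

def plugin_coverage(csv_text):
    """Return (never_seen_by_category, partial_tls_endpoints)."""
    seen, per_endpoint = set(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["Plugin ID"])
        seen.add(pid)
        per_endpoint.setdefault((row["Host"], row["Port"]), set()).add(pid)
    # A plugin that never fired may be disabled, or its service may simply be absent.
    never_seen = {cat: sorted(ids - seen) for cat, ids in REQUIRED.items() if ids - seen}
    # Stronger signal (heuristic): an endpoint produced some TLS plugin output but
    # not all three, so the missing plugin is worth checking in the scan policy.
    partial = {ep: sorted(TLS_CORE - ids) for ep, ids in per_endpoint.items()
               if ids & TLS_CORE and not TLS_CORE <= ids}
    return never_seen, partial

if __name__ == "__main__":
    never_seen, partial = plugin_coverage(SAMPLE_CSV)
    for cat, ids in never_seen.items():
        print(f"{cat}: never observed {ids}")
    for (host, port), ids in partial.items():
        print(f"{host}:{port} has partial TLS data, missing {ids}")
```

A plugin listed as never observed is a prompt to inspect the scan template, not proof that it is disabled; an endpoint with partial TLS data is the more reliable indicator.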

API key permissions

The API key configured on the Tenable vendor integration must have at least the role and scope listed in the following table. AppViewX uses these permissions to invoke the export and analysis endpoints during an ASM scan.
| Tenable Product | Minimum Role | Required Permission or Scope |
|---|---|---|
| Tenable IO | Standard user with API key | Permission to invoke the vulns/export endpoint and read scan results for the assets in scope. |
| Tenable SC | Security Manager (or equivalent) with API key | Access to the Analysis endpoint and read access to the repository or asset list in scope. Important: The organization administrator must enable Allow API Keys under Organization > Settings. |

Operational Considerations

  • Concurrency and rate limits (Tenable IO): Vulnerability export jobs are subject to concurrency limits and rate limits. Schedule large ASM scans to avoid HTTP 409 (duplicate export) and HTTP 429 (throttled) responses.
  • Asset scoping: Use the assetTags JSON on the AppViewX vendor integration to limit the scan to a defined subset of Tenable assets. Tag-based filtering is recommended for large deployments to avoid pulling the full vulnerability dataset on every run. For the JSON template, see Tenable IO – dummy JSON template or Tenable SC – dummy JSON template.
  • Dedicated service account: Use a service account with the minimum role listed above instead of reusing an administrator's key. Restrict its asset or repository scope to the targets in the ASM scan.