Connecting Tenable Vulnerability Management to Drata enables automated, continuous monitoring of vulnerability findings for compliance. This integration supports tracking SLA due dates and automates evidence collection for vulnerability management requirements.
Key Capabilities
Vulnerability ingestion: Imports findings from supported scanning tools
Compliance mapping: Supports vulnerability-management tests such as DCF-18
Read-only access: Retrieves vulnerability metadata without triggering or modifying scans
This integration automates evidence collection for the Vulnerability Scanning test, which is mapped to DCF-18 by default. You can view findings by selecting the View Findings button after connecting or navigating directly to the Vulnerabilities page through the left-side navigation menu.
Prerequisites & Data Access
A Tenable Vulnerability Management account
Ability to create an API key
A Tenable user assigned a permission configuration that allows read-only access to vulnerability data:
Permissions: Can View
Objects: All Assets
To follow least-privilege best practices, we recommend using a Basic User role for the Tenable user who creates the API key.
Note: Creating users or assigning permissions in Tenable requires Administrator access.
⚠️ Tenable product support
Despite being part of the broader Tenable ecosystem, Tenable Vulnerability Management is the only Tenable product that integrates with Drata. Ensure you are connecting Tenable Vulnerability Management, not another Tenable product, to avoid syncing issues.
📊 Vulnerability sync behavior
Drata pulls up to 1,000 new or updated vulnerabilities per connection per day, ordered by severity from Critical to Low. You can control which vulnerabilities sync by selecting severity filters during connection.
Permissions & Data Table
Permission / Scope | Why It’s Needed | Data Accessed (Read Only) |
Can View | Allows Drata to retrieve vulnerability findings | Vulnerability IDs, severity, status, timestamps |
All Assets | Ensures full visibility across all scanned assets | Asset-level vulnerability associations |
Drata does not modify vulnerabilities, assets, or scan configurations in Tenable.
Step-by-Step Setup
Step 1: Verify your user account permissions
The API key inherits the permissions of the Tenable user who creates it. To ensure Drata can successfully sync vulnerability data, verify the user is assigned a permission configuration with:
Permissions: Can View
Objects: All Assets
To create or assign permissions:
In Tenable, select Settings from the left navigation.
Select Access Control, then open the Permissions tab.
Select Create Permission.
Enter a Permission Name (for example, Drata Read-Only Access).
Assign the permission to one or more Users or Groups.
In Permissions, select Can View.
In Objects, select All Assets.
Select Save.
Confirm the permission is assigned to the user who generated the API key. Learn more at Create and Add a Permission Configuration
Step 2: Create a Tenable API key
Log in to your Tenable Vulnerability Management account.
Select Settings from the left-side navigation.
Select API Keys.
Create a new API key and save the Client Key and Secret Key.
You will use these values to connect Tenable to Drata.
Step 3: Connect Tenable Vulnerability Management in Drata
In Drata, select Connections from the left navigation.
Open the Available Connections tab.
Search for Tenable Vulnerability Management or filter by Vulnerability Scanning.
Select Connect.
When connecting the integration, you can configure:
Severity: Select which vulnerability severities to sync (Critical and High are selected by default)
First seen on: Select the earliest detection date for vulnerabilities to sync
Continue on.
Enter the Client Key and Secret Key from Tenable.
Step 4: Validate the connection
Once the connection is successful:
Select View Findings on the connection card, or
Navigate to the Vulnerabilities page in Drata
You should now see vulnerability findings synced from Tenable for compliance monitoring.