A hands‑on, step‑by‑step course that turns a total beginner into a confident vulnerability analyst.

Table of Contents

1. What This Course Is (and What It Isn’t)

This course teaches vulnerability management using Nessus Essentials (the free version). By the end you will be able to:

  • Set up an isolated scanning lab with VirtualBox
  • Perform unauthenticated and credentialed vulnerability scans
  • Interpret CVSS scores and plugin output
  • Prioritise vulnerabilities like a SOC analyst
  • Generate professional reports and build a remediation register
  • Answer common interview questions on vulnerability management

Important: We do not cover web application scanning (WAS). Nessus Essentials cannot scan web app logic – and that’s fine. We focus on network and host‑based vulnerabilities, which is the bread and butter of SOC, vulnerability analyst, and junior pentester roles.

2. The Tools You’ll Need

ToolPurposeCost
VirtualBoxRun virtual machines locallyFree
Nessus Essentials OVAThe scanner itselfFree (with registration)
Metasploitable2Deliberately vulnerable Linux targetFree
Ubuntu 20.04 LTS (optional)Realistic Linux targetFree
Windows 7 SP1 (optional)Windows targetRequires licence
Your host machine browserAccess Nessus web UI (https)Free

Important: Nessus Essentials is limited to 16 unique IPs at any one time. This is not a lifetime cap – you can scan those same 16 IPs as many times as you want. It only becomes a problem if you scan entire subnets. For our lab with 4‑5 VMs, you will never hit the limit.

Module 1: Understanding Nessus vs. Web App Scanning

Before we start, let’s kill a confusion that trips up almost everyone.

Nessus (network/host scanner) scans for:

  • Open ports and services
  • OS and software vulnerabilities (CVEs)
  • Misconfigurations
  • Default credentials
  • Patch levels

Tenable Web App Scanning (WAS) scans for:

  • OWASP Top 10 web vulnerabilities
  • SQL injection, XSS, CSRF in web apps
  • Session/authentication logic
  • Web crawling and parameter fuzzing

These are architecturally separate products. WAS requires a Nessus Expert or Tenable One licence. Your Nessus Essentials licence does not include it, and you don’t need it for this course. Web app scanning is a different discipline; we are focusing on network and host vulnerability management.

Module 2: Setting Up Your Virtual Lab

2.1 Import the Nessus OVA into VirtualBox

  1. Open VirtualBox → FileImport Appliance
  2. Select your downloaded Nessus .ova file
  3. Leave default settings (2 CPU, 2 GB RAM minimum)
  4. Network configuration – this is critical:
    • Adapter 1: Host‑Only Adapter
      This lets your host machine reach the Nessus web UI and allows Nessus to talk to your target VMs.
    • Adapter 2: NAT
      This gives the Nessus VM internet access for plugin updates, without exposing your lab to your real network.
  5. Start the VM
  6. Note the IP address shown on the Nessus console screen (usually something like 192.168.56.X)

Why not Bridged?
Bridged mode connects your VM directly to your physical network. Nessus scans are aggressive and could hit your real devices, consuming your 16‑IP limit and potentially disrupting your router or printer. Host‑Only keeps everything contained inside VirtualBox – nothing escapes. It’s the professional lab standard.

2.2 Activate Your Nessus Essentials Licence

  1. Open a browser on your host machine (not inside the VM) and navigate to:
    https://<Nessus_IP>:8834
    Example: https://192.168.56.10:8834
  2. Accept the self‑signed TLS certificate warning
  3. In the setup wizard, choose Nessus Essentials
  4. Enter the activation code from your Tenable email (format: XXXX-XXXX-XXXX-XXXX)
  5. Create your admin username and a strong password (build the habit, even in a lab)
  6. Wait for plugin compilation – 10‑20 minutes on the first run
    Nessus downloads ~180,000+ plugins. The quality of every scan depends on having up‑to‑date plugins.
  7. Once done, you’ll land on the main dashboard

Module 3: Deploying Vulnerable Targets

You need something to scan. We’ll use Metasploitable2 as our primary target.

3.1 Download and Set Up Metasploitable2

  1. Download from the official SourceForge page:
    👉 https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
  2. Click the file named metasploitable-linux-2.0.0.zip and extract it.
  3. In VirtualBox, click New → Name: Metasploitable, Type: Linux, Version: Ubuntu (32‑bit)
  4. Memory: 512 MB is plenty
  5. On the hard disk step, select Use an existing virtual hard disk file and browse to the extracted .vmdk file
  6. Under Settings → Network:
    Adapter 1: Host‑Only Adapter
    (Same network as your Nessus VM, no NAT needed – it doesn’t need internet)
  7. Start the VM. Default credentials: msfadmin / msfadmin

3.2 Optional Targets

  • Ubuntu 20.04 LTS (minimal install, no updates) – good for realistic Linux scanning.
  • Windows 7 SP1 (if you have a licence) – classic unpatched Windows target.
  • DVWA – helps you understand web app scanning vs host scanning, though Nessus won’t crawl it.

3.3 Lab IP Map (Document This!)

MachineRoleIP (example)
Nessus VMScanner192.168.56.10
Metasploitable2Linux target192.168.56.20
DVWA (optional)Web target192.168.56.21
Windows target (optional)Windows target192.168.56.22

Always document your scope before scanning – it’s a critical professional habit.

3.4 Verify Connectivity

From the Nessus VM terminal, ping your target’s IP:
ping 192.168.56.20
You should get replies. If not, double‑check that both VMs are using the same Host‑Only network.

Module 4: Your First Host Discovery Scan

Never scan blindly. Host discovery confirms what’s alive before you fire vulnerability probes.

  1. In the Nessus UI, go to ScansNew ScanHost Discovery
  2. Name: Lab Host Discovery - YYYY-MM-DD
  3. Targets: List the specific IPs, not a CIDR range
    Example: 192.168.56.20, 192.168.56.21, 192.168.56.22
    Why? Nessus Essentials stops registering new IPs after 16. Listing specific IPs prevents you from accidentally scanning your entire subnet.
  4. Schedule: On Demand
  5. Launch

Results you get:

  • Live IPs (responded to ICMP/TCP probes)
  • OS fingerprinting (best guess)
  • Open port count per host
  • MAC addresses

This is Phase 1 of any professional vulnerability assessment – the Asset Discovery phase.

Module 5: Unauthenticated Scanning – The Attacker’s View

An unauthenticated scan simulates what a threat actor sees from outside your network.

  1. Scans → New Scan → Basic Network Scan
  2. Name: Metasploitable - Unauthenticated - YYYY-MM-DD
  3. Targets: 192.168.56.20 (your Metasploitable IP)
  4. Do not add any credentials
  5. Launch

What it finds:

  • Network‑exposed services (FTP, SSH, Telnet, HTTP, SMB, RPC)
  • Service banners revealing software versions
  • Weak SSL/TLS configurations
  • Open and filtered ports
  • Service‑level vulnerabilities detectable without login

What it misses:

  • Installed software with known CVEs (needs authentication)
  • Patch levels of OS packages
  • Registry misconfigurations (Windows)
  • Local user accounts and password policies

Exercise:
When the scan finishes, click the host → sort by CVSS Score (descending). Note how many Critical/High findings Metasploitable shows unauthenticated. This is exactly what an attacker would see.

Module 6: Credentialed Scanning – The Professional Standard

Credentialed scans authenticate to the target and reveal the full picture. They find 3–5× more vulnerabilities than unauthenticated scans.

6.1 Adding SSH Credentials for Metasploitable

  1. Edit your previous scan (or create a new one) → Credentials tab
  2. Add credentials: SSH → Username/Password
    • Username: msfadmin
    • Password: msfadmin
  3. Tick Use sudo if available
  4. Launch the scan again

Immediately you’ll notice:

  • Vulnerability count jumps dramatically
  • New Critical findings appear for installed packages
  • Plugin output shows exact version strings
  • Missing patches listed with CVE numbers

6.2 For Windows Targets (If You Have One)

  • Credentials → Windows → SMB
  • Provide local admin or domain admin credentials

Common SOC interview question:
“What is the difference between authenticated and unauthenticated scans and when do you use each?”
Your answer: Authenticated scans are used for internal asset management and patch compliance. Unauthenticated scans simulate external threat actor visibility.

Module 7: Advanced Scan Policies and Tuning

The Advanced Scan template gives you full control over scanning behaviour.

7.1 Discovery Settings

  • Ping methods: ICMP, TCP, UDP, ARP (enable all for thorough discovery)
  • Port scanning range: default is top 1000 ports. For complete coverage, use 1-65535 (much slower)
  • Service discovery: probe all ports for service banners

7.2 Assessment Settings

  • Scan type: Normal vs Quick vs Custom
  • Thorough tests: enable for complete coverage (slower but more accurate)
  • Override normal verbosity: useful for debugging scan issues

7.3 Plugin Families to Enable/Disable

  • Default Accounts – always enable (finds default creds)
  • Backdoors – finds web shells and backdoors
  • Denial of ServiceDISABLE in production (can crash services)
  • Brute Force – careful in production (account lockout risk)

7.4 Performance Tuning

  • Max simultaneous checks per host: default 5, reduce for fragile targets
  • Max simultaneous hosts per scan: reduce if network is slow
  • Network timeout: increase for slow/remote targets

Module 8: Understanding Plugins and Plugin Output

Plugins are Nessus’s intelligence. Each plugin is a test for a specific vulnerability or configuration. You have ~180,000+ of them.

8.1 Anatomy of a Plugin

When you click a vulnerability, you see:

  • Plugin ID – unique number
  • Plugin Name – descriptive title (e.g. “Apache 2.4.x < 2.4.49 Multiple Vulnerabilities”)
  • Synopsis – one‑line summary
  • Description – detailed explanation
  • Solution – remediation steps
  • Risk Factor – Critical/High/Medium/Low
  • CVSS v3 Base Score – numerical severity
  • Plugin Output – the actual evidence Nessus found

8.2 Key Plugin Families

  • AIX Local Security Checks – AIX patches
  • CentOS Local Security Checks – CentOS patches
  • Debian Local Security Checks – Debian patches
  • Windows – Microsoft bulletin checks
  • General – backdoors, default accounts, etc.

8.3 Reading Plugin Output Like a Pro

The plugin output shows the exact version string detected, the path to the vulnerable file, registry keys (Windows), or the response that triggered the finding. Always review the output to avoid false positives.

Module 9: CVSS v3 Scoring Breakdown

CVSS (Common Vulnerability Scoring System) gives vulnerabilities a score from 0 to 10.

9.1 The Three Metric Groups

  • Base Score (0–10): Intrinsic characteristics, constant over time
    Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability impacts
  • Temporal Score: Changes over time (exploit code maturity, remediation level, report confidence)
  • Environmental Score: Customised to your organisation (modified base metrics, security requirements)

9.2 Quick Severity Scale

SeverityScore
None0.0
Low0.1 – 3.9
Medium4.0 – 6.9
High7.0 – 8.9
Critical9.0 – 10.0

9.3 Limitations of CVSS

CVSS doesn’t account for:

  • Whether an exploit actually exists in the wild
  • Compensating controls (WAF, firewall, network segmentation)
  • Asset criticality to your business

That’s why you need additional context – like Tenable VPR, CISA KEV, or your own asset inventory.

Module 10: Vulnerability Prioritisation in Practice

Not all Criticals are equal. Here’s a real‑world workflow to turn 500 findings into a manageable backlog.

10.1 The Triage Funnel

  1. Exploitability:
    Is there a public exploit? Is it in the CISA Known Exploited Vulnerabilities (KEV) catalogue?
    Yes → immediate priority
  2. Exposure:
    Internet‑facing assets first, internal second.
  3. Asset Criticality:
    Production > staging > development.
  4. Compensating Controls:
    Is a WAF, IPS, or firewall mitigating the real risk?

Result: A tiered P1 / P2 / P3 remediation backlog.

10.2 Practical Exercise

Take your Metasploitable scan results. Tag:

  • P1: Criticals with known public exploits (e.g. UnrealIRCd backdoor)
  • P2: High CVEs on exposed services
  • P3: Mediums and information‑level findings

Module 11: Navigating Scan Results Like a Pro

11.1 Filters and Grouping

After a scan completes, use the Filters dropdown to:

  • Show only Critical/High vulnerabilities
  • Filter by plugin family
  • Show exploitable vulnerabilities (those with Metasploit modules or public PoCs)

Group by host to see the worst‑off machines at a glance.

11.2 The Vulnerability Details Pane

Click any vulnerability → Details tab shows:

  • Plugin output (the evidence)
  • Port / service
  • Risk information
  • Solution steps

11.3 Exporting a List of Vulnerabilities

Use the Reports section (covered next module) to generate CSV or PDF for further analysis in Excel or Google Sheets.

Module 12: Generating and Customising Reports

12.1 Nessus Native Reports

  • PDF (Executive Summary): High‑level charts and bar graphs – good for management.
  • CSV: Raw data you can import into Excel for sorting, filtering, and pivot tables.
  • HTML: Interactive report you can view in a browser.

To export:

  1. Go to Scans → click the completed scan
  2. Click Report (top right)
  3. Choose PDF, CSV, or HTML
  4. Customise sections (e.g. exclude informational findings)
  5. Download

12.2 What Each Report Contains

  • PDF: Cover page, vulnerability breakdown by severity, list of findings with plugin IDs and CVSS scores.
  • CSV: Plugin ID, CVE, CVSS, risk factor, host, port, solution, description – perfect for building a tracking register.

Module 13: Writing a Professional VM Report Beyond Nessus Exports

A Nessus PDF is not a finished vulnerability assessment report. You must add context.

13.1 Report Structure Template

  1. Executive Summary
    Scope, overall risk posture, number of Critical/High/Medium/Low findings, top 3 actions.
  2. Methodology
    Tools used, scan frequency, credentialed/unauthenticated, any exclusions.
  3. Findings (Technical Details)
    Per vulnerability: CVSS, plugin ID, affected hosts, description, impact, remediation.
  4. Risk Matrix
    Likelihood vs Impact table.
  5. Remediation Roadmap
    P1 (immediate), P2 (this week), P3 (next month).
  6. Appendices
    Raw Nessus CSV, network diagram, asset inventory.

13.2 Exercise

Take your Metasploitable credentialed scan and write a 2‑page executive summary as if presenting to a CTO.

Module 14: Building a Vulnerability Tracking Register

A tracking register is a living document that tracks remediation status over time. It’s often a spreadsheet with columns:

ColumnExample
Asset IP192.168.56.20
Hostnamemetasploitable
Plugin ID10287
CVECVE-1999-0524
TitleICMP Timestamp Request Remote Date Disclosure
CVSS v35.3 (Medium)
SeverityMedium
StatusRemediated
RemediationDisable ICMP timestamp responses
OwnerSOC Team
Date Opened2025-01-15
Date Closed2025-02-01
NotesVerified with rescan

14.1 How to Create One

  1. Export your scan as CSV.
  2. Import into Excel / Google Sheets.
  3. Add custom columns: Status, Owner, Due Date, Notes.
  4. Update after every re‑scan and remediation cycle.

This is a core deliverable in any mature vulnerability management programme.

Module 15: The Remediation Cycle – Before & After Scans

A single scan is a snapshot. Remediation verification needs a before‑and‑after pair.

15.1 Workflow

  1. Baseline scan (credentialed) – document all findings.
  2. Fix the issues on the target (e.g. apply patches, disable services).
  3. Rescan the same target with the same policy.
  4. Compare the two scans.
  5. Update the tracking register with evidence of closure.

15.2 Hands‑on Exercise

On Metasploitable:

  • Identify the UnrealIRCd backdoor (Critical).
  • Stop the IRC service: sudo service unrealircd stop (or kill the process)
  • Rescan. Show that the vulnerability is gone.
  • In your report, present the before/after comparison as proof of remediation.

Module 16: Scheduling Scans and Continuous Monitoring

Move from point‑in‑time to ongoing vulnerability management.

16.1 How to Schedule a Scan

  1. Edit scan → Schedule tab
  2. Enable schedule → set frequency (daily, weekly, monthly)
  3. Define time window (during off‑peak hours if scanning production)
  4. Enable email notifications (Settings → SMTP)

16.2 Differential / Delta Scans

By comparing two scans, you can identify:

  • New vulnerabilities (newly installed software)
  • Closed vulnerabilities (remediated items)
  • Configuration drift

Nessus Professional and Tenable.io have built‑in delta reporting. With Essentials, you simulate it manually using CSV exports and spreadsheet diffing.

Module 17: How VM Fits into the SOC Workflow

Vulnerability management is not an island. In a mature Security Operations Centre:

  1. Asset Discovery → feeds into CMDB.
  2. Vulnerability Scanning (Nessus) → produces findings.
  3. Prioritisation → analyst triages based on risk.
  4. Ticketing → findings pushed to ServiceNow / Jira for remediation.
  5. Validation → rescan to confirm fixes.
  6. Metrics → mean time to remediate (MTTR), risk score trends.

Nessus Essentials gives you the technical foundation for steps 2, 3, and 5. The surrounding processes are what make you a vulnerability analyst, not just a scanner operator.

Module 18: Interview Questions & Model Answers

Use these to prepare for SOC Analyst, Vulnerability Analyst, and junior Pentester roles.

Q1: “What is the difference between vulnerability scanning and penetration testing?”
A: Vulnerability scanning is automated, broad, non‑exploitative identification of known weaknesses. Penetration testing is targeted, manual, and involves actively exploiting vulnerabilities to prove impact. Nessus is a scanning tool; Metasploit is used in pentesting.

Q2: “How do you prioritise 500 Critical vulnerabilities?”
A: Filter by exploitability (public exploit? CISA KEV?), then exposure (internet‑facing first), then asset criticality (production vs dev), then compensating controls. Result: a tiered P1/P2/P3 backlog.

Q3: “What is CVSS and what are its limitations?”
A: CVSS (0‑10) measures technical severity. Limitations: it doesn’t account for your environment, whether an exploit exists in the wild, or compensating controls. Tools like Tenable VPR and CISA KEV add necessary context.

Q4: “What is a credentialed scan and why does it matter?”
A: A credentialed scan authenticates (SSH/SMB) and checks installed software, patches, and local config. It finds 3‑5× more vulnerabilities than unauthenticated and is the standard for internal asset management.

What to Learn Next: Beyond Nessus Essentials

Your skill progression path:

  • Nessus Professional (30‑day trial) – compliance audits (CIS, PCI DSS), unlimited IPs, live results.
  • Tenable Vulnerability Management (cloud) – asset management at scale, Lumin risk scoring, REST API, Splunk/ServiceNow integration.
  • OpenVAS – open‑source scanner, same concepts, great for comparison.
  • CISA KEV cataloguecisa.gov/known-exploited-vulnerabilities
  • NVDnvd.nist.gov
  • VulnHub – more vulnerable VMs for lab practice

Certifications:

  • Tenable Certified Nessus Auditor (TCNA)
  • CompTIA CySA+
  • GIAC Enterprise Vulnerability Assessor (GEVA)