Full Report
Cisco Vulnerability Management (formerly Kenna) has long been a valuable partner for security teams. With its end-of-life now underway, Tenable One offers a clear path forward, delivering end-to-end unified exposure management for the future of risk management.Key takeaways:Tenable’s strong partnership with Cisco helps customers with a natural path forward and easy transition to exposure management. Exposure management is the next frontier, taking organizations beyond risk-based vulnerability management (RBVM) by delivering insight across various domains. The Tenable One Exposure Management Platform is built for security programs of all maturity levels and sizes.Security teams are used to change, The way organizations think about risk is evolving, and many cybersecurity leaders and practitioners are realizing that the tools built for yesterday’s vulnerability management — while essential for their operations — aren’t enough for today’s exposure.For years, risk-based vulnerability management (RBVM) tools like Cisco Vulnerability Management (formerly Kenna) have helped teams aggregate data from different security scanners into one place. But simple aggregation is now table stakes; the security requirements of most organizations have outgrown it. Seeing one-dimensional findings of risk creates more noise from those same tools. What’s lacking is connectivity across all risk, a view of exposures created from the sum of the parts, together. Modern security programs need insight — how assets, vulnerabilities, misconfigurations, and identity relationships are connected. The same view threat actors have by probing and connecting these pieces together to create the next breach.Moving towards exposure management can help. It meets the modern security organization’s needs, going beyond listing CVEs to focus on the real story behind your risk: how everything in your environment interacts, so you can identify your most toxic combinations based on analysis of the insights provided by your various security tools.With Cisco entering end-of-life and end-of-sale for Cisco Vulnerability Management, Vulnerability Intelligence, and their Application Security Module, many teams are finding themselves at a decision point. Cisco announced on Dec. 9 that there is no replacement available for the Cisco Vulnerability Management, Vulnerability Intelligence, and Application Security Module (formerly known as Kenna.VM, Kenna.VI, and AppSec) at this time. The key EoL / EoS dates are as follows:March 10, 2026: End of Sale — The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.June 11, 2026: End of Service — The last date to extend or renew a service contract for the product.June 30, 2028: Last date of support subscription — The last date to receive applicable subscription entitlements, service, and support for the product as entitled by active subscriptions and service contracts (as applicable) or by warranty terms and conditions. After this date, all subscription and support services for the product are unavailable, and the product becomes obsolete.Organizations of all backgrounds and maturity have the chance to treat this moment not as a replacement project, but as an opportunity to change how they approach proactive security.The differences are in the hidden details: The new era of exposure managementAlthough risk-based vulnerability management provides a solid foundation, it hits a natural limitation. At best, it aggregates the data, showing only a handful of disconnected severity scores.While RVBM offers a new lens through which to view your environment, the core challenge still remains the same: security teams are stuck sifting through various findings across tools. Sure, it’s all in one place but it’s impossible to make a true “apples to apples” comparison because the findings aren’t normalized and deduplicated. Visibility alone is insufficient for effective exposure prioritization; the missing detail that RBVM lacks is insight.Tenable’s take on exposure management breaks that barrier by connecting the findings from your various security tools to create insights from your entire environment. You can see the big picture. It’s the difference between staring at isolated findings with different risk scores and truly understanding how your entire attack surface looks to an adversary at any given time.Insight comes from connecting context, not just critical severity scores, which is where exposure management distinguishes itself.Let’s look at a simple example. There is a stark difference between:Individual findings: These ~100 servers are running Windows OS with a critical vulnerability.VersusInsight: This specific server is exposed to the internet, has a medium-severity vulnerability, and is accessible by a compromised admin.In the first example, security teams waste time deciphering which handful of the 100 Windows servers are the most at risk, wasting resources and efforts working with IT to remediate. In reality, the biggest threat is the one server everyone saw, but no one thought about. How could they? It’s a single step in a multi-chained attack path.By mapping out how different flaws connect to compromise your critical assets, you can ignore the noise of consolidated tools and zero in on the specific toxic combinations that leave your organization exposed. This shifts your team from constantly reacting to seemingly critical fire drills to preemptively shutting down the most dangerous attack paths — the ones you wouldn’t be able to piece together using simple aggregation tools.Tenable is elevating how organizations of all sizes and maturity levels can identify their exposure.Exposure management maturity model: A true one-size-fits-all modelOne of the most compelling aspects of exposure management is that it isn’t reserved for organizations with bottomless budgets or sprawling security teams; it meets you exactly where you are. Whether your program is currently in a reactive "fire drill" phase — scrambling to patch whatever feels urgent today — or you have a robust set of tools that unfortunately don't talk to each other, exposure management offers a structured path forward.Tenable’s maturity model highlights that every security program sits somewhere on a spectrum, from "ad hoc" teams keeping the lights on to "standardized" operations that have reached a complexity ceiling. Exposure management creates a unified fabric across these stages, allowing even smaller teams to shift from chaotic, siloed scanning to a more cohesive view of their attack surface without needing to rip-and-replace their entire stack overnight.Top industry analyst firms name Tenable One a LeaderIf you’re making a change, you want to be confident in where you’re heading. Tenable was recently named a Leader in the first-ever 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms, ranking highest in both execution and vision.Tenable was also named a Leader in the IDC MarketScape: Worldwide Exposure Management 2025 Vendor Assessment and The Forrester Wave™️: Unified Vulnerability Management, Q3 2025.Simply put, Tenable isn’t catching up to exposure management — it’s leading it.Built to work with the tools you already haveWith 300+ integrations and an open, flexible architecture, Tenable One connects with the security tools you already rely on. Instead of forcing you into a new ecosystem, it strengthens the one you’ve built. Think of Tenable One as the central hub of your security program — the place where everything finally comes together in a clear, contextual view.Moving beyond lists into real exposure managementShifting to Tenable One isn’t just about finding a new home for your vulnerability data. It’s about stepping into the next generation of risk management.Gain unified visibility: Bring together vulnerabilities, misconfigurations, identities, and operational technology (OT) risks from across your security tools into a single platform.Connect the dots: Understand how risks connect across domains to identify toxic risk combinations across your environment.See full attack paths: See the paths attackers could take across your environment, from initial entry point to business-critical crown jewels.Remediate with context: Use holistic risk insights, business context, and threat intelligence to focus remediation on the exposures that matter most.Communicate with confidence: Deliver executives and board members holistic reports that show how security actions reduce overall organizational business risk.Exposure management changes the security conversation from “What vulnerabilities do we have?” to “What combinations of risk create the highest exposure ?”Ready to see what Tenable One can do? View the demo below: The transition from Cisco VM (Kenna) doesn’t have to be disruptive. It can be transformative. If you’re ready to see how Tenable One can elevate your security program, request a demo of Tenable One today.
Analysis Summary
# Industry News: Tenable Positions Exposure Management as Successor to Cisco VM Post-EOL
## Summary
Cisco has announced the End-of-Life (EoL) for its Vulnerability Management (formerly Kenna) platform, creating an immediate migration path for a significant customer base. Tenable is aggressively positioning its Tenable One Exposure Management Platform as the strategic successor, arguing that the security market has evolved beyond the basic data aggregation capabilities of traditional Risk-Based Vulnerability Management (RBVM).
## Key Details
- **Date:** Cisco EoL announcements finalized (End of Sale: March 10, 2026; End of Support: June 30, 2028).
- **Companies Involved:** Cisco (Sunsetting product), Tenable (Offering replacement solution).
- **Category:** Product Sunset/Migration Opportunity & Competitive Positioning.
## The Story
Cisco is retiring its Vulnerability Management, Vulnerability Intelligence, and Application Security Module, formerly known as Kenna products. This mandatory transition forces customers to seek modern alternatives. Tenable is leveraging this vendor vacuum to champion the shift from RBVM—which it characterizes as simply aggregating disparate scanner findings—to the next-generation "Exposure Management." Tenable One is presented as the solution capable of connecting vulnerabilities, misconfigurations, and identities to reveal "toxic combinations" and attack paths, offering true insight rather than just aggregated severity scores.
## Business Impact
### For the Companies Involved
* **Tenable:** This situation provides a substantial, near-term infusion of potential new logo/migration business. By facilitating a "natural path forward" for Cisco customers, Tenable aims to capture significant market share in the crucial vulnerability/exposure management segment and validate its platform approach over legacy systems. The clear EoL dates provide urgency for sales cycles.
* **Cisco:** While they are exiting this specific market, the handling of the EoSL transition, especially by promoting a partner like Tenable, is crucial for maintaining trust with their security customer base, even as they shift focus elsewhere.
### For Competitors
* Rival vendors in the vulnerability management space (e.g., Qualys, Rapid7) will also aggressively target Cisco VM customers. However, Tenable gains an advantage by defining the upgrade path as a mandatory *maturity shift* to Exposure Management, rather than just a feature parity replacement.
### For Customers
* Customers face an unavoidable migration project before mid-2026. They have an opportunity to evaluate whether their current RBVM strategy is sufficient or if they need to adopt a more contextual Exposure Management approach, as advocated by Tenable.
### For the Market
* This event accelerates the market differentiation between legacy RBVM tools and modern Exposure Management platforms. It solidifies "Exposure Management" as the recognized evolution of security prioritization moving forward.
## Technical Implications
The core technical distinction highlighted is the move from data aggregation ($\text{RBVM} \rightarrow \text{Lists of Findings}$) to contextual intelligence ($\text{Exposure Management} \rightarrow \text{Connected View of Attack Paths}$). Tenable One emphasizes unifying data across multiple domains (Vulnerabilities, Cloud, Identity, OT) to prioritize remediation based on **exposure** (e.g., a server that is exposed to the internet *and* has a critical vulnerability) rather than just the severity score of an individual finding.
## Strategic Analysis
* **Market Positioning:** Tenable is successfully positioning itself not just as a vulnerability scanner, but as the leader in the successor paradigm (Exposure Management), backed by recognition from Gartner and Forrester.
* **Competitive Advantage:** Tenable’s main advantage here is the timing of the Cisco EoL, allowing them to market their platform as the *only* future-proof solution that accommodates diverse existing toolsets via 300+ integrations.
* **Challenges:** Customers may be wary of moving from one established vendor (Cisco) to another, requiring confidence in Tenable’s partnership and the stated ease of migration.
## Industry Reactions
Analyst firms (Gartner, IDC, Forrester) have recently named Tenable a Leader in Exposure Assessment/Management, providing strong third-party validation for their platform narrative immediately following the Cisco announcement.
## Future Outlook
* We expect Tenable to heavily invest in tooling and documentation to ease the migration, ensuring the transition is perceived as seamless as possible.
* The focus of the security platform market will increasingly shift towards contextualization (i.e., "who can access what") over raw asset inventory or vulnerability counts.
## For Security Professionals
Security teams using Cisco VM must begin planning their migration immediately. The key strategic takeaway is the necessity to adopt practices that move beyond simple centralized vulnerability spreadsheets toward understanding connected risks and actual attack paths to justify remediation efforts to leadership.