The Per-Asset Rate Is the Headline, Not the Bill
Vulnerability management licensing is dominated by a per-asset rate that is, paradoxically, the least useful number for understanding what a platform will cost over a three-year contract. The realistic total includes base licensing, scanner and agent infrastructure, professional services, integration work, staff time and — most of all — add-on modules for capabilities the base SKU omits. The per-asset figure anchors the negotiation, but the modules and the way assets are counted decide the bill. As across the whole cloud security stack, the headline metric and total cost are different conversations.
Tenable, Qualys and Rapid7 Compared
The three incumbents price within a similar band per asset but differ in what the base includes. The table below sets enterprise-scale rates side by side; note that Qualys folds patch management into its base while Tenable and Rapid7 tier more capability into add-ons.
| Platform | Indicative Per-Asset (Enterprise) | Base Includes | Pricing Note |
|---|---|---|---|
| Tenable VM | $26–$38/asset/yr | Core VM scanning | SecurityCenter from $20k+/yr; Tenable One adds modules |
| Qualys VMDR | $17–$33/asset/yr | Patch management included | TotalCloud priced in QLU units |
| Rapid7 InsightVM | $25–$35/asset/yr | Core VM + reporting | Falls to ~$1.90–$2.20/asset/mo at scale |
| Defender VM | Core in Defender P2 (E5) | Discovery + assessment | Premium add-on ~$2/user/mo on P2 |
An enterprise licensing Tenable One with full module coverage pays a materially different number than one licensing standalone Tenable VM — yet both look like "Tenable" on the quote. Always price the specific SKU and module set against a documented requirement, not the platform brand.
Modules: Where VM Becomes Exposure Management
The market is shifting from vulnerability management to continuous threat exposure management (CTEM), and the modules that carry that shift are each priced on top of the base scan. Web application scanning (WAS), container scanning, external attack surface management and CTEM capability add meaningfully to the per-asset rate, and vendors increasingly bundle them into premium platforms — Tenable One, Qualys VMDR plus TotalCloud — marketed as a single exposure programme. The buyer trap is module creep dressed as strategy: each capability is individually reasonable, but committing to the full suite when you need only WAS and container coverage doubles the spend. Force every module to map to a documented requirement, exactly as we argue for premium tiers in the zero trust licensing analysis, and keep speculative exposure modules on annual flexibility rather than the multi-year commitment.
The Asset-Counting Trap
Because the licence meters assets, the count itself is a cost lever — and it inflates silently. Ephemeral cloud instances that spin up and down, duplicate records for the same host, and decommissioned machines still in the inventory all push the billable count above the assets you actually protect. Qualys compounds this by pricing TotalCloud in QLU (Qualys Units), where you multiply environment parameters by factors to derive the unit requirement, making cost less predictable as the estate scales. Insist on an auditable, deduplicated asset definition in the contract, a clear rule for how ephemeral and retired assets are counted, and the right to true-down at renewal — not just true-up. This is the same metric discipline that governs the CASB connector count and the data-volume lines in SIEM licensing, and it is set out in our cloud contract framework.
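A reconciliation pass of the kind the contract should make auditable, as an added example that is not from the original article or from any vendor's tooling. The records, identifiers and the three counting rules (drop decommissioned machines, drop anything unseen for 30 days, drop short-lived instances that have already gone away) are constructed assumptions standing in for whatever the contract actually specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AssetRecord:
    record_id: str
    hostname: str
    first_seen: datetime
    last_seen: datetime
    instance_id: Optional[str] = None   # cloud instance id, None for on-prem
    mac: Optional[str] = None
    decommissioned: bool = False

def asset_key(r: AssetRecord) -> str:
    # Strongest stable identifier first, so duplicate records collapse to one asset.
    if r.instance_id:
        return f"cloud:{r.instance_id}"
    if r.mac:
        return f"mac:{r.mac.lower()}"
    return f"host:{r.hostname.lower()}"

def billable_assets(records, now, stale_days=30, ephemeral_hours=24):
    """Apply the assumed contract rules and return the deduplicated billable keys."""
    keep = {}
    for r in records:
        if r.decommissioned:
            continue                                # retired: never billable
        if now - r.last_seen > timedelta(days=stale_days):
            continue                                # unseen past the contractual window
        still_alive = now - r.last_seen <= timedelta(hours=1)
        if r.last_seen - r.first_seen < timedelta(hours=ephemeral_hours) and not still_alive:
            continue                                # short-lived instance already gone
        key = asset_key(r)
        if key not in keep or r.last_seen > keep[key].last_seen:
            keep[key] = r                           # one record per deduplicated asset
    return sorted(keep)

def count_report(records, now):
    """Raw inventory rows versus the count the licence should actually meter."""
    return {"raw": len(records), "billable": len(billable_assets(records, now))}

# Constructed inventory: duplicates, a decommissioned box, stale and ephemeral instances.
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = [
    AssetRecord("r1", "web-01", NOW - timedelta(days=150), NOW - timedelta(minutes=10), mac="AA:BB:CC:00:00:01"),
    AssetRecord("r2", "WEB-01", NOW - timedelta(days=150), NOW - timedelta(days=2), mac="aa:bb:cc:00:00:01"),
    AssetRecord("r3", "db-01", NOW - timedelta(days=400), NOW - timedelta(days=1), decommissioned=True),
    AssetRecord("r4", "api", NOW - timedelta(days=40), NOW - timedelta(minutes=5), instance_id="i-0abc"),
    AssetRecord("r5", "worker", NOW - timedelta(hours=3), NOW - timedelta(hours=2), instance_id="i-0def"),
    AssetRecord("r6", "worker", NOW - timedelta(hours=2), NOW - timedelta(minutes=5), instance_id="i-0ghi"),
    AssetRecord("r7", "legacy-fs", NOW - timedelta(days=900), NOW - timedelta(days=60), mac="cc:dd:ee:00:00:02"),
    AssetRecord("r8", "app-02", NOW - timedelta(days=200), NOW - timedelta(days=1)),
]
```

Running `count_report(SAMPLE, NOW)` shows eight inventory rows collapsing to four billable assets; the gap between the two numbers is the true-down argument at renewal.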
The Defender VM Anchor
For Microsoft-centric enterprises, part of the vulnerability management capability is usually already owned. Microsoft Defender Vulnerability Management provides continuous asset discovery and vulnerability and misconfiguration assessment, and its core is built into Defender for Endpoint Plan 2 — which ships with Microsoft 365 E5. A premium add-on layers deeper features at about $2 per user per month on top of P2, or $3 standalone. Defender VM does not match the breadth of a dedicated CTEM platform across non-Microsoft and OT estates, but for endpoint and server coverage inside a Microsoft estate it may already cover the requirement. Map what Defender VM already covers before buying a third-party platform for the same hosts — the same owned-capability logic that runs through the endpoint security and identity decisions and sits inside the broader Microsoft commercial relationship.
Scanner Infrastructure and the True Total Cost
The licence is one line in a vulnerability management programme that has several. A realistic three-year total cost of ownership adds scanner and agent infrastructure, professional services and integration development, and the staff time to triage findings — the operational cost that consistently dwarfs the per-asset fee. Authenticated scanning needs credentialed scanners and agents deployed across the estate; cloud and container coverage needs connectors and runtime sensors; and feeding results into ticketing, SIEM and patch workflows is integration work that vendors quote as professional services. An enterprise that buys the platform and under-resources the operations ends up paying for findings nobody actions.
This is why risk-based prioritisation has become the centre of the pitch. Tenable, Qualys and Rapid7 all sell risk-scoring — VPR, TruRisk, Active Risk — to cut the raw vulnerability count down to what is genuinely exploitable, and the better the prioritisation, the less the downstream staff cost. But prioritisation engines are also where premium tiers and exposure modules are justified, so the capability that reduces your operating cost is sold as the capability that raises your licence cost. Decide what prioritisation you actually need against your remediation capacity, and weigh the premium tier against the analyst hours it genuinely saves rather than the marketing claim. Model the full programme cost — licence, scanners, integration and people — before committing, the same total-cost discipline that governs the backup and DR storage lines and the CASB deployment decision.
Negotiation Levers That Work
The first lever is the competitive process: buyers who run Tenable, Qualys and Rapid7 against each other typically achieve 20–35% lower pricing than those negotiating with a single incumbent, and the leverage requires a real evaluation rather than a renewal conversation. The second lever is the multi-year-plus-bundle structure — committing to a multi-year term with the specific modules you will deploy cuts total contract value 25–35% versus single-year, single-product deals, provided you commit only to modules you will actually use. The third lever is the auditable asset count: lock a deduplicated definition and true-down rights so you are not paying for instances that no longer exist, the same diligence we apply to the backup and DR workload count. To benchmark your vulnerability management licensing against current market rates, request a confidential briefing or read our price benchmarking research.