This page is intended to help you understand how Nucleus subscriptions work and to answer some common questions you might have.
Nucleus pricing is designed to mirror the way many vulnerability scanning tools are priced: a fixed cost per Asset, per year. There are two classes of Assets in Nucleus: Devices and Applications. Nucleus discovers these Assets through the vulnerability scan results it processes, and uses that information to populate and maintain a comprehensive asset inventory.
What are Devices?
A device in Nucleus is typically a computer (server, workstation, laptop, virtual machine, etc.) or a network device (router, switch, firewall, etc.) that is identified by a hostname, FQDN, database, or IP address. Nucleus discovers your devices when ingesting scan results from network and infrastructure scanners (e.g. Qualys, Tenable, Rapid7) by counting the number of scan "targets" in the result/report.
What are Applications?
An application in Nucleus is typically a custom piece of software/code that is most commonly identified by a code repository, URL, container image, or application name. Nucleus discovers your applications when ingesting scan results from SAST, DAST, and SCA scanners (e.g. Fortify, Netsparker, Snyk) by counting the number of scan "targets" in the result/report.
The Acme organization is using:
- Qualys to scan 10,000 IP addresses
- Netsparker to scan 250 live web applications (URLs)
- Veracode to perform static analysis scans for 50 applications
- Snyk to perform SCA scans for 500 code repositories
If the scan results for all four tools are imported into Nucleus, the organization will need a Nucleus subscription for 10,000 Devices (Qualys scan targets) and 800 Applications (Netsparker, Veracode & Snyk scan targets).
- Do deleted or inactive assets count towards my license?
- No. Once you remove an asset from Nucleus or set an asset to inactive, that asset will no longer count towards your subscription.
- What happens if I hit my license limit?
- If your license limit is reached, scan results will still upload successfully, but you will receive an in-app notification that your license limit has been reached, and the scan import will have a "warning" status. All of the asset and vulnerability information from the scan will be imported; however, you will not see the assets and vulnerabilities reflected in Nucleus until your license is increased. If you hit your license limit, please contact your Nucleus support representative and we will be happy to assist you! Once your license is updated, the assets that were not showing up in Nucleus when you hit your license limit will show up in Nucleus automatically.