Anthropic-Cybersecurity-Skills/skills/scanning-infrastructure-with-nessus/references/workflows.md

# Workflows - Scanning Infrastructure with Nessus

## Workflow 1: Initial Infrastructure Assessment

```
┌─────────────────┐     ┌──────────────────┐     ┌────────────────────┐
│  Asset Discovery │────>│  Policy Creation │────>│  Credential Config │
│  (Host Enum)     │     │  (Custom/Default)│     │  (SSH/WinRM/SNMP)  │
└─────────────────┘     └──────────────────┘     └────────────────────┘
                                                          │
        ┌────────────────────────────────────────────────┘
        v
┌──────────────────┐     ┌──────────────────┐     ┌────────────────────┐
│   Launch Scan    │────>│  Monitor Status  │────>│   Export Results   │
│   (On-Demand)    │     │  (API Polling)   │     │   (CSV/HTML/PDF)   │
└──────────────────┘     └──────────────────┘     └────────────────────┘
                                                          │
        ┌────────────────────────────────────────────────┘
        v
┌──────────────────┐     ┌──────────────────┐     ┌────────────────────┐
│ Analyze Findings │────>│ Prioritize Vulns │────>│  Create Tickets    │
│ (Severity/CVSS)  │     │ (Risk-Based)     │     │  (Jira/ServiceNow) │
└──────────────────┘     └──────────────────┘     └────────────────────┘
```

## Workflow 2: Recurring Scheduled Scanning

1. **Weekly**: Scan DMZ and internet-facing assets
2. **Bi-weekly**: Scan internal production servers
3. **Monthly**: Full infrastructure scan including workstations
4. **Quarterly**: Comprehensive scan with compliance audits
5. **Ad-hoc**: Post-patch verification scans

## Workflow 3: Scan Result Processing Pipeline

```
Nessus Export (.nessus XML)
    │
    ├──> Parse with Python (xml.etree / defusedxml)
    │        │
    │        ├──> Filter by severity (Critical/High)
    │        ├──> Deduplicate findings across hosts
    │        ├──> Enrich with EPSS scores
    │        └──> Map to MITRE ATT&CK techniques
    │
    ├──> Import to Vulnerability Management Platform
    │        │
    │        ├──> Tenable.sc / Tenable.io
    │        ├──> DefectDojo
    │        └──> Faraday
    │
    └──> Generate Executive Report
             │
             ├──> Vulnerability count by severity
             ├──> Top 10 most critical findings
             ├──> Remediation progress trending
             └──> Risk score by business unit
```

## Workflow 4: API Automation Flow

```python
# Nessus API Workflow Steps:
# 1. POST /session -> Get auth token
# 2. GET /editor/scan/templates -> List available templates
# 3. POST /scans -> Create scan with template UUID
# 4. POST /scans/{id}/launch -> Start the scan
# 5. GET /scans/{id} -> Poll until status == "completed"
# 6. POST /scans/{id}/export -> Request export (format: nessus/csv/html)
# 7. GET /scans/{id}/export/{file_id}/status -> Poll export status
# 8. GET /scans/{id}/export/{file_id}/download -> Download results
# 9. DELETE /session -> Logout
```

## Workflow 5: Multi-Scanner Coordination

For large enterprises with multiple Nessus scanners:

1. **Central Management**: Use Tenable.sc to manage multiple scanners
2. **Zone Assignment**: Assign scanners to specific network zones
3. **Scan Windowing**: Stagger scans to prevent network saturation
4. **Result Aggregation**: Consolidate results in central repository
5. **Deduplication**: Merge findings from overlapping scan ranges