Rate Limiting

Tenable Vulnerability Management performs rate limiting on API requests to ensure that all customers experience the same level of service. Based on current processing load, Vulnerability Management calculates the number of API requests it can accept from a single user per minute. Individual users are identified by the API key used in each API request. An individual user can have only one valid API key at a time.

If you submit an API request after the processing limit is reached, Vulnerability Management returns an HTTP response message with a 429 (Too Many Requests) status code. The response also includes a retry-after header element that specifies the number of seconds to wait before retrying.

Example Response Header

connection:keep-alive 
content-length:580 
content-type:text/html
date:Wed, 24 Oct 2018 17:13:43 GMT 
retry-after:30 
server:tenable.io
strict-transport-security:max-age=63072000; includeSubDomains
x-content-type-options:nosniff
x-gateway-site-id:nginx-router-b-eng-us-east-1.dcld
x-path-handler:tenable-io-plugins-plugin

Example

Handling 429 messages without pyTenable module
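
One way to handle the 429 response and retry-after header described above with only the Python standard library. This is an added example, not Tenable's own code. The names parse_retry_after, urllib_send, call_with_retry, MAX_WAIT and DEFAULT_WAIT are assumptions made for illustration, and the HTTP-date branch goes beyond the seconds form shown on this page.

```python
import email.utils
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone

MAX_WAIT = 300     # assumed ceiling (seconds) on any single wait
DEFAULT_WAIT = 30  # assumed fallback when retry-after is missing or unparsable


def parse_retry_after(headers, now=None):
    """Return the number of seconds to wait, read case-insensitively from headers."""
    value = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if value is None:
        return DEFAULT_WAIT
    value = value.strip()
    if value.isdecimal():  # seconds form, as in the example response header
        return min(int(value), MAX_WAIT)
    try:  # HTTP-date form, which the HTTP specification also permits
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return DEFAULT_WAIT
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return min(max(int((when - now).total_seconds()), 0), MAX_WAIT)


def urllib_send(request):
    """Send a prepared urllib.request.Request; return (status, headers, body)."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx, including 429
        return err.code, dict(err.headers), err.read()


def call_with_retry(send, request, max_retries=5, sleep=time.sleep):
    """Issue requests one at a time; on 429 wait as instructed, then retry."""
    for attempt in range(max_retries + 1):
        status, headers, body = send(request)
        if status != 429:
            return status, headers, body
        if attempt < max_retries:
            sleep(parse_retry_after(headers))
    raise RuntimeError(f"still rate limited after {max_retries} retries")
```

Pass urllib_send as the send argument together with a urllib.request.Request that already carries your API key header; the sleep parameter exists so the wait can be replaced in tests.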

Recommendations to Avoid Rate Limits

  • Use the exports endpoints to retrieve data from Vulnerability Management. While Vulnerability Management supports the workbenches export endpoints, Tenable recommends using the optimized exports endpoints instead.
  • Do not multi-thread your requests. As long as you are using the appropriate APIs, you should be able to export data from Vulnerability Management without reaching rate limits.
  • If your process regularly reaches the API request rate limit, review your code to ensure that you are not co-processing requests.
  • Always use a unique user account for each API integration you enable or create. This approach ensures proper tracking of who is accessing which data and allows Vulnerability Management to enforce rate limits for each API user.