Baron von Fajita @infosec.pub

Vulnerability Management Software

I need some help here. I'm looking for vulnerability management software that accepts data from vulnerability scanners (Tenable.io and Nessus in my case) and allows analysts to review the scanned vulnerabilities for further action. This will mostly be creating tickets, but I want analysts to be able to group vulns together where appropriate (e.g., one system has a ton of vulns because it's obviously been left out of an automated patching program; the solution is not to patch each vulnerability but to include it in the automation) and create tickets appropriately. It also needs to support simple Risk Acceptance workflows (no giant approval chains, but likely more just analysts grouping and marking sets of vulns as RA). Finally, it needs to be multi-tenant or at least have some siloing capabilities.

We are currently using Tenable.io for ongoing vulnerability scanning in some smaller clients, but the vulnerability management functionality is severely lacking. I've looked at Nucleus, but it looks to be far too much for what we need. They also have a 5000 seat minimum and come out to around $10/asset, which is above our price range.

I don't want to replace Tenable as I trust it for quality of scanning, but I'd potentially switch to Rapid7 or Qualys if that worked with another vuln mgmt tool better.

Thoughts?

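Added illustration, not part of the original post: the grouping and risk-acceptance triage described above, sketched in Python over a constructed `.nessus` v2-style file (the sample data, the `bulk_threshold` value and the helper names are assumptions, not a product's logic).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the .nessus v2 layout (not real scan output).
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="example">
  <ReportHost name="10.0.0.5">
   <ReportItem pluginID="10001" severity="3" pluginName="OpenSSL outdated"/>
   <ReportItem pluginID="10002" severity="4" pluginName="Kernel outdated"/>
   <ReportItem pluginID="10003" severity="2" pluginName="curl outdated"/>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem pluginID="10001" severity="3" pluginName="OpenSSL outdated"/>
   <ReportItem pluginID="0" severity="0" pluginName="Ping the remote host"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def parse_findings(xml_text, min_severity=1):
    """Return {host: [(pluginID, severity, name), ...]}, dropping info-only items."""
    root = ET.fromstring(xml_text)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        name = host.get("name")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev >= min_severity:
                findings[name].append((item.get("pluginID"), sev, item.get("pluginName")))
    return dict(findings)

def triage(findings, bulk_threshold=3):
    """Hosts at or above the threshold get one 'onboard into patch automation' ticket;
    the rest get a ticket per finding. Threshold is an assumed tuning knob."""
    bulk, individual = {}, {}
    for host, items in findings.items():
        (bulk if len(items) >= bulk_threshold else individual)[host] = items
    return bulk, individual

def risk_accept(findings, plugin_ids):
    """Mark a set of plugin IDs as risk-accepted across all hosts; returns the
    remaining findings and how many were accepted."""
    accepted = set(plugin_ids)
    out, removed = {}, 0
    for host, items in findings.items():
        kept = [i for i in items if i[0] not in accepted]
        removed += len(items) - len(kept)
        if kept:
            out[host] = kept
    return out, removed
```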