Authenticate by generating an API key pair (access key and secret key) in Tenable Vulnerability Management under Settings > My Account > API Keys, and include them as X-ApiKeys: accessKey=YOUR_ACCESS_KEY;secretKey=YOUR_SECRET_KEY on every request.
Initiate an export job with POST https://cloud.tenable.com/vulns/export, providing a JSON body with filters (severity, state, last_found, plugin_family, etc.) and chunk_size (default 500 findings per chunk).
Poll the export status with GET https://cloud.tenable.com/vulns/export/{exportUuid}/status until the status field is FINISHED and the chunks_available_count is populated.
Download each chunk with GET https://cloud.tenable.com/vulns/export/{exportUuid}/chunks/{chunkId} and repeat for all chunk IDs returned in the status response.
For incremental syncs, record the last export's started_at timestamp and use the last_found date filter on subsequent exports to retrieve only new or updated findings.
Known gotchas
Chunk sizes vary significantly in byte count even with a fixed chunk_size setting because each chunk is independently built from asset-vulnerability pairs; do not assume uniform download times.
Export jobs expire after a short window (check current docs for exact TTL); download all chunks promptly after FINISHED status is reached or re-initiate the export.
Tenable rate-limits concurrent export jobs per account; running simultaneous asset and vulnerability exports may cause one to queue; stagger initiations.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp