
Vulnerability scanning: how often should I scan?

James Harrison, Senior Content Writer


The time between a vulnerability being discovered and hackers exploiting it is narrower than ever – just 12 days. So it makes sense that organizations are starting to recognize the importance of not leaving long gaps between their scans, and the term “continuous vulnerability scanning” is becoming more popular.  

But what does that actually mean? Does it mean that as soon as one scan finishes another one starts? If a scan never finishes, how do you know when to look at the results, and what do you show the auditor? It’s easy to say “continuous vulnerability scanning”, but we’re here to help you figure out why it’s important, and what it actually means.

Hackers won’t wait for your next scan

One-off scans can be a simple ‘one-and-done’ exercise to prove your security posture to customers, auditors or investors, but more commonly the term refers to periodic scans kicked off at semi-regular intervals – the industry standard has traditionally been quarterly.

These periodic scans give you a point-in-time snapshot of your vulnerability status – from SQL injections and XSS to misconfigurations and weak passwords. That’s fine for compliance if all the auditor asks for is a quarterly vulnerability scan, but not so good for ongoing oversight of your security posture, or for a robust attack surface management program. With a fresh CVE created every 20 minutes, you run the risk of having an outdated view of your security at any given moment.

It’s highly likely that some of the 25,000 CVE vulnerabilities disclosed last year alone will affect you and your business in the gaps between one-off or semi-regular scans. Just look at how often you have to update the software on your laptop... It can take weeks or even months before vulnerabilities are patched too, by which time it may be too late. With the potential damage to your business these vulnerabilities could cause, there’s simply no substitute for continuous scanning in 2023.

Continuous vulnerability scanning provides 24/7 monitoring of your IT environment, with automation to reduce the burden on IT teams, which means issues can be found and fixed faster, closing the door on hackers and potential breaches.

The slow pace of compliance

Let’s be honest, a lot of companies start their cyber security journey because someone tells them they have to, whether that’s a customer or an industry compliance framework. And a lot of the requirements in this space can take time to evolve, still citing things like an “annual penetration test” or “quarterly vulnerability scan”. These are legacy concepts from years ago when attackers were thin on the ground, and these things were seen as ‘nice to have’.

As a result, many organizations still treat vulnerability scanning as a nice-to-have or a compliance box to tick. But there is a world of difference between semi-regular scanning and proper, continuous vulnerability testing and management – and understanding that difference is crucial for improving security rather than just spending money on it.

The simple truth is that new vulnerabilities are disclosed every day, so there’s always the potential for a breach – even more so if you’re often updating cloud services, APIs and applications. One small change or new vulnerability release is all it takes to leave yourself exposed. It’s no longer about ticking boxes – continuous coverage is now a ‘must have’, and organizations that are more mature in their cyber security journey are realizing it.

Continuous attack surface monitoring

It’s not just new vulnerabilities that are important to monitor. Every day your attack surface changes as you add or remove devices from your network, expose new services to the internet, or update your applications or APIs. As this attack surface changes, new vulnerabilities can be exposed.  

To catch new vulnerabilities before they’re exploited, you need to know what’s exposed and where – all the time. Many legacy tools don’t provide the right level of detail or business context to prioritize vulnerabilities; they treat all attack vectors (external, internal, cloud) the same. To be truly effective, continuous attack surface monitoring should provide that business context and cover all attack vectors – including cloud integrations and network changes.

Attack surface management is no longer just a technical consideration either. Boards are increasingly recognizing its importance as part of a robust cyber security program to safeguard operations, while it’s a key requirement for many cyber insurance premiums.

How much is too much?

Continuous scanning doesn’t mean constant scanning, which can produce a barrage of alerts, triggers and false positives that are nearly impossible to keep on top of. Constant scanning can also slow down your systems and applications, while the resulting alert fatigue ties your team up in knots prioritizing issues and weeding out false positives.

Intruder cleverly gets round this problem by kicking off a vulnerability scan when a network change is detected or a new external IP address or hostname is spun up in your cloud accounts. This means your vulnerability scans won’t overload your team or your systems but will minimize the window of opportunity for hackers. Find out more in our guide to vulnerability scanning best practices.
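To make the change-triggered approach concrete for both the attack surface monitoring section above and this one, here is an added illustration (not Intruder’s code, and not a description of how its product is implemented): two consecutive asset-inventory snapshots are diffed, only hosts that are new, re-addressed or newly exposing a port produce a scan trigger, and a cooldown suppresses repeat scans of the same host so a noisy environment doesn’t turn into a barrage. The hostnames, IP addresses, port sets and the six-hour cooldown are constructed for the example; how you obtain the snapshots (cloud API, DNS, port discovery) is left open.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample inventories (hypothetical): what an asset-discovery step
# might report for two consecutive polls of a cloud account.
PREVIOUS = {
    "web.example.com": {"ip": "203.0.113.10", "ports": {80, 443}},
    "db.example.com": {"ip": "203.0.113.20", "ports": {5432}},
}
CURRENT = {
    "web.example.com": {"ip": "203.0.113.10", "ports": {80, 443, 8080}},  # newly exposed service
    "api.example.com": {"ip": "203.0.113.30", "ports": {443}},            # brand-new host
    # db.example.com has disappeared: nothing to scan, but worth recording
}


@dataclass(frozen=True)
class ScanTrigger:
    host: str
    reason: str
    ports: frozenset  # the ports that justify scanning this host now


def diff_attack_surface(previous, current):
    """Return one ScanTrigger per host whose exposure changed between two snapshots.

    A host is scanned when it is new, when its IP changed (it may now be a
    different machine), or when it exposes ports it did not expose before.
    Unchanged hosts produce nothing, which is what keeps the scan volume down.
    """
    triggers = []
    for host, cur in current.items():
        prev = previous.get(host)
        if prev is None:
            triggers.append(ScanTrigger(host, "new host", frozenset(cur["ports"])))
        elif prev["ip"] != cur["ip"]:
            triggers.append(ScanTrigger(host, "ip changed", frozenset(cur["ports"])))
        else:
            new_ports = cur["ports"] - prev["ports"]
            if new_ports:
                triggers.append(ScanTrigger(host, "new ports exposed", frozenset(new_ports)))
    return triggers


def removed_hosts(previous, current):
    """Hosts present last time but gone now; useful for inventory hygiene, not scanning."""
    return sorted(set(previous) - set(current))


class ScanScheduler:
    """Debounce triggers: a host already queued within the cooldown is not re-queued."""

    def __init__(self, cooldown=timedelta(hours=6)):
        self.cooldown = cooldown
        self.last_queued = {}  # host -> datetime the last scan was queued

    def schedule(self, triggers, now):
        queued = []
        for trig in triggers:
            last = self.last_queued.get(trig.host)
            if last is not None and now - last < self.cooldown:
                continue  # suppressed: this host was scanned recently
            self.last_queued[trig.host] = now
            queued.append(trig)
        return queued


if __name__ == "__main__":
    scheduler = ScanScheduler()
    now = datetime(2023, 6, 1, 12, 0)
    for trig in scheduler.schedule(diff_attack_surface(PREVIOUS, CURRENT), now):
        print(f"queue scan of {trig.host} ({trig.reason}): ports {sorted(trig.ports)}")
    print("removed since last poll:", removed_hosts(PREVIOUS, CURRENT))
```

In practice the loop runs on a timer or on an event from the cloud provider, and the queued triggers are handed to whatever scanner you use; the point of the diff plus cooldown is that the scanner only runs when the attack surface actually changed, not simply because the clock ticked.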

How often do you need to scan for compliance?

This depends on which compliance standard you’re working towards! While SOC 2 and ISO 27001 give you some wiggle room, HIPAA, PCI DSS and GDPR explicitly state scanning frequency, from quarterly to once a year. But using these standards to determine the right time and frequency for vulnerability scanning might not be right for your business, and doing so will increase your exposure to security risks given the rapidly changing security landscape.

If you want to actually secure your digital assets and not just tick a box for compliance, you need to go above and beyond the requirements stipulated in these standards – some of which are out of step with today’s security needs. Today’s agile SaaS businesses, online retailers that process high volume transactions or take card payments, and anyone operating in highly-regulated industries like healthcare and financial services, need continuous scanning to ensure they’re properly protected.

Harder, better, faster, stronger

Traditional vulnerability management is broken. With technology in constant flux as you spin up new cloud accounts, make network changes or deploy new technologies, one-off scans are no longer enough to keep up with the pace of change.

When it comes to closing the cyber security gaps between scans that attackers look to exploit, sooner is better than later, but continuous is best. Continuous scanning reduces the time to find and fix vulnerabilities, delivers rich threat data and remediation advice, and minimizes your risk by prioritizing threats according to the context of your business needs.  

Don’t just take our word for it – why not get a free trial and find out for yourself?
