According to industry guidance such as the CIS Critical Security Controls, how frequently should an enterprise perform vulnerability scanning to minimize the window of opportunity for attackers?
Only when new hardware is added to the environment.
Continuously or at least weekly, using automated authenticated scans across all systems.
Once every three years, during scheduled compliance audits.
Only after a security incident has occurred and remediation is complete.
CIS Control 3 (Continuous Vulnerability Management, in the v7 numbering of the Controls) specifies that organizations should run automated, authenticated vulnerability scanning tools against all systems "on a weekly or more frequent basis." Scanning continuously, or at least weekly, shortens the window between a vulnerability's disclosure and its detection and remediation on the affected hosts. Three-yearly, post-incident, or hardware-triggered scanning intervals leave long gaps during which newly disclosed vulnerabilities can be exploited before anyone knows they are present. Authenticated scans matter because unauthenticated scans only see what is exposed on the network and miss missing patches, local misconfigurations, and vulnerable software that does not listen on a port.
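A cadence is only useful if something checks it. The following is an added example, not part of the original question and not CIS's own tooling: a small Python script that takes an asset inventory and a scanner's result export (both constructed here as inline sample data with hypothetical hostnames) and reports every asset that was never scanned, whose last scan is older than seven days, or whose last scan was unauthenticated. The record field names (`asset`, `scanned_at`, `authenticated`) are assumptions; map them to whatever your scanner exports.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical hostnames), not a real inventory or scan export.
SAMPLE_INVENTORY = ["web-01", "db-01", "jump-01", "build-01"]
SAMPLE_SCANS = [
    {"asset": "web-01", "scanned_at": "2024-05-06T02:00:00Z", "authenticated": True},
    {"asset": "web-01", "scanned_at": "2024-04-29T02:00:00Z", "authenticated": True},
    {"asset": "db-01", "scanned_at": "2024-04-20T02:00:00Z", "authenticated": True},
    {"asset": "jump-01", "scanned_at": "2024-05-07T02:00:00Z", "authenticated": False},
]
# The "current time" for the report, fixed so the example is reproducible.
SAMPLE_NOW = "2024-05-08T00:00:00Z"

# CIS Control 3.1 (v7): weekly or more frequent.
MAX_AGE = timedelta(days=7)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_scan_per_asset(scans):
    """Return {asset: most recent scan record} from a list of scan records."""
    latest = {}
    for rec in scans:
        current = latest.get(rec["asset"])
        if current is None or parse_ts(rec["scanned_at"]) > parse_ts(current["scanned_at"]):
            latest[rec["asset"]] = rec
    return latest


def find_gaps(inventory, scans, now_iso, max_age=MAX_AGE):
    """Return {asset: [reasons]} for every inventory asset that fails the cadence check.

    An asset with an empty reason list is not included, so the result is the
    exception report: what a weekly job should page someone about.
    """
    now = parse_ts(now_iso)
    latest = latest_scan_per_asset(scans)
    gaps = {}
    for asset in sorted(inventory):
        rec = latest.get(asset)
        reasons = []
        if rec is None:
            # In inventory but absent from every scan: the scanner's target list is wrong.
            reasons.append("never scanned")
        else:
            age = now - parse_ts(rec["scanned_at"])
            if age > max_age:
                reasons.append(f"stale: last scan {age.days} days ago")
            if not rec["authenticated"]:
                # Credentialed access failed or was never configured; results are incomplete.
                reasons.append("last scan unauthenticated")
        if reasons:
            gaps[asset] = reasons
    return gaps


if __name__ == "__main__":
    for asset, reasons in find_gaps(SAMPLE_INVENTORY, SAMPLE_SCANS, SAMPLE_NOW).items():
        print(f"{asset}: {'; '.join(reasons)}")
```

Run it on the sample data and only `build-01`, `db-01` and `jump-01` are reported; `web-01` passes because its most recent scan is both recent and authenticated. Wire the same check to a real inventory export and schedule it daily, so a scanner outage or a dropped credential shows up as a missed-cadence alert rather than as a quiet gap in coverage.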