According to industry guidance such as the CIS Critical Security Controls, how frequently should an enterprise perform vulnerability scanning to minimize the window of opportunity for attackers?
Only after a security incident has occurred and remediation is complete.
Once every three years, during scheduled compliance audits.
Only when new hardware is added to the environment.
Continuously or at least weekly, using automated authenticated scans across all systems.
CIS Control 3 (Continuous Vulnerability Management) specifies that organizations should run automated, authenticated vulnerability scanning tools on all systems "on a weekly or more frequent basis." Implementing continuous or at least weekly scans ensures that newly disclosed vulnerabilities are discovered quickly, shrinking the window during which they remain exposed. Post-incident, multi-year, or hardware-only scanning intervals leave lengthy gaps during which newly disclosed vulnerabilities can be exploited.