Vulnerability Scan Scheduling and Baseline Cadence

Cadence is per asset class and per scanner class

Most cadence policies fail by being too uniform. A single weekly schedule across a mixed estate either over-scans the stable assets and burns triage capacity, or under-scans the high-change assets and lets regressions slip past detection. The defensible policy decomposes cadence by asset volatility and scanner class.

The same logic applies to source-side scanning. SAST and SCA fit best on the pull request and push lifecycle of the source repository rather than a calendar schedule, with a weekly or monthly full default-branch scan as the regression baseline. The page below covers code-scan cadence in more detail later in the guide.¹⁴

Calendar cadence and change-triggered cadence

Scan cadence has to operate on two axes at once. Calendar cadence answers the steady state question: what does a scan against this asset look like every interval. Change cadence answers the event question: when does an event invalidate the previous scan and require a fresh one ahead of the next scheduled tick. Programmes that watch only the calendar miss the events; programmes that watch only events miss the steady state evidence framework auditors expect.

Reading the diff between two scan baselines

A single scan is one snapshot. Two scans against the same target produce a diff that is the actual signal cadence is supposed to deliver. The diff splits findings into new (present in the later scan, absent earlier), fixed (present earlier, absent later), unchanged (present in both), and modules-only-in-one (a module ran in only one of the two scans).

The most common diff misread is treating an absent finding as a fix when the underlying cause is a coverage drop. An authenticated scan that silently failed at login produces a diff that looks like every authenticated finding has been remediated. The fix is to pair the diff with the scan-coverage record so the new and fixed counts are anchored to the surface that actually ran in each cycle. The authenticated scanner failure modes guide covers the six failure classes that account for most authenticated coverage gaps.

The second common misread is letting suppression history collapse into the new-finding count. A finding that was suppressed with evidence in cycle N should not return as a new finding in cycle N+1; the diff has to honour the suppression record. The vulnerability scanner false positives guide covers durable suppression so the cadence does not turn into a re-triage of every cycle.

How compliance frameworks read scan cadence

Auditors do not read scan cadence as the date stamp on the most recent scan. They read cadence as the count of scans inside the audit observation period and the evidence that the cadence operated. The framework expectations below set the floor; programmes justify higher cadence on a risk basis when assets warrant it.

• PCI DSS v4.0 Requirement 11.3 expects internal vulnerability scans at least every three months and after any significant change. External scans are performed by an Approved Scanning Vendor at least every three months, with re-scans required for high or critical findings until the issues are addressed.^1,9
• ISO 27001:2022 Annex A 8.8 (management of technical vulnerabilities) expects vulnerabilities to be identified and addressed at a documented cadence justified by the risk assessment. The cadence has to operate continuously across the surveillance interval; a single annual scan rarely survives the audit read for a quarterly-rated risk.²
• SOC 2 Trust Services Criteria CC7.1expects ongoing detection of new vulnerabilities and security events. Evidence of the detection has to populate the observation period rather than cluster at audit week.³
• NIST SP 800-53 control RA-5(Vulnerability Monitoring and Scanning) expects a defined frequency or random schedule for scanning, plus update-driven scans when new vulnerabilities are identified and reported. The control is satisfied by both calendar and event-driven cadence.⁵
• CISA BOD 22-01 sets the pattern of continuous monitoring against the Known Exploited Vulnerabilities catalogue with bounded remediation windows. Cadence is implicit in the obligation to detect and remediate within the window the directive sets.^7,8
• NIST SP 800-40 Rev. 4 (Patch Management) treats vulnerability scanning and patching as paired disciplines with a documented cadence per asset. The cadence is justified by the asset is criticality and the exposure window the programme is willing to accept.⁴

The shared pattern across these frameworks is that cadence is operational, not ceremonial. A scan record with quarterly date stamps and no diff between cycles satisfies the calendar bar and fails the operating-effectiveness bar. The audit read converges on cadence operation, change-triggered scans, finding lifecycle through remediation, and reproducible evidence drawn from the live record rather than from a static evidence pack.

SAST and SCA cadence in CI/CD

Source-side scanning fits the pull request and push lifecycle better than a calendar schedule. The cadence model that produces the most defensible coverage runs four scans of different granularity on different triggers.

Operational checklist for a defensible scan cadence

For internal security and vulnerability management teams

Internal security teams and vulnerability management teams operate cadence as part of continuous monitoring, not as a calendar artefact. The disciplines that hold up under audit and under remediation pressure are the same: per-asset cadence, change-triggered cadence on top, diff-led triage at each tick, and finding lifecycle on the same record the cadence operates against.

• Set cadence per asset volatility rather than as a blanket policy across the estate.
• Wire on-change scans into the change management process so the trigger is automatic, not manual.
• Read the diff first at each scheduled tick; the new and changed findings drive the work, not the full output.
• Pair scan coverage to the diff so a coverage drop is not misread as remediation.
• Track suppression state across cycles so the cadence does not regress into a re-triage exercise.

For internal security teams, vulnerability management teams, AppSec teams, and GRC and compliance teams, the operating commitment is to keep the cadence visible on the engagement record so both the operator view and the audit view read from the same source. The vulnerability remediation throughput research covers the closure-side discipline that scheduled cadence has to feed; the audit evidence half-life research covers how cadence evidence ages between assessments and what auditors actually read.

How SecPortal handles scan scheduling and baseline diff

SecPortal supports scheduled scans across three scanner classes with four frequency options, gated by the continuous monitoring plan feature. The schedule is one record; each run produces a scan execution on the engagement so the cadence is auditable rather than a one-off output.

The schedule, the runs, and the diffs land on the engagement record alongside the findings, so the audit view reads from the same record the operators run on. The findings management feature holds the finding lifecycle, the continuous monitoring feature holds the schedule, and the activity log feature holds the timestamped chain of state changes by user. The compliance tracking feature maps findings and controls to ISO 27001, SOC 2, Cyber Essentials, PCI DSS, and NIST frameworks so the cadence evidence aligns to the framework view auditors read.

Related scanner discipline

Cadence depends on the upstream and downstream disciplines that bracket it. The pages below cover the surrounding decisions.

• Scan scoping and target selection covers the upstream scope decisions that shape what the cadence operates against.
• Scanner coverage and limits covers what each scanner class can and cannot reach so cadence does not paper over structural gaps.
• Vulnerability scanner false positives covers durable suppression that lets the cadence read clean diff output rather than re-surfacing closed false positives.
• Scanner output deduplication covers how to merge findings across tools and cycles so the diff stays clean across multi-tool engagements.
• Scan baseline and trend comparison covers how to read the multi-cycle trend the cadence produces, separate real change from coverage drift, and report regression defensibly to leadership and audit.
• Authenticated scanner failure modes covers the six failure classes that account for most authenticated coverage drops that look like remediation in the diff.
• Scanner rate limiting and throttling covers how the rate decision interacts with the cadence (a scan that hit a rate limit and silently truncated produces a diff that reads like remediation and is a coverage drop).
• Scanner credential rotation and lifecycle covers the rotation cadence the credential lifecycle has to feed alongside the scan schedule, so a credential drift event does not silently turn an authenticated scan diff into a coverage drop dressed as remediation.
• Scan evidence retention and governance covers how long the scan executions, findings, and activity records the cadence produces are retained, when they are disposed, and how compliance frameworks read the retention as evidence the cadence operated across the audit window.
• Remediation tracking workflow covers the closure side of the cadence loop.
• Vulnerability SLA management workflow covers the SLA windows the cadence has to satisfy.

For the wider operating model the cadence plugs into, the security workflow orchestration research covers how scheduled scans, manual testing, remediation, retest, and reporting fit together, and the continuous security monitoring guide covers the programme-level discipline that scheduled cadence is one input into.

Scope and limitations of this guide

Scan cadence is a programme discipline, not a configuration setting. No cadence policy makes the underlying scanner classes more capable than they are; no schedule replaces the manual testing the scanner cannot reach. The cadence question is what volume of scans is enough to operate detection across the observation period and what triggers a scan ahead of the next tick. The answer is per asset class, per scanner class, per change axis, and per framework floor that applies.

Cadence claims that depend on a single calendar interval almost always understate the change axis. Cadence claims that decompose into calendar plus change, that pair the schedule with diff reading, and that hold the runs on the same record the operators and the auditor read from are the claims that survive the audit and the remediation cycle.

Frequently Asked Questions

Sources

1. PCI Security Standards Council, PCI DSS v4.0 (Requirements 11.3, 11.4, 6.3.3)
2. ISO/IEC, ISO 27001:2022 Information Security Management (Annex A 8.8)
3. AICPA, SOC 2 Trust Services Criteria (CC7.1)
4. NIST, SP 800-40 Rev. 4: Guide to Enterprise Patch Management Planning
5. NIST, SP 800-53 Rev. 5: Security and Privacy Controls (RA-5 Vulnerability Monitoring and Scanning)
6. NIST, SP 800-115: Technical Guide to Information Security Testing and Assessment
7. CISA, Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities
8. CISA, Known Exploited Vulnerabilities Catalog
9. PCI Security Standards Council, ASV Program Guide
10. OWASP, Web Security Testing Guide (WSTG)
11. SecPortal, Continuous Monitoring Feature
12. SecPortal, External Scanning Feature
13. SecPortal, Authenticated Scanning Feature
14. SecPortal, Code Scanning Feature
15. SecPortal Research, Vulnerability Remediation Throughput
16. SecPortal Research, Audit Evidence Half-Life