| Internet-facing gateways, VPNs, firewalls, and public services |
Frequent exposure discovery plus recurring active scans based on the approved detection window; many organizations use intervals shorter than quarterly for this class. |
New IP, DNS, port, service, NAT, certificate, firewall policy, remote-access path, KEV entry, or urgent vendor advisory. |
Public-vantage reachability, target reconciliation, scan completion, current checks, and local firmware/configuration evidence where authorized. |
Coordinate hosted targets, use approved source addresses, monitor availability, and keep emergency contacts active. |
| Critical internal servers and sensitive-data platforms |
Recurring authenticated scans commonly range from weekly to monthly depending on change, impact, exposure, and policy. |
Major patch cycle, platform upgrade, application deployment, identity change, segmentation change, restore, incident, or failed authentication. |
Full/partial/failed credential status, local package and configuration retrieval, segment reachability, exclusions, and rescan status. |
Pilot fragile systems, control concurrency, align with change windows, and maintain stop criteria. |
| Standard managed endpoints |
Continuous or frequent local inventory where supported, with staggered recurring assessment and follow-up for offline or stale devices. |
New endpoint class, agent failure, remote-work change, vulnerable software campaign, reimage, or device returning after absence. |
Agent freshness, enrolled population, offline count, local evidence, network exposure checks, and remediation verification. |
Avoid saturating remote links, preserve device performance, and coordinate broad repair waves. |
| Stable lower-impact internal systems |
Monthly-to-quarterly may be defensible when documented, but event triggers and coverage monitoring still apply. |
Configuration change, newly relevant vulnerability, ownership change, support-status change, or previously excluded system returning. |
Asset owner, last successful scan, credential success, exception status, and review date. |
Do not let “stable” become a substitute for verified inventory and current support status. |
| Rapidly changing cloud, container, or application environments |
Build-, image-push-, deployment-, or change-triggered assessment plus recurring runtime coverage appropriate to the platform. |
New account, subscription, image, dependency, release, public endpoint, permission, pipeline, or runtime configuration. |
Pipeline evidence, deployed-image/workload mapping, runtime reachability, cloud inventory reconciliation, and failed-job alerts. |
Keep this schedule aligned with deployment velocity and avoid assuming build-time results describe runtime exposure. |
| Fragile, OT, medical, embedded, or availability-sensitive devices |
Vendor-approved controlled active testing at a documented interval, supported by passive visibility and alternative evidence where appropriate. |
Vendor advisory, firmware change, network redesign, maintenance outage, new device, incident, or change in segmentation. |
Known inventory, firmware/vendor evidence, safe test result, passive observations, segmentation proof, and documented blind spots. |
Use pilots, clinical/operations coordination, conservative policies, stop conditions, and approved maintenance windows. |