A point-in-time scan is stale the moment a new CVE drops or a new subdomain appears. Perimeter scans on a schedule, diffs your attack surface week over week, re-prioritizes daily against EPSS and the CISA KEV catalog, and tracks every finding to closure with SLAs and rescan-to-verify.

| Capability | Quarterly / point-in-time | Perimeter continuous |
|---|---|---|
| New-CVE exposure window | Up to 90 days | Days — daily EPSS/KEV re-check |
| Attack-surface drift | Missed until next scan | Week-over-week diff + alert |
| Subdomain-takeover detection | Stale | Caught the week it appears |
| Prioritization freshness | Frozen at scan time | Re-scored daily as EPSS/KEV change |
| Remediation verification | Manual re-scan | Rescan-to-verify auto-closes fixes |
| Compliance recency | "Last scanned 3 months ago" | Always-current, timestamped evidence |

Weekly on Starter, daily on Pro — external (Nuclei) and internal (OpenVAS/Trivy via the Lookout agent) on a cadence you set.
Even between scans, every open finding is re-checked against fresh EPSS scores and the CISA KEV catalog. A CVE that gets weaponized overnight is reprioritized by morning.
New asset, new open port, new exposure, expiring cert, SLA breach — pushed to Slack / Teams / email / webhook. Only what changed, only what matters.
PCI DSS 11.3 wants scans quarterly and after every significant change. The HIPAA 2026 Security Rule makes 6-month vulnerability scans required, not addressable. CMMC RA.L2-3.11.x expects ongoing scan-and-remediate. Cyber-insurers increasingly ask for proof of continuous scanning at renewal. Perimeter timestamps every scan and maps findings to the exact control — so "are you scanning continuously?" is answered with evidence, not a promise.
Not when it's prioritized. Perimeter alerts only on what changed and what matters, and multi-engine corroboration cuts false positives — so you fix 4, not 400.
EPSS and KEV are re-checked daily, so a newly exploited CVE on your stack is re-ranked within a day — far faster than a one-off external scan.