The number of CVEs published hit 48,185 in 2025, up 20% from the year before. That’s over 130 new vulnerabilities disclosed every day. The volume isn’t slowing down, and neither are the people exploiting them.
The Exploitation Window is Shrinking
A few years ago, organisations had weeks to patch after a vulnerability was disclosed. That window has collapsed. The average time-to-exploit is now 5 days, down from 32 days in 2022 according to Google Cloud/Mandiant. Nearly a third of vulnerabilities are exploited within 24 hours of disclosure.
If you’re running quarterly scans, you’re leaving up to 85 days of exposure between each one.
Breaches Are Expensive
The global average cost of a data breach in 2025 is $4.44 million according to the IBM Cost of a Data Breach Report. In the US it’s $10.22 million. Healthcare breaches average $7.42 million and have held the top spot for 14 consecutive years.
The mean time to identify and contain a breach is 241 days. That’s eight months of an attacker having access before you’ve even detected them.
Compare that to the cost of prevention. Most SMBs invest $5,000 to $50,000 per year in cybersecurity tools. The ROI on that investment is roughly 300%: every $1 spent on prevention saves around $3 in potential breach costs.
Compliance Requires It
Vulnerability scanning isn’t optional for most regulated organisations.
PCI DSS (Requirement 11.3) mandates quarterly external vulnerability scans by an Approved Scanning Vendor. Since March 2025, PCI DSS v4.0 also requires authenticated internal scans. Any vulnerability with a CVSS score of 4.0 or above must be remediated and rescanned within 30 days.
ISO 27001 requires continuous monitoring and regular vulnerability assessments as part of the Information Security Management System. Technical vulnerability management is a mandatory Annex A control.
SOC 2 requires ongoing risk assessment and continuous monitoring. Vulnerability management is core to demonstrating the security and availability trust criteria.
Cyber Essentials (UK, NCSC) includes patch management as one of five mandatory controls. Cyber Essentials Plus requires external vulnerability scanning. From April 2026, updated requirements embed continuous scanning and weekly remediation cycles into day-to-day operations.
For many organisations, the question isn’t whether to do vulnerability scanning. It’s whether your current approach actually meets the standard.
Continuous Scanning vs Point-in-Time
Traditional vulnerability assessments are done quarterly or annually, often by a third party. They produce a report, the team fixes what they can, and everyone moves on until the next engagement.
With a five-day average time-to-exploit, a quarterly or annual cadence no longer works.
Continuous scanning catches newly disclosed vulnerabilities within hours, not months. Your attack surface changes constantly as you deploy new code, update dependencies, and modify infrastructure. A point-in-time snapshot is out of date almost as soon as it’s taken.
The practical benefits:
- Shorter detection window. New CVEs are flagged as soon as templates are available, not at the next scheduled assessment.
- Compliance without cramming. If you’re scanning continuously, audit preparation is pulling a report rather than running a project.
- Less burden on the team. Automated scanning with alerting means your engineers fix issues as they appear rather than working through a backlog of hundreds of findings every quarter.
What to Look For
Not all scanning tools are equal. The things that matter in practice:
- Template coverage. More detection templates mean more vulnerabilities caught. Look for tools with 10,000+ templates covering CVEs, misconfigurations, and compliance checks.
- Scheduling. You want automated scans running on a cadence that matches your deployment frequency, not just quarterly.
- Compliance mapping. Reports that map findings to specific frameworks like OWASP Top 10, Cyber Essentials, and PCI DSS save hours of manual work.
- Alerting. Slack, email, or webhook notifications when critical vulnerabilities are found.
- API access. If you can’t integrate scanning into your CI/CD pipeline, you’re adding manual steps that people will skip.
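One way to wire the scheduling, compliance-mapping, alerting and API points above into a pipeline, as an added example that is not part of the original post and not Luna’s code: the script below reads a constructed JSON export from a hypothetical scanner, applies the PCI DSS rule quoted earlier (CVSS 4.0 and above must be remediated and rescanned within 30 days), produces alert lines, and fails the CI job when a high-severity or overdue finding is present. The field names, the VULN- identifiers, the sample findings and the 7.0 blocking threshold are assumptions made for the example.

```python
"""
Triage a scanner's JSON findings against the PCI DSS rule quoted in the post
(CVSS >= 4.0 must be remediated and rescanned within 30 days) and decide
whether a CI/CD pipeline run should be blocked.

Assumptions (not from the original post): the scanner exports a JSON array
with the keys used below. Field names, the sample findings and the "VULN-"
identifiers are constructed for this example.
"""
import json
from datetime import date, timedelta

PCI_CVSS_THRESHOLD = 4.0     # PCI DSS: 4.0 and above must be remediated
PCI_REMEDIATION_DAYS = 30    # ... and rescanned within 30 days

# Constructed sample export; a real scanner's schema will differ.
SAMPLE_EXPORT = json.dumps([
    {"id": "VULN-001", "target": "www.example.test", "cvss": 9.8,
     "template": "placeholder-critical-cve", "first_seen": "2025-06-01"},
    {"id": "VULN-002", "target": "api.example.test", "cvss": 5.3,
     "template": "tls-weak-cipher", "first_seen": "2025-06-20"},
    {"id": "VULN-003", "target": "www.example.test", "cvss": 3.1,
     "template": "missing-security-header", "first_seen": "2025-06-25"},
])


def _as_date(value):
    """Accept either a date or an ISO 8601 string for the run date."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def parse_findings(raw_json):
    """Parse the export, coercing the fields the triage logic relies on."""
    findings = []
    for entry in json.loads(raw_json):
        findings.append({
            "id": str(entry["id"]),
            "target": str(entry["target"]),
            "cvss": float(entry["cvss"]),
            "template": str(entry.get("template", "unknown")),
            "first_seen": date.fromisoformat(entry["first_seen"]),
        })
    return findings


def remediation_deadline(finding, window_days=PCI_REMEDIATION_DAYS):
    """Date by which an in-scope finding must be fixed and rescanned."""
    return finding["first_seen"] + timedelta(days=window_days)


def triage(findings, today, threshold=PCI_CVSS_THRESHOLD):
    """Split findings into in_scope (at/above threshold), overdue (in scope and
    past the remediation window) and informational (below threshold)."""
    today = _as_date(today)
    result = {"in_scope": [], "overdue": [], "informational": []}
    for f in findings:
        if f["cvss"] < threshold:
            result["informational"].append(f)
            continue
        result["in_scope"].append(f)
        if today > remediation_deadline(f):
            result["overdue"].append(f)
    return result


def pipeline_should_block(findings, today, block_at=7.0, threshold=PCI_CVSS_THRESHOLD):
    """CI gate: block on any finding at/above block_at (a local policy choice,
    not a PCI rule) or on any in-scope finding that is past its deadline."""
    result = triage(findings, today, threshold)
    has_high = any(f["cvss"] >= block_at for f in result["in_scope"])
    return has_high or bool(result["overdue"])


def summary_lines(findings, today):
    """Plain-text lines suitable for a Slack, email or webhook alert."""
    today = _as_date(today)
    result = triage(findings, today)
    lines = []
    for f in result["in_scope"]:
        due = remediation_deadline(f)
        state = "OVERDUE" if today > due else f"due {due.isoformat()}"
        lines.append(f"{f['id']} {f['target']} CVSS {f['cvss']:.1f} "
                     f"({f['template']}): {state}")
    lines.append(f"{len(result['informational'])} finding(s) below "
                 f"CVSS {PCI_CVSS_THRESHOLD} (informational)")
    return lines


if __name__ == "__main__":
    run_date = date(2025, 7, 10)  # constructed run date for the sample
    found = parse_findings(SAMPLE_EXPORT)
    for line in summary_lines(found, run_date):
        print(line)
    # Non-zero exit fails the CI job, which is the "manual step people skip"
    # turned into an automatic one.
    raise SystemExit(1 if pipeline_should_block(found, run_date) else 0)
```

Run it as the last step of a deploy job: the exit code does the gating, and the printed lines are what an alerting hook would forward. The 30-day deadline is computed from when the scanner first saw the finding, so an issue that is still present at the next scan keeps its original due date rather than resetting.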
Building Luna
This is exactly the problem I built Luna to solve. It’s a cloud-based external vulnerability management platform that runs continuous scans against your websites, servers, and infrastructure. Over 11,000 detection templates, scheduled scans, compliance tracking across Cyber Essentials, ISO 27001, SOC 2, and PCI DSS, and nothing to install. Fully cloud-based and up and scanning in minutes.
The tools from the big vendors like Tenable, Qualys, and Rapid7 work, but they charge thousands per month and come with complexity that smaller teams don’t need. Luna is built for teams that want comprehensive scanning without the enterprise overhead.
The Bottom Line
Over 130 new CVEs per day. A 5-day average exploitation window. $4.44 million average breach cost. Compliance frameworks increasingly demanding continuous assessment.
Vulnerability management isn’t optional anymore.