veilscan
Get started
Features Pricing About Blog FAQ Compare Use Cases Get started free →
Concept

What Is Continuous Vulnerability Monitoring?

Quick Answer: Continuous vulnerability monitoring runs automated security scans on a scheduled cadence — weekly or monthly — and produces delta reports comparing each scan to the previous one. It detects new vulnerabilities introduced between scans by deployments, configuration changes, and newly published CVEs. A one-time scan gives a point-in-time snapshot; continuous monitoring catches regressions as they happen.

Why is a point-in-time scan insufficient?

A one-off vulnerability scan — whether an automated scan or an annual penetration test — tells you your security posture on the day of the scan. It is immediately out of date the moment the scan ends.

The threat landscape changes continuously:

  • Your engineering team deploys new code that introduces vulnerabilities
  • Infrastructure changes — new services, new subdomains, configuration updates — create new exposure
  • New CVEs are published against libraries and services you run
  • Third-party integrations change and introduce new attack surface
  • DNS records are updated, certificates expire, DMARC policies are removed

Each of these changes can introduce new vulnerabilities that a point-in-time scan would not see. Continuous monitoring catches them as they appear.

How does continuous monitoring work in practice?

Continuous vulnerability monitoring runs the full scanning pipeline on a schedule — without requiring any action from your team. The cadence depends on the platform and plan: weekly on VeilScan's Pro plan, monthly on Starter and Core.

Each scheduled scan:

  1. Rediscovers all subdomains and assets (finding newly created infrastructure)
  2. Scans all discovered hosts for vulnerabilities
  3. Verifies Critical and High findings with proof evidence
  4. Compares results to the previous scan to produce a delta report
  5. Fires Slack alerts for new Critical and High findings immediately upon detection
  6. Sends an email notification when the full report is ready

What is a delta report and why does it matter?

A delta report is the output of comparing two consecutive scans:

  • New findings — vulnerabilities present now that were not in the previous scan. These are regressions — issues introduced since the last scan. They are the primary alert signal.
  • Fixed findings — vulnerabilities in the previous scan that are no longer detectable. These confirm successful remediation. Over time, tracking fixed findings demonstrates measurable security improvement.
  • Persistent findings — vulnerabilities present in both scans. These are overdue remediation items that have not been addressed.
  • BIS change — whether the overall Business Impact Score increased (posture degraded) or decreased (posture improved) since the last scan.

Delta reports are particularly important for compliance evidence. They demonstrate not just that you run scans, but that you track changes, remediate findings, and improve your security posture over time — which is what most compliance frameworks require.

What is the difference between continuous and real-time monitoring?

Continuous monitoring runs scans on a schedule — weekly or monthly — and provides visibility into changes between scans. Real-time monitoring would theoretically detect changes instantly as they happen. For external attack surface scanning, real-time scanning is impractical and would generate excessive traffic and noise.

VeilScan bridges the gap with Slack alerts: when a new Critical or High finding is detected during any scan, the alert fires immediately — before the full scan report is ready. For the most serious findings, this provides near-real-time notification even within a scheduled scanning model.

See: Continuous Monitoring feature · Slack Alerts feature · Continuous Monitoring glossary

What are the most common questions?

How often should external vulnerability monitoring run?

For most startups and SMBs, monthly monitoring is the minimum — it catches vulnerabilities within a reasonable window while managing scan costs and noise. Weekly monitoring is recommended for teams that deploy frequently, handle sensitive customer data, or need to satisfy stricter compliance requirements. VeilScan's Pro plan includes weekly scans for up to 20 domains.

Does continuous monitoring replace the need for a penetration test?

No. A penetration test assesses areas that automated external monitoring cannot reach — internal systems, business logic, social engineering, and creative attack chaining. Continuous monitoring and annual penetration testing serve different purposes and are most effective in combination. See VeilScan Between Penetration Tests.

Is continuous monitoring required for ISO 27001 or SOC 2?

ISO 27001 A.8.8 and SOC 2 CC7 require ongoing vulnerability management — not just a one-time assessment. Regular, scheduled scanning with documented remediation evidence satisfies the ongoing management requirement. Continuous monitoring produces this evidence automatically with each scan. See Compliance Mapping.

Start monitoring your external attack surface continuously. Paid plans include automatic weekly or monthly scanning from £49/month. View plans → · Try the free scan first