Blog

Continuous Scanning: Always-On Vulnerability Detection, Built for Remediation

Continuous Scanning is now live in GuardNest. It replaces Managed Scans and represents the most significant engineering release we've made this year. 

The problem with how scanning works today 

Most security teams run scans quarterly or monthly. Results come back as a PDF, get emailed to IT, and either sit in someone's inbox or get triaged into a spreadsheet nobody owns. Critical vulnerabilities may take weeks to fix and high severity issues drift. Nobody knows what's open, what's overdue, or who's accountable. 

The numbers back this up. The 2025 Verizon Data Breach Investigations Report found that vulnerability exploitation is now the initial access vector in 20% of breaches, up 34% year on year. Around 60% of breaches involve a known vulnerability where a patch was already available. The median time to exploit a new vulnerability is now under five days, while the industry average time to remediate a critical issue still exceeds 60. A third of critical and high vulnerabilities sit unpatched for more than 180 days. 

This is the gap Continuous Scanning is built to close. Detection is only useful if it triggers remediation. Remediation only works if it has structure, ownership, and deadlines. Continuous Scanning builds in all three. 

What Continuous Scanning is 

Continuous Scanning is an always-on vulnerability detection and remediation engine inside GuardNest, covering four categories from one interface: 

• Internal vulnerability scanning across your network 

• External scanning of your internet-facing assets 

• Web application scanning for the sites and APIs your business runs 

• Internal Agent scanning against your endpoints  

Every scanner plugs into the same workflow. You set up a scan once, point it at the right targets, choose a schedule, and Continuous Scanning runs it on the cadence you need. Findings flow into a unified Findings Explorer where you can filter by severity, status, asset, tag or assignee. Assets get their own view. Runs are tracked over time, so you can see when a vulnerability first appeared, when it was last seen, and how long it's been open. 

If you're an existing GuardNest customer, this is the same module you've been using as Managed Scans, rebuilt from the ground up. Your scanners, your historic data and your scan profiles all carry over. What you get is a far deeper feature set sitting underneath them. 

Remediation SLAs, aligned with NIST 800-40 

The capability we're most proud of is the SLA engine, and it's what makes Continuous Scanning a different product to anything we've built before. 

You set remediation windows per severity. Critical findings in 7 days, High in 14, Medium in 30, Low in 90 — or whatever your policy requires. NIST, CISA, and GSA guidance sits around 30 days for high, 90 for medium, and 120 for low.   

As a finding approaches its deadline, the platform escalates automatically through three tiers of named contacts. If a tier doesn't acknowledge or resolve in time, the next is notified. Every escalation is logged with the actor, action, elapsed time, and outcome.  

When a finding breaches its SLA, an incident is automatically opened against it. The incident tracks its current tier, its breach timestamp, its acknowledgment status and its resolution. At any moment, you can see how many findings are within SLA, approaching breach, or already breached. The SLA Health dashboard surfaces compliance rate, active breaches, average resolution time, and per-severity health, with breach-trend reporting over time. 

This is aligned with NIST 800-40 guidance on enterprise patch management. It gives security teams the structure to enforce remediation timelines. It gives leadership a single number they can report against. And it gives auditors evidence that vulnerability management isn't just happening, it's working. 

The full lifecycle, in one workflow 

Continuous Scanning follows the path a vulnerability actually moves through: detect, prioritize, assign, escalate, fix, verify. 

A finding is identified, automatically tagged with severity, CVSS score, CVE and CWE references, and the assets affected. The Critical Findings widget ranks the highest-risk issues by exploit likelihood, severity, and blast radius. 

Findings can be assigned, tagged, and linked to tickets in Jira, Azure DevOps, or ServiceNow, with relevant context flowing directly into the ticket. When a fix lands, the next scan run picks it up. If the finding closes, the SLA stops. If it doesn't, escalation continues. 

Findings can be grouped by name, so a vulnerability affecting fifty assets shows up as one item, not fifty. Bulk editing and bulk assignment are both supported. Reports are generated automatically per run, in PDF and CSV, ready for auditors, leadership, or internal teams. 

Licensing  

Every Continuous Scanning license is tracked by scanner category and capacity. Internal, external, and web each carry their own quota, with live availability shown on the create scan screen. For Internal Agent scanning, agent groups and assignments are managed natively inside GuardNest.  

What this means in practice 

Your scans keep running. The module you knew as Managed Scans is now Continuous Scanning, with a deeper feature set sitting underneath it: new dashboards, full SLA management, an asset explorer, a findings explorer, ticketing integrations, automated reporting, and a cleaner workflow throughout.