Back to knowledge base

What is vulnerability monitoring, and why a one-off scan is not enough

Published on July 11, 2026

Many organisations have done something by now: a penetration test last year, a security scan during the last website overhaul, an internet.nl check with a nice score. The report sits in a drawer and the feeling is: this is taken care of. That feeling is understandable, and misleading. Because the question is not whether you were ever tested, but whether you know where you stand today.

That is precisely the gap vulnerability monitoring fills. This article explains what it is, why a snapshot ages so quickly, and what you as a decision-maker should demand from it.

What is vulnerability monitoring?

Vulnerability monitoring is the continuous, automated surveillance of your systems for vulnerabilities: known weaknesses in software, configuration errors and services that are unintentionally exposed to the internet. External monitoring does this from the attacker's perspective: everything visible from the outside is periodically re-examined. That outside-in perspective is also known as external attack surface management or EASM.

The difference with a one-off scan is not in the technology but in time. A scan answers the question "where did I stand on that date?" Monitoring answers the question your customer, auditor and regulator actually ask: "where do you stand now, and how do you keep track?"

Why a snapshot ages so quickly

Three clocks are ticking at once, and all three tick against you:

The practical consequence: a pentest or scan report that is six months old describes an organisation that no longer exists. As evidence towards an auditor it is nearly worthless by then, and as steering information for yourself as well.

What NIS2 and your supply chain make of this

The duty of care under NIS2 and the Dutch Cybersecurity Act is phrased as an ongoing obligation: managing risks is not a project with an end date but a continuing duty, approved and overseen by the board. Nowhere does it say you must buy monitoring for that; no tool whatsoever is mandatory. But demonstrating that you continuously meet your duty of care is considerably easier with a stack of dated, periodic reports than with a single report that is eighteen months old.

The same applies in the supply chain. A supplier who fills in a supplier questionnaire with "our external systems are scanned monthly, last month's report attached" immediately stands out from the competitor pointing to a pentest from 2024. Auditors look for repeatable, dated evidence, not a one-off effort.

What good vulnerability monitoring includes

Anyone procuring monitoring, or assigning it internally, should demand four components:

  1. Discovery. First know what of yours is exposed to the internet: domains, subdomains, servers, services. Monitoring that only looks at the systems you list yourself will by definition miss the forgotten ones, and that is exactly where the risk sits.
  2. Detection. Periodic, automated examination of all those systems for known vulnerabilities and configuration errors. Weekly or monthly, at a fixed cadence.
  3. Prioritisation. Not every finding deserves the same urgency. Good monitoring weighs whether a vulnerability is actually being exploited in the wild, so your IT team or provider fixes the right things first. How that weighing works is explained in EPSS and KEV explained.
  4. Reporting as evidence. Dated, traceable reports in language understood outside the IT department too, usable towards the board, customers and auditors. How to get from a technical list to board-level steering information is described in from CVE list to board report.

What monitoring emphatically is not: a replacement for detection inside your network (SIEM, EDR) or for a targeted penetration test on your critical applications. Monitoring is the preventive outer layer: it makes sure the basics are in order and stay that way, at a cost that is manageable for SMEs.

Conclusion

Vulnerability monitoring is not another gadget on top of your security, it is the conversion of a snapshot into a continuous answer. For the board, it changes the question you put to your organisation: not "have we ever been tested?", but "when did we last look, what was found, and has it been fixed?" Whoever can answer those three questions every month has the core of their duty of care demonstrably in order.

Exposentry delivers vulnerability monitoring as a service: continuous scans of your external attack surface based on OpenKAT, with monthly, forensically substantiated reports you can use directly as evidence. See the plans and pricing or start today with a baseline scan to see where you stand.

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides EU-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.