On average, Immunity produces at least one exploit for a new vulnerability every week. These vulnerabilities are always high risk and are usually remotely exploitable. The actual number of new vulnerabilities that become publicly known each week, including denial-of-service attacks, is far greater.
Apart from new vulnerabilities appearing in existing systems, an organization's security posture changes every time a network configuration change is made, a new application is loaded, or an existing application is changed. Unless extreme change control is enforced over Internet-facing systems, Immunity recommends that clients obtain a snapshot of their external exposure at least once every six months, and preferably every quarter.
As well as giving the client increased peace of mind, scheduled penetration scans with the same third-party provider allow the provider to build a knowledge base of the client. This makes more informed consultants available to the client and allows ongoing monitoring of changes in the client's security posture through comparison with previous results.
Immunity recommends that any scheduled penetration scans be benchmarked against the results of previous detailed security analysis engagements. Penetration scanning is an affordable way to maintain a strong security posture following an extensive penetration test.