Schedule scans without overwhelming the team
Pick a cadence that matches your change rate, not your anxiety level.
The right scan cadence is the one that catches new problems before they matter, without generating more findings than your team can triage. If you're getting more findings than tickets closed each week, you're scanning too often.
Sensible defaults
- External attack surface: daily. It's cheap, quick, and the place where a new exposure hurts most.
- Cloud posture: continuously (event-driven) if the integration supports it, otherwise every 4–6 hours.
- Authenticated web app: weekly, plus on-demand after major deploys.
- Internal infrastructure: weekly off-hours for noisy scans, monthly for invasive scans.
When to run an ad-hoc scan
Always trigger a scan after: a public CVE that affects your stack, a big dependency upgrade, a new deploy to production, or onboarding a new asset. Most orgs get this for free via their CI pipeline; see GitHub integration.
What “too often” looks like
If a finding's status alternates between open and closed every scan cycle, the scan is racing against a dynamic environment (e.g. autoscaling). Pin that finding and reduce its scan frequency, or add an exclusion — see scan exclusions.
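The two checks above (findings outpacing closed tickets, and a finding whose status flaps between scans) can be automated over exported scan history. This is an added example, not code from the original page or any scanner; the scan records are constructed and the status values are assumed to be "open" or "closed".

```python
from collections import defaultdict

# Constructed sample: (scan_cycle, finding_id, status) records across four
# scan cycles. Hypothetical data, not the output of any real scanner.
SCAN_HISTORY = [
    (1, "F-1", "open"), (2, "F-1", "closed"), (3, "F-1", "open"), (4, "F-1", "closed"),
    (1, "F-2", "open"), (2, "F-2", "open"),   (3, "F-2", "closed"), (4, "F-2", "closed"),
    (1, "F-3", "open"), (2, "F-3", "open"),   (3, "F-3", "open"),   (4, "F-3", "open"),
]


def flapping_findings(history, min_flips=3):
    """Return ids of findings whose status changed at least min_flips times
    between consecutive scan cycles: the open/closed oscillation that points
    at a dynamic environment (e.g. autoscaling) rather than a real fix."""
    by_finding = defaultdict(list)
    # Sorting by cycle first keeps each finding's statuses in scan order.
    for _cycle, fid, status in sorted(history):
        by_finding[fid].append(status)
    flapping = []
    for fid, statuses in by_finding.items():
        flips = sum(1 for a, b in zip(statuses, statuses[1:]) if a != b)
        if flips >= min_flips:
            flapping.append(fid)
    return sorted(flapping)


def scanning_too_often(new_findings_per_week, tickets_closed_per_week):
    """Rule of thumb from above: more new findings than closed tickets in a
    week means the cadence is outrunning the team's triage capacity."""
    return new_findings_per_week > tickets_closed_per_week


if __name__ == "__main__":
    for fid in flapping_findings(SCAN_HISTORY):
        print(f"{fid}: flapping; pin it, reduce its scan frequency, or add an exclusion")
    if scanning_too_often(40, 25):
        print("40 new findings vs 25 closed tickets this week: scanning too often")
```

Feed it a longer window (several weeks of cycles) before acting on a single finding; two flips over two cycles can still be a genuine fix-and-regress.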
