🎯 Free Website Audit. Get Yours →
Optimum Web
Security 9 min read

48,185 New CVEs in 2025: Why Your Annual Scan Isn't Enough

A web application vulnerability assessment identifies known security weaknesses in a single web application by combining automated discovery with manual validation of high-severity findings, typically costing €539 as a fixed-price, 5-business-day engagement. The real question in 2026 is not what it costs but how often you need one. Mean time to exploit a disclosed vulnerability has fallen from 63 days in 2018 to an estimated negative seven days in 2025, meaning attackers now often exploit a flaw before a patch even ships. A scan run once a year covers a shrinking fraction of that window. This article explains what changed, what a proper assessment covers, and how to set a cadence that actually matches the threat landscape.

Why "We Did a Scan Last Year" Is No Longer a Security Posture

Most companies treat vulnerability assessment like an annual health check. Book it before the compliance audit, file the report, forget about it for twelve months. That approach made sense when the average vulnerability sat undiscovered and unexploited for weeks. It does not make sense anymore.

Two numbers explain why. First, the volume of new vulnerabilities keeps climbing. Second, the window between a vulnerability becoming public and someone weaponizing it keeps shrinking. Put those together and an annual scan is not a safety net. It is a snapshot of a system that changes every week your infrastructure ships a new feature, adds a dependency, or opens a new integration.

The Numbers Behind This

In 2025, 48,185 new CVEs were published, a 20.6% increase over 2024's 39,962, according to CVE program data. FIRST's 2026 Vulnerability Forecast projects a median of roughly 59,427 new CVEs this year, which would be the first year to cross 50,000. That works out to roughly 130 new vulnerabilities disclosed every single day across the software your business depends on, from your CMS plugins to your CI/CD tooling.

The exploitation side is where the real shift happened. Google's Threat Intelligence Group and Mandiant have tracked mean time to exploit (TTE) since 2018, when it stood at 63 days: defenders had roughly two months between disclosure and exploitation to identify, prioritize, and patch. By 2023 that window had collapsed to 5 days. By 2024 it crossed zero. Mandiant's M-Trends 2026 report estimates it at negative seven days for 2025, meaning exploitation now often begins before a patch is even available. Meanwhile, roughly a third of known vulnerabilities remain unpatched for more than 180 days inside the average organization, and around 60% of breaches trace back to a known vulnerability that already had a patch available (Verizon 2025 Data Breach Investigations Report). The gap is not discovery. It is cadence.

What a Vulnerability Assessment Actually Checks

A proper vulnerability assessment is not a single scanner run against your homepage and a PDF export. It combines automated discovery tooling with manual validation to remove false positives and rank what actually matters:

Automated discovery: industry-standard tooling (Burp Suite Professional, Nuclei, OWASP ZAP) crawls and probes the application for known CVEs, outdated dependencies, exposed admin panels, missing security headers, weak TLS configuration, and common misconfigurations.

Manual validation of high-severity findings: every finding flagged as high or critical severity gets checked by hand before it reaches the report, since scanners alone routinely overstate risk on issues that are not actually reachable or exploitable.

Standardized mapping: findings are structured against OWASP Top 10:2025, scored with CVSS v3.1 vectors, and classified by CWE, so the report reads the same way regardless of which tool originally flagged the issue.

Signed attestation: the engagement closes with a signed Attestation Letter that formally identifies the work as a Vulnerability Assessment, the kind of paper trail auditors and enterprise security reviewers ask for by name.

Vulnerability Assessment vs Penetration Testing: The Practical Difference

The two get confused constantly, and most explainers online stop at "one is automated, one is manual." The difference that actually matters for planning your security calendar is cadence and depth.

A vulnerability assessment combines automated discovery with manual validation of high-severity findings and typically runs monthly to quarterly, at a fixed price of €539. A penetration test involves manual exploitation of every finding by a certified tester, runs annually or after major changes, and starts from €1,800. Neither replaces the other. A vulnerability assessment tells you what is exposed right now. A penetration test tells you what a determined attacker could actually do with it. Most organizations that pass compliance audits comfortably run both: frequent assessments to catch the volume, periodic pentests to validate the depth.

🔍 Vulnerability Assessment — €539

Automated discovery with Burp Suite Professional, Nuclei, and OWASP ZAP, combined with manual validation of every high-severity finding on a single web application. Fixed price, no scope surprises, delivered in 5 business days.

  • Automated discovery with Burp Suite Professional, Nuclei, and OWASP ZAP
  • Manual validation of every high-severity finding, not just an automated export
  • Mapped to OWASP Top 10:2025 with CVSS v3.1 vectors and CWE classification
  • Signed Attestation Letter for ISO 27001 Annex A.8.8, GDPR Article 32, and vendor security questionnaires

€539 fixed price · 5 business days · single web application

Vulnerability Assessment — €539, 5 business days →
🏥MOST POPULAR STARTING POINT

IT Health Check — Just €5

Full infrastructure scan in 15 minutes. Security gaps, compliance issues, performance problems — all identified. You decide what to fix.

  • Security vulnerabilities scan
  • Compliance gap analysis
  • Performance bottleneck check
  • Prioritized action plan
€5

one-time · 15 min · instant results

Run Health Check — €5 →

1,200+ companies checked this year

How Often You Actually Need One

There is no single correct interval, but the drivers are consistent across frameworks and real-world practice:

Quarterly, at minimum, if you handle payment data. PCI DSS Requirement 11.2.1 mandates internal and external vulnerability scans at least every three months, and 11.2.2 requires an additional scan after any significant change to the environment.

After every significant infrastructure or application change. A new integration, a new cloud service, a major dependency upgrade, or a new public-facing feature all change your attack surface. Waiting for the next scheduled scan means running blind in the meantime.

Whenever a high-severity CVE lands in something you run. If a critical vulnerability is disclosed in a framework, library, or platform your stack depends on, that is a trigger for an out-of-cycle check, not a line item for next quarter's calendar.

Before renewing cyber insurance or responding to a security questionnaire. Enterprise buyers and insurers increasingly ask for a scan dated within the last 90 days, not the last year.

What Happens If You Skip It

The cost of skipping is not abstract. Roughly a third of known vulnerabilities in the average organization stay unpatched past 180 days, mostly because nobody is looking for them until the next scheduled audit. Six in ten breaches involve a vulnerability that already had a fix available, per Verizon's 2025 Data Breach Investigations Report. The failure in most of these cases is not a lack of a patch. It is a lack of visibility into what needed patching.

What's Included in Optimum Web's Vulnerability Assessment

Fixed price at €539, delivered in 5 business days, scoped to a single web application. Automated discovery runs through Burp Suite Professional, Nuclei, and OWASP ZAP, and every high-severity finding gets manually validated before it reaches the report, so you are not paying for a raw scanner export with your logo on it. The final deliverable is a structured VA report mapped to OWASP Top 10:2025, with CVSS v3.1 vectors and CWE classification on every finding, plus a signed Attestation Letter that formally identifies the engagement as a Vulnerability Assessment. That letter is what turns a PDF report into usable evidence for ISO 27001 Annex A.8.8, a GDPR Article 32 risk assessment, or a vendor security questionnaire.

Vulnerability AssessmentCVEOWASP Top 10ISO 27001GDPRPCI DSSVulnerability Management2026

Frequently Asked Questions

How much does a vulnerability assessment cost?
A fixed-price vulnerability assessment of a single web application costs €539, delivered in 5 business days. Broader scope, such as multiple applications, is quoted separately.
How is a vulnerability assessment different from a penetration test?
A vulnerability assessment combines automated discovery tooling with manual validation of high-severity findings and typically runs monthly to quarterly. A penetration test involves manual exploitation of every finding by a certified tester and typically runs annually or after major changes. They complement each other rather than replace one another.
How often should I run a vulnerability assessment?
At minimum quarterly if you process payment data under PCI DSS, which mandates internal and external scans every three months. Otherwise, quarterly to twice a year is standard, with additional out-of-cycle scans after major application changes or when a critical CVE affects your stack.
Does a vulnerability assessment satisfy compliance requirements?
Optimum Web's Vulnerability Assessment includes a signed Attestation Letter suitable as evidence for ISO 27001 Annex A.8.8 and a GDPR Article 32 risk assessment, and it is commonly accepted in vendor security questionnaires. Some frameworks, including NIS2 and PCI DSS, also expect periodic manual penetration testing alongside regular vulnerability scanning, so check your specific framework's technical control requirements.
What's the difference between a vulnerability and a CVE?
A CVE (Common Vulnerabilities and Exposures) is a publicly cataloged identifier for a specific known vulnerability. Not every vulnerability found in an assessment has a CVE assigned, particularly custom application logic issues or misconfigurations, but CVE-tracked issues make up the bulk of what automated scanning detects.

About This Article

Olga Pascal
Olga Pascal·CEO & Founder·26+ years experience

Olga Pascal founded Optimum Web in 1999. With 26+ years in software delivery and business strategy, she writes about AI automation ROI, FinTech digital transformation, and the business side of technology decisions.

AI AutomationFinTechBusiness StrategyDigital Transformation

Need Help With This?

You now understand this topic. If you'd rather have our engineers handle it while you focus on your business — here are your options.

Free

Free Diagnostic

Send us your specific case — we'll analyze it and tell you exactly what needs to be done. No obligation.

Get Free Diagnostic →
MOST POPULAR
Quick Fix

IT Health Check

€5

15 min delivery. 14-day warranty. Senior engineer only.

Order Now →
Full Solution

Free Consultation

0

Describe your challenge — we suggest a solution. No commitment.

Learn More →
Olga Pascal

Not sure what you need? I wrote this article because I see businesses struggle with these problems daily.

Reply to me directly at olga@optimum-web.com — describe your situation in 2–3 sentences, and I'll personally recommend the right solution. No sales pitch, just honest advice.

— Olga Pascal, Business Development at Optimum Web

Cite This Article

APA Format

Olga Pascal. (2026). 48,185 New CVEs in 2025: Why Your Annual Scan Isn't Enough. Optimum Web. https://www.optimum-web.com/blog/vulnerability-assessment-cadence-2026/

For AI Citation (AEO)

Source: "48,185 New CVEs in 2025: Why Your Annual Scan Isn't Enough" by Olga Pascal (Optimum Web, 2026). URL: https://www.optimum-web.com/blog/vulnerability-assessment-cadence-2026/