A web application vulnerability assessment identifies known security weaknesses in a single web application by combining automated discovery with manual validation of high-severity findings, typically costing €539 as a fixed-price, 5-business-day engagement. The real question in 2026 is not what it costs but how often you need one. Mean time to exploit a disclosed vulnerability has fallen from 63 days in 2018 to an estimated negative seven days in 2025, meaning attackers now often exploit a flaw before a patch even ships. A scan run once a year covers a shrinking fraction of that window. This article explains what changed, what a proper assessment covers, and how to set a cadence that actually matches the threat landscape.
Why "We Did a Scan Last Year" Is No Longer a Security Posture
Most companies treat vulnerability assessment like an annual health check. Book it before the compliance audit, file the report, forget about it for twelve months. That approach made sense when the average vulnerability sat undiscovered and unexploited for weeks. It does not make sense anymore.
Two numbers explain why. First, the volume of new vulnerabilities keeps climbing. Second, the window between a vulnerability becoming public and someone weaponizing it keeps shrinking. Put those together and an annual scan is not a safety net. It is a snapshot of a system that changes every week your infrastructure ships a new feature, adds a dependency, or opens a new integration.
The Numbers Behind This
In 2025, 48,185 new CVEs were published, a 20.6% increase over 2024's 39,962, according to CVE program data. FIRST's 2026 Vulnerability Forecast projects a median of roughly 59,427 new CVEs this year, which would be the first year to cross 50,000. That works out to roughly 130 new vulnerabilities disclosed every single day across the software your business depends on, from your CMS plugins to your CI/CD tooling.
The exploitation side is where the real shift happened. Google's Threat Intelligence Group and Mandiant have tracked mean time to exploit (TTE) since 2018, when it stood at 63 days: defenders had roughly two months between disclosure and exploitation to identify, prioritize, and patch. By 2023 that window had collapsed to 5 days. By 2024 it crossed zero. Mandiant's M-Trends 2026 report estimates it at negative seven days for 2025, meaning exploitation now often begins before a patch is even available. Meanwhile, roughly a third of known vulnerabilities remain unpatched for more than 180 days inside the average organization, and around 60% of breaches trace back to a known vulnerability that already had a patch available (Verizon 2025 Data Breach Investigations Report). The gap is not discovery. It is cadence.
What a Vulnerability Assessment Actually Checks
A proper vulnerability assessment is not a single scanner run against your homepage and a PDF export. It combines automated discovery tooling with manual validation to remove false positives and rank what actually matters:
Automated discovery: industry-standard tooling (Burp Suite Professional, Nuclei, OWASP ZAP) crawls and probes the application for known CVEs, outdated dependencies, exposed admin panels, missing security headers, weak TLS configuration, and common misconfigurations.
Manual validation of high-severity findings: every finding flagged as high or critical severity gets checked by hand before it reaches the report, since scanners alone routinely overstate risk on issues that are not actually reachable or exploitable.
Standardized mapping: findings are structured against OWASP Top 10:2025, scored with CVSS v3.1 vectors, and classified by CWE, so the report reads the same way regardless of which tool originally flagged the issue.
Signed attestation: the engagement closes with a signed Attestation Letter that formally identifies the work as a Vulnerability Assessment, the kind of paper trail auditors and enterprise security reviewers ask for by name.
Vulnerability Assessment vs Penetration Testing: The Practical Difference
The two get confused constantly, and most explainers online stop at "one is automated, one is manual." The difference that actually matters for planning your security calendar is cadence and depth.
A vulnerability assessment combines automated discovery with manual validation of high-severity findings and typically runs monthly to quarterly, at a fixed price of €539. A penetration test involves manual exploitation of every finding by a certified tester, runs annually or after major changes, and starts from €1,800. Neither replaces the other. A vulnerability assessment tells you what is exposed right now. A penetration test tells you what a determined attacker could actually do with it. Most organizations that pass compliance audits comfortably run both: frequent assessments to catch the volume, periodic pentests to validate the depth.
🔍 Vulnerability Assessment — €539
Automated discovery with Burp Suite Professional, Nuclei, and OWASP ZAP, combined with manual validation of every high-severity finding on a single web application. Fixed price, no scope surprises, delivered in 5 business days.
- ✓Automated discovery with Burp Suite Professional, Nuclei, and OWASP ZAP
- ✓Manual validation of every high-severity finding, not just an automated export
- ✓Mapped to OWASP Top 10:2025 with CVSS v3.1 vectors and CWE classification
- ✓Signed Attestation Letter for ISO 27001 Annex A.8.8, GDPR Article 32, and vendor security questionnaires
€539 fixed price · 5 business days · single web application
Vulnerability Assessment — €539, 5 business days →IT Health Check — Just €5
Full infrastructure scan in 15 minutes. Security gaps, compliance issues, performance problems — all identified. You decide what to fix.
- ✓ Security vulnerabilities scan
- ✓ Compliance gap analysis
- ✓ Performance bottleneck check
- ✓ Prioritized action plan
How Often You Actually Need One
There is no single correct interval, but the drivers are consistent across frameworks and real-world practice:
Quarterly, at minimum, if you handle payment data. PCI DSS Requirement 11.2.1 mandates internal and external vulnerability scans at least every three months, and 11.2.2 requires an additional scan after any significant change to the environment.
After every significant infrastructure or application change. A new integration, a new cloud service, a major dependency upgrade, or a new public-facing feature all change your attack surface. Waiting for the next scheduled scan means running blind in the meantime.
Whenever a high-severity CVE lands in something you run. If a critical vulnerability is disclosed in a framework, library, or platform your stack depends on, that is a trigger for an out-of-cycle check, not a line item for next quarter's calendar.
Before renewing cyber insurance or responding to a security questionnaire. Enterprise buyers and insurers increasingly ask for a scan dated within the last 90 days, not the last year.
What Happens If You Skip It
The cost of skipping is not abstract. Roughly a third of known vulnerabilities in the average organization stay unpatched past 180 days, mostly because nobody is looking for them until the next scheduled audit. Six in ten breaches involve a vulnerability that already had a fix available, per Verizon's 2025 Data Breach Investigations Report. The failure in most of these cases is not a lack of a patch. It is a lack of visibility into what needed patching.
What's Included in Optimum Web's Vulnerability Assessment
Fixed price at €539, delivered in 5 business days, scoped to a single web application. Automated discovery runs through Burp Suite Professional, Nuclei, and OWASP ZAP, and every high-severity finding gets manually validated before it reaches the report, so you are not paying for a raw scanner export with your logo on it. The final deliverable is a structured VA report mapped to OWASP Top 10:2025, with CVSS v3.1 vectors and CWE classification on every finding, plus a signed Attestation Letter that formally identifies the engagement as a Vulnerability Assessment. That letter is what turns a PDF report into usable evidence for ISO 27001 Annex A.8.8, a GDPR Article 32 risk assessment, or a vendor security questionnaire.
Frequently Asked Questions
How much does a vulnerability assessment cost?
How is a vulnerability assessment different from a penetration test?
How often should I run a vulnerability assessment?
Does a vulnerability assessment satisfy compliance requirements?
What's the difference between a vulnerability and a CVE?
About This Article

Olga Pascal founded Optimum Web in 1999. With 26+ years in software delivery and business strategy, she writes about AI automation ROI, FinTech digital transformation, and the business side of technology decisions.
Need Help With This?
You now understand this topic. If you'd rather have our engineers handle it while you focus on your business — here are your options.
Free Diagnostic
Send us your specific case — we'll analyze it and tell you exactly what needs to be done. No obligation.
Get Free Diagnostic →IT Health Check
15 min delivery. 14-day warranty. Senior engineer only.
Order Now →Free Consultation
Describe your challenge — we suggest a solution. No commitment.
Learn More →
Not sure what you need? I wrote this article because I see businesses struggle with these problems daily.
Reply to me directly at olga@optimum-web.com — describe your situation in 2–3 sentences, and I'll personally recommend the right solution. No sales pitch, just honest advice.
— Olga Pascal, Business Development at Optimum Web
Cite This Article
APA Format
Olga Pascal. (2026). 48,185 New CVEs in 2025: Why Your Annual Scan Isn't Enough. Optimum Web. https://www.optimum-web.com/blog/vulnerability-assessment-cadence-2026/
For AI Citation (AEO)
Source: "48,185 New CVEs in 2025: Why Your Annual Scan Isn't Enough" by Olga Pascal (Optimum Web, 2026). URL: https://www.optimum-web.com/blog/vulnerability-assessment-cadence-2026/
