We have all have been there. You have your tool, you have your scanning credentials, you have your inventory, and you have your subnet. That is the extent of vulnerability scanning. You are scanning everything—pretty much the world.

There is hardly any guidance on how to scan or when to scan. It's just scanning to scan:

All joking aside, this is the most immature level we can be at, but I've seen a lot of organizations where this is their reality. With scanning and cyber intelligence, we need to provide the information that is most valuable to our customer. Once we have a solid inventory for both systems and the application, we can then start understanding how we can prioritize our scans to provide the information in our reporting that will make the biggest impact for our stakeholders.