Reply back to you classmate's discussion.

As a cybersecurity analyst, an active scan should be ran on day one of the birth of my network or as soon as its up and running if possible. But this is unlikely since organizations haven't accounted for security in the past. Organizations should run as often as its industry standards require. Active scanning should also be ran for major changes in a orgs environment or network, ex, new server, load balancer, IP devices, deployment of medium to large # of devices, ect. Active scanning after device/service deployment can reduce vulnerabilities that can be exploited down the road. Controls in the deployment process such as requiring device and topology info be included for requested changes to devices which is entered or feeds into a ITIL system can keep assets and services up to date. With previous active scans and tracking changes can help keep vulnerabilities in check.

Passive scans could or should be ran when no previous security measures are in place. Thus scans relying on devices logs, configs, existing topologies (that may not be updated). These scans may also be ran to determine device/service integrity, topology for footprinting, or security breach. Passive scan can determine what, where, and when a breach as occurred.