Scanning VMs and generating index reports (lists of packages installed in a VM) too frequently is questionable (imagine reports being sent every 5 seconds):

• provides little value: most reports are equal to each other, the only difference is the maximum time until vulnerabilities are detected is shorter. How long is it acceptable to wait until ACS updates its results?
• Creates scale issues: ACS still processes all those reports that are (mostly) equal to each other, which loads the system without purpose.
• May create load issues in the actual VMs: scanning VMs and sending index reports takes compute resources.

We should limit the frequency to a reasonable to-be-decided value.