And it doesn't have to be separate companies. You can have cooldowns on most machines but reserve a few with no cooldowns that run vulnerability scanners & act like honeypots. Check for new activity after updates of the honeypot machines, e.g. connections to new domains, and flag what updated for review.