How do you investigate of your security of instance proactively?

Regarding how often you scan a system, depends on several factors:

• If you're scanning in an automated fashion, you're always watching. 😉 If manual work is needed, you scan as often as practical (have a security team? how big is the security team, etc.).
• If you care about information security, protect and monitor systems you care about the most, depending on the knowledge stored in those systems.

I also suggest cross-posting this in Trust & Security. 💪

From previous experience this is a lengthy topic (beg my pardon I touched some more aspects than just the security scanners) where many details can be unfold - but in general, I suppose, overall they just repeat best practises for IT which are documented for many, many years.

I'd like just to name a few - all of them, like I said, supposedly are repetitions:

• keeping the systems on a reasonable current patch level is key
  • keep an eye on outdated packages, where possible use unattended upgrades of some kind
• do backups
  • rather than just relying on RAID (already seen this) have a proper backup strategy in place, for the system itself as well as for the database
• have all involved system configured properly
  • do the usual considerations as for patch strategy, backup strategy, user management, alongside with restore tests, failover tests (where applicable) and conduct simulated incident scenarios
• document everything, where possible
  • documentation is key, especially if you are ill or on vacation
  • check documentation with team members if they understand what is written down, if they can act using your documentation in an emergency case
• spread knowledge
  • while you maybe are the go-to-expert for Atlassian related stuff try to spread knowledge in a way some more colleagues are able to get things running (whereas they probably not need to know the very last detail in workflow specialities and how to deal with them)
• security scanners can add to the overall security level, no questions
  • you can scan on whatever interval sounds reasonable for your team
    • weekly
    • bi-weekly
    • monthly
  • you surely already scan for known exploits regarding
    • the OS itself
    • any needed packages but not necessarily bound to Jira operations like the database (PostgreSQL, MySQL, ...), local packages having vulnerabilities, other system services (ntp, mta, ...)
    • finally Jira - in case of any Security Advisory the security scanner should alarm you additionally to the mail you surely receive in parallel from Atlassian (therefore I have a strong recommendation for, at least, weekly scans - this however might depend if your Jira instances are behind the firewall and/or internet-facing)

One topic that I have seen in discussions lately is the preservation of logs (catalina.out/atlassian-jira.log and probably atlassian-jira-security.log) in a separated logging-system to detect irregularities or if the server was already compromised and the original system cannot be trusted anymore.

The list can be continued (I heard of implementations that scan the attachment directory for viruses and other malicious contents) and is by no means complete (one could start with discussing the presence of a correctly configured firewall and end up with the statement that only trusted admins should be act on basic system levels and so on). So please consider all of the said above as some basic idea that came to my mind and what seems to be common with Jira-admins I recently spoke with.