Organizations with information security departments are frequently attacked by outside entities and so typically conduct port scans and enumeration and password-cracking exercises of their own systems. These exercises, both official and unofficial, create the potential for exposure and exploitation.
Why is port scanning useful?
Why is enumeration useful?
Why would security analysts scan systems and networks?