How Long Does a Web Application Penetration Test Take?

For all of our assessments, one of the first questions that we tend to get asked is “How long does it take?” And while, yes, “it depends” is part of the answer, we wanted to at least give you a rough idea of how long a web application penetration test takes for planning purposes. We’ll also cover the factors that go into that timeline and how that time is spent.

Typical Web Application Penetration Test Timeline

First, let’s break down the typical pieces of a web application penetration test timeline:

  • Contracts/Planning/Kick-Off Call – This is the bundle of everything that leads up to the actual testing for an application. Scoping calls, proposals, formal contracts, etc. all need to be in place and signed before a project can even begin, which can take some time depending on your organization’s size and efficiency. You should plan for this part of the process to take 2-3 weeks, conservatively. But we can always move more quickly if you can, if there’s a more urgent need.
  • Execution – Once the schedule is agreed upon and the scope/ROE has been confirmed during the Kick-Off Call, execution can begin. A small application will probably require a week of time allocated for execution, scaling up to 2-3 weeks of testing time for larger applications. This timeline is going to be based on application size, scoping information gathered, and any restrictions placed on testing (e.g. testing required to be after business hours).
  • Documentation and Quality Assurance – After all active testing has been completed, reports have to be written and then sent through our internal QA process, that has a couple different layers to it. If the web application penetration test is the only service performed as part of the assessment, this will probably be a 1 week period of time and the report set will be delivered at the end of it, prior to the deliverable presentation.
  • Deliverable Presentation – The last milestone for the initial assessment is the presentation where we review the delivered report set with your team. This will usually fall right after the QA period, depending on all the stakeholders schedules, etc.
  • Retesting – Any retesting that may be required for vulnerabilities reported that you want to fix usually needs to be done within a 90 day window of report delivery. This helps us maintain the integrity of the report set, as new revisions aren’t being released too long after the initial delivery.

What Can Affect The Execution Time

As we briefly alluded to above, there are some important factors that contribute to the time allocated to a web application penetration test. Let’s touch on those in a little more detail:

  • Application Size – Web application size can be one of the most nebulous and subjective scoping parameters across all of penetration testing. But the rough size of an application directly correlates to the amount of time an engineer needs to spend on it to give you a thorough and holistic test. Given that solid web application penetration testing should be a roughly 25% automated and 75% manual process, major applications can be a significant undertaking. So if you’ve got an app with thousands of screens, dynamic pages, form submissions, etc., you should plan on multiple weeks of testing being required.
  • Number of User Roles – This is related to application size, but the number of user roles that need to be tested as part of a web application penetration test can exponentially increase the scope. Depending on a particular application, each user role could have their own set of unique screens and functionality that all needs to be evaluated. Even if the users just have subsets of functionality drawn down from an administrative role, each role needs to be tested for opportunities for privilege escalation and lateral movement that may be unique to that user, which takes time and can move testing from 1 week to multiple weeks.
  • Testing Restrictions – This is probably common sense, but I’ll include it here just to be thorough. Any time restrictions placed on your test team is going to result in a longer period of time required to complete a project. If testing is only permitted for certain hours in a day, this means that scans and manual testing have to be constrained. This generally results in the same amount of testing being spread over a longer period of time on the calendar.

So ultimately, there are several factors that play into answering the question of how long does a web application penetration test take. You should probably give yourself at least a month from engaging a security partner to expecting to have a report in your hands. Sometimes timelines can be accelerated through the use of multiple engineers on a project if you do have an emergency need, but as you can probably expect, this does increase your overall cost. Once contracts are signed, the execution phase is the longest period of time that needs to be scheduled, and the amount of time will be based on several factors, the most important of which is application size.

If you still have questions or want to start planning for a web application penetration test further in advance, feel free to reach out and we’d be happy to help.