Does External Penetration Testing Need to Be Conducted “After-Hours”?

A question we often receive when scoping an engagement is, “Can my external penetration test be conducted after hours?” The short answer is yes, but there are some trade-offs that not everyone is aware of. In some cases, it could mean paying more for something you may not actually need. We’re always happy to talk through the pros and cons of after-hours penetration testing during a scoping call, but here are a few things to keep in mind.

Concerns About Penetration Testing Impacts

For a lot of organizations, the hesitation around penetration testing, especially if it’s their first time or their first time working with us, usually comes down to fear of the unknown. They want to play it safe, which is totally understandable. No security or IT leader wants to be responsible for an outage or anything that could impact revenue. So when we’re scoping out external penetration testing in particular, many prefer to limit testing to after-hours to avoid even the slightest risk of disruption. If something does go wrong, say a system goes down or an account gets locked out, there’s time to fix it before it affects operations.

Additionally, maybe you’re just concerned about the overall load that’s being put on your organization’s exposed servers, since you may not be familiar with the kind of testing tools or scans that are run during a penetration test. After-hours testing can ensure that these automated tools are only being run during low-traffic time periods. It’s completely reasonable to want to minimize risk during a penetration test, as that’s how security people tend to operate; however, running a penetration test after-hours does increase the overall cost of the assessment for your organization.

The Real Risk of After-Hours Testing

I won’t pretend there’s zero risk when it comes to a penetration test. After all, the engineers working on your assessment are simulating real-world attackers, the kind your organization is likely to face. Their job is to find vulnerabilities, test exposed assets, and try to gain access to your network or sensitive data. To do that, they might run software exploits, launch password attacks, or kick things off with automated scanning. Naturally, that kind of activity carries some risk.

In general, though, the level of risk here is extremely minimal. Here are a few factors to consider when deciding whether after-hours testing is necessary for you:

  • These systems are already under constant attack. If you’ve ever reviewed logs from Internet-facing systems, you’ve seen it: scans, exploit attempts, and brute-force login attacks happening all the time. If those haven’t caused issues so far, a well-controlled penetration test likely won’t either.
  • Penetration testers are far more careful than real attackers. Experienced testers know how to simulate real threats without causing unnecessary disruption. We avoid actions that could lock out accounts or take systems offline, and we don’t run denial-of-service attacks. The goal is a thorough, realistic assessment, without impacting your business.
  • Automated scans are just a small part of the test. Some folks worry about the volume of scanning during a penetration test, but the reality is that these tools generate minimal, throttled traffic. They limit the number of requests to any single host. While very old or fragile systems could be affected, we ask about those during the Project Kick-Off Meeting so we can take precautions. And honestly, if a system is exposed to the Internet and can’t handle a basic scan, that’s a red flag on its own.
  • If the test causes problems, it likely uncovered something worth fixing. These systems are already exposed to the Internet, so if our controlled testing causes availability issues, that usually points to a real vulnerability or misconfiguration. That’s exactly the kind of issue you want to know about, before a real attacker finds it.

So while there are certainly industries, organizations, and situations that would merit after-hours penetration testing, you may want to consider the factors above before springing for a more expensive assessment. The vast majority of the time, clients don’t even know we’re there when we conduct an assessment and gain access to the internal network or sensitive information. A penetration test is, however, a good time to review your logging and alerting infrastructure, since it helps you understand what kinds of attacks you might see while an assessment is being conducted. Overall, there’s no right or wrong answer here. We always want to arm our clients with all of the data they need to make an informed decision on what’s right for them, but we’re always happy to discuss your situation in more detail, so feel free to reach out!
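As an added example (not code from the original post, and not the testing firm's own tooling), here is a small Python script that reviews sshd and iptables-style log lines for the background noise the post describes on Internet-facing systems, repeated failed logins from one source and probes across many ports, so a team can confirm its logging and alerting actually surfaces that activity before an assessment starts. The log lines, hostnames, addresses, thresholds and the log year are all constructed for the example.

```python
"""Added example: flag brute-force logins and port probes in constructed
syslog-style log lines. Not the original post's code; all data is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines (RFC 3164 syslog format, documentation-range IPs).
AUTH_LOG = """\
Mar 14 02:11:01 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 14 02:11:03 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 14 02:11:05 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 14 02:11:06 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 14 02:11:08 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 14 02:40:19 web1 sshd[4202]: Failed password for alice from 198.51.100.22 port 40011 ssh2
Mar 14 02:40:31 web1 sshd[4203]: Accepted publickey for alice from 198.51.100.22 port 40012 ssh2
"""

# Constructed iptables DROP lines: one source sweeps 12 ports, another
# retries a single port (normal noise, not a scan).
FW_LOG = "\n".join(
    f"Mar 14 02:15:{i:02d} web1 kernel: DROP IN=eth0 SRC=192.0.2.55 "
    f"DST=203.0.113.10 PROTO=TCP SPT={44000 + i} DPT={port}"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])
) + """
Mar 14 02:16:00 web1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=50000 DPT=8443
Mar 14 02:16:05 web1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=8443
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
DROP_RE = re.compile(TS + r" \S+ kernel: .*SRC=(?P<ip>\S+) .*DPT=(?P<port>\d+)")

# Syslog timestamps carry no year; an assumed year is enough for comparing
# events inside one sliding window (year rollover is not handled here).
ASSUMED_YEAR = 2024


def parse_ts(text: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


def find_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {source_ip: max failures seen in any `window`} for sources at or above `threshold`."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def find_port_scans(log: str, threshold: int = 10) -> dict:
    """Return {source_ip: distinct destination ports} for sources probing at or above `threshold` ports."""
    ports = defaultdict(set)
    for line in log.splitlines():
        m = DROP_RE.match(line)
        if m:
            ports[m["ip"]].add(int(m["port"]))
    return {ip: len(p) for ip, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for ip, n in find_bruteforce(AUTH_LOG).items():
        print(f"brute-force candidate: {ip} ({n} failed logins within 5 minutes)")
    for ip, n in find_port_scans(FW_LOG).items():
        print(f"port-probe candidate: {ip} ({n} distinct ports)")
```

If your SIEM or host logging does not raise an alert on the two sources this script flags, that gap is worth closing before the engagement, since the same patterns are what the test traffic (and the everyday Internet background) will look like in your logs.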