What is the Typical Timeline for a Penetration Test?

We often get asked, “what is the typical timeline for a penetration test?” The projected schedule can often dictate the business decision around which penetration testing firm to ultimately go with. When you’re under a tight deadline, it’s helpful to get a better idea of what to expect when contracting for a penetration test.

While every penetration test has its nuances, below we have detailed what we would consider a “typical” timeline for a penetration test:

  • Planning – 2-3 Weeks: Includes the contract execution, initial deposit, scheduling of resources, and review/agreement of the project Rules of Engagement (ROE).
  • Execution – 1-2 Weeks: This phase is when active testing of all in-scope targets is set to occur – the length of this phase varies by project and is directly related to the size/scope of the assessment.
  • Analysis, Documentation, and Quality Assurance – 1 Week: Document preparation including the Executive Summary Report and Technical Findings Report. This phase may also include some minimal testing and manual interactions with the in-scope targets to validate findings identified during the original execution of the test or gather more detail.
  • Presentation of Findings – 1 Day: Scheduled after all documentation and QA are complete, this is the final step to review findings, address questions, and wrap up the project.

What can cause the timeline for a penetration test to be different?

All told, a “typical” project takes ~4-6 weeks including the planning stages all the way through to final delivery. As previously noted, no two penetration tests are the same, so timelines are always slightly different. Below are items that could change the projected timeline of a test:

  • Scope – number of IPs/hosts, number of applications, etc.
  • Night testing
  • Delays in getting necessary target information and documented approvals prior to testing, including penetration testing exception approval from the hosting provider, a completed and signed ROE, provisioned testing accounts, etc.
  • Only specific testing windows permitted (e.g., only Monday – Wednesday from 8AM-12PM)

We understand that each and every company has different business drivers that can impact testing and project timelines, so we’ll make every effort to accommodate specific needs to the best of our ability. Just let us know if you need to hit a particular date and we’ll let you know if we can do that for a particular project. If you want to ensure testing is completed in a timely manner or hits a particular target date, engage a penetration testing firm early with plenty of lead time so resources can be reserved well in advance. Reach out today if you want to start the process of scheduling a penetration test.