How Long Does a Penetration Test Take?
So you've decided that you're going to have a penetration test performed and you want to know how long it's going to take. Awesome! I'm sure you want that report in your hand right away. This video is going to cover some of the tips you need to know about that could impact the timing of a penetration test.
Hi, I'm Josh Tomkiel, I'm a senior manager here at Schellman on the Penetration Test team. I've been in the industry for over 10 years, started off as a penetration tester working on external internal networks, mobile applications, and web apps. And now I'm on the manager's side, I understand what issues can impact the pen test project timeline.
So how soon can we get this done?
Well, unfortunately, there are a lot of varying factors that go into this.
Number one, how big is the scope?
We need to know how many assets host web applications are in scope for this assessment that determines how long the project duration will be. If it's just 20 hosts on an external network, we could get that done in a week and then an additional week for the pen test report to be written and QA'ed internally and then finally delivered to you.
So on a small scope, we could turn that around in two weeks, but on average we're looking at 4 to five weeks for a pen test of an average-size application or network or phishing campaign. We've had pen tests that go as long as 15 weeks with multiple testers assigned when there's
- Multiple services in scope web applications
- Mobile apps
- Desktop clients
- A phishing campaign
- Internal external pen test, the whole gamut
Now I know there are a lot of factors that we covered that will impact the time frame of when you can get that pen test report in your hand. The next steps are to reach out to us directly so either myself or another pen test specialist on the team can give you an accurate scoping estimate based on the needs of your project.
About JOSH TOMKIEL
Josh Tomkiel is a Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads the Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.