How Long Does a Penetration Test Take?

So you've decided that you're going to have a penetration test performed and you want to know how long it's going to take. Awesome! I'm sure you want that report in your hand right away. This video is going to cover some of the tips you need to know about that could impact the timing of a penetration test.

Hi, I'm Josh Tomkiel, I'm a senior manager here at Schellman on the Penetration Test team. I've been in the industry for over 10 years, started off as a penetration tester working on external internal networks, mobile applications, and web apps. And now I'm on the manager side, so I understand what issues can impact pen test project timeline.

So how soon can we get this done?

Well, unfortunately, there's a lot of varying factors that go into this.

Number one, how big is the scope?
We need to know how many assets hosts web applications are in scope for this assessment that determines how long the project duration will be. If it's just 20 hosts on an external network, we could get that done in a week and then an additional week for the pen test report to be written and QA'ed internally and then finally delivered to you.

So on a small scope, we could turn that around in two weeks, but on average we're looking at 4 to five weeks for a pen test of an average size application or network or phishing campaign. We've had pen tests that go as long as 15 weeks with multiple testers assigned when there's

  • Multiple services in scope web applications
  • Mobile apps
  • Desktop clients
  • A phishing campaign
  • Internal external pen test, the whole gamut

Now I know there's a lot of factors that we covered that will impact the time frame of when you can get that pen test report in your hand. Next steps are to reach out to us directly so either myself or another pen test specialist on the team can give you an accurate scoping estimate based on the needs of your project. 

Previous Video
Should You Include Privacy in Your Next SOC 2?
Should You Include Privacy in Your Next SOC 2?

Next Video
What is a Critical Security Control Failure
What is a Critical Security Control Failure