How Long Does a Penetration Test Take?

Penetration Testing

So you've decided that you're going to have a penetration test performed and you want to know how long it's going to take. Awesome! I'm sure you want that report in your hand right away. This video is going to cover some of the tips you need to know about that could impact the timing of a penetration test.

Hi, I'm Josh Tomkiel, I'm a senior manager here at Schellman on the Penetration Test team. I've been in the industry for over 10 years, started off as a penetration tester working on external and internal networks, mobile applications, and web apps. And now I'm on the manager's side, I understand what issues can impact the pen test project timeline.

So how soon can we get this done?

Well, unfortunately, there are a lot of varying factors that go into this.

Number one, how big is the scope?
We need to know how many assets, hosts, and web applications are in scope for this assessment. That determines how long the project duration will be. If it's just 20 hosts on an external network, we could get that done in a week and then an additional week for the pen test report to be written and QA'ed internally and then finally delivered to you.

So on a small scope, we could turn that around in two weeks, but on average we're looking at four to five weeks for a pen test of an average-size application or network or phishing campaign. We've had pen tests that go as long as 15 weeks with multiple testers assigned when there are multiple services in scope:

  • Web applications
  • Mobile apps
  • Desktop clients
  • A phishing campaign
  • Internal and external pen tests, the whole gamut

Now I know there are a lot of factors that we covered that will impact the time frame of when you can get that pen test report in your hand. The next steps are to reach out to us directly so either myself or another pen test specialist on the team can give you an accurate scoping estimate based on the needs of your project. 

About Josh Tomkiel

Josh Tomkiel is a Managing Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.