Based on our experience running pen tests for our clients, the average pen test takes 2 to 4 weeks to complete. That said, not all pen tests are equal. Depending on factors like the size of your potential attack surface, your budget, and the extent of your current cybersecurity defenses, pen tests could take anywhere between 1 and 15 weeks max.
That’s a pretty significant range. Too significant for someone who isn’t an experienced penetration tester to project. This article will break down the various phases of penetration testing and the scenarios involved that could either shorten or extend the duration of your web application penetration test. After years of running pen tests for our clients at EliteSec, we’re well-equipped to advise.
The 6 Phases Of Penetration Tests
There are typically 6 steps to a penetration test. However, depending on how in-depth you want to go, you might not need to execute every single one of them. Knowing the steps and the relevant pitfalls will help you understand how long you need. At EliteSec we usually use a combination of manual testing and automated tools. Here are the typical steps:
- Planning for penetration testing
Initially, the pen tester will define the goals and the scope of the test. They’ll work with you to set expectations, plan logistics and identify objectives. They will also ask you questions to get a sense of what your current security setup looks like and your main pain points.
- Gathering information a.k.a. Reconnaissance
At this point, the pen tester will start working a lot like a hacker. They will engage in detective work to discover as much as possible about your target network. Depending on whether you elected to pursue black box, white box, or gray box testing, they might already have a lot of information about your systems as provided by your team.
Here are some of the different types of research the tester could engage in:
- Search engine queries
- Internet footprinting
- Domain name queries
- Social engineering
- Investigating public records and filings
By conducting a full search, the pen tester allows themselves to be as precise as possible when they try to break into your system.
- Vulnerability assessment
Vulnerability testing is an important practice in its own right. Using an automated tool in the early stages of the penetration test to scan for known vulnerabilities is an important step. Penetration testers will use static analysis to analyze your code to predict how it might respond to a hack. Then, a pen tester will use dynamic analysis to view the code as it is running to process how it might respond to an attack.
Furthermore, the vulnerability scan will cover your network systems, hosts, servers, and devices.
- Penetrating your system, a.k.a. Exploitation
This is the part where the penetration tester mimics a real-life cyber attack and tries to exploit vulnerabilities in your system. Of course, the attack will be simulated and controlled so you don’t risk any critical business assets.
Here are some of the things the tester might do to gain access to your systems:
- Attack your web applications
- Exploit your internet-facing devices to extract data
- Inject SQL into your apps
The tester works on all these things and more to see how much of an incursion they can make into your infrastructure without being detected. Having defined the scope of the penetration test in the previous steps, the tester will carefully push their activities to the limits you agreed on.
- Maintaining access and further incursions
Upon gaining access to your target system, the pen tester will double down and do everything to stay in your system as long as possible. This will be a good test of your defense mechanisms.
Like a real-world hacker, the pen tester will try to work their way up to administrative privileges in your system. Thus, they delve deeper and deeper into your company’s data and systems, attempting to evade detection at every juncture. They will try to obtain the most sensitive data that you permit.
- Final analysis and reporting
At the point where the penetration tester is discovered, the test usually ends. In any case, once the penetration test window is finished, the pen tester will begin to analyze all the activities they conducted during the pen test to formulate their final report. The report will summarize every security vulnerability the tester discovered, along with how they cleaned up their work and recommendations for security resolutions. Moreover, the tester should provide you with a cost report to help you plan and budget for an incursion.
How Do You Do Penetration Testing?
Penetration tests require a few ingredients so that they’re comprehensive. Penetration testing tools like vulnerability scanners and password hackers can help you monitor security loopholes. In fact, real hackers will use these exact tools to breach your systems.
Here are some more common penetration testing tools:
- Port Scanners: Help you acquire network info on a target.
- Web Application Scanners/Proxies: For conducting web application penetration testing.
- Wifi Network Tools: To monitor and assess your network security and break in.
- Comprehensive exploitation frameworks: A tool that testers can use throughout the process to detect, exploit, and validate vulnerabilities.
If you decide to select your own penetration tools ahead of time, you should ensure that it’s relatively user-friendly. You’ll need to configure it for your company’s use case, so beware of any specific requirements of your industry.
Even if you opt to hire an outside pen tester, you’ll still want to run intermittent vulnerability scans. And if your team is knowledgeable enough, you can run them by yourself. These tools are usually automatic anyway, so they can generate an in-depth log of your issues. Then, you’ll be able to prioritize the weaknesses that must be remedied.
Should You Do Your Own Penetration Test?
Technically, you could just go out and buy all those penetration testing tools that we mentioned and figure out how to run the pen test yourself. After all, who knows your systems better than you do?
That would be ill-advised. Considering the security of your company is at stake, having a professional who has already run dozens of pen tests would be a lot better. They’re knowledgeable about standards in your industry and already have processes to deal with systems like yours.
What To Expect From A Penetration Test
The processes that we outlined above seem pretty straightforward. However, the pen test might be structured differently depending on your organization’s size. Not to mention, you could hit roadblocks at certain phases. Collecting information on your systems might be harder than you think if you don’t give the pen tester direct access, and that all depends on your approach to pen testing.
So, given that pen tests typically take between 2 and 15 weeks to carry out, let’s look at some of the factors that could prolong or shorten your pen test.
The Scope Of The Test
On the one hand, if your network only has a few servers, and maybe a few applications, you won’t need to test much. That will make your test time shorter. That said, if one of those web apps is highly complex, then that can throw things off and make the test take longer. Not all servers or apps are built equal.
The Testing Methodology
If your tester has no prior knowledge of the target system, like in the black box method, then it will take a lot longer for the tester to do reconnaissance. Another example is when you use automated tools, that can speed up the process, as long as the tester is already knowledgeable in those tools.
Communication With Management & Other Stakeholders
Throughout the process, pen testers need to ensure that everyone’s objectives align and gather information from different parties in your company. Communication is necessary to guarantee that all your requirements are met.
Regulatory Compliance
75% of companies seek out penetration testing services because they require them to continue operating in their industry. Companies in the financial, medical, government, and education sectors are typically required to apply these standards to their work. In certain cases, the requirements might be elevated and thus add extra time to the planning and execution phases of the actual test.
Workflow Interruptions
When you’re tearing out the guts of your system, poking around, and putting them back together like a pen tester does, that’s obviously going to cause a lot of interference. You’re going to need to halt certain activities, including some essential business processes, to allow the pen tester to do their work.
In many cases, the pen tester will need to perform their tests off-hours. Even then, they might need support from your IT staff during those hours to help account for any problems that come up. Clearly, the testing process isn’t as straightforward as it might initially seem. Simulating a targeted attack requires a perfect testing environment, and you might just have to spend extra time to create the perfect conditions.
How Long Does A Pen Test Take? Our Conclusions
First of all, we’re basing all these estimates on past experience. Experience collaborating with companies on pen tests for many years.
Before we can begin work, you’ll already know up-front how long it could take. If we’re uncertain about the time required for any particular phase, we’ll let you know what variables could cause disruptions ahead of time.
So, when we’re evaluating how long your project will take, we usually make the following considerations:
How many assets do you have?
If you just have something like 15 hosts from an external network, we could easily just get those done in a single week. Afterward, we would need another week to write a report to collect our findings. That’s the most basic case though.
That said, you probably have more than just a couple of servers. When we account for things like web apps, mobile apps, routers, and basically any surface that’s open to the internet. In those cases, we might take 4 or 5 weeks on average. For larger apps, we could take months, with a larger pen test team needed to cover the whole attack surface.
What Can Prolong The Pen Test
Those pen tests that take longer usually have some commonalities. First off, they typically have multiple important web applications or mobile apps. Even desktop apps could need to be tested depending on the attack surface.
Moreover, depending on your unique needs we might need to carry out different kinds of attacks. For instance, we could carry out a phishing campaign to help you test your end users and see how vulnerable they are to social engineering threats. You might also want to conduct an internal pen test to mimic what it would be like if a rogue user acted against you internally. There are all sorts of factors to consider, and that can prolong the pen test.
Our Approach To Pen Tests
If you’re looking to speed through your pen tests, then you probably aren’t ready to have one. Penetration testing takes time because as testers, we want to accurately and comprehensively identify vulnerabilities and give you a roadmap to help you fix them.
Keep in mind that not only do pen tests take a bit of time and disrupt your normal activities, but they also need to be conducted again and again. For some businesses, you need to run tests multiple times a year and document the whole process just to keep operating per regulatory requirements.
Now is a good time to explore potential pen testing providers. Given our depth of experience in pen testing, as well as our comprehensive coverage, EliteSec can help with any penetration testing scenario you can think of. Here are some of the penetration testing methodologies we cover:
- Web Application Penetration Testing
- Internal and External Network Penetration Testing
- Mobile Application Penetration Testing
- Native Application Penetration Testing
- Cloud Infrastructure Assessments
- Vulnerability Assessments
- Open Source Intelligence (OSINT) Investigations
Typically, our clients are looking to comply with regulations like PCI-DSS or run a pen test to give a potential enterprise client extra assurance that their data is secure. To find out how your pen test could unfold, reach out to us for a quote.
Schedule A Consultation
By now, you probably have some burning questions about penetration testing as it applies to your business.
We’re happy to offer you a free 30-minute consultation where we’ll run through these pressing issues and answer any other questions you may have. Check out our availability to book an appointment.