One question we often hear from clients is: “How long does a penetration test take?” If only it were an easy question to answer. The question is deceptively tricky and often requires more context, especially when trying to make a positive impact across every engagement.
I’ll explain why this question not only challenges the penetration testing industry but also how, collectively, we can come to sensible conclusions on how long an engagement might take, even if that means factoring in some other variables.
Why is this even a question?
There’s a range of reasons that this question is asked so frequently. The common problem we find is the tension between classic ‘checkbox’ or business-as-usual exercises and more thorough engagements. The commoditisation of penetration testing has been challenging and can sometimes lead to comparisons being made solely on day count, price and time.
A penetration test cannot always be a block of time you buy off the shelf. Each engagement has some nuance and, most importantly, a reason for being carried out. We need a way to translate each environment into a set of plans and avenues to explore, which is where scoping comes into play.
Why scoping matters
Scoping is the most important activity we carry out in our day-to-day work – aside from the actual testing, of course. Scoping is what defines each engagement as unique. It’s the single early opportunity to talk with teams and not only understand the reasoning behind each engagement, but also what their realistic concerns are. The scoping phase is designed to set each engagement up for success, with the aim of providing the most benefit while taking timeframes and constraints into account.
The classic question, at the risk of sounding clichéd, is: “What keeps you up at night?” This question has always served as an excellent indicator of the context behind each engagement. It isn’t a trick question – it serves as a functional requirement that we strive to consider throughout our activities. While the scoping phase serves as a milestone in defining the overall product, service or system under test, it also plays a vital role in fully understanding the why behind each engagement.
The engagement – to exploit or not to exploit?
Another pain point we encounter as consultants is limitations around exploitation and how far we can take each scenario. Remember, each exercise provides a single opportunity to articulate and demonstrate, in a safe and controlled environment, what an adversary may be able to achieve in the same circumstances.
We’re strong supporters of leveraging exploitation during each engagement. Exploitation helps establish context and, with it, demonstrate real business impact. While this doesn’t necessarily answer the original question we’re faced with, it does highlight a key point: that every engagement is driven by depth, rather than time alone.
There is a harsh reality, however: an adversary doesn’t face the same constraints. They don’t scope an engagement or adhere to a statement of work, and have no end date, budget or external consideration. As consultants, we’re working on a snapshot in time and trying to condense many of the techniques a real adversary can use into a much shorter window. The advantage we collectively have, as both clients and consultants, is a much clearer understanding of what a good sample range during an engagement looks like, and how we can work together to prioritise the most crucial areas in the most effective time window.
Closing thoughts
There’s a time and a place for a one-size-fits-all solution, and we always advocate for our clients to test the robustness of their systems and software periodically. However, when we return to the question of “how long”, we can use our reasoning above to help answer it.
The correct engagement length is the one that provides the most accurate and genuine assurance based on your needs.
