SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

How Long Does a Penetration Test Take?

Penetration Testing

So you've decided that you're going to have a penetration test performed and you want to know how long it's going to take. Awesome! I'm sure you want that report in your hand right away. This video is going to cover some of the tips you need to know about that could impact the timing of a penetration test.

Hi, I'm Josh Tomkiel, I'm a senior manager here at Schellman on the Penetration Test team. I've been in the industry for over 10 years, started off as a penetration tester working on external internal networks, mobile applications, and web apps. And now I'm on the manager's side, I understand what issues can impact the pen test project timeline.

So how soon can we get this done?

Well, unfortunately, there are a lot of varying factors that go into this.

Number one, how big is the scope?
We need to know how many assets host web applications are in scope for this assessment that determines how long the project duration will be. If it's just 20 hosts on an external network, we could get that done in a week and then an additional week for the pen test report to be written and QA'ed internally and then finally delivered to you.

So on a small scope, we could turn that around in two weeks, but on average we're looking at 4 to five weeks for a pen test of an average-size application or network or phishing campaign. We've had pen tests that go as long as 15 weeks with multiple testers assigned when there's

  • Multiple services in scope web applications
  • Mobile apps
  • Desktop clients
  • A phishing campaign
  • Internal external pen test, the whole gamut

Now I know there are a lot of factors that we covered that will impact the time frame of when you can get that pen test report in your hand. The next steps are to reach out to us directly so either myself or another pen test specialist on the team can give you an accurate scoping estimate based on the needs of your project. 

About Josh Tomkiel

Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.