Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Time Windows for Penetration Testing

Often when penetration tests are scheduled, it will be requested that testing occurs during off-peak hours, such as late evening to early morning. For example, requested hours for testing could be 7pm – 7am, or even 11pm – 6am.

A big reason to have these testing time windows is to prevent peak-time outages. Most organizations have a need to keep systems up and running for their services and customers. Any outage due to penetration testing could be costly and be a denial of service, preventing sales and perhaps affecting revenue.

One thing to keep in mind, however, is whether or not there is a SOC or any monitoring occurring during these off-peak hours to be notified of any outage. Is there a 24/7 staff monitoring service during these late hours of the night and early morning? If not, then any outage that occurs during these hours may not be noticed until peak hours begin and employees begin their workday. If there is no 24/7 staff or monitoring availability, then automated real-time alerts, such as phone calls or text messaging to the IT staff is crucial to prevent the damage that the time windows were specifically set up to avoid.

There are some occasions when pentesting is requested during peak times, for the purpose of having staff present and working to monitor any issues, events or alerts that happen as a result of penetration testing. Another aspect to be aware of is that for penetration testing to be most beneficial, it must replicate as much as possible what a real attacker would do. A real attacker would not necessarily stick to requested testing time windows. A real attacker may not even avoid performing denial of service attacks (or maybe they would, so as to be as stealthy as possible). There is also the amount of time a real attacker has compared to a penetration tester who is fixed to a specific amount of hours to perform testing. A customer requesting a penetration test would be best served to give their tester the flexibility to replicate a real attacker, but also keep within a budget of hours allocated for the tester.

Another important aspect of penetration test time windows is capturing network traffic. Many penetration testing attacks capture traffic that occurs on the network by users in the environment. If testing is done when no one is working it could cause potential vulnerabilities in the organization to be overlooked and give a false sense of security to the customer. It can be very beneficial especially for internal penetration tests to have testing be performed during peak hours to capture any potential weaknesses that can be more easily identified while employees use their IT systems for everyday business. As an example, even though a bit exaggerated, would you restrict a vishing attack to the hours of the day when employees are not at their desks to answer their phones?

The recommendation here is to not restrict penetration tests to any time windows. If the fear for outages is there, communication with the penetration tester is key. Many of the testing activities performed in modern penetration tests should not result in any outages. However extra care can be taken on the side of the penetration tester. Specific Denial of Service attacks should not be performed unless approved by the customer on a system that will not affect their business. Additionally, a longer length of time for testing is more beneficial as the tester will have more time to identify weaknesses that may be present, especially for larger environments with many systems and services.

Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More