Penetration Testing Guide
What to Expect During a Penetration Test
A full walkthrough from scoping call to remediation support.
A penetration test is a structured security engagement that progresses through defined phases: scoping, reconnaissance, active testing, exploitation and reporting. Sherlock Forensics follows the Penetration Testing Execution Standard and delivers actionable findings with remediation guidance and retesting to verify fixes are effective.
Hiring a penetration testing firm for the first time can feel uncertain. This guide walks you through every stage of the engagement so you know exactly what to prepare and what to expect from start to finish.
Engagement Lifecycle
The Seven Phases of a Penetration Test
1. The Scoping Call
Every engagement begins with a scoping call where we define the boundaries of the test. During this call we identify the systems in scope, discuss your business objectives, determine the testing approach (black box, grey box or white box) and establish a timeline. We also gather technical details such as IP ranges, application URLs, user roles and any systems that must be excluded from testing. This conversation ensures both parties have clear expectations before any testing begins.
2. Rules of Engagement
Before testing starts we formalize the rules of engagement in a written agreement. This document defines what is in scope and what is off-limits, establishes testing windows, names authorized contacts on both sides and outlines communication protocols. It specifies whether denial-of-service testing is permitted, whether social engineering is included and how critical findings will be reported in real time. The rules of engagement protect both your organization and our testers by setting clear boundaries.
3. Reconnaissance
With the rules established our testers begin gathering intelligence about your environment. Passive reconnaissance involves collecting publicly available information: DNS records, WHOIS data, exposed employee details, technology fingerprints and leaked credentials from prior breaches. Active reconnaissance includes port scanning, service enumeration and banner grabbing to map your external attack surface. This phase mirrors what a real attacker would do before launching an attack and often reveals surprising amounts of exposed information.
4. Network Testing
Network penetration testing targets your infrastructure layer. We assess perimeter defences, test firewall rules and attempt to identify misconfigured services. For internal testing we evaluate Active Directory security, network segmentation, privilege escalation paths and lateral movement opportunities. Each discovered vulnerability is validated through controlled exploitation to confirm its severity and potential business impact. We document the full attack chain from initial access to objective completion.
For internal testing engagements, we ship a ShadowTap device to your office before testing begins. Plug it into your network and it connects back to us securely. No VPN or firewall configuration needed. Ship it back when testing is complete.
5. Application and Social Engineering Testing
Web application testing follows the OWASP Testing Guide and covers authentication, authorization, injection flaws, business logic vulnerabilities and API security. If social engineering is in scope we conduct phishing simulations, vishing calls or physical security assessments to evaluate human-layer defences. These tests reveal how attackers combine technical exploits with social manipulation to breach organizations. Application and social engineering testing together provide a complete picture of your security posture across both digital and human attack surfaces.
6. Reporting
Our report is the primary deliverable and we invest significant effort in making it actionable. Every report includes an executive summary written for non-technical leadership, detailed technical findings scored using the Common Vulnerability Scoring System (CVSS), proof-of-concept evidence for each finding, step-by-step remediation guidance and a prioritized action plan. Findings are categorized as Critical, High, Medium, Low or Informational. We present the report in a debrief meeting where your team can ask questions and discuss remediation strategies.
7. Remediation Support and Retesting
After report delivery we remain available to answer questions and provide guidance as your team works through remediation. We offer a retest window where we verify that fixes have been implemented correctly and that no new vulnerabilities were introduced during remediation. The retest produces a supplemental report confirming which findings have been resolved and which remain open. This completes the engagement lifecycle and gives your stakeholders documented evidence of security improvement.
Timeline
Typical Engagement Timeline
| Phase | Duration | Your Involvement |
|---|---|---|
| Scoping and Rules of Engagement | 1-3 days | Active participation required |
| Reconnaissance | 1-2 days | Minimal |
| Active Testing | 5-15 days | Available for questions |
| Reporting | 3-5 days | Report debrief meeting |
| Remediation and Retest | 2-4 weeks | Implement fixes then schedule retest |
Frequently Asked Questions
Penetration Test Process FAQs
- How long does a penetration test take?
  Most penetration tests take between one and three weeks of active testing depending on scope. The full engagement lifecycle from scoping call to final report delivery typically spans two to four weeks. Larger environments or red team engagements may require additional time.
- Do we need to inform our employees about the penetration test?
  It depends on the engagement type. For standard network and application testing your IT team should be aware. For social engineering or red team engagements you may choose to limit awareness to senior leadership to get an accurate measure of your detection and response capabilities.
- What happens if the testers find a critical vulnerability during testing?
  We notify your designated point of contact immediately when a critical or actively exploitable vulnerability is discovered. This allows your team to begin remediation before the formal report is delivered. All critical findings include proof-of-concept evidence and remediation guidance.