Content, Information and Security

Words: Timeboxed

By - Editing
12.07.22 03:33 PM

You’ll find this word on many penetration tests – it’s a very specific and important term.

Given all the time in the world, a penetration test could crack every password, find every known vulnerability and break past all of your cybersecurity armour. But running penetration testing tools takes time, and time costs money. So penetration tests are usually run as timeboxed assessments – assessments that take place over a fixed timeframe, from one set date to another. You’re not paying for a specific result at the end, nor are you paying per finding; the tester will make best-effort attempts during the time set aside and report on what they found.

This means that a penetration test probably won’t uncover every vulnerability in your system. However, the testing company will find and report on the things that are most likely to be found and exploited, to give you the most value for their time. Longer timeboxes may allow a greater number of tools to be used, or let your tester follow up more possible leads. I have heard many pen testers lament that, if they’d just had more time on an engagement, they could have checked leads they found at the end of their testing window.

It’s also worth remembering that timeboxed assessments report only on the environment presented during the test period. If your IT team makes changes to the environment after the test, or even midway through it, other vulnerabilities may be introduced that the penetration test won’t discover.