When it comes to physical penetration testing, there’s often a tension between the objectives of the black team (the penetration testers) and the client. The black team typically wants as much time as possible to ensure a thorough and comprehensive assessment, while clients, often constrained by budget, time, or operational concerns, want engagements to be as brief as possible.
Striking a balance between these two needs is crucial because the duration of a physical pentest directly impacts its effectiveness. Rushing can lead to missed vulnerabilities, while an extended timeline might stretch client resources unnecessarily.
A general standard, and my personal recommendation, is that a physical pentest should last about two weeks per building. This is not a fixed rule but rather a benchmark, and it can fluctuate depending on several key factors.
The size and security posture of the building, the complexity of the flags or objectives the client wants tested, and the skill set and number of team members all play a role in determining the exact timeline. It’s essential to consider these factors when planning an engagement, but the two-week standard offers a good starting point.
For example, suppose you have three experienced physical pentesters on the team, the client's office is a single floor within a shared office complex with fairly relaxed security, and the only objective is to get into the building and leave a business card on the CEO's desk.
Given the shared office space, you can likely enter the building without an ID check or any real friction; after that it is only a matter of finding a viable route to the CEO's desk, which may not take a full two weeks.
Why Two Weeks?
The reason a two-week timeline is optimal is that it allows sufficient time for thorough reconnaissance (recon) before the actual penetration attempt. Typically, the first week—or about 50% of the total engagement—is dedicated to recon.
Recon is critical because, without it, you may not be fully aware of a building’s security vulnerabilities, personnel behavior, or routine operations. Recon is often divided into multiple phases:
OSINT (Open Source Intelligence)
long-range observation
short-range observation
embedded recon
The embedded phase is where the black team may begin interacting directly with employees or contractors to gather inside information.
The Importance of Reconnaissance
Recon isn’t just about observing physical security measures like locks, cameras, or guards. A large part of recon involves mapping out patterns of behavior within the building. Employees, third-party contractors, and cleaning crews often follow predictable routines that can offer exploitable gaps in security.
For instance, if janitors only clean after hours twice a week, that could represent a key opportunity for physical entry; but if you allocate only a single Monday to recon, you may miss that method of entry entirely.
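The point about recon days versus recurring routines can be made concrete with a small coverage check. The following is an added example, not code from the original post or from Covert Access Team: it models a building's recurring routines as weekday/time-window patterns, models a recon plan as a set of observation windows, and reports which routines the plan would never observe. The routines, dates and schedules are all constructed for illustration, and time windows are assumed not to cross midnight.

```python
"""Recon schedule coverage check (added example, constructed data).

Models recurring building routines as weekday/time-window patterns and a
recon plan as a list of observation windows, then reports which routines
the plan would never observe. Windows are assumed not to wrap past midnight.
"""
from dataclasses import dataclass
from datetime import date, time, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)


@dataclass(frozen=True)
class Routine:
    """A recurring pattern: which weekdays it happens on and when."""
    name: str
    weekdays: frozenset
    start: time
    end: time


@dataclass(frozen=True)
class Observation:
    """One block of time the team is actually watching the site."""
    day: date
    start: time
    end: time


def overlaps(a_start, a_end, b_start, b_end):
    """True if two same-day time windows share any interval."""
    return a_start < b_end and b_start < a_end


def observed_routines(routines, observations):
    """Map each routine name to the list of dates on which it would be seen."""
    seen = {r.name: [] for r in routines}
    for obs in observations:
        for r in routines:
            if obs.day.weekday() in r.weekdays and overlaps(
                obs.start, obs.end, r.start, r.end
            ):
                seen[r.name].append(obs.day)
    return seen


def missed_routines(routines, observations):
    """Sorted names of routines the recon plan would never observe."""
    return sorted(n for n, days in observed_routines(routines, observations).items()
                  if not days)


def plan(start_day, n_days, start, end):
    """Observe the same window on n_days consecutive days starting at start_day."""
    return [Observation(start_day + timedelta(days=i), start, end) for i in range(n_days)]


# Constructed routines for a hypothetical single-tenant office building.
ROUTINES = [
    Routine("shift change", frozenset({MON, TUE, WED, THU, FRI}), time(8, 30), time(9, 30)),
    Routine("janitorial crew", frozenset({TUE, THU}), time(19, 0), time(22, 0)),
    Routine("loading dock pickup", frozenset({WED}), time(6, 0), time(7, 0)),
    Routine("weekend delivery", frozenset({SAT}), time(10, 0), time(12, 0)),
]

START = date(2024, 6, 3)  # a Monday; constructed start date for the engagement

# Three hypothetical recon plans of increasing thoroughness.
MONDAY_ONLY = plan(START, 1, time(8, 0), time(18, 0))
BUSINESS_WEEK = plan(START, 5, time(8, 0), time(18, 0))
TWO_WEEKS_EXTENDED = plan(START, 14, time(6, 0), time(23, 0))


def coverage_report(routines, observations):
    """Human-readable summary of which routines a plan catches."""
    lines = []
    for name, days in observed_routines(routines, observations).items():
        when = ", ".join(f"{WEEKDAYS[d.weekday()]} {d.isoformat()}" for d in days)
        lines.append(f"{name:20s} {'seen' if days else 'MISSED':7s} {when}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, p in [("Monday only", MONDAY_ONLY),
                     ("Business-hours week", BUSINESS_WEEK),
                     ("Two weeks, 06:00-23:00", TWO_WEEKS_EXTENDED)]:
        print(f"== {label} ==")
        print(coverage_report(ROUTINES, p))
        print()
```

Running it shows the failure mode from the text: both a single Monday and a full Monday-to-Friday business-hours week observe only the morning shift change, while the after-hours janitorial crew, the early loading dock pickup and the Saturday delivery are all missed. Only the two-week plan that extends into evenings and weekends observes every routine, and it sees the janitorial crew four times, enough to confirm the pattern rather than a one-off.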