How to Time Your Penetration Test: Scheduling Engagements Around Product Launches, Migrations, and Audit Cycles
Timing a pentest badly is almost as expensive as not running one at all. How to schedule engagements around product launches, infrastructure migrations, and audit deadlines so the findings actually land while there is time to fix them.
Why Timing Matters More Than Most Teams Realize
Most guidance on penetration testing focuses on scope, methodology, and provider selection. The question of when to test gets far less attention. That is a mistake.
A well-scoped pentest at the wrong time produces findings you cannot act on, tests infrastructure that is about to change, or delivers a report too late to satisfy your auditor. Timing is not a logistics detail. It directly affects the return on your testing investment.
This guide covers the tactical question of scheduling. It maps common business events to ideal testing windows and gives you a framework for building a pentest calendar that aligns with your organization’s actual needs.
The Cost of Bad Timing
Bad timing shows up in predictable ways:
- Testing during active development. Findings get invalidated by code changes pushed after the test. The report describes an application that no longer exists.
- Testing right before a migration. You pay for a full engagement against an environment you are about to decommission.
- Testing too close to an audit deadline. The report surfaces critical findings, but there is no time to remediate. You enter the audit with documented vulnerabilities and no evidence of fixes.
- Testing during peak season. Your preferred company is booked. You either accept a less experienced team or delay the engagement.
Each of these scenarios wastes budget. Some also create compliance risk. The fix is straightforward: plan your testing calendar around your business calendar.
Aligning Pentests With Audit Cycles
Compliance-driven testing is the most common reason organizations schedule penetration tests. Getting the timing right requires working backward from your audit window.
SOC 2
SOC 2 Type II audits cover a defined observation period, typically 6 or 12 months. Your pentest should fall within this period. But completing the test early in the observation window is better than completing it late.
Here is the reasoning: a pentest completed 8-12 weeks before your audit window closes gives you time to remediate findings and document the fixes. The auditor then sees both the pentest report and evidence that you acted on it. That is a stronger evidence package than a clean pentest report with no remediation trail.
Recommended timeline for SOC 2:
| Step | Timing |
|---|---|
| Identify pentest scope | 14-16 weeks before audit window closes |
| Select and contract provider | 12-14 weeks before |
| Execute pentest | 8-12 weeks before |
| Remediate critical/high findings | 4-8 weeks before |
| Provide evidence to auditor | Within audit window |
PCI DSS
PCI DSS requires penetration testing at least annually and after significant infrastructure or application changes. Requirement 11.4 is specific: you must test both network and application layers, and the test must cover the cardholder data environment (CDE).
Your PCI DSS validation date is fixed. Work backward from it. Complete your pentest at least 10-12 weeks before your Qualified Security Assessor (QSA) or Self-Assessment Questionnaire deadline. This gives time for remediation and re-testing of critical findings.
If you have significant changes to your CDE during the year, those changes trigger an additional pentest requirement. Budget for this. Many organizations get caught by mid-year infrastructure changes that require out-of-cycle testing.
ISO 27001
ISO 27001 does not explicitly require penetration testing, but most certification bodies expect it as part of your risk assessment and treatment process. Schedule your pentest to complete before your surveillance or recertification audit. The same 8-12 week buffer applies.
General Rule for Compliance-Driven Tests
Finish the pentest early enough to fix what you find. A pentest report full of unresolved critical findings is worse than no report at all from an auditor’s perspective. It is documented evidence of known risk with no treatment.
Product Launches and Major Releases
Product launches create a natural testing trigger. The question is whether to test before or after launch, and how to handle the fast pace of release cycles.
Test After Code Freeze, Before Production Deployment
The ideal window is after your staging environment is stable and feature-complete, but before you deploy to production. This means testing against a staging or pre-production environment that mirrors production.
Testing during active development is counterproductive. If your engineering team is pushing daily commits, the application the tester evaluates on Monday is not the same application that ships on Friday. Findings become stale. Engineers waste time triaging issues that no longer apply.
Wait for code freeze or feature lock. Then test.
What About Post-Launch Testing
Post-launch testing has value, but it is a different engagement. A post-launch test validates the production environment, including deployment configuration, production infrastructure, and real-world data flows. It catches issues that only appear in production, such as misconfigured CDNs, exposed admin panels, or overly permissive cloud IAM roles.
The best approach is to do both: a pre-launch test against staging to catch application-layer issues before they reach users, and a post-launch test against production to validate the deployment.
Fast Release Cycles
If you ship weekly or biweekly, annual pentesting is insufficient. Consider these alternatives:
- Continuous pentesting programs with a provider who maintains familiarity with your codebase and retests after each major release.
- Bug bounty programs as a supplement, not a replacement, for structured pentesting.
- Targeted assessments scoped to new features or changed components rather than full application tests each time.
Some penetration testing companies offer retainer-based models designed for organizations with fast release cycles. You can search for these on pentest.fyi by filtering for companies that support continuous or ongoing testing engagements.
Cloud Migrations
Cloud migrations are one of the worst times to run a penetration test. They are also one of the most important times to have testing on your roadmap.
Why Testing During Migration Wastes Money
During an active migration, your environment is in flux. Network configurations change daily. Services move between on-premise and cloud. Hybrid architectures create temporary attack surfaces that will not exist post-migration.
A pentest during this period tests a transient state. Many findings will be invalidated by subsequent changes. Your team is already stretched thin managing the migration. Adding a pentest remediation workstream creates competing priorities.
When to Test Instead
Before migration: Conduct a brief architecture review of your target cloud design. This is not a full pentest. It is a design review focused on IAM policies, network segmentation, data encryption at rest and in transit, and logging and monitoring coverage. Budget 2-5 days of consultant time.
After migration: Once the target environment is stable and handling production traffic, run a full penetration test. Focus areas should include:
- Cloud configuration (S3 bucket policies, security groups, IAM role assumptions)
- Network segmentation between migrated workloads
- Authentication and authorization in the new environment
- Data exposure through misconfigured services
- Lateral movement paths between cloud accounts or subscriptions
Recommended timeline for migration-related testing:
| Phase | Testing Activity | Timing |
|---|---|---|
| Pre-migration | Architecture and design review | 4-6 weeks before migration begins |
| During migration | None (focus on migration execution) | - |
| Post-migration | Full cloud penetration test | 2-4 weeks after environment stabilizes |
| Post-remediation | Retest of critical findings | 4-6 weeks after initial pentest report |
Mergers, Acquisitions, and Third-Party Integrations
M&A activity creates unique testing requirements. Due diligence often includes a security assessment of the target company’s infrastructure and applications.
During Due Diligence
A penetration test during due diligence helps quantify security debt. It reveals vulnerabilities that may affect the acquisition price or integration timeline. This test should happen early in the due diligence process so findings can inform negotiations.
Scope is usually limited by access constraints. You may only get read access to documentation, or limited testing windows against a subset of the target’s systems. Plan for a constrained engagement.
Post-Acquisition Integration
After the deal closes, test the integration points between the acquiring company’s infrastructure and the acquired company’s systems. Focus on:
- Trust relationships between Active Directory domains or identity providers
- VPN or network peering connections
- Shared application dependencies
- Data flows between the two environments
This is often missed. Two individually secure environments can create new attack paths when connected.
Seasonal Demand and Pricing
Penetration testing demand is not evenly distributed across the year. Understanding seasonal patterns helps you get better availability and potentially better pricing.
Q4 Is the Busiest Quarter
Many organizations operate on a calendar fiscal year. Annual pentest requirements and year-end compliance deadlines push a disproportionate amount of testing into October, November, and December. This creates several problems for buyers:
- Longer lead times. Companies that normally need 2-3 weeks of lead time may need 5-6 weeks in Q4.
- Higher prices. Some companies charge a premium during peak periods, or decline to offer discounts they would provide in quieter months.
- Less experienced testers. When demand spikes, some companies staff engagements with their less senior consultants. Senior testers are already committed to existing clients.
Q1 Audit Prep Creates a Secondary Spike
Organizations with fiscal years starting in January often schedule pentests in Q1 to get ahead of their annual compliance cycle. This creates a smaller demand spike in January and February.
The Best Time to Buy
Q2 and Q3 (April through September) are generally the quietest months for penetration testing companies. Booking during this window offers several advantages:
- Better availability of senior testers
- More scheduling flexibility
- Potential for better rates
- More time for the provider to conduct thorough scoping
If your compliance calendar allows it, shift your annual pentest into this window.
Building a 12-Month Pentest Calendar
Instead of scheduling tests ad hoc, build a rolling 12-month calendar that ties testing to business events. Here is how to approach it.
Step 1: Map Your Business Events
List every event in the next 12 months that should trigger or influence penetration testing:
- Compliance audit deadlines (SOC 2, PCI DSS, ISO 27001, HIPAA)
- Major product launches or feature releases
- Cloud migrations or infrastructure changes
- M&A activity
- Third-party integrations
- Contract renewals with key clients who require pentest reports
Step 2: Work Backward From Each Event
For each event, determine the ideal testing window using the guidance above. Account for:
- Provider lead time (4-8 weeks standard, 10-12 weeks in Q4)
- Engagement duration (1-4 weeks depending on scope)
- Remediation time (4-8 weeks for critical and high findings)
- Re-test time (1-2 weeks)
Step 3: Consolidate and Prioritize
Some testing windows will overlap. Consolidate where possible. A single well-scoped engagement can satisfy multiple requirements if the scope covers the right systems.
Prioritize compliance-driven tests first. These have hard deadlines. Product launch tests have more flexibility. Infrastructure tests can often shift by a few weeks without consequence.
Step 4: Budget and Contract Early
Once your calendar is set, engage providers early. For annual testing programs, consider a master services agreement (MSA) with a provider that covers multiple engagements. This reduces contracting overhead and often secures better rates.
Decision Matrix: Business Events and Testing Windows
Use this matrix to quickly determine when to schedule your pentest based on the triggering business event.
| Business Event | When to Test | Lead Time Needed | Key Consideration |
|---|---|---|---|
| SOC 2 Type II audit | 8-12 weeks before audit window closes | 6-8 weeks | Must fall within observation period |
| PCI DSS validation | 10-12 weeks before QSA deadline | 6-8 weeks | CDE changes trigger additional tests |
| ISO 27001 surveillance audit | 8-10 weeks before auditor visit | 6-8 weeks | Test should inform risk treatment plan |
| Product launch (major) | After code freeze, before production deploy | 4-8 weeks | Retest in production post-launch |
| Product launch (minor/feature) | After feature lock in staging | 2-4 weeks | Scope to changed components only |
| Cloud migration | 2-4 weeks after environment stabilizes | 4-6 weeks | Do not test during active migration |
| M&A due diligence | Early in due diligence process | 2-4 weeks | Access constraints may limit scope |
| Post-acquisition integration | 4-6 weeks after systems are connected | 4-6 weeks | Focus on integration points and trust relationships |
| Annual compliance requirement | Q2 or Q3 if calendar allows | 4-8 weeks | Avoid Q4 for better pricing and availability |
| Client contract requirement | 6-8 weeks before report due date | 4-6 weeks | Confirm report format requirements with client |
How Lead Time Varies by Engagement Type
Not all penetration tests require the same lead time. Here is a rough guide:
| Engagement Type | Typical Duration | Recommended Lead Time |
|---|---|---|
| Web application pentest | 1-2 weeks | 4-6 weeks |
| Internal network pentest | 1-2 weeks | 4-6 weeks |
| External network pentest | 3-5 days | 3-4 weeks |
| Cloud configuration review | 3-5 days | 3-4 weeks |
| Red team engagement | 2-6 weeks | 8-12 weeks |
| OT/ICS pentest | 1-3 weeks | 10-14 weeks |
| Mobile application pentest | 1-2 weeks | 4-6 weeks |
| Social engineering assessment | 1-2 weeks | 6-8 weeks |
Red team engagements and OT/ICS tests require the longest lead times because they need specialized testers who are in short supply. Plan accordingly.
Starting Your Provider Search at the Right Time
Knowing when to test is only useful if you can find and contract a provider in time. Here is a practical approach:
- 12-16 weeks before your testing window: Begin your provider search. Use pentest.fyi to find companies that match your requirements by geography, specialization, and certifications.
- 10-12 weeks before: Request proposals with a structured RFP from 2-3 companies. Compare scope, methodology, team qualifications, and pricing.
- 8-10 weeks before: Finalize your contract and SOW. Confirm tester availability for your target dates.
- 6-8 weeks before: Complete any pre-engagement requirements: VPN access, credentials, scope documentation, rules of engagement.
- Testing window: Execute the engagement.
Starting early prevents the scramble that leads to poor provider selection. The pentest.fyi directory lists penetration testing companies worldwide with details on their service offerings, making it faster to build a shortlist without starting from scratch each time.
Common Scheduling Mistakes
Treating Pentesting as a Year-End Checkbox
Organizations that schedule every pentest in December because “it is annual” are paying more and getting less. Spread your testing across the year. Align each engagement with the business event it supports.
Not Accounting for Remediation Time
A pentest that finishes the week before your audit is useless for compliance. The report will document findings. Your auditor will ask what you did about them. If the answer is “nothing yet,” you have a problem.
Testing Unstable Environments
Do not test environments that are actively changing. This includes environments mid-migration, applications in active development, and infrastructure undergoing major reconfiguration. Wait for stability.
Booking Too Late for Specialized Tests
Red team engagements, OT/ICS tests, and hardware security assessments require testers with niche skills. These people are booked months in advance. If you need specialized testing, ask the right qualifying questions early so you do not lose weeks of lead time on a company that cannot staff the engagement.
Forgetting Re-Test Budgets
Many organizations budget for the initial pentest but not for re-testing after remediation. Re-testing validates that fixes are effective. Budget for it from the start, and schedule it into your timeline.
Summary
When you schedule a penetration test matters as much as how you scope it or who you hire. Build a 12-month testing calendar tied to your business events. Work backward from deadlines to determine testing windows. Avoid Q4 when possible. Account for remediation and re-testing time.
Start your provider search early. Use pentest.fyi to find companies that match your requirements, compare their listings, and shortlist providers before your testing window approaches. Good timing turns penetration testing from a compliance checkbox into an investment that actually reduces risk.
Key Takeaways
- Schedule penetration tests 8-12 weeks before your SOC 2 or PCI DSS audit window so there is time to remediate findings before the auditor arrives.
- Testing during a cloud migration is wasteful because the environment is unstable and findings will be invalidated by subsequent infrastructure changes.
- Q4 is the busiest quarter for penetration testing companies, so engagements booked in October through December often cost more and face longer lead times.
- Test new products or major features after staging is stable but before production deployment, not during active development sprints.
- Build a rolling 12-month pentest calendar tied to your business events rather than scheduling tests ad hoc or purely on an annual cadence.
Frequently Asked Questions (FAQ)
How far in advance should I book a penetration test?
Plan for 4-8 weeks of lead time for most engagements. During Q4 or if you need specialized skills like OT/ICS testing, allow 10-12 weeks. Scoping calls and SOW negotiation typically add 1-2 weeks before the engagement start date.
Should I run a penetration test before or after a product launch?
Test after your staging environment is stable and feature-complete, but before production deployment. Testing during active development wastes effort because the attack surface changes between test completion and launch.
Is it better to pentest before or after a cloud migration?
Test the target environment after migration is complete and the configuration is stable. Pre-migration tests against the legacy environment have limited value since the architecture is about to change. A brief pre-migration review of the planned architecture is useful, but the full pentest should come after cutover.
How do I align penetration testing with SOC 2 or PCI DSS audits?
Work backward from your audit window. Complete the pentest 8-12 weeks before the auditor arrives. This gives your team time to remediate critical and high-severity findings and document the fixes, which strengthens your audit evidence package.
Does penetration test pricing change throughout the year?
Yes. Many companies see a spike in demand during Q4 as organizations rush to complete annual testing before year-end. Some firms also see increased demand before common audit windows in Q1. Booking during Q2 or Q3 often means better availability and potentially lower rates.
