
When to do Penetration Testing

Learn about the process of scheduling a penetration test: when the best time is and who should have the authority to arrange one.

Regular penetration testing is becoming increasingly important. What many business owners seem to want to know, however, is when to arrange a system test. Any application that processes personal data, whether by storing or retrieving it, needs to have its security tested regularly according to GDPR Article 32(1)(d). Many systems have never had their security tested and as such are open to attack. This type of security testing extends not only to web applications and mobile apps but also to office networks and cloud infrastructure. Any part of an organisation that holds or processes data must have its security tested.

When to get my system tested

If an application is in development and not fully functional, penetration testing may not be the best option just yet, as certain parts may change over time. Systems or applications that are feature-complete and launch-ready should have their security tested with a GDPR penetration test. This will ensure the security of the system and the data it manages.

Any time an application has a change to its codebase or configuration, it should be tested again. This will ensure that any changes made do not compromise the security of the system and cause a data breach.

When systems are not subject to testing, it is entirely possible that they may be open to compromise. If a system manages sensitive information in any way, it should undergo testing as soon as possible.

Does the time of year matter?

Penetration testing can take place at any time of the year with no impact. Different organisations tend to pick a specific time of year for a security test due to other factors such as:

  • System usage
  • Update schedule 
  • Compliance 
  • Launch date

Penetration Testing with Sencode

Sencode recommends a yearly security test even if the codebase of an application has not changed. This is due to the evolving nature of cyber security. New vulnerabilities become apparent almost on a daily basis. An application that is not compromisable today will almost certainly be so a year from now.

Frequently Asked Questions


The time it takes to arrange a penetration test varies, but it is often limited by availability for two things. Firstly, a scoping meeting is required to determine the parameters within which a penetration test can be conducted, and this may be subject to the size and complexity of a system. Secondly, a project proposal and the goals of the test must be agreed. Usually, systems can begin to be tested within two weeks of the initial call being placed, but this response time can be shortened depending on tester availability.


Anyone in an organisation with the responsibility of managing the system requiring testing can organise a penetration test. This often falls to CTOs, Technical Directors or Managing Directors.