When clients schedule an internal network penetration test, one of the first questions we hear is some version of: “Can you do it after hours so it doesn’t disrupt anything?”
It’s a reasonable instinct. The idea is that running a security test while employees are at their desks feels risky. What if something goes wrong? What if the scanning or testing causes a system hiccup that affects someone’s work? Testing at night or on weekends feels cleaner. Nobody’s around, nothing gets disrupted, and the test results are the same either way.
Except they aren’t. Not even close.
The reality is that business-hours testing almost always produces a higher-quality, more realistic, and more useful result than after-hours testing. After nearly 25 years of running internal network tests for organizations across a wide range of industries, this is one of the clearest things we’ve learned: the instinct to push testing to off-hours often works against the client’s interests. Here’s why.
Your Network Doesn’t Behave the Same Way at Night
An internal network penetration test is designed to show what a real attacker could do inside your environment. Real attackers, the ones who actually compromise networks and cause damage, don’t restrict themselves to business hours. But once they are in, most of the reconnaissance and lateral movement happens against the network as it exists during your operational day, because that is when there is traffic to hide in.
During business hours, your network has traffic. Users are logging in and out of systems, applications are running, file shares are being accessed, and authentication requests are flowing. Printers are being used, and people are sending emails. All of that activity is the natural, organic traffic of a functioning organization.
A number of internal attacks depend on other accounts being active on the network, and most of them are the techniques used to move between systems. Poisoning name resolution, capturing or relaying authentication attempts, and harvesting credentials from live sessions all need other hosts to be logging in, opening shares, and talking to one another; without that activity there is simply nothing to intercept. Scheduling a penetration test during routine business activity provides this traffic naturally. When testing is conducted after everyone else has stopped for the day, the testers are artificially limited, which slows their progress and hides paths an attacker would find on a normal weekday.
Certain lateral movement techniques, the methods an attacker uses to pivot from one compromised system to another, work better and are tested more accurately when there’s actual network activity happening. An empty network at 2 a.m. is not the same network your employees use every day. Testing it in isolation produces results that don’t fully reflect the real attack surface.
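One way to see how much of that cover traffic disappears after hours is to profile your own authentication logs by hour of day before picking a testing window. The script below is an added example, not code from the original article or its authors. It works on a small, constructed CSV export in the shape of Windows Security log 4624 (successful logon) records; a real run would read an export from your own domain controllers. The business-hours window of 08:00 to 18:00 local time is an assumption and should be adjusted to your organisation.

```python
"""Profile logon activity by hour of day and show which accounts a tester
would never observe on the wire if the test ran only after hours.

Added example. SAMPLE_EXPORT is constructed data, not a real log.
Business hours (08:00-18:00 local) are an assumption.
"""
from collections import Counter
from datetime import datetime
import csv
import io

BUSINESS_START = 8   # assumed: 08:00 local
BUSINESS_END = 18    # assumed: up to, not including, 18:00 local

# Constructed sample export (time, event id, account, source host).
SAMPLE_EXPORT = """\
TimeCreated,EventID,TargetUserName,WorkstationName
2024-03-12T08:02:11,4624,alice,WS-0142
2024-03-12T08:05:47,4624,bob,WS-0201
2024-03-12T09:13:02,4624,carol,WS-0305
2024-03-12T10:41:55,4624,alice,FS-01
2024-03-12T11:20:19,4624,dave,WS-0077
2024-03-12T13:07:33,4624,erin,PRN-02
2024-03-12T14:55:01,4624,bob,FS-01
2024-03-12T16:30:48,4624,carol,WS-0305
2024-03-12T17:45:09,4624,svc_backup,BK-01
2024-03-12T23:00:04,4624,svc_backup,BK-01
2024-03-13T02:00:02,4624,svc_batch,DB-01
2024-03-13T03:15:30,4624,svc_batch,DB-01
"""


def parse_logons(text):
    """Return (timestamp, account, host) tuples for 4624 events in a CSV export."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EventID"] != "4624":
            continue  # ignore anything that is not a successful logon
        ts = datetime.fromisoformat(row["TimeCreated"])
        events.append((ts, row["TargetUserName"], row["WorkstationName"]))
    return events


def hourly_profile(events):
    """Count logons per hour of day (0-23)."""
    return Counter(ts.hour for ts, _, _ in events)


def business_hours_share(events, start=BUSINESS_START, end=BUSINESS_END):
    """Split logons and accounts into business-hours and after-hours activity."""
    in_hours = [e for e in events if start <= e[0].hour < end]
    after_hours = [e for e in events if not (start <= e[0].hour < end)]
    in_hours_accounts = {acct for _, acct, _ in in_hours}
    after_hours_accounts = {acct for _, acct, _ in after_hours}
    return {
        # share of all logons that happen while people are at their desks
        "logon_share": len(in_hours) / len(events) if events else 0.0,
        # credentials an after-hours tester would never see authenticate
        "accounts_only_business_hours": sorted(in_hours_accounts - after_hours_accounts),
        # what is left on the wire at night (typically service accounts)
        "accounts_active_after_hours": sorted(after_hours_accounts),
    }


def main():
    events = parse_logons(SAMPLE_EXPORT)
    for hour, count in sorted(hourly_profile(events).items()):
        print(f"{hour:02d}:00  {'#' * count}")
    summary = business_hours_share(events)
    print(f"logons during business hours: {summary['logon_share']:.0%}")
    print("accounts seen only during business hours:",
          ", ".join(summary["accounts_only_business_hours"]))
    print("accounts active after hours:",
          ", ".join(summary["accounts_active_after_hours"]))


if __name__ == "__main__":
    main()
```

On the constructed sample, three quarters of the logons and every interactive user account fall inside the business-hours window; the only activity left at night comes from service accounts. That is the shape most organisations see, and it is exactly the traffic a relay or credential-capture technique needs in order to work.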
Real Attackers Don’t Wait for the Building to Empty
There’s a common misconception that after-hours testing is more realistic because that’s when attacks happen. It’s worth addressing directly because it’s only partially true.
In 76% of ransomware infections, the encryption process begins either after hours or during the weekend. That’s a real and important statistic. Attackers deliberately time the destructive phase of an attack for when defenders are least likely to notice. But what that statistic doesn’t show is the full attack timeline. The encryption is the last step. The intrusion, the credential theft, the lateral movement, and the reconnaissance that precede it? Those happen during normal business hours, when the network has traffic to blend into and legitimate-looking activity to hide behind.
CrowdStrike researchers found that the average breakout time (how long it takes for an adversary to start moving laterally across a network after gaining initial access) has reached an all-time low, averaging 29 minutes, with the fastest observed breakout time being 27 seconds. Attackers move through networks quickly by blending into existing traffic. An after-hours test, run on a quiet, mostly inactive network, doesn’t fully replicate those conditions.
If you want to understand how an attacker would actually move through your environment, you need to test it while it’s operating as it does when your people are there.
Something Goes Wrong? You Want People Available.
One of the strongest arguments for business hours testing has nothing to do with test quality. It’s about what happens if something unexpected occurs during the test.
Professional penetration testers work carefully to avoid disrupting production systems. We scope engagements specifically, we communicate with your team about fragile systems, and we use methods that minimize the risk of outages. But this is an assessment that probes real systems for real vulnerabilities, and the honest answer is that a small risk of disruption always exists. The question is whether you want that risk to materialize at 2 a.m. when no one is available, or during the day when your team is present and can respond immediately.
By testing during business hours, the security, infrastructure, development, and operations teams are better positioned to respond promptly to an outage. In many organizations, a production outage is more likely to be detected during the day, whereas one occurring outside regular work hours may not be detected until the following business day.
If a system goes down at 10 a.m. on a Tuesday, someone knows within minutes. If it goes down at 11 p.m. on a Thursday, it may sit broken until employees arrive the next morning, which means a longer outage, greater impact, and a harder recovery. The assumption that after-hours testing protects the business from disruption often produces the opposite result: when something does happen, there’s nobody there to address it.
If the tester realizes during the night that they have caused an issue, they can attempt to alert an on-call point of contact. That gives the business a window to fix the problem before the next working day begins, but it also means that an organization running an after-hours test must provide a point of contact who is reachable by the penetration testers during those off-hours. Failing to provide one negates the intended benefit of after-hours testing entirely.
In our experience, almost no small or mid-sized business has someone available at 1 a.m. to take a call from a tester who has just hit something unexpected. The on-call contact requirement is one that most organizations don’t think through until it becomes relevant, and by then, it’s already too late to matter.
Real-Time Collaboration Produces Better Results
Business hours testing also creates something that after-hours testing simply can’t: the ability to collaborate in real time with your team as the test unfolds.
When we’re testing during the day, your IT staff is present. If we encounter something unusual, like a system that behaves unexpectedly, a configuration that raises questions, or a finding that might have context we’re not aware of, we can ask someone. That immediate back-and-forth improves the quality of the test and helps us avoid spending time on false paths or, more importantly, missing something significant due to a lack of context.
For fragile systems, the best option is real-time collaboration directly between the tester and the appropriate technical leads from the business. This enables careful test coordination, helps avoid attacks during events such as scheduled batch jobs, and positions the business to respond to any issues quickly.
Testing in isolation means testing blind. Your team knows things about your environment that aren’t in any documentation, like a system that tends to behave oddly under load, a batch process that runs at 3 a.m. and shouldn’t be interrupted, or a legacy application that’s more fragile than it looks. When your people are available during the day, that knowledge informs the test. When they’re not, we’re working without it.
When After-Hours Testing Does Make Sense
To be fair to the other side of this conversation, there are situations where after-hours testing is the right call, and we want to be honest about that.
If your organization runs critical systems that genuinely cannot tolerate any risk of disruption during operating hours, for example a hospital whose patient-care systems cannot absorb even a brief interruption, or a financial trading platform that processes time-sensitive transactions, testing outside peak hours can be a reasonable precaution. If you have specific regulatory requirements that specify testing windows, those take precedence. And if you have a system that’s known to be fragile and you’re specifically concerned about its behavior under testing conditions, there may be a case for scoping that piece differently.
The keyword is “specifically.” The decision should be driven by an actual, identified reason why business-hours testing would cause a problem in your particular environment, not by a general sense that it feels safer. For most organizations, that specific reason doesn’t exist, and after-hours testing ends up being a more expensive, more limited, less useful version of what they needed.
What to Tell Your Team Before the Test Starts
One thing that smooths every internal network test, regardless of timing, is communication. Your IT team needs to know a test is happening, when it will run, and where the testers will be operating from, so they don’t mistake testing activity for a real attack and begin incident response procedures. The rest of your staff doesn’t need an extensive briefing, but if you have a security operations function or anyone monitoring alerts, they should know the test is underway.
This communication is easier to manage during business hours, when people are already in contact, and you can loop in the right people as needed. At 2 a.m., reaching someone who isn’t expecting a call is a problem in itself.
The goal of an internal network penetration test is to understand what an attacker could do inside your environment, find the vulnerabilities before someone with bad intentions does, and give you actionable information to address what you find. All of those goals are better served by a test that runs against your network as it actually operates, with your people present, your systems active, and your team available to respond in real time.
If you have questions about how we approach internal network testing, what to expect during an engagement, or how to determine the right scope for your environment, we’re happy to walk you through it. Contact us today for your free consultation.