Effort Estimation of Penetration Tests Using the Timeboxing Method

Timeboxing is a core concept in agile software development, and its use is expanding into more and more areas. A timebox defines the fixed amount of time available to complete a given task. What makes the timeboxing method unique is that it prioritizes time over content and resources.
This makes it an excellent fit for agile workflows and helps sharpen focus. Another key aspect of timebox management is that scope and content can change at any point -- the timeframe, however, remains the same.

Timebox vs. Deadline: What Is the Difference?

Mobile and web applications are now routinely developed using agile methodologies, where the focus is less on deadlines and more on timeboxes. Although deadlines and timeboxing are not mutually exclusive, there are three key differences:

• A deadline is set by the client, not the development team. With a Scrum timebox, it is the other way around: the team decides which tasks are feasible within the given timebox.
• Timebox management aims to complete a defined set of tasks within a predetermined period. Unlike a deadline, there are no consequences if individual items remain unfinished.
• The most important difference is the mindset. Timebox management centers on a self-directed development team, whereas deadlines revolve around the client's specifications.

The Timeboxing Method in Practice

Timeboxing is an effective technique for maintaining focus. You can apply it equally to web application development and personal tasks. In practice, the method follows several steps:

• You define a timebox that remains consistent over a longer period. In development teams, this is usually 2 or 4 weeks.
• You assign a number of tasks to each timebox. The rule is simple: the more time available, the more requirements you can fit in.
• When the time is up, the cycle ends -- regardless of whether all tasks are complete. Open items carry over to the next timebox.

What makes this approach stand out is that you can use timeboxing even for projects that cannot be specified precisely. At the same time, highly dynamic initiatives are particularly well suited to this method.
Good to know: Traditional planning focuses on individual tasks, whereas timeboxing focuses on the sequence of work stages. This makes it suitable for the development of health apps or DiGAs as well as for complex pentests within an organization.

Timeboxing as a Tool for Personal Time Management

The timeboxing method helps you work more efficiently. You can apply the approach to personal projects and your daily work routine alike. Start by dividing the available working time into equally sized timeboxes.
Next, define the tasks to be done and estimate how long each one will take. Once you have completed this effort estimate, distribute the tasks across individual timeboxes and work through them one by one.
By the way: The Pomodoro technique follows essentially the same principle but uses very short time windows. With timeboxing, you can be more generous with your focus periods.

Timeboxing in Classical Project Management

Regardless of the agile approach, the Scrum timebox can also be applied in classical project management. You plan your project at the top level with work packages and then assign them to the respective timeframes.
Since this methodology requires a shift in thinking, many project managers opt for a hybrid approach: they plan part of the tasks in the traditional way and implement the other part using timeboxes. This allows you to account for project aspects that are difficult to estimate in advance.

Timeboxing in the Context of Scrum

The timebox originated in agile software management. You can use it for infrastructure pentesting, mobile applications, or software development alike. Every Scrum project is built on defined cycles during which you continuously improve your deliverables.
In fact, many aspects of Scrum revolve around the timebox. The user stories in the backlog form the foundation, focusing on the project's added value. The development team breaks each story down into individual tasks so they fit into the respective timebox. The most important timeboxing events in Scrum include:

• Sprint: The sprint is the timeframe available for work. During this timebox, the focus is on all the tasks the development team has committed to.
• Grooming: The Product Owner and the team build a shared understanding of the user stories.
• Planning: In the sprint planning timebox, the project team commits to the tasks for the next sprint.
• Review: At the end of the sprint, team members present what they worked on during the sprint period.
• Retro: This timebox supports continuous improvement within the team and takes place at the end of each sprint. Here you discuss not only problems, but also what went well.
• Daily: The daily standup takes place every day and lasts a maximum of 15 minutes. Each team member answers three key questions: What did I do yesterday? What am I working on today? Is anything blocking my progress?

Good to know: Each Scrum event receives its own timebox -- for example, the sprint planning timebox. It can range from a few hours to several working days, depending on the sprint duration.

The Importance of Timeboxing in IT and Software Development

Timeboxing is an essential tool in modern software development. It helps you sharpen your focus and concentrate on the tasks at hand. Rather than following the waterfall model, the methodology promotes dynamic development and enables continuous improvement. That is why experts such as turingpoint and Atlassian rely on this approach.
Timeboxing works even for pentests with varying test methods: white-, black-, and grey-box tests can differ significantly in scope. The predefined timeframe makes it possible to focus on the most critical aspects.
Naturally, you need to understand the underlying IT infrastructure for an accurate effort estimation. Although the Penetration Testing Execution Standard (PTES) provides a framework, the actual procedure can vary from one organization to another. For example, there are six Linux distributions for penetration testing, each suited to different target environments.
With timeboxing, you start by estimating the effort required for the upcoming tasks. This makes it easier to gauge the overall workload, which in turn makes costs and pricing for a pentest far more transparent. At the same time, you can define a clear timeframe within which security experts focus on testing relevant standards -- for example, verifying that the OWASP Mobile Top 10 were considered during development.
Incidentally: Timeboxing is what sets a pentest apart from a red team assessment. While penetration tests can be timeboxed relatively easily, the same does not apply to red team assessments. These are designed to simulate a real attack -- and attackers do not stop at the end of a timebox just because time is up.