How Long Does a Penetration Test Take? UK Guide 2026

“How long does a penetration test take?” is one of the most common questions we get during scoping calls. The honest answer ranges from 2 days for a small web application to several weeks for a comprehensive red team engagement. The variation is real and driven by scope, methodology, and the testing approach you’ve agreed.

This guide gives you specific timelines for every common penetration testing engagement type, what determines the duration, and how to plan around it. The figures are based on UK CREST-certified providers — your timeline may differ if you’re using offshore or non-certified delivery.

Penetration Test Duration: Quick Reference

| Test Type | Active Testing | Total Engagement (incl. scoping & reporting) |
|---|---|---|
| Web App (small) | 2–3 days | 2 weeks |
| Web App (mid-size) | 4–5 days | 2–3 weeks |
| Web App (large/complex) | 7–10 days | 3–4 weeks |
| Mobile App (iOS or Android) | 4–5 days | 2–3 weeks |
| Mobile App (iOS + Android) | 7–10 days | 3–4 weeks |
| API Penetration Test | 3–5 days | 2 weeks |
| External Infrastructure (up to 50 IPs) | 3–4 days | 2 weeks |
| Internal Network (up to 100 nodes) | 4–6 days | 2–3 weeks |
| Internal Network (enterprise, 500+ nodes) | 2–3 weeks | 5–6 weeks |
| Cloud Security Review (single platform) | 4–6 days | 2–3 weeks |
| Multi-Cloud Review (AWS + Azure + GCP) | 2 weeks | 4–5 weeks |
| Red Team Exercise | 3–8 weeks | 6–12 weeks |
| Phishing Assessment | 1–2 weeks | 3 weeks |

What’s Included in “How Long”

The active testing window is only one part of the engagement. A full penetration testing engagement involves five phases:

Phase 1: Scoping (3–5 days)

This is the agreement and preparation phase. It includes scope definition calls, signed scope of work and rules of engagement, NDA execution if not in place, technical preparation (whitelisting, account creation, VPN access), and timeline confirmation. Don’t skimp here — poor scoping is the single most common cause of penetration tests that miss critical findings or run over budget.

Phase 2: Active Testing (varies)

The hands-on testing window. The tester is actively probing systems, attempting exploitation, and documenting findings. Duration depends entirely on scope and complexity — see the table above.

Phase 3: Reporting (3–5 days)

Writing the report after active testing concludes. Includes executive summary, technical findings with reproduction steps and screenshots, CVSS scoring, remediation guidance, and compliance mapping where required. Some firms (including EJN Labs) deliver findings to a portal in real time during testing — meaning by the time active testing ends, only the final report compilation remains.

Phase 4: Findings Walkthrough (1 day)

A call to walk through the report with your team — typically 60–90 minutes. Useful for ensuring remediation owners understand the findings and have what they need to fix them. Some firms charge separately for this; others (including EJN Labs) include it as standard.

Phase 5: Retest (2–3 days, typically 30–60 days later)

Verifying that remediation has been implemented effectively. Conducted at an agreed point after the original test, typically 30–60 days later. The retest confirms the original findings have been resolved and no new vulnerabilities have been introduced by the fixes.

What Determines Penetration Testing Duration

Scope and Complexity

The biggest factor. A web application with two user roles and 30 endpoints is dramatically faster to test than one with twelve roles and 300 endpoints. For mid-size applications expect 4–5 days; for very large applications (enterprise SaaS, complex multi-tenant architectures) expect 7–10 days or more.

Testing Approach

Black box (no information given) tests take longer than white box (full information) tests because reconnaissance is part of the engagement. Grey box (the most common) sits in the middle. For the same budget, white box testing typically achieves greater coverage in less time — but black box tests are sometimes contractually required.

Number of Engineers

For larger engagements, multiple engineers can work in parallel — but coordination overhead means doubling the team doesn’t halve the duration. A two-engineer team typically delivers a large engagement in 60–70% of the duration a single engineer would require.

Discovery During Testing

If significant vulnerabilities are discovered early in testing, follow-up exploitation, lateral movement attempts, and impact validation can extend the engagement. This is usually a good thing — it means the test is finding real risk — but it can affect timelines. Good firms manage this by agreeing scope priorities at the start of each day during longer engagements.

Out-of-Hours Requirements

If testing can only occur outside business hours (production-sensitive environments, retail systems during off-peak), the calendar duration extends because each “testing day” is actually 6–8 hours of overnight work.

Environment Stability

If the test environment is unstable, slow, or differs significantly from production, testing extends. Provide a stable, production-equivalent environment with seeded test data — this is the single biggest thing you can do to keep testing on schedule.

How to Plan Around the Timeline

  1. Plan 4–6 weeks total lead time for most penetration testing engagements. This covers scoping, active testing, reporting, and a findings walkthrough. Add another 4–6 weeks if you need a retest pass.
  2. Don’t book testing into a deployment freeze — testers need a stable environment. Schedule testing for a period when the application or infrastructure is reasonably static.
  3. Allocate engineering time for remediation — Critical findings should be fixed within days, not weeks. If your team has no capacity to remediate during the engagement window, the test value is significantly reduced.
  4. For audit deadlines, work backwards — If you need a clean penetration test report for an audit submission on a fixed date, allow 6–8 weeks total: 4 weeks for the test plus 2–4 weeks for remediation and retest.
  5. For ongoing compliance, schedule annually — Most frameworks (PCI DSS, ISO 27001, SOC 2, Cyber Essentials Plus) require annual testing. Align all your testing into a single annual planning cycle to optimise procurement.

Frequently Asked Questions

How long does a penetration test take?
A typical UK penetration test takes 2–3 weeks end-to-end for a mid-size engagement: 1 week scoping, 4–5 days active testing, and 3–5 days reporting. Smaller engagements complete in 2 weeks; larger engagements (red team, enterprise networks) can run 6–12 weeks.

How long is the active testing window?
For most engagements, active testing runs 3–10 days. Web application tests typically take 4–5 days for mid-size apps. Infrastructure tests for a 100-node network typically take 4–6 days. Red team exercises run weeks rather than days.

Can a penetration test be done in a day?
For very small, defined scopes (a single API endpoint, a small marketing website with no authentication), a one-day test is possible. For anything handling user data, payments, or business-critical functions, a one-day test will not provide meaningful security assurance. Be cautious of vendors offering one-day tests for typical applications — they’re using automated scanning, not penetration testing.

Does CREST certification affect how long the test takes?
Slightly. CREST-certified engineers tend to follow more rigorous methodologies, which can extend testing time but produce more thorough findings. The difference is typically 10–20% longer for the same scope, in exchange for substantially higher quality output.

How much notice do I need to book a penetration test in the UK?
Most reputable UK CREST-certified firms book 4–8 weeks ahead. For urgent requirements (incident response, audit deadline, regulatory request), shorter lead times are sometimes achievable but availability is limited. If you have a known audit cycle, book your testing 8–12 weeks ahead to secure your preferred dates.

How long until I get the report after testing finishes?
Typically 5–10 business days after active testing concludes. EJN Labs delivers findings to a client portal in real time during testing, so the final report assembly is usually 3–5 days after the active testing window closes.

Get a Specific Timeline for Your Test

Tell us what you need to test, and we’ll give you a specific timeline based on your scope, complexity, and any constraints (audit deadlines, change freezes, regulatory dates). 30-minute scoping call, no obligation.
