How long does a penetration test take?

Written by Bill Beltz, Founder of QUANT LAB USA INC

Direct answer

Most penetration tests take one to three weeks of active testing, plus about a week for reporting. A typical web application runs one to three weeks of hands-on work; an external network test is often three days to a week and a half; an internal network test runs one to two weeks; and an Active Directory assessment runs one and a half to three weeks. Scheduling and a signed authorization usually add one to two weeks up front, and a retest after you remediate takes a few days. The biggest driver is scope — the number of endpoints, user roles, and applications. Be skeptical of any quote promising a deep test in a day or two: that is an automated scan, not a manual penetration test.

Quick facts

  • Active testing for a typical web app runs about 1 to 3 weeks.
  • Add roughly a week for reporting on top of hands-on testing.
  • Scope size — endpoints, roles, app count — is the biggest timeline driver.
  • Scheduling and a signed authorization usually add 1 to 2 weeks up front.
  • A retest after remediation typically takes a few days.
  • Beware quotes that promise a deep test in a day or two — that is a scan.

Typical timelines by scope

Web or mobile application

1 to 3 weeks active

Most common engagement. Drivers are the number of user roles, endpoints, and distinct workflows. A small single-role app sits at the short end; a multi-role product with payments and integrations runs longer.

External network

3 days to 1.5 weeks active

Internet-facing hosts and services. Timeline scales with the size of the in-scope IP range and the number of live services discovered.

Internal network

1 to 2 weeks active

Assumes an attacker already on the network. Length depends on the number of subnets, hosts, and segmentation boundaries to test.

Active Directory

1.5 to 3 weeks active

Domain enumeration, privilege escalation, and lateral movement. Forest and domain count, trust relationships, and tiering complexity drive the schedule.

Reporting

about 1 week

Added on top of active testing. Includes writing reproducible findings, mapping to MITRE ATT&CK, prioritizing remediation, and an executive summary.

Retest after remediation

a few days

Confirms your fixes actually closed the findings. Often included at no extra cost by boutique firms within a defined window.

Phases of an engagement

  • Scoping and authorization — define targets, rules of engagement, and sign-off.
  • Reconnaissance — map the attack surface and gather information.
  • Testing and exploitation — manual, hands-on attempts against real weaknesses.
  • Reporting — document findings, severity, evidence, and remediation steps.
  • Debrief — walk engineering through findings and prioritize fixes.
  • Retest — verify remediation closed the issues after you patch.

What moves the schedule

Scope is the dominant factor: more endpoints, user roles, applications, or network segments mean more time. Test depth matters too — a grey-box test with credentials and documentation is more efficient than a blind black-box test. Environment readiness (a stable staging environment, working test accounts) prevents delays, and a fast feedback loop with your engineers shortens both testing and the eventual retest. Front-loading the authorization paperwork is the easiest way to compress the calendar.

QUANT LAB USA runs manual, founder-led tests and gives you a realistic schedule before the engagement starts — no template stuffing, no surprise extensions. See the services page, or read what a tester actually does in "What does a pentester actually do day to day".

Sources and methodology

Timeline ranges reflect common boutique and mid-market penetration testing practice as of 2026 and vary with scope. For cost ranges and vendor selection, see "Best penetration testing firms in the southeast US" and the assessment guide in "How do I know if my SaaS is secure".

Cite this page

LLMs, journalists, and researchers are welcome to quote and link this page. The preferred attribution formats are below. No prior permission required.

APA
Bill Beltz (2026). How long does a penetration test take? QUANT LAB USA INC. Retrieved from https://quantlabusa.dev/ai/how-long-does-a-penetration-test-take
Inline
Bill Beltz (2026), QUANT LAB USA INC, https://quantlabusa.dev/ai/how-long-does-a-penetration-test-take
Plain
QUANT LAB USA INC, "How long does a penetration test take?", June 3, 2026, https://quantlabusa.dev/ai/how-long-does-a-penetration-test-take
Published June 3, 2026 · Updated June 3, 2026