How long does a penetration test take?

It is one of the most common questions we hear from businesses considering penetration testing services, and it is entirely reasonable to ask. Whether you are trying to plan around a compliance deadline, need to assess your risk, fit the work into your IT team’s schedule, or simply understand what you are committing to, knowing how long a pen test takes is a practical concern, not an awkward one.

The straightforward answer is that it depends. A pen test on a single web application for a small business looks very different from a full infrastructure assessment for a multi-site organisation. But that answer is not particularly useful on its own, so let’s break it down properly.

If you are reading this because you have just experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.

First, understand what ‘the test’ actually involves

When people ask how long a penetration test takes, they often have only the testing phase in mind. In practice, a full engagement runs across three distinct stages, each of which takes time due to manual testing methods:

Scoping

Before any testing begins, a solutions architect or senior consultant will work with you to define exactly what will be tested, from which locations, and during which hours. This process typically takes place over a call or meeting and results in a formal Statement of Work.

For straightforward engagements, scoping might take a day or two. For complex, multi-site assessments, it can take longer. Getting this stage right matters because a poorly scoped test may miss critical vulnerabilities, leading to a misleading picture of your security posture.

Testing

This is the active phase, where a qualified tester (or a team of pen testers) works through your environment using a combination of manual techniques and automated tools to identify vulnerabilities. The duration here varies considerably depending on the test type and the scope.

Human pen testing experts are highly experienced security professionals who know how to find exploitable vulnerabilities that automated scans often miss.

Reporting

Once testing is complete, the tester writes a detailed report covering the identified vulnerabilities, how they were or could be exploited, the risk they pose, and clear remediation guidance.

For a typical engagement, reporting takes roughly one day for every day of testing, though this varies with complexity. You should expect a draft report within a few days of testing completion, with a final version issued after you have had the opportunity to review it.

How long does each type of penetration test take?

The biggest single factor in duration is the cyber security assets you’re testing. Here is a realistic guide to the testing phase for the most common assessment types.

External infrastructure

An external infrastructure test focuses on assets visible from the internet, such as firewalls, VPN endpoints, mail servers, and public-facing systems. For a small organisation with a modest number of internet-facing assets, testing for security issues typically takes between one and three days.

Larger estates with a significant number of IP addresses in scope may take four or five days or more. External tests are generally conducted remotely and during standard working hours.

Internal infrastructure

An internal test simulates what an attacker who has already gained a foothold in your network could do (e.g., malicious hackers or disgruntled employees). These tests can be conducted on-site or via a VPN connection with a small device placed within your environment.

Because internal networks tend to be more expansive, with many hosts, subnets, and services to examine, the time required for these engagements typically runs from three to five days for a mid-sized organisation.

Complex environments with multiple sites, heavily segmented networks, or large Active Directory estates will take longer.

Web application

Testing web apps is one of the most variable in terms of duration, because applications vary enormously in size and complexity. A straightforward brochure-style site with limited functionality might be tested thoroughly in two to three days.

Complex web application penetration testing for a large e-commerce platform, customer portal, or SaaS application with dozens of features, user roles, and integrations could take ten days or more.

The number of pages is less relevant than the number of distinct functions and the complexity of the underlying logic.

Mobile application

Mobile application testing covers the app itself (for both iOS and Android), its communication with backend APIs, and how it stores data on the device. A typical mobile app test runs between three and five days, though this extends if the application is large or if both platforms need to be tested independently with distinct codebases.

Wireless network

Wireless assessments examine your Wi-Fi infrastructure for vulnerabilities in encryption, authentication, and configuration. A single-site wireless test typically takes one to two days and is always conducted onsite. Multi-site organisations will need to factor in travel time and may require multiple testers working in parallel.

Red team exercises

A red team exercise is a different beast entirely. Rather than working through a defined scope systematically, a larger pen test team simulates an attack by a real-world adversary pursuing a specific objective, such as accessing financial systems or exfiltrating sensitive data.

These engagements are designed to test not just your technical controls but also your people and processes, including whether your security team detects and responds to the activity. Red team exercises typically run for two to six weeks, and sometimes longer.

They are not suitable for every organisation, but are highly valuable for those with mature security programmes who want to genuinely test how they would hold up against a determined attacker.

Other factors that affect how long it takes

Beyond the type of test, several other variables can lengthen or shorten an engagement. Understanding these can help you plan more accurately and have a more productive conversation with your testing provider during scoping.

• Scope Size: More IP addresses, more URLs, more applications, more users. It is fairly linear: a larger scope requires more testing time. During scoping, your provider will map out exactly what needs to be tested and translate that into a day count.
• Complexity and Customisation: A bespoke internally developed application takes longer to test than an off-the-shelf product with well-known behaviour. Unusual architectures, heavily customised systems, or environments with complex trust relationships all add time.
• Testing Hours: Standard penetration testing is delivered during normal business hours, typically 09:00 to 17:30, Monday to Friday. If you need testing conducted out of hours to avoid disruption to live services, this usually incurs additional cost and may extend the overall schedule.
• Retesting: A penetration test is not complete upon receiving the report. After your team has worked through the remediation steps, a retest verifies that the fixes hold up and that no new issues have been introduced. Retesting is typically scoped and priced separately and takes a fraction of the time of the original engagement.

Black Box vs Grey Box vs White Box Penetration Testing Services

The approach penetration testers use also defines the duration:

• Black-Box Testing: The tester has no prior knowledge of the target system and behaves like a real-world hacker. These tests often take longer because reconnaissance must be conducted from scratch.
• Grey Box Testing: The tester is given credentials or partial system knowledge. This method tends to be an efficient way of gaining assurance.
• White Box Testing: With access to full source code and architecture documentation, white box testing allows testers to focus their efforts where they matter most and shortens the engagement while providing a more thorough outcome.

What does the end-to-end timeline look like?

If you are planning regular penetration testing to meet regulatory requirements (DSS and PII), it helps to consider the full timeline from first enquiry to final report, not just the days of active testing.

• Initial enquiry and scoping: one to two weeks. This accounts for conversations, completing a scoping questionnaire, and receiving a formal proposal.
• Scheduling: one to three weeks. Reputable penetration testing firms book up. Once you sign off on the work, you will be assigned a testing slot based on tester availability. Demand for qualified testers is high in the UK, and quality providers are rarely available immediately.
• Active testing: one to ten or more days, depending on scope and type.
• Reporting and delivery: three to seven business days after testing concludes.

For a typical external infrastructure or web application test, you should plan for roughly four to eight weeks from initial enquiry to receiving your final report. If you are working to a compliance deadline, such as Cyber Essentials Plus, ISO 27001 certification, or a client contractual requirement, factor this in with significant headroom.

A word on rushing penetration tests

It is worth being direct about this: a penetration test is a manual, ethical hacking process. Unlike a vulnerability scan, which can crawl a network in minutes, a thorough penetration test requires a skilled tester to think creatively, chase threads, and simulate the behaviour of a real attacker. That takes time, and cutting the time cuts the quality.

A test that is under-scoped or artificially shortened may miss chained vulnerabilities, where two individually minor issues combine to create a critical exposure. It may not explore less obvious attack paths. And critically, it may give you a false sense of confidence that is more dangerous than no test at all.

A good testing provider will push back if the scope you are proposing does not allow enough time to do the job properly. That is not them being difficult; it is them protecting the value of the exercise.

What happens after the test?

Receiving your report is not the end of the process. The real value of a penetration test lies in acting on its findings. A well-written report will prioritise vulnerabilities by severity and give your team clear, actionable steps to remediate each one. Once you have worked through those steps, a retest confirms that the fixes hold up and that no new issues have been introduced.

Many organisations also use their report as evidence for insurers, clients, or regulators that they take security seriously and are actively managing their risk.

If you are ready to discuss what a penetration test would look like for your organisation, the team at Zensec can work through your requirements and give you a clear picture of timelines and costs. Find out more about our penetration testing services and get in touch to start the conversation.