How Long Does a Penetration Test Take?
For most Arizona small and mid-sized businesses, a penetration test takes a few days of hands-on testing and about one to two weeks for the whole engagement, from the first scoping call to the final report in your hands. A larger, full-scope test can run three to six weeks, but a months-long pentest is the exception, not the rule. If you are weighing a test with an insurance renewal or a client deadline bearing down, that is the practical answer you came for.
This guide breaks down where the time actually goes, what makes a test run longer, and a realistic timeline for each size of engagement. It is written for the business owner who just wants a straight answer before requesting a quote.
The short answer
For a typical small or mid-sized business, the active testing is a few days to about a week. The full engagement, from the first scoping call to the final report in your hands, usually runs about one to two weeks.
A larger, full-scope test (your external network, your internal network, a web application, and a phishing test all in one) can run three to six weeks from start to finish. The single biggest factor is scope: how much you are testing and how complex it is. Everything else is detail.
Here is the catch worth naming up front. The testing and the report are on our clock, and we move steadily. The retest, where we confirm your fixes hold, waits on you. That is by design, and we will come back to it.
Where the time actually goes
A penetration test is not one long block of hacking. It is a handful of stages, and only one of them is the hands-on testing people picture. The shape is well established. NIST lays it out as planning, discovery, attack, and reporting in its testing guidance, and the industry Penetration Testing Execution Standard describes the same arc. Here is how that maps to our five steps and roughly how long each takes.
1. Scope (a call, then a day or two). A short conversation to agree exactly what we test, when, and the rules of engagement, all in writing before anything starts. This is mostly about your availability and getting authorization signed. It is quick, but it sets the timeline for everything after it.
2. Test (a few days to a few weeks). The hands-on assessment, automated tooling plus real manual testing. For a single internet-facing footprint, this is often a few days. Add an internal network, web applications, or phishing, and it grows. This is the stage where scope shows up most directly in the calendar.
3. Report (a few days to about a week after testing ends). We write up what we found in plain English: what is serious, what is not, and proof, with an executive summary your leadership can read and a technical section your IT team can act on. A real person analyzing and prioritizing findings takes a little time. A same-day report usually means nobody did that part.
4. Fix list and walkthrough (your clock). You get a prioritized, do-this-first remediation list, and we are happy to walk your team or your existing IT provider through it on a call. How long you take to fix things is entirely up to you.
5. Retest (scheduled when you are ready). Once you have fixed what we found, we check your work and confirm the fixes hold. This might be days or weeks after the report, on your schedule. The retest is included on every tier, not billed back as an upsell.
So when someone asks how long a penetration test takes, the useful answer is two numbers: about one to two weeks for the test and report on a typical SMB engagement, plus a retest later, whenever you are ready.
What makes a test take longer
Two tests of the same size can run different lengths. These are the things that move the number, in rough order of impact.
- Scope. External only is the fastest. Adding internal network testing, a web application, or a phishing campaign each adds time. More surface to cover means more days.
- Size and complexity of the network. A flat handful of systems is quick. A larger or more segmented environment takes longer to work through carefully.
- Web applications. Each app is its own small project. A login portal, a customer dashboard, and a public site are three different things to test, not one.
- Phishing. A realistic phishing test runs over several days or weeks on purpose, because people check email on their own schedule, not in a single afternoon.
- How much we know going in. With little prior information (a black-box test), more time goes to reconnaissance. With more shared up front (a white-box test), testers spend that time digging deeper instead. We agree which approach fits during scoping.
- Your availability. We schedule testing around your operations, not the other way around. The faster scoping and authorization come together, the sooner the clock starts.
None of this is meant to pad the timeline. A good test takes the time the scope honestly requires, and we tell you that number up front rather than discovering it halfway through.
A realistic timeline by engagement
Here is how the stages add up across our three tiers. Active testing is the hands-on portion. Scoping to report is the whole thing landing in your hands, before the retest.
| Engagement | What is tested | Active testing | Scoping to report |
|---|---|---|---|
| Small External (from $4,000) | Internet-facing systems | A few days | About 1 week |
| Medium Full (from $6,500) | External plus internal network | About a week | 1 to 2 weeks |
| Large Enterprise (from $10,000) | External, internal, web app, and phishing | 1 to 3 weeks | 3 to 6 weeks |
Most Arizona businesses that come to us for a cyber-insurance renewal or a client requirement land in the first two rows: a week or two from the scoping call to a clean, dated report. If you want to understand what drives the price alongside the timeline, the cost guide and the pricing page lay it out.
Why faster is not always better
You can find a “penetration test” that promises results the same day. Be careful with that. A same-day result is almost always an automated scan with a nicer cover page, and an automated scan is not a penetration test. Scanners find the obvious, known issues. A human finds the chain of small things that actually gets someone in, and that work takes a few days, not a few minutes. If you want the difference spelled out, see penetration test vs vulnerability scan.
That said, we know deadlines are real. If your insurance renewal or a contract is on a clock, tell us during scoping. We can often prioritize an external test and turn it around quickly, and we will be honest about what is realistic on your timeline rather than promising something we cannot deliver well.
Frequently asked questions
How long does a penetration test take? For most small and mid-sized businesses, the hands-on testing takes a few days to about a week, and the full engagement from scoping to final report runs roughly one to two weeks. A large, full-scope test covering external, internal, web application, and phishing can take three to six weeks. Scope is the biggest driver.
How long until I get the report after testing ends? Usually a few days to about a week. We write reports by hand in plain English, with findings analyzed and prioritized, rather than exporting a raw scanner file, so a person needs a little time to do that properly. We agree the delivery date with you during scoping.
Does a bigger network make the test take longer? Yes, but size is only part of it. A larger or more complex environment takes more time to work through carefully. So does adding internal testing, web applications, or phishing to the scope. We size the timeline to what is actually being tested and tell you the number before we start.
Can a penetration test be done faster for an insurance deadline? Often, yes. An external test in particular can usually be prioritized and turned around quickly. Tell us about the deadline during scoping and we will give you an honest timeline that still produces a real test, not a rushed scan, so the report holds up with your carrier.
Where you stand, on a timeline that fits your business
A penetration test should not be a mystery that drags on for months. For most Arizona businesses it is a week or two of focused work that ends in a clear, prioritized fix list and a report you can hand to an insurer, a client, or your own IT team. Not sure where you stand, or working against a renewal date? Tell us a little about your business and what is prompting the test, and we will come back with a fair, fixed quote and a realistic timeline. Request a quote, or read what a penetration test actually is first if you are still mapping out the basics.