
How Long Does a VAPT Take? Timeline Guide India

Procurement and audit teams ask this constantly: how long is a VAPT, really? The honest answer is that it depends on scope, but the variation is bounded and predictable. Here are realistic timelines for every type of engagement we deliver, including the parts that customers usually underestimate.

Published 23 May 2026. 9 min read. Codesecure VAPT Team.

Key Takeaways

  • Web app pentest: 1 to 2 weeks of testing plus 3 to 5 days of reporting. Typical end-to-end calendar time: 3 weeks.
  • Network pentest (external or internal, 1 to 50 hosts): 1 week of testing plus 3 to 5 days of reporting. Typical end-to-end: 2 to 3 weeks.
  • Mobile app pentest (single platform iOS or Android): 1 to 2 weeks testing plus 3 days reporting. Both platforms together: add 50 percent.
  • Cloud, AD and Kubernetes pentests: 2 to 4 weeks testing each because of the larger object graph and longer enumeration paths.
  • The variables that move the timeline most: scope clarity at kickoff, test-environment readiness, customer responsiveness to clarification questions, and whether re-test is in-window.

Why 'It Depends' Is the Honest Answer

VAPT timelines are bounded but not fixed. They depend on the scope size, the technology stack, the customer's environment readiness (test accounts, VPN, scoped IPs, mobile build distribution, container images, cloud read-only credentials), the customer's responsiveness to mid-engagement clarification, and whether re-test is included in the same engagement or queued separately.

Below we give the typical end-to-end calendar time for each engagement type at Codesecure. These figures assume good environment readiness and a reasonable scope. We also note the variables that push timelines longer in real engagements.

Web Application Pentest Timeline

A typical SaaS web application engagement runs over three calendar weeks. Week one is scoping clarification and environment setup (test accounts provisioned, IP whitelisted, staging URL confirmed, scope of subdomains and host segments locked). Active testing runs across week two, sometimes week three, depending on application size. Reporting takes 3 to 5 working days following the end of testing.

Variables that move the timeline: number of user roles (a multi-tenant SaaS with 5+ role types takes longer than a single-role app), feature surface (many forms and workflows means more BOLA / IDOR / mass-assignment tests), authentication complexity (SSO, MFA, custom JWT flows), and the depth of admin and back-office functionality. A complex multi-tenant SaaS with 8 role types can run 3 weeks of active testing alone.


Network Pentest Timeline (External and Internal)

An external network pentest covers the customer's internet-facing IP and DNS footprint. A scope of 1 to 50 hosts typically runs 1 week of testing plus 3 to 5 days of reporting. The figure scales sub-linearly because the marginal cost of an additional host is small once tooling is configured.

An internal network pentest assumes a starting position inside the network (VPN, on-site, or a planted Pwnbox). For an estate of up to 500 hosts and a typical Active Directory forest, 1 to 2 weeks of testing is standard. Where the engagement is paired with an Active Directory pentest, expect 3 to 4 weeks total. Where the engagement extends across multiple sites or branch offices, scope it as a programme.

Mobile Application Pentest Timeline

An iOS or Android pentest of a single application typically runs 1 to 2 weeks of active testing plus 3 days of reporting. Both platforms together (iOS plus Android of the same product) typically run 50 percent longer than a single platform: the application logic is similar, but the platform-specific tests (Keychain versus Keystore storage, runtime hooking with Frida, jailbreak versus root detection bypass) each have to be run separately.

Variables: heavy use of native code (C/C++ libraries) extends the timeline through reverse engineering; complex offline functionality (apps that work offline and sync) requires deeper local-storage and synchronisation testing; and integrations with payment SDKs, biometric SDKs, or DRM modules each add a sub-deliverable.

API Pentest Timeline

A REST or GraphQL API pentest typically runs 1 to 2 weeks. Where the API has 10 to 50 documented endpoints, 1 week is standard. A scope of 50 to 200 endpoints runs 1.5 to 2 weeks. Beyond 200 endpoints, scope it as a programme or sample a representative subset.

GraphQL APIs tend to take longer than REST APIs of similar surface area because of nested-field testing, introspection abuse, batching, and query-depth analysis. SOAP and gRPC APIs slot into the same range with similar variables.


Cloud, Active Directory and Kubernetes

A cloud pentest (single cloud provider, single account or subscription) typically runs 2 to 3 weeks. Larger or multi-account cloud estates run 3 to 5 weeks. Multi-cloud (AWS plus Azure, or any pair) typically runs as a programme over 4 to 6 weeks.

An Active Directory pentest of a single forest typically runs 2 to 3 weeks. Hybrid coverage including Entra ID extends to 3 weeks. Multi-forest enterprise estates run 3 to 5 weeks. A Kubernetes pentest of a single cluster runs 2 to 3 weeks. Multi-cluster coverage spanning EKS plus AKS plus GKE runs longer.

Specialty Engagements: IoT, Wireless, Thick Client, SCADA

An IoT pentest of a single device covering hardware, firmware, radio, mobile companion app and cloud backend: 3 to 5 weeks. A wireless pentest for a single corporate site: 1.5 to 2 weeks (5 to 8 days on-site plus reporting and offline cracking). A thick client pentest of a single application: 2 to 3 weeks. A SCADA and ICS pentest of a single site: 4 to 8 weeks (including the pre-engagement workshop and safety planning).

The Variables That Move The Timeline Most

In real engagements, the timeline is moved more by environment readiness than by technical complexity. The recurring blockers we see at kickoff are: test accounts not provisioned, VPN access not granted, the right contact for clarification being on leave, scope still being negotiated mid-engagement, and the staging environment being refreshed during the engagement, which forces partial revalidation. Each of these adds days.

The recurring accelerators are: a single named technical contact on the customer side, a test environment refreshed before kickoff rather than during it, scope locked in writing before testing starts, an optional daily 15-minute standup for high-priority engagements, and a Slack or Teams channel for asynchronous clarification. Customers that get these right see their engagements run at the lower end of the published ranges.


Frequently Asked Questions

Can a VAPT be done in a few days?

For a very small scope (a single web app with one role, or an external network with under 10 hosts), 4 to 5 days of active testing is feasible, plus 2 to 3 days of reporting. Marketing claims of a '24-hour pentest' or 'instant pentest' are usually automated scans rebadged. A manual VAPT cannot be done in 24 hours, and Codesecure does not offer that.

Can you compress the timeline if we are in a hurry?

Yes, with two named consultants working in parallel and the customer environment fully ready. We can typically compress a standard 3-week web app engagement to 10 working days. Beyond that, parallelisation hits diminishing returns and quality starts to drop. We tell customers honestly when more time would yield a meaningfully better outcome.

What about re-test: is that inside the original timeline?

Re-test is included free within 90 days of report delivery, and runs as a separate 2 to 5 day pass once the customer has remediated. We do not bundle re-test inside the original test window because the gap (the customer's time to fix) matters more than the calendar.

How long does report writing actually take?

Roughly 25 to 35 percent of total engagement time is report writing, depending on engagement type. For a 2-week test, expect 3 to 5 working days of writing. A consultant who closes testing and produces a report on the same day is producing a templated copy-paste deliverable, not a real engagement report.

Do you offer a guarantee on timeline?

Yes. Codesecure publishes a fixed-price proposal with a fixed end-date for every engagement. If we miss the date, we credit the next engagement. Our on-time delivery rate across 2024 to 2025 was over 95 percent.


Codesecure VAPT Team

OSCP / CEH / CISSP Certified Penetration Testers

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs manual, OSCP-led VAPT across web, API, mobile, network, cloud, Active Directory, IoT, wireless and thick client. Named consultants, fixed-price proposals, free retest within 90 days. 150+ businesses secured across India, Singapore, UAE, Australia and the Middle East.
