What is the lead time for a pentest?

The throughput time of a pentest depends on several factors. For example, automated tools that are used during security testing can have a turnaround time of a few days to a week, depending on the application size and server response times. Test results are always checked by a second tester (four-eyes principle), which takes extra time. Usually the lead time of an extended pentest is three to four weeks after the start of the work.

For example: a pentest is budgeted for 32 hours. Researchers start testing the web application on 1 April. The expected delivery date of the report will not be in the same week on 4 or 5 April (after 32 hours), but in the week of 22 - 26 April (after 3 - 4 weeks).