A vulnerability assessment doesn't happen overnight—it's a methodical process that unfolds over weeks or months depending on your environment's size and complexity. Understanding the timeline helps you plan resources, budget appropriately, and set realistic expectations with your security team. Here's what actually happens from kickoff to final report.
Pre-Assessment: Scoping and Planning (1–2 weeks)
Before any testing begins, your chosen provider needs to understand what they're assessing. This phase involves defining scope, identifying systems in and out of bounds, and clarifying business objectives.
Expect your vendor to:
- Request network diagrams, asset inventories, and system documentation
- Clarify testing windows (many assessments happen outside business hours)
- Confirm authentication credentials for internal tests versus external-only testing
- Establish communication channels and escalation contacts
- Detail any compliance requirements driving the assessment (PCI-DSS, HIPAA, SOC 2)
This isn't admin busywork—poor scoping leads to missed vulnerabilities or wasted effort testing irrelevant systems. Budget 5–10 hours of your time here.
Discovery and Reconnaissance (1–2 weeks)
The assessment team begins passive and active reconnaissance to map your attack surface. They're identifying web applications, APIs, network services, cloud instances, and anything exposed to potential attackers.
Active scans might include:
- Port and service enumeration across network ranges
- DNS lookups and subdomain discovery
- Web application crawling and endpoint mapping
- Cloud bucket and storage enumeration
- Certificate transparency log searches
This phase is non-intrusive enough for business hours but creates traffic logs and alerts. Notify your SOC or security operations center to avoid false alarms.
Vulnerability Scanning (1–3 weeks)
Automated vulnerability scanners run against discovered assets, identifying known vulnerabilities, misconfigurations, and weak credentials. This is where most findings first surface.
Realistic expectations: A mid-sized organization (50–100 servers, 10–20 web apps) typically generates 200–500 initial findings. Most are low-risk false positives or negligible issues; 10–20% warrant real attention.
Scanning intensity depends on whether you're doing external-only testing (lower risk, faster) or deep internal network scans (more thorough, potential for service impact). Coordinate timing with your infrastructure team.
Manual Testing and Exploitation (2–4 weeks)
This is where the human expertise kicks in. Testers move beyond automated findings to validate vulnerabilities, chain multiple issues into attack chains, and test business logic flaws that scanners miss.
Examples of manual testing work:
- Attempting SQL injection, cross-site scripting, and authentication bypass
- Testing API security and data exposure
- Validating privilege escalation paths
- Checking for insecure deserialization or unsafe file uploads
- Assessing cloud IAM configurations for over-permissioning
A skilled tester might uncover that a "low-risk" information disclosure vulnerability, combined with weak password policies, enables a real breach scenario. This nuance rarely appears in automated reports.
Manual testing is resource-intensive; for complex environments, expect 100–300 billable hours spread across 2–4 weeks.
Documentation and Report Writing (1–2 weeks)
Once testing concludes, the vendor compiles findings into a formal report. Quality matters here—a report that's hard to understand or prioritize is nearly useless for remediation.
A strong assessment report includes:
- Executive summary with risk ratings and remediation priority
- Detailed vulnerability descriptions with reproduction steps
- Business impact explanations (not just technical jargon)
- Remediation recommendations specific to your environment
- Supporting evidence (screenshots, proof-of-concept code)
Some providers offer tiered reports: a detailed technical version for your security team and a high-level summary for leadership. Request this upfront if both audiences matter.
Review and Debrief (1 week)
Most providers include a debrief session to walk through findings, answer questions, and discuss remediation strategy. This is your chance to clarify severity ratings or challenge assumptions about exploitability.
Total Timeline: 8–14 weeks
For a typical mid-market organization, expect the full cycle—from contract signing to final report in your hands—to take 2–3 months. Larger environments or those with strict security controls may stretch to 4+ months.
Mercoly makes comparing assessment providers straightforward; you can view timelines, pricing, and methodologies side-by-side before committing.
Frequently Asked Questions
Q: Can my team continue normal work during an assessment? Yes, though active scanning and manual testing may create performance dips or alert security tools. Schedule scans outside peak hours and notify your NOC in advance.
Q: What's the typical cost? Expect $15,000–$50,000+ depending on environment size, scope (external vs. internal), and test duration; larger or compliance-driven assessments cost more.
Q: How often should we repeat assessments? Annual assessments are standard; high-risk industries or after major infrastructure changes warrant semi-annual testing.
Start comparing trusted assessment providers today and find the right fit for your security timeline.