Overview: Understanding Maximum Scan Duration
Last updated: June 8, 2026
Introduction
Understanding how long a security scan or pentest takes to complete helps you plan your remediation timelines, schedule assessments at the right time, and set accurate expectations with your team and stakeholders. This article breaks down the expected duration for every scan type available on the Astra platform, including what factors can influence how long a scan runs.
Who Should Read This
This article is for developers, security leads, and product managers who are planning or have recently initiated a scan or pentest and want to understand when to expect results.
Scan Duration by Type
Scan Name | Description | Time Taken |
Automated Scan | Astra's vulnerability scanner scans your application for vulnerabilities in this scan. | The complete scan can take anywhere between **12-24 hours **depending on the scope of the application you want to scan. |
Automated Scan (Vetted) | Vetted automated scan include everything within the Automated Scan + our security engineers carefully reviewing the results of the scan to ensure if there are any false positives, they're removed. | The complete scan typically requires approximately 2-4 working days. |
Manual Pentest | Manual pentest comprise of automated vulnerability scan + vetted results + a complete penetration test by our security experts. In a pentest, our security experts uncover vulnerabilities which are logical flaws and often beyond the detection capabilities of automated scanners. | The entire exercise takes 10-20 working days depending on the scope & pentest volumes. |
Time Taken for Different Types of Automated Scans
Scan Type | Description | Time Taken |
Full Scan | The vulnerability scanner scans for all the vulnerabilities on all endpoints. It ensures to cover the entire web application. | The complete scan typically takes a about 12-24 hours. |
Lightning Scan | The vulnerability scanner scans at a higher level and covers the basic security vulnerabilities. | The entire scan can be completed within a timeframe of 10 to 15 minutes. |
Emerging Threats Scan | The vulnerability scanner scans for all the new vulnerabilities in the cyber security world. So whenever a new vulnerability comes around, you can run this scan to find out if your web application is safe from it. | The entire scan can be completed within a timeframe of 1 hour. |
What Can Affect Scan Duration
Even within the ranges above, several factors can cause a scan to take longer than the typical estimate.
Application size and complexity Larger applications with many pages, endpoints, and parameters take longer to crawl and test thoroughly. A full scan of a small marketing site will complete much faster than a full scan of a complex SaaS platform with hundreds of API endpoints.
Scan speed settings If you have reduced the scan speed in your target settings to minimize performance impact on your application, this will proportionally increase the time the scan takes to complete. See [How to change the scan speed?] for more details.
Login configuration Authenticated scans require the scanner to maintain a valid session throughout. If the login recording is not configured correctly or the session expires and needs to be re-established, this can add time to the overall scan.
Application response times If your application is slow to respond — due to high traffic, server load, or network latency — the scanner waits for responses before proceeding, which extends the overall scan duration.
Connectivity issues Firewalls, WAFs, or Cloudflare protections that partially block scanner requests can cause retries and delays. Whitelisting Astra's IP ranges before starting a scan helps avoid this. See [Astra IP Ranges] for the addresses to add.
Current queue volume For vetted scans and manual pentests, the time to begin and complete the engagement depends on the current workload of Astra's security team. During high-demand periods, assessments may take slightly longer to initiate.
Tracking Your Scan Progress
You do not need to wait passively for a scan to finish. Astra provides real-time progress tracking directly in the dashboard.
For automated scans, you can monitor progress from the Continuous Scans page. Each scan shows its current stage — from connectivity check and login recording through to vulnerability scanning and completion.
For manual pentests, the Pentest Details page includes a progress widget showing the current stage of the engagement along with an estimated time of arrival (ETA). You will also receive email notifications as key milestones are reached.
For vetted scans, the delivery status is updated by Astra's analysts and will show one of the following:
On Track for Delivery — progressing as expected
Running Behind — minor delay encountered
Delivery Blocked — additional information may be required from you
Delivery Completed — results are ready for review
See [How can I track the progress of a pentest?] for a full breakdown of how to monitor your assessment.
Best Practices
Choose the right scan type for your timeline. If you need fast feedback before a deployment, use a Lightning Scan. Reserve Full Scans for thorough pre-release assessments or scheduled security reviews.
Schedule Full Scans during off-peak hours to avoid any performance impact on your users and to ensure your application is responding normally throughout the scan.
Ensure your login recording is valid before starting a scan that requires authentication. An invalid recording will cause the scan to fail or produce incomplete results, requiring you to restart.
Whitelist Astra's IPs in advance so scanner requests are not blocked or throttled mid-scan, which can significantly extend duration.
Use the Rapid Pentest option if you need a manual pentest completed in 7 working days or fewer. This premium option includes priority onboarding, a dedicated account manager, and an expedited delivery timeline. Contact the sales team for details.
Troubleshooting
My scan has been running for longer than the expected maximum time. First, check whether the scan is still showing as In Progress in the dashboard. If it appears stuck at a particular stage — such as Connectivity Check or Login Recording — there may be a configuration issue preventing the scanner from accessing your application. Check that Astra's IPs are whitelisted and that your login recording is valid. If the issue persists, raise a support ticket from your dashboard.
My scan was canceled automatically before it finished. Astra's system may automatically cancel a scan if your application is consistently unreachable, returning server errors, or experiencing severe performance degradation. Check your application's health during the scan window and review [Why did my automated scan get canceled?] for a full explanation.
I need results faster than the standard timeline allows. For automated scans, switching to a Lightning Scan will give you high-level results within 15 minutes. For manual pentests, the Rapid Pentest option can deliver results in 7 working days or fewer. Contact our sales team to arrange this.
My vetted scan has been in review for longer than 4 working days. Check the delivery status on your scan details page. If the status shows Delivery Blocked, our team may be waiting on additional information from you — check your email and any open support tickets. If the status shows On Track or Running Behind with no communication from us, raise a support ticket and our team will provide an update.