Starting a penetration test can feel tense, especially the first time.
Once you click Start Scan, RedVeil takes over execution and begins assessing the targets you authorized. This article explains what happens next, what different test states mean, how long tests typically take, and where you can monitor progress.
The goal is to set expectations clearly so you always know what’s happening and why.
Test States Explained
After a test is started, it will move through several states. These states are visible in the dashboard and help indicate where the test is in its lifecycle.
Not Started
A test in the Not Started state has been created but has not yet been initiated.
This means:
No testing activity has occurred
No Agent Ops have been consumed
No interaction with targets has taken place
This state is expected immediately after a project or test is created and before Start Scan is clicked.
Testing
Once active testing begins, the test enters the Testing state.
During this phase:
RedVeil’s penetration testing agents actively interact with the target
Discovery, analysis, and validation are performed
Agent Ops begin to be consumed
This is the longest phase of a test and where most activity occurs. You can monitor testing activity in the Testing Activity window on the Dashboard for the entire test, or in the Hosts tab for individual targets in the test.
Testing Complete
A test moves to Testing Complete once active testing finishes.
At this point:
No further Agent Ops are consumed
Findings are finalized
Reports become available for export
Completion means the assessment is finished for that point in time.
Cancelled
A test enters the Cancelled state when it is manually stopped before completion. This occurs when you intentionally choose to stop a test.
When a test is cancelled:
Active testing stops immediately
No further Agent Ops are consumed
Any findings already identified are preserved
Cancelled tests are not considered completed assessments and cannot generate final reports, but they remain visible for reference.
Failed
A test may enter the Failed state if it cannot complete due to an error or external condition.
This can happen if:
Targets become unreachable during testing
Configuration issues prevent further execution
An unexpected platform or environmental issue occurs
A failed test does not always indicate wrongdoing or misconfiguration on your part. It simply means the test could not complete as intended.
When a test fails:
Active testing stops
Agent Ops consumption stops
Partial results may still be visible depending on when the failure occurred
If a test fails, Rune can help explain what happened and guide next steps, including whether a re-run is appropriate.
Typical Test Durations (High-Level)
Test duration varies based on scope, configuration, and complexity. The ranges below are general guidance rather than guarantees.
Web Application Tests
Web application tests typically take 2 to 6 hours for most applications. Expect longer durations for highly complex or authenticated applications. Authenticated testing often takes more time because additional functionality and logic must be evaluated.
External Network Tests
External network tests generally take 30 minutes to 2 hours per active host.
Targets with many exposed services or larger scopes may take longer due to discovery and validation steps.
Rune Guidance
At any point during testing, you can ask Rune what is happening.
Rune can help explain:
Why a test is taking longer than expected
What phase the test is currently in
How scope or configuration is affecting execution
Rune provides insight without affecting the test itself. If any exploited findings have been identified, you can also ask Rune to start providing additional guidance on them.



