How to Scope a Pentest When You Have Two Weeks Before a Prospect Deadline

The email arrived on a Tuesday. Your enterprise prospect’s security team needs a penetration test report before they can move the deal to legal review. They want it in two weeks.

Your first instinct might be to panic. Your second might be to Google “fast pentest” and click on whatever comes up first. Both are understandable. Neither is the right move.

Two weeks is tight but workable if you scope the engagement correctly from the start. The founders who blow this window are not the ones who ran out of time — they are the ones who tried to do too much, engaged the wrong firm, or did not understand what the prospect actually needed to see.

Here is how to handle it properly.

Understand What the Prospect Actually Needs First

Before you contact a single pentest vendor, pick up the phone and call your prospect contact. Ask them one question: what specifically does their security team need to see in the report?

This matters more than you think. Some enterprise security teams want a full web application pentest with authenticated and unauthenticated testing across your entire product. Others will accept an external network pentest that covers your public-facing infrastructure. Some need OWASP Top 10 coverage documented. Others are checking whether you have done any independent testing at all and are less concerned with the specific scope.

The answer to that question determines everything — how long the engagement takes, which vendors can realistically deliver in your window, and how much it costs. Going into a scoping call with a pentest firm without knowing what the prospect actually needs is how you end up with a report that does not answer the question they were asking.

If you cannot get a clear answer from your prospect contact, ask for their vendor security questionnaire or the specific section of their security review that mentions penetration testing. That document will tell you exactly what they are looking for.

What Can Realistically Be Done in Two Weeks

Two weeks sounds short. For a well-scoped engagement with an experienced firm, it is achievable — but only if you understand what fits in that window and what does not.

Scoping and planning alone typically takes two to five days even for a focused engagement. That means your actual testing window in a two-week timeline is closer to seven to nine days, with report delivery taking another one to two days after testing wraps.

Here is what fits in that window:

A focused web application pentest covering your core product — authentication, authorization, session management, business logic, and API endpoints — is the most common engagement for SaaS companies in this situation and is achievable in two weeks with a firm that has bandwidth. Testing typically takes four to seven days depending on the application’s complexity.

An external network pentest covering your public-facing infrastructure — exposed services, open ports, and perimeter controls — can often be completed in two to three days and paired with a web application test if the scope is focused.

Here is what does not fit:

A full-stack engagement covering your web application, APIs, internal network, cloud infrastructure, and third-party integrations cannot be credibly completed in two weeks. If a firm tells you they can do all of that in 14 days, ask them how many hours of testing they are actually allocating. A rushed, surface-level test produces a report that a sophisticated security team will see through immediately — and that stalls your deal just as effectively as having no report at all.

The goal is a report that answers the prospect’s specific question credibly, not a report that claims to cover everything.

How to Scope the Engagement

When you get on a scoping call with a pentest firm, be specific about three things: what the prospect is asking for, what your timeline is, and what is actually in scope.

For scope, your job is to define exactly what gets tested. This means specifying the URLs and IP ranges that are in scope, whether testing should be authenticated or unauthenticated or both, whether your staging environment or production environment is being tested, and whether your API is included separately or as part of the web application test.

The tighter and more specific your scope is, the faster a credible firm can complete the engagement. Vague scope — “test our product” — leads to a scoping call that takes a week by itself because the firm has to figure out what your product actually includes before they can quote the work.

For SaaS companies under deadline, the most defensible scope for a two-week window is:

Your web application with authenticated testing using at least two user roles, your public API endpoints, and your external network perimeter. That covers the areas that enterprise security teams most commonly ask about and can be completed credibly within the timeline.

If your product handles healthcare data, add explicit API testing for PHI-related endpoints. If you are pursuing SOC 2, make sure the firm is documenting findings against the Trust Services Criteria relevant to your target controls. These details matter for the report’s usefulness beyond just closing the current deal.
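The scope checklist above (in-scope URLs and IP ranges, staging versus production, authenticated testing with at least two roles, and whether the API is tested separately) can be checked mechanically before the scoping call. The script below is an added example, not Packet33's tooling or part of the original post; the hosts, IP ranges and the pinned "resolver" results are constructed placeholders, and `check_scope` is a hypothetical helper.

```python
"""Scope-sheet checker for a two-week web app + API + external perimeter
engagement. Added example with constructed data; not the post's own code."""
import ipaddress
from urllib.parse import urlparse

# Constructed example scope sheet. Real values come from your own
# environment and the scoping call with the firm.
SCOPE = {
    "environment": "staging",                 # "staging" or "production"
    "in_scope_urls": [
        "https://app.example-staging.test",
        "https://api.example-staging.test/v1",
    ],
    "in_scope_ip_ranges": ["203.0.113.0/24"],
    # Hypothetical resolver output, pinned here so the check runs offline.
    "host_ips": {
        "app.example-staging.test": "203.0.113.10",
        "api.example-staging.test": "203.0.113.11",
    },
    "auth_roles": ["admin", "standard_user"],  # at least two roles
    "unauthenticated": True,                   # also test without a session
    "api_tested_separately": True,
}


def check_scope(scope):
    """Return a list of problems; an empty list means the sheet is complete."""
    problems = []
    if scope.get("environment") not in ("staging", "production"):
        problems.append("environment must be 'staging' or 'production'")
    ranges = [ipaddress.ip_network(r) for r in scope.get("in_scope_ip_ranges", [])]
    if not ranges:
        problems.append("no IP ranges declared for the external perimeter")
    # Every in-scope web/API host must resolve into a declared range, so the
    # tester never touches infrastructure you did not authorize.
    for url in scope.get("in_scope_urls", []):
        host = urlparse(url).hostname
        ip = scope.get("host_ips", {}).get(host)
        if ip is None:
            problems.append(f"{host}: no resolved IP recorded")
            continue
        if not any(ipaddress.ip_address(ip) in r for r in ranges):
            problems.append(f"{host} ({ip}) is outside the declared IP ranges")
    if len(scope.get("auth_roles", [])) < 2:
        problems.append("authenticated testing needs at least two user roles")
    if "api_tested_separately" not in scope:
        problems.append("state whether the API is tested separately or with the web app")
    return problems
```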

Choosing a Firm Under a Tight Timeline

Not all pentest firms can deliver in two weeks. Some have scheduling backlogs of four to six weeks. Others can move quickly but produce reports that read like automated scan outputs with minimal manual testing.

Reputable firms typically schedule engagements within three to six weeks — sometimes sooner — so reaching out early and being explicit about your deadline is the only way to know whether a firm can actually help you.

When you contact firms, tell them upfront: you have a two-week window from contract signing to report delivery. Ask whether they can meet it. Ask how many hours of manual testing they allocate for a web application engagement at your scope. Ask whether the testers are OSCP certified or hold equivalent credentials. Ask to see a sample report.

That last point is important. The report's format and quality matter as much as the testing itself. Enterprise security teams read these reports regularly. A well-structured report with a clear executive summary, finding descriptions, proof-of-concept evidence, and remediation guidance reads as credible. A report that is mostly automated scanner output with a few manual observations looks like what it is.

If a firm cannot show you a sample report before you sign, move on.

What Happens After the Testing

The engagement timeline runs: scoping, testing, report, fixes, retest. Total: four to five weeks in a standard engagement. In a compressed two-week timeline, you will likely receive your report with one to three days remaining before your prospect deadline — which means you need to have a remediation plan ready to execute immediately.

Before you send the report to your prospect, read it. Do not forward a pentest report you have not reviewed. Know what every finding says, what its severity is, and what your remediation plan is for each one. Critical and High findings need to be addressed and retested before the report goes anywhere. Medium and Low findings need a documented plan even if remediation is not yet complete.

When you share the report, send it with a one-page executive summary that covers: the scope and methodology, the testing firm and their credentials, a summary of findings by severity, and the status of remediation. This framing gives the prospect’s security team what they need to make a decision without requiring them to read the full technical report before your next call.

Deals that move forward after a pentest review are almost never ones where the report had zero findings. They are the ones where the vendor clearly understood their findings, had a plan to address them, and communicated it honestly.

The Actual Question to Ask Yourself Right Now

If you have an enterprise deal moving toward security review and you do not have a current pentest report, the window to get one is not when the prospect asks for it — it is now.

A proactive pentest gives you time to address findings before they are under someone else’s microscope. It gives you a report you can share with confidence rather than one you are sending the day before a deadline. And it signals to the prospect that security is a standing practice at your company, not a reactive checkbox.

Packet33 conducts web application, API, and external network penetration tests for SaaS and HealthTech startups, with reports scoped and formatted for enterprise security reviews, SOC 2, and HIPAA requirements. We work on the timelines our clients are actually operating under.

Talk to us about scoping a pentest for your environment and timeline.