All Collections
Pentest Phases and Terminology
Pentest Phases and Terminology

The five key components of our pentest approach

Updated over a week ago


By adhering to a structured testing approach, HackerOne aims to deliver consistent, high-quality pentest results tailored to the unique security requirements of our customers. The five key components of our pentest approach are explained below:

Team Composition

  • Every pentest is led by one Lead Pentester.

  • Up to four additional pentesters may be included in the team, depending on the scope and requirements.

Pentest Tiers

  • Pentests are categorized into two distinct tiers: the Essential and the Premium.

  • Each tier carries its unique responsibilities, ensuring a tailored approach to different security needs.

Duration and Effort

  • All pentests, irrespective of their size or tier, are designed to run over two calendar weeks (14 days) unless specified otherwise.

  • Every pentester involved is expected to commit a total of forty hours of effort during this period.

Retesting Phase

  • Following the main testing phase, a retesting window opens.

  • Pentesters assigned will be responsible for conducting retests during this period.

  • The duration of the retesting window is contingent upon the assessment tier chosen.

Peer Review

  • Collaboration is paramount to ensure consistency across each engagement.

  • At the end of each engagement, pentesters are required to review and provide feedback on their teammates' contributions, ensuring continuous improvement and cohesion within the team.

Pentest Engagement Process

pentest engagement process timeline

1. Pre-Testing Phase



Customer Tasks

Create and save scoping drafts.

Collaborate seamlessly with team members.

Upon approval, quickly start the pentest setup on HackerOne, addressing key questions.

Tailor your pentest workflows using platform integrations, triggers, and APIs.

HackerOne Tasks

We evaluate your assets to accurately determine the needed pentest size.

We provide a customized quote tailored to your specific pentest requirements.

With prepped assets and set pentester rewards, most tests can begin within days.


48 hours to 7 business days

2. Testing Phase

Pentest Kickoff & Staffing

Testing & Real-time Results

Customer Tasks

Select “request to launch” in the platform.

Remain updated throughout the testing phase.

Expect consistent Slack updates from testers, regardless of vulnerability detection.

HackerOne Tasks

A Technical Engagement Manager (TEM) arranges a kickoff call to manage credentials and testing environment setup.

The most qualified pentest team is staffed and automatically scheduled.

After this kick-off call, HackerOne needs as little as three working days to source the pentest team, after which testing can begin.

Any detected vulnerabilities will be promptly displayed in your HackerOne platform inbox.


30 Minutes

Up to 3 Days

2 Weeks Testing

Slack updates every 3-5 days

3. Post-testing Phase


Remediation and Retesting


Customer Tasks

Shortly after testing concludes, you'll be notified.

You can then securely download your comprehensive report via the HackerOne platform.

Use the final report to address identified vulnerabilities.

Locate the relevant ticket in your Hackerone inbox and initiate a retest through the action bar.

Effortlessly transition pentest findings to your continuous security testing programs.

Use the cloning feature to simplify and duplicate pentests, reducing manual entries.

Analyze the pentest findings in your dashboards to determine where best to run your next pentest.

HackerOne Tasks

Your dedicated TEM offers a debrief call post-testing.

Discuss findings and potential remediation steps during the call.

TEMs assist customers in optimizing and improving long-term pentesting programs.


Final report in 3-5 Business Days After Testing

30-90 Days for Retesting


pentesting process infographic


The scoping of a pentest serves two functions: to identify the target of the test and to calculate the size of the test. The output of scoping is:

  • The technical scope of the test: The assets and user roles to be tested

  • The size of the test: How many people/hours and what type of skills are needed to complete the test to a high-quality standard

  • A commercial quotation: How much this will cost

The target of the test is the set of digital assets that will be assessed in the 2 week testing period by the pentesting team. The type of asset determines the checks that must be completed, the pentester skill requirements, and the tier (essentials or premium). For example, when an Android mobile application is added to a HackerOne Pentest scope, the Android security checklist is added, pentesters are selected with skills and tools needed to audit Android applications, and the test will be defined as a premium test to reflect the increased complexity of testing (over a simple web application).

The size of the test is the number of hours needed to achieve coverage of the test targets. The size is calculated from the type of asset and qualities such as the number of functions that an application performs and the number of user roles.


There are five different units of measurement we use to define various pentest sizes that HackerOne offers. These sizes are calculated based on the testing hours needed per pentest, depending on the scope.

All pentesters, including Leads, are expected to spend forty (40) hours of effort across all pentest sizes. Pentests are named based on the number of hours the assessment requires for the whole team and are referred to as the following:

Pentest Size


# of Lead Pentesters

# of Supporting Pentester(s)


Lead pentester performs all of the work by themselves.




Lead pentester and a supporting pentester share the work.




Lead pentester and 2 supporting pentesters share the work.




Lead pentester and 3 supporting pentesters share the work.




Lead pentester and 4 supporting pentesters share the work.




Contact your dedicated pentest team for custom sizing tailored to larger environments and multiple tests.

ℹ️ Of course, most organizations will be developing and maintaining multiple systems, and therefore, will need multiple tests. This is addressed with a consumption contract. A set number of hours are purchased, and these hours are deducted from the total during the contract period.

Pentester Roles and Responsibilities

Pentest Lead


  • Main point of contact with the Customer and HackerOne staff

  • Responds to all customer inquiries and questions within 1 business day

  • Provides updates frequently (minimum of 4 updates required)

  • Validates, performs QA, and de-duplicates all submissions from the pentesters before they are submitted

  • Ensures all submissions are clear and optimized for the customer's understanding

  • Leads the team, makes decisions about scope and testing focus, coordinates and delegates work where needed

  • Performs testing and retesting

  • Writes vulnerability reports and the summary report

  • Completes checklists and/or assigns these to testers making sure these are completed.

  • Performs testing and retesting

  • Updates the Lead about testing (minimum of 4 updates required)

  • Shares and validates vulnerabilities with the Lead and the team before submission

  • Writes Vulnerability reports

  • Provides all the information required by the Lead (e.g. to answer customer questions)

  • Completes checklists according to what the Lead assigns.

40 hours of individual pentest work


Regardless of the size and scope, all pentests are categorized on the platform into two distinct tiers: Essential and Premium. There are several fundamental differences between these two tiers, which are detailed below.

pentest tiers breakdown

Did this answer your question?