Typical durations
| What you're scanning | Typical time |
|---|---|
| Web application — standard | 5–15 min |
| Infrastructure target | 30–90 min |
| Web application — with Deep web testing | 1–3 hours per target |
These are rough ranges, not promises. When a scan covers several targets, they run together, so the total is closer to the slowest target than the sum of all of them.
What affects the time
- Number of targets — more targets mean more work, though they're scanned in parallel where possible.
- Target type — infrastructure vulnerability testing covers more ground than a standard web check.
- Deep web testing — active OWASP Top 10 testing crawls the application and sends real requests. This is the single biggest factor, adding 1–3 hours per web target.
- How your hosts respond — slow servers, rate limiting, firewalls, and WAFs all slow a scan down.
- How much is found — more open ports, endpoints, and services mean more checks to run.
Why there's no exact estimate
Real scan time depends on conditions Topscan can't know in advance — how fast your hosts answer, how much is exposed, how many findings need verification. A confident-but-wrong "5 minutes left" is more frustrating than no number at all, so the scan page shows each stage with the time it has actually been running.
What you can do meanwhile
Scans run entirely on Topscan's infrastructure. You can close the browser or move on — the scan keeps running, and the results appear on the scan page when it finishes. If you've set up notifications, you'll get a message when it's done.