Smoke, Sanity, and Regression Testing: What Each One Proves
Written by Ahmed at Analyst Engineering, a Senior Technical Business Analyst with 10+ years in banking and payments delivery.
Key takeaways
- The three suites answer three different questions. Smoke: is this build alive enough to test? Sanity: did the specific fix land? Regression: did anything that used to work stop working?
- A smoke suite is broad and shallow: a handful of critical-path checks that run in minutes on every deploy and gate everything behind them. If smoke fails, nothing else runs.
- Sanity testing is narrow and deep: focused verification of the changed area after a fix, before spending a full cycle on it. It rejects a bad fix in minutes instead of days.
- Regression is wide and deep and therefore expensive, which is why it must be automated where it hurts. Its scope is everything that used to work, prioritized by what the change could plausibly touch.
Smoke, sanity, and regression testing answer three different questions. Smoke testing asks whether the build is alive enough to test at all: broad, shallow, minutes. Sanity testing asks whether a specific fix actually landed: narrow, deep, minutes. Regression testing asks whether anything that used to work has stopped working: broad, deep, and expensive, which is why it is the one you automate.
The three terms get used interchangeably in test plans, and the interchange is not harmless: a team that says “regression” but runs a smoke suite has a safety net with holes in it, and a team that runs full regression on every build burns days answering a question a five-minute smoke run would have settled. Each suite exists because it answers its question at the right cost. Smoke is the cheapest possible “is this build worth anyone’s time.” Sanity is the cheapest possible “did the fix work.” Regression is the expensive, necessary “does everything still work,” and its cost is exactly why the other two exist: they stop you from paying it when a cheaper answer would do. Knowing which question you are asking is QA analyst fundamentals, and it decides what runs when in the pipeline.
What does each suite prove?
| Smoke | Sanity | Regression | |
|---|---|---|---|
| Question | Is the build testable at all? | Did the specific change land? | Did anything that worked break? |
| Shape | Broad and shallow | Narrow and deep | Broad and deep |
| Scope | Critical paths only | The changed area | Existing functionality |
| Runtime | Minutes | Minutes | Hours to days |
| Trigger | Every build or deploy | After a fix or small change | Before release, after significant change |
| On failure | Reject the build, test nothing | Reject the fix, skip wider testing | Fix or consciously accept before release |
Smoke testing touches every critical path once, lightly. The name comes from hardware: power it on, and if smoke comes out, stop. The software equivalent: the service starts and responds, login works, one core transaction completes end to end, key integrations answer. In a payments platform that is one payment submitted, processed, and reaching a terminal status, not fifty payment variations, one. The suite’s only job is to gate everything behind it: if smoke fails, the build is rejected and nobody spends an afternoon investigating “defects” that are really one dead dependency.
Sanity testing is the inverse shape: after a fix arrives, you verify the specific changed behavior deeply before committing the team to a wider cycle. Defect said AC04 rejections showed the wrong customer message; sanity re-runs that exact flow plus its nearest neighbors, the other reason code mappings the fix could have touched. Ten minutes, and a bad fix bounces back to the developer the same hour instead of surfacing two days into a full test cycle.
Regression testing protects everything already delivered from the change you just made. It is broad because breakage does not confine itself to the changed feature, and deep because regressions hide in edge cases, and that combination makes it the expensive suite, which has two consequences: automate the stable core of it, and prioritize the rest by what the change could plausibly touch. The full discipline, including how to scope it when you cannot rerun everything, is in regression testing in payments.
Where does each suite run in the pipeline?
The suites form a funnel from cheapest to most expensive, and each gates the next so money is only spent on builds that earned it.
Smoke runs on every deploy to every environment, automated, in the pipeline itself: on the test environment before QA touches the build, on staging before UAT users log in, on production immediately after release. The production case is underrated. A five-minute automated smoke run after go-live turns “customers found the outage” into “the pipeline found it,” and it is the same suite you already run everywhere else. This is the natural first automation investment for a team doing API testing: a handful of critical-path calls with assertions, wired into the deploy.
Sanity runs inside the test cycle, whenever a fix or small change lands: verify the fix deeply, sweep its immediate neighborhood, then decide whether the wider cycle proceeds. It is usually manual or semi-automated, because its scope is defined by the specific change and the tester’s judgment about what that change could have disturbed, the same judgment that drives negative test design.
Regression runs on a schedule shaped by its cost: the automated core nightly or on every merge, the prioritized subset when a significant change lands mid-cycle, the full suite, automated plus the manual scenarios nobody has automated yet, before each release. When time pressure forces a cut, cut consciously: risk-rank the suite by what the release touched, and write down which regressions you chose not to look for. “We ran what we could” is a plan; “we ran out of time” is an incident report waiting for its trigger.
Why does confusing them cost real money?
Because each suite bought at the wrong price answers the wrong question. The two classic failure patterns:
The smoke suite wearing a regression badge. The team runs twenty critical-path checks before release, calls it regression, and ships. Everything on the happy path works; the duplicate-submission handling a refactor quietly broke is not on the happy path, and idempotency failures reach production. Nothing in the twenty checks was wrong; the error was believing breadth-without-depth answers the regression question. If your “regression suite” runs in ten minutes, it is a smoke suite, and it is fine, as a smoke suite.
Full regression as the only tool. The opposite team trusts nothing less than the complete suite, so every build and every fix costs days before anyone learns whether the build even starts. Feedback slows, fixes queue up and get tested in batches, and when the batch fails, isolating which fix broke what is archaeology. The funnel exists to prevent exactly this: smoke rejects dead builds in minutes, sanity rejects bad fixes in minutes, and regression’s days are spent only on candidates that survived both gates.
The vocabulary is also a contract with the rest of the delivery. When the release manager hears “regression passed,” they hear “existing functionality is protected” and make a go decision on it. If what actually ran was smoke, the gap between what was said and what was proven is now a production risk nobody signed off on, the same reason test coverage claims trace back to requirements instead of remaining assertions.
The takeaway
Smoke, sanity, and regression are three different questions at three different costs. Smoke is broad and shallow and gates every build: is this alive enough to test? Sanity is narrow and deep and gates every fix: did the change land? Regression is broad, deep, and expensive, and protects everything already working, so automate its core, prioritize the rest by risk, and never let a ten-minute suite carry its name. Run them as a funnel, cheapest first, and each suite spends money only on builds the previous one certified.
About the author
Analyst Engineering is written by Ahmed, a Senior Technical Business Analyst with 10+ years of banking and payments delivery experience: ISO 20022 and SWIFT messaging, payments API integration, Kafka event validation, and production support. Every article comes from real delivery work, and each one is reviewed and updated as tools and standards change.
Related articles
- Regression Testing in Payments: Protecting What Already Works How to do regression testing in payment systems: what to retest, building a regression suite, risk-based selection, and automating the checks that protect live behavior.
- Negative Test Design: Engineering the Unhappy Path How to design negative tests systematically: boundary values, invalid inputs, state violations, and failure injection. The unhappy path is where the real defects live.
- Payment Testing: How to Test a Payment Flow End to End A practitioner guide to payment testing: following one transaction through ingestion, events, settlement, and status, plus the rejection and stuck-payment cases that matter.
- API Testing: How to Test an API End to End A practitioner guide to API testing: status codes, response schemas, request chaining, authentication, error contracts, and the checks that actually catch defects.
Newsletter
Subscribe
Practical, no-fluff playbooks for technical analysts who analyze, code, test, and support. New articles straight to your inbox.
No spam. Unsubscribe anytime.