Do story points include testing?

Yes. The estimate is for the work done — not the work coded.

Story points size the work between "story enters the sprint" and "story is shippable." That includes whatever QA the team does as part of done — automated tests, manual verification, accessibility checks, security review. If testing is part of how the team ships, it's part of the estimate. The story isn't done when the PR merges; it's done when it meets the team's definition of done.

Teams that exclude testing from points are estimating dev-only and then bolting on QA capacity separately. The result is predictable: the sprint takes on more story points than the team can actually ship, because QA is the bottleneck and nobody's accounting for it.

What about a separate QA team?

If QA is a separate team with its own backlog, the story still includes the dev-side handover — preparing the build, writing the test plan, fielding QA questions. None of that is free. The QA team's own work is on their velocity, not yours; but the dev-side cost of working with them is on yours.

What about specialized testing — security, perf, a11y?

Same rule. If meeting the definition of done requires that work and it's on the dev team, it's in the estimate. If it's done by a different team or skipped entirely, it isn't.

Estimate the work the team actually ships. Anything else is fiction.

Adjacent: story points vs acceptance criteria — points size the path to "done", criteria define what "done" is; definition of ready covers the entry side.