A proper VAPT for SaaS startups should include both automated vulnerability scanning and manual penetration testing that covers OWASP Top 10, business logic flaws, authentication bypasses, and API security. It costs INR 75,000 to INR 2,00,000 per scope for a real engagement with manual testing, not INR 15,000 for a scanner dump.
Every second LinkedIn post from a security vendor in India offers “VAPT services.” Every enterprise RFP has a line asking for your “VAPT report.” Every compliance framework references VAPT somewhere in the fine print.
But here’s what nobody tells you: most of what gets sold as VAPT in India is a scanner run with a branded cover page. And most startups buying it don’t know the difference until a real attacker, or a serious enterprise client’s security team, proves it wasn’t enough.
This post breaks down what VAPT actually means, what SaaS startups need from it, and how to avoid paying for a PDF that gives you false confidence.
What VAPT Actually Means
VAPT stands for Vulnerability Assessment and Penetration Testing. Two distinct activities. One acronym.
Vulnerability Assessment (VA) is automated scanning. Tools like Nessus, Qualys, or Burp Scanner crawl your application and infrastructure looking for known vulnerabilities: outdated libraries, missing patches, weak TLS configurations, default credentials, and common misconfigurations.
Penetration Testing (PT) is manual exploitation. A security tester follows a methodology like OWASP WSTG v5.0 or PTES to find what scanners miss: business logic flaws, authentication bypasses, privilege escalation chains, and attack paths that require human reasoning.
A proper VAPT engagement includes both. The VA gives you breadth. The PT gives you depth. Together, they tell you what’s vulnerable and what’s exploitable.
If you want a deeper breakdown of the difference, read our comparison of vulnerability assessment vs penetration testing.
Why “VAPT” Is an Indian Thing
If you talk to security teams in the US or Europe, they say “pentest” or “vulnerability scan.” The combined term “VAPT” is predominantly used in India, driven by compliance language from CERT-In, RBI, SEBI, and IRDAI.
These regulators use “VAPT” in their guidelines, so the term became standard across Indian vendor proposals, audit reports, and procurement documents. There’s nothing wrong with the term itself. The problem is that it creates ambiguity. When someone says “we did VAPT,” they could mean anything from a 20-minute automated scan to a 10-day manual pentest.
The Scanner Problem: What Most “VAPT” Vendors Actually Deliver
Here’s what a typical INR 15,000 to 30,000 “VAPT” engagement looks like:
- Vendor runs Nessus or OWASP ZAP against your target
- Scanner generates a report with 50 to 200 findings
- Vendor adds a branded cover page, maybe reorganizes findings by severity
- You receive a PDF labeled “VAPT Report”
What’s missing? Everything that matters for a SaaS application.
No manual testing of your authentication flows. No testing of your API authorization logic. No attempt to chain vulnerabilities into actual attack scenarios. No validation of whether a “High” severity finding is actually exploitable in your environment.
This is not VAPT. This is a vulnerability assessment with the word “penetration testing” stapled to the cover page.
The difference between this and a real pentest is the difference between automated scanning and manual testing.
What SaaS Startups Actually Need
SaaS applications are not infrastructure. They’re multi-tenant platforms with complex authentication, API layers, payment flows, and business logic that no scanner understands.
Here’s what a SaaS startup’s security testing should cover:
Authentication and session management. Can someone bypass your login? Can they hijack another user’s session? What happens when a password reset token is reused?
Authorization and access control. Can a user in Tenant A access Tenant B’s data by changing an ID in the API request? Can a regular user call admin endpoints? This is the most common critical finding in SaaS pentests, and scanners cannot test for it.
API security. Your frontend might be locked down, but your API is the real attack surface. Rate limiting, input validation, mass assignment, broken object level authorization. These need manual testing against OWASP API Security Top 10.
Business logic. Can someone apply a coupon code twice? Can they modify the price in a checkout request? Can they skip a verification step? These are application specific. No generic scanner has rules for your business logic.
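The two business logic questions above, price tampering and double coupon use, as an added example that is not code from the original post: the checkout that trusts the request beside one that recomputes the total server-side. The catalogue, coupon table and request payload are constructed for illustration.

```python
# Added example (not from the original post): a checkout that trusts the
# client's price and coupon list beside one that recomputes the total
# server-side and enforces single-use coupons. Catalogue, coupon table and
# request payloads are constructed for illustration.
CATALOGUE = {"plan-pro": 5000, "addon-seats": 1000}  # unit price, INR
COUPONS = {"WELCOME20": 20}                           # percent off, one use

class RejectedOrder(Exception):
    pass

def checkout_vulnerable(payload: dict) -> int:
    """Totals whatever the client sent: a tampered 'price' and a coupon listed
    twice are both honoured. No scanner has a rule for this."""
    total = sum(item["price"] * item["qty"] for item in payload["items"])
    for code in payload.get("coupons", []):
        total -= total * COUPONS.get(code, 0) // 100
    return total

def checkout_hardened(payload: dict, redeemed: set) -> int:
    """Prices every line from CATALOGUE (client price is ignored), allows one
    coupon per order and records it in `redeemed` (per-customer state) so it
    cannot be applied again on a later order."""
    total = 0
    for item in payload["items"]:
        if item["sku"] not in CATALOGUE or item["qty"] < 1:
            raise RejectedOrder(f"bad line item: {item}")
        total += CATALOGUE[item["sku"]] * item["qty"]
    codes = list(dict.fromkeys(payload.get("coupons", [])))  # drop repeats
    if len(codes) > 1:
        raise RejectedOrder("one coupon per order")
    for code in codes:
        if code not in COUPONS or code in redeemed:
            raise RejectedOrder(f"coupon {code} invalid or already used")
        total -= total * COUPONS[code] // 100
        redeemed.add(code)
    return total

def reuse_rejected(payload: dict, redeemed: set) -> bool:
    """True if an order that reuses an already-redeemed coupon is refused."""
    try:
        checkout_hardened(payload, redeemed)
    except RejectedOrder:
        return True
    return False

# Constructed tampered request: unit price lowered to 100, coupon sent twice.
TAMPERED = {"items": [{"sku": "plan-pro", "qty": 1, "price": 100}],
            "coupons": ["WELCOME20", "WELCOME20"]}
```

The vulnerable handler charges 64 for a 5,000 plan; the hardened one charges 4,000 and refuses the coupon on the next order.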
Data exposure. Are you returning more data in API responses than the frontend displays? Is PII leaking through error messages, debug endpoints, or verbose logging?
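The cross-tenant ID swap from the authorization point above and the over-wide API response from the data exposure point, as an added example that is not code from the original post: an unscoped lookup next to a tenant-scoped, field-limited one, plus the regression check a finding turns into. Records, sessions and field names are constructed.

```python
# Added example (not from the original post): the unscoped lookup a manual
# tester flags as cross-tenant access, next to a tenant-scoped, field-limited
# version. Records, sessions and field names are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str

# Constructed data store: invoices keyed by id, each owned by one tenant.
INVOICES = {
    "inv-1001": {"id": "inv-1001", "tenant_id": "tenant-a", "amount": 4200,
                 "customer_email": "a@example.test", "internal_notes": "vip"},
    "inv-1002": {"id": "inv-1002", "tenant_id": "tenant-b", "amount": 9900,
                 "customer_email": "b@example.test", "internal_notes": "late"},
}
PUBLIC_FIELDS = ("id", "amount")  # what the frontend renders; nothing else leaves

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(session: Session, invoice_id: str) -> dict:
    """Looks up by id only, so a changed id returns another tenant's invoice,
    and every stored field goes out with it (BOLA plus data exposure)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise KeyError(invoice_id)
    return dict(inv)

def get_invoice_hardened(session: Session, invoice_id: str) -> dict:
    """Scopes the lookup to the caller's tenant and returns only PUBLIC_FIELDS.
    Missing and foreign-tenant ids fail identically, so ids can't be enumerated."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["tenant_id"] != session.tenant_id:
        raise Forbidden(f"no access to {invoice_id}")
    return {k: inv[k] for k in PUBLIC_FIELDS}

def cross_tenant_check(fetch) -> bool:
    """Regression check for the finding: a Tenant A user asking for a Tenant B
    invoice id must be refused. Returns True when the handler refuses."""
    attacker = Session(user_id="u-7", tenant_id="tenant-a")
    try:
        fetch(attacker, "inv-1002")
    except Forbidden:
        return True
    return False
```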
Real VAPT vs Scanner Only “VAPT”
| | Scanner Only “VAPT” | Real VAPT Engagement |
|---|---|---|
| Approach | Automated scan, branded PDF | Automated VA + manual penetration testing |
| Duration | 1 to 2 days | 7 to 14 days |
| Tester involvement | Minimal (configure and run) | Senior tester, full engagement |
| Methodology | Scanner defaults | OWASP WSTG v5.0, PTES |
| Finds infrastructure issues | Yes | Yes |
| Finds business logic flaws | No | Yes |
| Finds auth/access control issues | Rarely | Yes |
| Finds API-specific vulnerabilities | Surface level only | Deep testing against OWASP API Top 10 |
| Provides exploit proof | No | Yes, with screenshots and steps to reproduce |
| Retest included | Rarely | Should be included |
| Useful for compliance | Barely | Yes, maps to SOC 2, ISO 27001 criteria |
| Typical cost | INR 15,000 to 30,000 | INR 75,000 to 2,00,000 |
CERT-In and Regulatory Requirements
CERT-In (Indian Computer Emergency Response Team) mandates that organizations report cybersecurity incidents within 6 hours under their April 2022 directive. For a full breakdown of what counts as a reportable incident and how to set up your internal reporting process, see our CERT-In 6-hour rule guide. While CERT-In does not mandate VAPT for all organizations, it strongly recommends periodic security testing as part of cybersecurity hygiene.
For regulated sectors, VAPT is explicitly required:
- RBI mandates VAPT for all banks, NBFCs, and payment processors
- SEBI requires periodic VAPT for stock brokers and depositories
- IRDAI requires VAPT for insurance companies
- DPDP Act 2023 expects “reasonable security safeguards” which practically means regular security testing
If you’re a SaaS startup handling financial data or serving regulated clients, your customers will pass down their compliance requirements to you. “Show us your VAPT report” is how that usually starts.
When Automated Scanning Is Enough
To be fair, there are scenarios where a vulnerability scan without manual testing makes sense:
- Internal infrastructure hardening. Running monthly Nessus scans against your AWS instances to catch missing patches and misconfigurations. This is operational hygiene, not a pentest.
- CI/CD pipeline scanning. SAST and DAST tools in your build pipeline catching known vulnerability patterns before code ships. Essential, but not a substitute for manual testing.
- Compliance checkbox for low-risk systems. A marketing website with no user accounts or sensitive data doesn’t need a full pentest.
But if you’re running a SaaS platform with user authentication, multi-tenancy, API integrations, and customer data? Automated scanning alone is not enough. Period.
How to Evaluate a VAPT Vendor
Before you sign a proposal, ask these questions:
1. What methodology do you follow? Look for OWASP WSTG, PTES, or NIST SP 800-115. If they can’t name a methodology, they’re running a scanner. Read our guide on evaluating a pentesting firm for more detail.
2. Who does the testing? Ask for tester credentials. OSCP, CREST, CompTIA PenTest+ are the standard certifications. Ask whether the person who holds the cert is the one actually doing your test, not just a name on the proposal.
3. What does the report include? A real pentest report includes: executive summary, methodology description, detailed findings with severity ratings, proof of concept for each finding (screenshots, request/response pairs), remediation guidance, and a retest option. If they can’t show you a sample report, that’s a red flag.
4. Do you test business logic and APIs? If the answer is vague or the proposal only mentions “web application scanning,” you’re buying a scanner run. SaaS applications need API security testing and business logic testing as standard scope.
5. Is a retest included? A finding is only fixed when it’s verified fixed. Retesting should be included in the engagement, not sold as an add-on.
6. What’s the team size and engagement duration? A single person doing “VAPT” in 2 days for your entire SaaS platform is running a scanner. A proper engagement for a single scope takes 5 to 10 days minimum.
The Cost Reality
Let’s be direct about what you get at different price points.
INR 15,000 to 30,000 (Scanner Run)
You get an automated scan output, possibly cleaned up and branded. No manual testing. No business logic coverage. No API-specific testing. Useful as a baseline vulnerability assessment. Not useful as evidence for enterprise clients, investors, or compliance audits.
INR 75,000 to 1,00,000 (Proper Pentest, Single Scope)
Manual testing by a certified tester. Covers your web application or API using a recognized methodology. Includes business logic testing, authentication testing, and authorization testing. Report includes proof of concept for each finding. Retest included.
Our Startup Pentest plan is INR 74,999 for 1 scope, 7 days, with retest and a Brand Protection Snapshot included.
INR 1,50,000 to 2,00,000+ (Multi-Scope Pentest)
Covers multiple targets: web application + API, or web application + mobile. Deeper engagement with more tester hours. May include compliance mapping for SOC 2 or ISO 27001.
Our Growth Pentest plan is INR 1,79,999 for 2 scopes, 10 days, with retest, Brand Protection Snapshot, and SOC 2 + ISO 27001 audit prep included.
The difference between an INR 15,000 scan and an INR 75,000 pentest is not 5x the price. It’s the difference between a document that collects dust and a report that actually finds the vulnerabilities an attacker would exploit.
What Your VAPT Report Should Look Like
If you’ve never seen a proper pentest report, here’s what to expect:
- Executive summary. One page, written for founders and CTOs, not security engineers. Overall risk rating, key findings, and strategic recommendations.
- Scope and methodology. What was tested, what was excluded, which testing framework was followed, and what tools were used alongside manual techniques.
- Detailed findings. Each vulnerability with a severity rating (Critical/High/Medium/Low), description, proof of concept with screenshots, affected component, and specific remediation steps.
- Positive findings. What’s working well. This matters for compliance evidence and for knowing where your team got it right.
- Remediation priority. A ranked list of what to fix first, based on exploitability and business impact, not just CVSS scores.
If your vendor delivers a 200 page document that’s mostly scanner output with color coded pie charts, that’s not a pentest report. That’s a scanner export.
Next Steps
If you’re a SaaS startup that needs proper VAPT and not a scanner PDF:
- Understand the basics first: Read What Is VAPT? for a full breakdown of both components
- Check what you actually need: Our web application pentest and API pentest pages explain scope and deliverables
- See the pricing: Visit our pricing page to compare the Startup and Growth plans
- Know the difference: Manual pentest vs automated scanning explains why scanners alone don’t cut it
- Not sure where to start? A Security on Demand session (INR 9,999, fully refundable if you don’t continue) gets you 4 hours with a founder to figure out exactly what testing your application needs
The VAPT market in India is full of vendors selling scanner runs at pentest prices. Don’t pay for a branded PDF. Pay for someone who will actually try to break into your application and show you how they did it.