A vulnerability assessment is mostly automated scanning that finds known issues. A penetration test is human-led exploitation that proves what an attacker can actually do. VAPT is an Indian-origin term that bundles both into one engagement. SOC 2 auditors, ISO 27001 certifiers, investor diligence packs, and enterprise customer security questionnaires want the pentest half specifically. The label changes by buyer geography. The evidence quality bar is the manual half.
Key findings
- VA = scanner output coverage. Automated tools (Nessus, OpenVAS, Qualys VMDR, Tenable, Burp Scanner, OWASP ZAP) find known CVE patterns, missing patches, default credentials, weak TLS configurations. Runs in hours, costs INR 5,000 to INR 50,000 per month, produces a CVSS-ranked findings list.
- Pentest = manual exploitation evidence. A human tester following OWASP WSTG v5.0, OWASP API Security Top 10, OWASP Mobile Top 10, or NIST SP 800-115 methodology probes business logic, authentication, and authorization to chain findings into realistic attack paths. Runs in days to weeks, costs INR 50,000 to INR 5,00,000 per scope (USD 600 to 6,000, GBP 470 to 4,700, EUR 550 to 5,500), produces narrative findings with reproduction steps.
- VAPT = the bundle, Indian-origin. Most common in India, Southeast Asia, and parts of the Middle East. Combines both phases into one engagement, one report, one vendor. Outside India and Southeast Asia, buyers usually ask for a penetration test by name and treat scanning as separate operational cost.
- Auditors want the pentest half. SOC 2 (AICPA TSC CC4.1 + CC7.1), ISO 27001:2022 (Annex A.8.8 + A.8.29, Clause 9.1), RBI Master Direction on Cyber Resilience, DPDP Act 2023 technical safeguards, and most US, UK, EU enterprise security questionnaires expect manual third-party testing evidence. A pure scanner CSV submitted as pentest evidence is routinely rejected.
- The 3 mistakes founders make. Treating Nessus output as pentest evidence (auditor rejects). Assuming VAPT always equals real pentest (depends on vendor interpretation). Doing only VA for years then scrambling when an investor or enterprise customer asks for a pentest report at the worst possible moment.
Why this article exists
If you are a SaaS founder, you have probably hit at least one of these in the past 12 months:
- An enterprise customer sent a vendor security questionnaire asking for a recent pentest report.
- A SOC 2 or ISO 27001 auditor asked for evidence of independent security testing.
- An investor diligence team asked whether you have ever run a pentest.
- A regulator (RBI in India, equivalents elsewhere) flagged annual VAPT as a requirement.
- A board member who attended a security conference asked whether you do red team exercises.
You searched for “vulnerability assessment vs penetration testing” or “what is VAPT” or “do I need pentest for SOC 2” and landed on contradictory answers. Some vendors said scanning is enough. Others said only manual testing counts. Indian vendors used the term VAPT. International vendors used “pentest.” Pricing varied from INR 15,000 to INR 5,00,000 for what looked like the same thing.
This article disambiguates. It defines the three terms, shows what each actually produces, and maps each to the buyer triggers that drive most pentest demand: compliance, investor requirement, enterprise customer onboarding, and post-breach fear.
At Cybersecify, our founder-led pentest engagements ship under either label depending on what the buyer asked for, but the underlying work is the same: manual testing against OWASP WSTG v5.0 and OWASP API Security Top 10 with reproduction steps, CVSS-scored findings, and SOC 2 plus ISO 27001 mapping (Growth plan). The sections below explain why that distinction matters before you sign a quote.
What is a Vulnerability Assessment (VA)?
A vulnerability assessment is a broad, mostly automated scan that finds known weaknesses across your attack surface. The goal is coverage breadth.
Tooling
The standard toolchain for application VA includes Burp Suite Scanner, OWASP ZAP, Acunetix, Invicti (formerly Netsparker), and Detectify. For infrastructure VA: Nessus (Tenable), Qualys VMDR, OpenVAS, Rapid7 InsightVM. For cloud configuration: AWS Inspector, Microsoft Defender for Cloud, Prisma Cloud, Wiz, Orca. For software composition: Snyk, Dependabot, Trivy, JFrog Xray. For infrastructure-as-code: Checkov, tfsec, Snyk IaC, Bridgecrew.
Pricing ranges from free (OWASP ZAP, OpenVAS, Trivy) to enterprise SaaS subscriptions (Qualys, Tenable, Wiz at INR 5,00,000 plus per year for SaaS startups).
What VA detects
- Known CVE-tagged vulnerabilities in libraries, frameworks, and operating system packages
- Missing security patches and outdated versions
- Default or weak credentials
- Missing or misconfigured TLS (weak ciphers, expired certs, missing HSTS)
- Common security header gaps (missing CSP, X-Frame-Options, etc.)
- Standard injection payloads against well-known parameters
- Publicly exposed admin panels and management interfaces
- Cloud configuration drift from baseline (open S3 buckets, permissive IAM, missing encryption at rest)
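To make the "known pattern" nature of these checks concrete, here is an added example (not code from this article, and not the logic of any named scanner) of the kind of security-header test a VA tool runs. It parses two constructed HTTP response header blocks and reports baseline gaps. The one-year HSTS threshold, the severity labels and the sample headers are assumptions chosen for illustration.

```python
"""Security-header baseline check of the kind an automated scanner plugin performs.

Added example: not the article's code and not any real scanner's implementation.
HSTS_MIN_AGE and the severity labels are assumed values, not a published standard.
"""
import re

HSTS_MIN_AGE = 31536000  # one year in seconds; an assumed threshold for this example


def parse_header_block(raw: str) -> dict:
    """Parse a raw HTTP response header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers: dict) -> list:
    """Return (severity, title, detail) tuples, one per baseline gap found."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "Missing HSTS", "no Strict-Transport-Security header"))
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        age = int(match.group(1)) if match else 0
        if age < HSTS_MIN_AGE:
            findings.append(("low", "Short HSTS max-age", f"max-age={age} < {HSTS_MIN_AGE}"))

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "Missing CSP", "no Content-Security-Policy header"))
    elif "'unsafe-inline'" in csp:
        findings.append(("low", "CSP allows unsafe-inline", csp))

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is acceptable.
    framing = headers.get("x-frame-options", "").upper()
    if framing not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or ""):
        findings.append(("low", "Clickjacking protection missing",
                         "no X-Frame-Options or CSP frame-ancestors"))

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "Missing X-Content-Type-Options", "expected nosniff"))

    # A version number after the product name is the usual information-disclosure pattern.
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        findings.append(("info", "Server version disclosure", server))

    return findings


def scan(raw_response_headers: str) -> list:
    """Convenience wrapper: raw header block in, findings out."""
    return check_headers(parse_header_block(raw_response_headers))


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: application/json
Strict-Transport-Security: max-age=300
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for severity, title, detail in scan(raw):
            print(f"[{severity}] {title}: {detail}")
```

Every decision the checker makes comes from string patterns in the headers. It has no notion of what the response body contains or whether the caller was entitled to request it, which is exactly the boundary between this section and the one that follows.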
What VA cannot detect
- Business logic flaws (a checkout flow that accepts negative quantities, a discount code that stacks beyond intent)
- Authentication bypasses dependent on race conditions or token replay
- Broken Object Level Authorization (IDOR) where Tenant A reads Tenant B data
- Authorization escalation across multi-tenant boundaries
- Chained exploits combining multiple low-severity findings into a critical attack path
- Anything that requires understanding what the application is supposed to do versus what it actually does
Output
A VA report is a list of findings, each with CVE reference (where applicable), CVSS severity score, affected asset, brief description, and generic remediation guidance. Findings count is typically in the hundreds. False positive rate is non-trivial (10 to 30 percent in our experience) and the report rarely distinguishes truly exploitable findings from theoretical ones in your environment.
Frequency
Continuous if integrated into CI/CD. Monthly or quarterly for managed scanning services. The cost-per-scan is low enough that high frequency is the default recommendation.
Cost band
Free open-source tools (OWASP ZAP, Trivy, OpenVAS) to enterprise SaaS subscriptions running into many lakhs annually. For a typical SaaS startup, a self-managed scanning stack costs INR 5,000 to INR 50,000 per month (USD 60 to 600, GBP 50 to 470, EUR 55 to 550) depending on tool choice and coverage breadth.
What is a Penetration Test (pentest)?
A penetration test is a scoped, time-bounded, methodology-driven simulated attack performed by a human tester. The goal is depth: prove what real-world exploitation is possible against your application.
Methodology
A real pentest follows published methodology so findings are reproducible and auditor-acceptable. Common references:
- OWASP Web Security Testing Guide (WSTG) v5.0 for web applications
- OWASP API Security Top 10 (2023 edition) for REST, GraphQL, and webhook APIs
- OWASP Mobile Application Security Testing Guide (MASTG) and OWASP Mobile Top 10 for iOS and Android apps
- OWASP Top 10 for LLM Applications for AI and LLM-integrated features
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment as the cross-cutting reference
- CIS Benchmarks plus provider-specific hardening guides for cloud configuration
- CVSS v3.1 or v4.0 for severity scoring with environmental adjustment
- MITRE ATT&CK for adversary tradecraft mapping, MITRE ATLAS for AI-specific tradecraft
A pentest report should cite at least one of these on its methodology page. Reports that skip the methodology section often fail auditor review.
What pentesting catches that VA cannot
- Business logic flaws. The cart accepting negative quantities. The OTP reset bypass via header manipulation. The role escalation via the unguarded API endpoint. The discount code that stacks beyond intent.
- Broken Object Level Authorization (IDOR). Tenant A reading or modifying Tenant B data. The number-1 finding in our 2026 engagements on SaaS multi-tenant apps.
- Authentication bypasses. Race conditions in OTP validation, JWT signature confusion, token replay across sessions, password reset bypasses via email parameter manipulation.
- Authorization escalation. Standard user becoming admin via mass-assignment, hidden role parameters, or unguarded role-update endpoints.
- Chained exploits. Information leak (low) plus IDOR (medium) plus default admin credential (high) chained into full takeover (critical).
- Stored business logic state corruption. Workflows that allow state transitions the application UI does not expose.
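Three of the finding classes listed here and under "What VA cannot detect" (IDOR across tenants, role escalation via mass assignment, and a cart that accepts negative quantities), each shown as the vulnerable handler beside its corrected form. This is an added example and not code from the article or from any Cybersecify engagement; the in-memory data store, the session object, the field allowlist and the quantity limit are constructed for illustration.

```python
"""Vulnerable-versus-fixed handlers for three logic and authorization flaw classes.

Added example, not code from the original article. INVOICES, PRICES_PAISE, Session,
PROFILE_FIELDS and MAX_QTY are constructed sample values, not a real product's API.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


class BadRequest(Exception):
    """Raised when the request payload fails validation."""


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str
    role: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: str
    amount_paise: int


# Constructed sample data: two tenants, one invoice each, sequential ids.
INVOICES = {
    1001: Invoice(1001, "tenant-a", 499900),
    1002: Invoice(1002, "tenant-b", 1200000),
}
PRICES_PAISE = {"sku-basic": 150000}


# --- 1. Broken Object Level Authorization (IDOR) --------------------------------
def get_invoice_vulnerable(session: Session, invoice_id: int) -> Invoice:
    """Authenticated but never checks ownership: any logged-in user can read any
    invoice by id. The response is a well-formed 200 either way, which is why an
    automated scanner sees nothing wrong with it."""
    return INVOICES[invoice_id]


def get_invoice(session: Session, invoice_id: int) -> Invoice:
    """Fixed: the lookup is scoped to the caller's tenant. A missing invoice and a
    foreign one produce the same error, so the id space gives no enumeration oracle."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.tenant_id != session.tenant_id:
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return invoice


# --- 2. Role escalation via mass assignment --------------------------------------
PROFILE_FIELDS = {"display_name", "locale"}  # assumed allowlist of user-editable fields


def update_profile_vulnerable(session: Session, users: dict, payload: dict) -> dict:
    """Merges every submitted key into the record, so a client-supplied
    "role": "admin" is stored without any error."""
    users[session.user_id].update(payload)
    return users[session.user_id]


def update_profile(session: Session, users: dict, payload: dict) -> dict:
    """Fixed: reject fields outside the allowlist rather than silently dropping
    them, so the attempt fails loudly and is visible in request logs."""
    unexpected = set(payload) - PROFILE_FIELDS
    if unexpected:
        raise BadRequest(f"fields not permitted: {sorted(unexpected)}")
    users[session.user_id].update(payload)
    return users[session.user_id]


# --- 3. Business logic: cart accepting negative quantities -----------------------
MAX_QTY = 100  # assumed per-line limit


def cart_total_vulnerable(items: list) -> int:
    """Sums price * quantity with no range check, so a negative quantity on one
    line acts as a discount against the rest of the cart."""
    return sum(PRICES_PAISE[sku] * qty for sku, qty in items)


def cart_total(items: list) -> int:
    """Fixed: quantity must be an int in [1, MAX_QTY]; bool is excluded explicitly
    because it is an int subclass in Python."""
    total = 0
    for sku, qty in items:
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise BadRequest(f"invalid quantity {qty!r} for {sku}")
        total += PRICES_PAISE[sku] * qty
    return total


if __name__ == "__main__":
    caller = Session("u1", "tenant-a", "member")
    print("vulnerable read of foreign invoice:", get_invoice_vulnerable(caller, 1002))
    try:
        get_invoice(caller, 1002)
    except Forbidden as exc:
        print("fixed handler:", exc)
```

In all three pairs the vulnerable handler returns valid JSON-shaped data with a 200 status; the flaw is only visible to someone who knows which tenant the session belongs to, which fields a user may edit, or what a sane quantity looks like. That knowledge is what the manual phase supplies and the scanner does not have.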
Output
A pentest report is a narrative document with executive summary (1-2 pages for board and investor reading), methodology section (cites published guides), scope definition, findings list (each with CVSS severity, business impact framing, reproduction steps in the form of HTTP requests and screenshots, remediation guidance specific to your stack), compliance mapping (SOC 2 TSC, ISO 27001 Annex A controls, DPDP Act technical safeguards where relevant), tester qualifications (with verifiable credentials), and retest evidence after fixes. Findings count is typically 10 to 50, with manual validation of every one.
Frequency
Annual at minimum, plus pre-audit (SOC 2 Type 2 and ISO 27001 surveillance audit windows), pre-release for major changes (new payment flow, new API surface, new tenant model, AI feature launch), and pre-customer-onboarding when an enterprise security questionnaire arrives.
Cost band
INR 50,000 to INR 5,00,000 per scope (USD 600 to 6,000, GBP 470 to 4,700, EUR 550 to 5,500) depending on engagement depth, scope size (single web app vs multi-system), and vendor positioning. At Cybersecify, the Startup Pentest plan at INR 74,999 plus taxes (USD 900, GBP 700, EUR 830) covers one scope with manual testing, methodology citation, reproduction steps, and one free retest. The Growth Pentest at INR 1,79,999 plus taxes (USD 2,150, GBP 1,700, EUR 2,000) covers two scopes with SOC 2 plus ISO 27001 evidence packaging.
What is VAPT?
VAPT stands for Vulnerability Assessment and Penetration Testing. It is a single bundled engagement that runs the VA phase first (automated scanning to map the attack surface and surface known issues) and the PT phase second (manual exploitation focused on business logic, authentication, and authorization flaws that scanners cannot find).
Why the term exists
VAPT is primarily an Indian, Southeast Asian, and Middle Eastern term. It emerged in early-2010s Indian IT services procurement language, where enterprise and BFSI tenders began bundling the two phases into a single SKU to simplify contracting. RBI Master Direction language reinforced VAPT as the standard reference for annual mandatory testing on regulated entities. CERT-In advisories and PSU procurement followed.
Today VAPT appears in:
- Indian enterprise vendor questionnaires
- RBI guidance and circulars for fintech, banks, NBFCs, and digital payment operators
- CERT-In advisories
- DPDP Act 2023 conversations as part of “reasonable security safeguards” expectations
- Singapore MAS Technology Risk Management guidance (the term is used but less consistently than in India)
- UAE NESA / SIA guidance language
Outside India and Southeast Asia, the term is rare. US, UK, EU, Canada, and Australia procurement language defaults to “penetration test” and treats vulnerability scanning as a separate operational concern.
When non-India buyers should care about the term
If you are a SaaS startup outside India serving Indian or Southeast Asian fintech, banking, or regulated customers, your buyer-side procurement will use the VAPT label. You can deliver the same work under the VAPT label as you would under “penetration test” elsewhere, but the report should explicitly call out both the VA phase findings and the PT phase findings so it satisfies the bundle expectation. Submitting a pure pentest report without the scanning summary to a VAPT request will sometimes trigger pushback.
How VAPT differs from buying VA and pentest separately
Same activities, different packaging. A VAPT engagement is one vendor, one engagement, one combined report. Buying VA and pentest separately means a continuous VA subscription (your own scanning stack or a managed service) plus an annual pentest from a specialist firm. The buy-separately pattern is more common internationally and among mature engineering teams. The VAPT bundle is the default for India procurement and for buyers who want a single point of contact and report.
The risk with VAPT bundles: low-cost vendors often skimp on the PT phase and ship mostly scanner output. The risk with buy-separately: if your VA and pentest vendors do not coordinate, the pentest engagement spends time rediscovering issues already in your scanner backlog instead of pushing deeper on business logic.
Comparison table
The dense reference. Read across rows for each dimension.
| Dimension | Vulnerability Assessment (VA) | Penetration Test (pentest) | VAPT (bundle) |
|---|---|---|---|
| Method | Automated scanning with light manual review | Manual exploitation with selective tooling | VA scan phase + PT manual phase |
| Depth | Broad surface coverage (hundreds of findings) | Deep on critical paths (10-50 validated findings) | Both phases in one engagement |
| Output | CVSS-ranked findings list, often CSV or PDF export | Narrative report with reproduction steps, business impact, compliance mapping | Combined report with VA summary + PT narrative findings |
| Methodology | Tool-driven (whatever the scanner checks) | OWASP WSTG v5.0, OWASP API Top 10, NIST SP 800-115 | Both: scanner methodology for VA phase, OWASP / NIST for PT phase |
| Severity scoring | CVSS base score from tool, often unvalidated | CVSS v3.1 / v4.0 with environmental adjustment, manually verified | Both, with PT phase taking precedence on shared findings |
| Frequency | Continuous, monthly, or quarterly | Annual minimum, plus pre-audit and pre-release | Annual or as required by RBI / CERT-In / enterprise customer |
| Cost (per scope or per month) | INR 5,000-50,000 per month (USD 60-600) for tool subscription | INR 50,000-5,00,000 per scope (USD 600-6,000, GBP 470-4,700, EUR 550-5,500) | INR 50,000-3,00,000 per scope for bundled engagement |
| Auditor acceptance | Not accepted as primary pentest evidence for SOC 2 / ISO 27001; useful as continuous coverage evidence | Accepted as primary evidence by SOC 2 (CC7.1), ISO 27001:2022 (A.8.29), RBI, DPDP | Accepted in India and SEA; may need PT-phase emphasis for international audits |
| Best for | Continuous regression detection, CVE coverage, compliance baseline | Auditor evidence, investor diligence, enterprise customer onboarding, post-breach assurance | Indian regulatory contexts, single-vendor procurement preference |
| Real-world example finding | Outdated jQuery 1.12.4 with known XSS CVE on customer dashboard | Tenant A able to read Tenant B billing data via incrementing the invoice ID in the API URL | Both: scanner finds the outdated library; tester chains it with a stored XSS injection to harvest session tokens |
| Independence requirement | Internal team can run | Must be third-party for SOC 2 (CC4.1) and ISO 27001 (A.8.29) | PT phase must be third-party even within a VAPT bundle |
When to use which: mapping to buyer triggers
Most pentest demand on SaaS startups maps to four buyer triggers (the four we see across India and international engagements). Each trigger has a specific evidence requirement.
Trigger 1: Compliance audit (SOC 2, ISO 27001, RBI, DPDP)
- REQUIRED: Third-party penetration test with methodology citation, manual testing evidence, reproduction steps, CVSS scoring, and retest evidence after fixes. Report must satisfy SOC 2 CC4.1 plus CC7.1 (US), ISO 27001:2022 Annex A.8.8 plus A.8.29 plus Clause 9.1 (international), RBI Master Direction on Cyber Resilience for fintech (India), or DPDP Act 2023 technical safeguards expectation (India).
- BONUS: Continuous VA via in-house scanning or managed service for inter-audit regression detection. Auditors view this favourably as evidence of ongoing posture.
- INSUFFICIENT: Scanner-only VAPT report submitted without manual exploitation evidence. Auditors routinely reject. Pure VA without pentest. In-house pentest without independent third-party (fails CC4.1 independence requirement).
Trigger 2: Investor diligence
- REQUIRED: Third-party pentest report with executive summary suitable for non-technical reading, finding count with severity distribution, remediation status, and tester credentials. Series A and later diligence packs treat the pentest report as a standard expected artefact.
- BONUS: Multi-year pentest history showing improving severity distribution and shrinking time-to-remediation. Signals security maturity.
- INSUFFICIENT: Scanner CSV submitted as pentest. Internal team attestation. “We use Snyk and ZAP” without a third-party narrative report. Investor diligence firms see scanner output frequently and recognise it as not-a-pentest.
Trigger 3: Enterprise customer onboarding
- REQUIRED: Third-party pentest report, either full version under NDA or redacted executive summary plus findings status, satisfying the customer’s vendor security questionnaire. Most enterprise security questionnaires (US, UK, EU, India, Singapore, Australia) explicitly ask for “most recent penetration test report” or equivalent.
- BONUS: SOC 2 Type 2 or ISO 27001 certification with the pentest report as listed evidence. Lifts the customer’s diligence burden.
- INSUFFICIENT: Bug bounty program statistics in lieu of pentest report. Continuous scanning attestation. Auditor letter without underlying pentest evidence. Each gets pushback from enterprise security teams.
Trigger 4: Post-breach fear or board pressure
- REQUIRED: Third-party pentest with adversary-mindset framing in the report. Board members and CXOs want to see findings that resemble what an actual attacker would do, not a CVE catalog.
- BONUS: Threat modelling deliverable alongside the pentest. Helps the board see what was tested and what was deliberately out of scope.
- INSUFFICIENT: Scanner output (does not address the actual question the board is asking). Internal team write-up (independence problem). Generic security awareness training (different category entirely).
Across all four triggers, the consistent pattern: the pentest half is non-negotiable. Scanning supplements. VAPT-as-a-bundle works fine in India and SEA contexts where buyers understand the term, but the report still has to surface the manual-exploitation findings clearly. Buyers and auditors evaluate the pentest half. The VA half is supporting evidence.
The 3 common mistakes
Mistake 1: Treating Nessus output as pentest evidence. The most common founder error. You ran Nessus or Qualys, got a 200-finding report, submitted it to your SOC 2 auditor or enterprise customer, and got pushback. The fix is not to argue. The fix is to commission a manual pentest from an independent third party that produces narrative findings with reproduction steps. Scanner output is useful operational hygiene. It is not auditor-acceptable pentest evidence.
Mistake 2: Assuming VAPT always equals real pentest. Some Indian VAPT vendors ship pure scanner output with a logo on top and a cover page that says “Penetration Test Report.” Buyers pay INR 15,000 to INR 30,000, get a CSV reformatted as PDF, and discover at audit time that the report fails the manual-exploitation evidence bar. Read sample reports before signing. If the methodology section does not cite OWASP WSTG v5.0 or NIST SP 800-115, if there are no HTTP-request reproduction steps, if the findings list reads like a CVE catalog with no business-impact framing, you bought a VA labelled as VAPT.
Mistake 3: Doing VA only for years then scrambling at the worst moment. A common pattern: a SaaS startup runs OWASP ZAP or Snyk continuously, treats it as their security testing program, and skips pentests for two or three years to save money. Then an investor diligence team or a Fortune 500 enterprise customer asks for the pentest report on a 2-week timeline. The startup commissions a rush pentest, the first engagement surfaces critical findings, remediation runs past the customer’s onboarding deadline, and the deal stalls. Annual pentest is cheaper insurance than emergency pentest under deal pressure.
How Cybersecify positions
At Cybersecify, both founders ship on every engagement (Ashok S Kamat on scoping, compliance mapping, and report quality; Rathnakara GN, M.Sc Cyber Security, OSCP, CompTIA PenTest+, on pentest delivery). We do not split into a delivery team and a sales team. The same pair you scope with delivers the work.
Our pentest engagements ship under either label depending on what the buyer asked for. India and SEA buyers asking for VAPT get a report that explicitly surfaces both the VA-phase findings and the PT-phase manual exploitation findings. International buyers asking for “penetration test” get the same underlying work scoped as a standalone PT engagement with continuous VA treated as their separate operational concern. The methodology, manual depth, and report quality are identical.
See our sample report for the structure we ship. See our methodology page for the full testing approach. See pricing for the Startup Pentest plan (INR 74,999, one scope, 7 days, 1 free retest) and Growth Pentest plan (INR 1,79,999, two scopes, 10 days, SOC 2 plus ISO 27001 evidence packaging, 1 free retest). Read about us for founder backgrounds and the engagement-quality positioning. International buyers in USD, GBP, EUR, AUD, SGD, HKD, or AED can transact directly; pricing parity is published on the pricing page.
Cluster reading: where to go next
If you found this page useful, the cluster around it goes deeper on specific dimensions:
- What is VAPT? Vulnerability Assessment + Pentest — the India-context primer with deeper pricing tier analysis
- How to read a VAPT report — once you have the report, how to triage findings
- DAST vs Pentest: why scanners are not enough — the scanner-specific drilldown
- Penetration testing for SOC 2 audit — auditor evidence expectations
- ISO 27001 vs SOC 2: which first? — sequencing the two frameworks
- When SaaS must outsource pentest (2026) — in-house vs external decision
- Manual pentest vs automated scanning — the manual-versus-automated drilldown
Per-scope service pages (each ships with the same engagement model: founder-led, OWASP methodology, manual depth, reproduction steps):
- Web application penetration testing
- API penetration testing
- Cloud penetration testing
- Android application penetration testing and iOS application penetration testing
- AI application penetration testing
- IoT penetration testing
Bottom line
VA finds known issues at breadth via scanners. Pentest proves real exploitation at depth via human testing. VAPT bundles both in India and SEA contexts. Auditors, investors, and enterprise customers want the pentest half specifically. The label changes by buyer geography. The evidence quality bar is the manual half. Pick the engagement that satisfies the buyer trigger driving the request, and confirm the vendor delivers manual testing evidence with methodology citation and reproduction steps before signing.
If you are scoping a pentest now and want to compare what we ship to what other vendors send, the sample report is the most direct way to evaluate. The methodology, finding format, and compliance mapping shown there are the same on every engagement we deliver.