Penetration Testing

What Is VAPT? Vulnerability Assessment + Pentest

VAPT for Indian SaaS startups: what vulnerability assessment and penetration testing involve, what the report covers, when you need one, and how to choose.

Rathnakara GN & Ashok Kamat
Cybersecify

Key findings (2026, drawn from Cybersecify VAPT engagements):

  • VAPT is the Indian compliance term combining Vulnerability Assessment (automated scanning) and Penetration Testing (manual testing for business logic and authentication flaws).
  • A real VAPT engagement runs 7 to 14 calendar days per scope with manual testing. VAPT sold under INR 25,000 with 1 to 2 day turnaround is almost always scanner output relabeled, not a real engagement.
  • Indian regulatory contexts where a VAPT report is expected: SOC 2 (US enterprise customers), ISO 27001 (Indian and international audits), CERT-In incident reporting, RBI guidelines for fintech.

VAPT stands for Vulnerability Assessment and Penetration Testing. It combines automated scanning to find known vulnerabilities (outdated libraries, misconfigurations, weak credentials) with manual penetration testing to find business logic flaws and authentication bypasses that scanners miss. The term is primarily used in India.

You’ve been asked for a “VAPT report.” Maybe a client put it in their vendor questionnaire. Maybe your compliance team flagged it. Maybe an investor asked during due diligence. You nodded and said “we’ll get that done,” and now you’re Googling what VAPT actually means.

Here’s the short version: VAPT stands for Vulnerability Assessment and Penetration Testing. It’s two distinct activities, usually bundled together, especially in India. This post breaks down what each part involves, what you actually get at the end, and how to avoid wasting money on the wrong engagement.

Vulnerability Assessment vs Penetration Testing

These are not the same thing. They get bundled under “VAPT” so often that people treat them as one activity, but they test different things in different ways.

Vulnerability Assessment (VA)

A vulnerability assessment is a broad, mostly automated scan of your systems. The goal is coverage: find as many known vulnerabilities as possible across your entire attack surface.

What happens: A security engineer configures a scanner (Nessus, Qualys, OpenVAS, or similar), runs it against your infrastructure or application, and reviews the output. The scanner checks for known CVEs, misconfigurations, default credentials, missing patches, and weak TLS settings.

What you get: A list of vulnerabilities ranked by severity (Critical, High, Medium, Low, Informational). Each finding includes a description, affected asset, and remediation guidance.

What it doesn’t do: A VA doesn’t prove exploitability. It tells you “this port is running an outdated version of Apache with a known vulnerability.” It doesn’t tell you whether an attacker can actually chain that with other weaknesses to steal data or gain access.

Penetration Testing (PT)

A penetration test is a manual, targeted exercise where a security tester tries to break into your system the way a real attacker would. The goal is depth: prove what damage is actually possible.

What happens: A tester (following methodologies like PTES or the OWASP Testing Guide) manually probes your application for logic flaws, authentication bypasses, privilege escalation paths, and data exposure issues. They chain findings together to demonstrate real attack scenarios.

What you get: A report with proof-of-concept exploits, attack narratives, screenshots, and business impact analysis. Not just “this is vulnerable” but “here’s how we used this to access your admin panel and export your customer database.”

What it doesn’t do: A pentest doesn’t give you a complete inventory of every low-severity issue. It’s focused on what matters, not on listing every missing header.

Side-by-Side Comparison

Criterion      | Vulnerability Assessment                  | Penetration Testing
---------------|-------------------------------------------|----------------------------------------------
Approach       | Automated scanning + manual review        | Manual testing + selective tooling
Goal           | Find all known vulnerabilities            | Prove real-world exploitability
Coverage       | Broad (scans everything)                  | Deep (focuses on critical paths)
Finds          | Known CVEs, misconfigs, missing patches   | Logic flaws, auth bypasses, chained exploits
Output         | Vulnerability list with severity ratings  | Attack narratives with proof-of-concept
Effort         | Hours to days                             | Days to weeks
Skill required | Mid-level engineer with scanner expertise | Senior tester with manual exploitation skills

Why “VAPT” Is an Indian Thing

If you talk to security teams in the US or Europe, they say “pentest” or “vulnerability scan.” The bundled term “VAPT” is mostly used in India, driven by compliance requirements from RBI, SEBI, CERT-In, and IRDAI that specifically reference “VAPT” in their guidelines.

The practical effect: Indian companies often buy a single engagement labeled “VAPT” and assume they’re getting both. Sometimes they are. Sometimes they’re getting an automated scan with a cover page that says “VAPT Report.” The difference matters.

What a Good VAPT Report Contains

A report worth paying for includes:

  1. Executive Summary - Business-language overview for leadership. What’s the risk posture? What needs immediate attention?
  2. Scope and Methodology - What was tested, what wasn’t, which methodology was followed (OWASP, PTES, NIST SP 800-115)
  3. Findings with Evidence - Each vulnerability documented with: severity rating, affected component, steps to reproduce, screenshots or request/response pairs, and business impact
  4. Attack Narratives - How findings chain together into real attack scenarios (this is what separates a pentest from a scan)
  5. Remediation Guidance - Specific, actionable fixes. Not “improve input validation” but “add parameterized queries to the /api/users endpoint, line 42 of userController.js.”
  6. Retest Confirmation - After you fix the issues, the tester verifies the fixes work. If your vendor doesn’t include retesting, ask why.

Red flag: If your report is 200 pages of scanner output with a logo slapped on top, you paid for a VA and got sold a “VAPT.”

When Do You Need a VAPT?

You definitely need one if:

  • A client or partner is asking for a pentest report as part of vendor onboarding
  • You’re preparing for SOC 2 or ISO 27001 certification
  • You’re processing payments and need PCI DSS compliance
  • You’ve just shipped a major feature or rewritten a core module
  • You’re handling sensitive data (health records, financial data, PII) and haven’t tested in 12+ months
  • CERT-In, RBI, SEBI, or IRDAI guidelines apply to your business

You probably don’t need one yet if:

  • You’re pre-product with no users and no production environment
  • You already ran a pentest last quarter and haven’t shipped significant changes

A common cadence for growing startups: pentest once or twice a year, and run vulnerability scans quarterly or after major releases.

How to Choose a VAPT Vendor

Questions to ask before signing:

About the testing:

  • Will testing be manual, automated, or both? What percentage is manual?
  • Which methodology do you follow? (Look for OWASP, PTES, or NIST references)
  • How many days of active testing are included?
  • Does the engagement include retesting after remediation?

About the team:

  • Who will actually do the testing? (Not the sales team, the testers)
  • What certifications does the testing team hold? (OSCP, CREST, CEH, CompTIA PenTest+)
  • Will the same person test and write the report?

About the output:

  • Can I see a sample report?
  • Will findings include proof-of-concept exploits or just scanner output?
  • Do you provide remediation support or just the report?

Red flags:

  • “We’ll run our proprietary scanner” (you’re buying a VA, not a VAPT)
  • No named testers or certifications mentioned
  • Turnaround under 3 days for a web application (not enough time for real manual testing)
  • Report delivered as a PDF export from Nessus/Burp with no custom analysis

Typical VAPT Cost in India

Pricing varies based on scope (number of applications, APIs, infrastructure components), depth of testing, and vendor reputation. Here’s what the market looks like:

Scope                          | Typical Range (INR)  | What to Expect
-------------------------------|----------------------|---------------------------------
Single web app (basic)         | 50,000 - 1,50,000    | VA + limited manual testing
Single web app (thorough)      | 1,50,000 - 3,00,000  | Full manual pentest + retesting
Web app + mobile app + API     | 2,50,000 - 5,00,000  | Multi-scope engagement
Infrastructure (cloud/on-prem) | 1,00,000 - 4,00,000  | Depends on number of IPs/hosts

Beware of vendors offering “full VAPT” for under 20,000. At that price, you’re getting an automated scan and a templated report. That has its place, but don’t confuse it with a penetration test.

Where to Start

If you know your scope and want to get moving:

  • Startup Pentest (INR 74,999) - 1 application scope, 7 days of testing, founder-led engagement. Good for a single web app or API that needs a proper manual pentest before a client audit or compliance milestone.

  • Growth Pentest (INR 1,79,999) - 2 scopes (e.g., web app + API, or web app + mobile app), 10 days of testing. Includes SOC 2 + ISO 27001 audit prep and is built for startups heading into enterprise sales.

Both plans include free retesting after remediation.

Not sure what you need? Book a free 30-min discovery call with the founders. We assess your current security posture and recommend the right scope. No payment, no commitment.

The Bottom Line

VAPT is two things: an automated scan for breadth and a manual test for depth. You need both, but you need to know which one you’re actually buying. Ask your vendor hard questions about methodology, manual effort, and report quality. A good VAPT doesn’t just hand you a list of CVEs. It shows you what an attacker can actually do with your system and tells you exactly how to fix it. See our web application pentest service page, API pentest service page, or AI application pentest service page for scope, methodology, and inclusions.

Frequently Asked Questions

What is VAPT?

VAPT stands for Vulnerability Assessment and Penetration Testing. It combines automated scanning to find known vulnerabilities with manual testing to find business logic flaws, authentication bypasses, and chained exploits that scanners miss.

How much does VAPT cost in India?

VAPT costs in India range from 50,000 to 3 lakh INR for a single scope depending on the vendor. At Cybersecify, the Startup Pentest plan is 74,999 INR for 1 scope with a 7-day delivery.

What is the difference between vulnerability assessment and penetration testing?

A vulnerability assessment scans for known issues using automated tools and produces a list of findings. A penetration test goes further with manual exploitation, testing business logic, chaining vulnerabilities, and attempting real-world attack paths.

How long does a VAPT engagement take for a SaaS startup?

Single-scope VAPT (web app OR API) typically runs 7 to 10 calendar days of active testing plus 2 to 3 days for report writing and quality review. Multi-scope (web app plus API plus cloud) typically runs 10 to 15 calendar days. Add 2 to 4 weeks for the remediation cycle on your side and 3 to 5 days for retest. Total elapsed time from kickoff call to auditor-ready evidence package: 6 to 8 weeks for a single scope, 8 to 12 weeks for multi-scope. Any vendor offering 1 to 2 day VAPT turnaround at a low price is running an automated scanner, not a real engagement. Real VAPT requires manual investigation time.

What does a real VAPT engagement actually involve?

Five phases. Scoping and rules of engagement (defining in-scope systems, time windows, contact escalation, evidence-handling rules). Reconnaissance (passive and active enumeration of the target attack surface, technology stack identification). Vulnerability discovery (combining automated scanning for known CVEs with manual testing for business logic flaws, authentication and authorisation bypasses, IDOR, injection, race conditions). Exploitation and validation (proving findings are real by demonstrating impact, not just flagging tool output). Reporting (executive summary, technical findings with severity ratings via CVSS, reproduction steps, remediation guidance, compliance mapping if applicable). The reporting and retest phases are where most cheap vendors cut corners.

What is included in a VAPT report?

A useful VAPT report includes nine sections. Executive summary (1-2 page business-impact framing for non-technical stakeholders). Scope definition (systems tested, exclusions, testing window). Methodology reference (OWASP WSTG v5.0, PTES, OWASP API Security Top 10). Tester qualifications (OSCP, CREST, CEH or equivalent, with credential numbers verifiable). Findings list with CVSS severity ratings, reproduction steps, business impact framing, and remediation guidance per finding. Compliance mapping (SOC 2 TSC, ISO 27001 Annex A, RBI Master Direction, DPDP Act) if relevant. Risk acceptance documentation for any findings the client elects not to fix with management sign-off. Retest verification (separate section or separate report after fixes). Letter of Attestation (for Growth Pentest at Cybersecify, signed by the lead pentester). Reports missing these sections fail SOC 2 and ISO 27001 auditor scrutiny.

What does VAPT cover and what does it exclude?

Standard VAPT covers application-layer attacks (web, API, mobile), authentication and authorisation flaws, business logic flaws, injection vulnerabilities, cryptographic implementation issues, sensitive data exposure, security misconfiguration, and known component vulnerabilities. It typically excludes physical security (building access, hardware tampering), social engineering of staff (phishing simulations, vishing) unless specifically scoped, denial-of-service testing (rarely in scope due to production impact), and red-team adversary simulation (a separate engagement type that includes evasion of detection and longer dwell-time testing). Always confirm scope in the rules of engagement document before kickoff. Cybersecify pentests explicitly scope what is in and out so there are no surprises.

Who needs VAPT in India?

Four broad categories. Compliance-driven: SaaS startups pursuing SOC 2 (where US auditors expect a pentest as evidence for CC7.1), ISO 27001 certification, RBI-regulated entities (annual VAPT mandatory), DPDP Act readiness (technical safeguard evidence), CERT-In-applicable organisations. Customer-driven: any SaaS startup whose enterprise customers send vendor security questionnaires asking for a recent pentest report (common above Series A). Investor-driven: startups raising Series A or later where investor diligence packs commonly include a third-party pentest report. Risk-driven: organisations handling sensitive data (financial, health, PII, IP) that have not had an independent security assessment in the past 12 months. If you fall into any one of these, VAPT is no longer optional.

How much should a SaaS startup budget for VAPT?

Three tiers in 2026. Budget tier (INR 15,000 to 50,000 per scope): almost always automated scanner output rebranded with a logo. Useful only for compliance checkboxes that do not require manual testing evidence. Rejected by most US SOC 2 auditors. Professional tier (INR 75,000 to 2 lakh per scope): real manual testing by qualified pentesters, accepted by SOC 2 and ISO 27001 auditors. Cybersecify Startup Pentest plan at INR 74,999 plus taxes for 1 scope sits at the entry of this tier. Enterprise tier (INR 3 lakh and up per scope): multi-week, multi-tester engagement with adversary simulation or longer dwell time. For most Indian SaaS startups, professional tier is the right fit. Budget tier is false economy; enterprise tier is over-spec until you are Series B or later.

Can I run VAPT internally with my own engineers?

Internal vulnerability scanning, yes; full pentesting, usually no. Internal teams can run continuous DAST scanning (OWASP ZAP, Burp Suite Pro), dependency vulnerability scanning (Snyk, Dependabot, Trivy), and IaC scanning (Checkov, tfsec, Snyk IaC). For VAPT evidence acceptable to SOC 2 and ISO 27001 auditors, RBI-regulated activity, or enterprise customer security questionnaires, you need an independent third-party engagement. Auditors specifically check for independence (CC7.1 under SOC 2). Engineers also have a known cognitive bias toward systems they built; an external tester finds a class of issues that internal teams systematically miss. Best practice: internal continuous scanning between engagements, annual third-party VAPT for evidence.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Rathnakara GN or Ashok Kamat on LinkedIn.
