Key Takeaways
- Vulnerability Assessment uses automated scanners to enumerate known weaknesses (missing patches, known CVEs, common misconfigurations). Output: a list of findings with CVSS base scores. Fast, broad, cheap.
- Penetration Testing uses manual exploitation by skilled consultants. Output: narrative attack chain with confirmed impact. Slow, deep, more expensive.
- Compliance frameworks often expect both. PCI DSS requires quarterly internal and external VA (external scans by an Approved Scanning Vendor) plus PT at least annually and after significant changes. ISO 27001 expects regular vulnerability management plus periodic PT.
- VA finds quantity, PT finds severity. A scanner returns 500 CVEs; a pentester returns 5 findings that actually let an attacker take over the system.
- The right answer for most Indian businesses: continuous VA on infrastructure plus annual or continuous PT on critical applications and identity.
Why The Terms Get Confused
The Indian VAPT market merges the two terms into a single service ('VAPT'), which is helpful for procurement (one purchase order, one vendor, one report) and confusing for technical scoping. Different vendors deliver wildly different things under the 'VAPT' label: some run a Nessus scan, write up the output, and call it VAPT. Others spend three weeks manually testing one application and call it VAPT. Both are technically correct; the value to the buyer is very different.
The clarifying question every buyer should ask before signing an engagement letter: how much of the engagement is automated scanning, how much is manual testing, and what specifically will the manual testing cover. Codesecure proposals always answer these three questions up front.
Vulnerability Assessment: Defined
Vulnerability Assessment is the systematic identification of known weaknesses in IT systems using automated scanners. The tooling has matured over decades: Nessus (Tenable), Qualys, Rapid7 InsightVM, OpenVAS/Greenbone (open source), Acunetix (web), Burp Suite Pro Scanner (web), and many others. These tools run thousands of plugin checks per scan, identify known CVEs mostly by matching advertised version banners (or, in credentialed scans, installed package versions and configuration) against a vulnerability database, and produce a finding list with CVSS base scores.
VA strengths: very fast (a 1000-host network scans in hours), very broad (everything in the IP range scope), low cost per asset, repeatable (can run weekly or daily), and excellent for known-vulnerability inventory. VA weaknesses: high false-positive rate (distributions backport security fixes without changing the advertised version, so a banner match does not prove the vulnerable code is present), no business-context understanding, misses business-logic flaws, misses chained attack paths, misses authorisation flaws, and misses anything that requires reasoning rather than signature matching.
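The false-positive mechanism above, as an added example (not code from the article or from any scanner product): an unauthenticated banner check flags a host because the advertised upstream version predates the fix, while a credentialed check of the installed package revision shows the distro backport already carries it. The vulnerability record, the hosts and the `deb9uN` revision scheme are constructed for illustration; the identifier is a placeholder rather than a real CVE, and the revision comparison is deliberately simplified compared with a real distro-aware comparator such as dpkg's.

```python
"""Added example: why banner-only version matching produces false positives."""
import re
from typing import Optional

# Constructed record: a hypothetical flaw fixed upstream in OpenSSH 7.5 and
# backported by the (hypothetical) distro into package revision ...+deb9u4.
VULN = {
    "id": "EXAMPLE-SSH-0001",           # placeholder identifier, not a real CVE
    "fixed_upstream": (7, 5),           # first upstream version without the flaw
    "backport_fixed_in": ("deb9", 4),   # (suite tag, update counter) carrying the fix
}

BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(.*))?$")
DPKG_RE = re.compile(r"-\d+\+(deb\d+)u(\d+)$")


def parse_banner(banner: str) -> Optional[tuple]:
    """Return the (major, minor) advertised in an SSH identification string, or None."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_check(banner: str) -> str:
    """Unauthenticated scanner logic: vulnerable if the advertised upstream
    version is older than the fix. This is all a remote scan can see."""
    ver = parse_banner(banner)
    if ver is None:
        return "unknown"
    return "vulnerable" if ver < VULN["fixed_upstream"] else "not_vulnerable"


def credentialed_check(dpkg_version: str) -> str:
    """Authenticated check: read the installed package revision (as `dpkg -s`
    would report it) and compare the distro update counter with the backport."""
    m = DPKG_RE.search(dpkg_version)
    if m is None:
        return "unknown"
    suite, update = m.group(1), int(m.group(2))
    if suite != VULN["backport_fixed_in"][0]:
        return "unknown"   # different suite: this record says nothing about it
    return "not_vulnerable" if update >= VULN["backport_fixed_in"][1] else "vulnerable"


def triage(banner: str, dpkg_version: str) -> str:
    """Combine both views the way a VA programme should before raising a ticket."""
    remote, local = banner_check(banner), credentialed_check(dpkg_version)
    if remote == "vulnerable" and local == "not_vulnerable":
        return "false_positive"          # banner stale, fix actually present
    if remote == "vulnerable" and local == "vulnerable":
        return "confirmed"
    if remote == "vulnerable":
        return "needs_manual_review"     # banner flagged, nothing to corroborate
    return "not_flagged"


# Constructed hosts: two share a banner but differ in installed revision.
HOSTS = {
    "web-01": ("SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7", "1:7.4p1-10+deb9u7"),  # patched by backport
    "web-02": ("SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2", "1:7.4p1-10+deb9u2"),  # genuinely vulnerable
    "bastion": ("SSH-2.0-OpenSSH_8.2", "8.2-1"),                                # built from upstream
}


def triage_all(hosts: dict = HOSTS) -> dict:
    """Verdict per host name."""
    return {name: triage(banner, pkg) for name, (banner, pkg) in hosts.items()}


if __name__ == "__main__":
    for host, verdict in triage_all().items():
        print(f"{host:8} {verdict}")
```

The point for scoping a VA programme: a banner-only scan of these three hosts reports two vulnerable systems, and only one of them is. Enabling credentialed scanning, or at least routing banner-only "vulnerable" verdicts to manual review, is what keeps the weekly finding list honest.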
Penetration Testing: Defined
Penetration Testing is the manual exploitation of vulnerabilities by skilled consultants, with the explicit objective of demonstrating real impact (compromised data, escalated privilege, lateral movement to crown jewels). The tester thinks like an attacker, chains findings, exploits business-logic flaws, and produces a narrative timeline of compromise.
PT strengths: finds business-logic flaws scanners cannot identify, chains findings to demonstrate real impact, calibrates severity to the actual environment (not just the CVSS base score), produces a convincing PoC for engineering team buy-in, surfaces authorisation flaws (IDOR, BOLA) that scanners miss, and gives a realistic adversarial perspective. PT weaknesses: slower (engagements run days to weeks, not minutes), narrower (consultant time is finite), more expensive per finding, and consultant skill varies (a junior consultant pentest is much less valuable than a senior consultant pentest).
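Why a scanner misses an authorisation flaw while a tester finds it, as an added example (not code from the article or from any product). The in-memory invoice API, the session tokens and the record IDs are constructed for illustration. The vulnerable handler authenticates the caller but never checks that the caller owns the requested object; the fixed handler adds the object-level check. A signature-based scanner driving one session sees a well-formed 200 from both versions; only a test that reasons about two identities and swaps the object ID tells them apart.

```python
"""Added example: IDOR/BOLA is invisible to a single-session scanner."""
from dataclasses import dataclass
from typing import Callable

# Constructed data: two tenants, one invoice each, two valid session tokens.
INVOICES = {
    101: {"owner": "alice", "amount": 1200},
    102: {"owner": "bob", "amount": 9800},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: dict


def get_invoice_vulnerable(token: str, invoice_id: int) -> Response:
    """Authentication only: any logged-in user can read any invoice (IDOR)."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404, {"error": "not found"})
    return Response(200, inv)


def get_invoice_fixed(token: str, invoice_id: int) -> Response:
    """Object-level authorisation: the caller must own the record."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    inv = INVOICES.get(invoice_id)
    # 404 rather than 403 so that valid IDs belonging to other tenants are not confirmed
    if inv is None or inv["owner"] != user:
        return Response(404, {"error": "not found"})
    return Response(200, inv)


Handler = Callable[[str, int], Response]


def scanner_view(handler: Handler) -> bool:
    """What a single-session scanner observes: one authenticated request, a
    well-formed 200 with the expected JSON shape. True means 'looks healthy'."""
    r = handler("tok-alice", 101)
    return r.status == 200 and "amount" in r.body


def pentester_check(handler: Handler) -> bool:
    """Manual test: two identities, swap the object ID, compare the results.
    Returns True if a cross-tenant read succeeds, i.e. the IDOR is present."""
    bobs_own = handler("tok-bob", 102)
    cross = handler("tok-alice", 102)     # alice requests bob's invoice
    return bobs_own.status == 200 and cross.status == 200 and cross.body == bobs_own.body


if __name__ == "__main__":
    for name, h in (("vulnerable", get_invoice_vulnerable), ("fixed", get_invoice_fixed)):
        print(f"{name:10} scanner says healthy: {scanner_view(h)}  IDOR found by tester: {pentester_check(h)}")
```

Both handlers pass `scanner_view`; only the vulnerable one fails `pentester_check`. That is the whole argument for manual testing of authorisation: the flaw is a missing comparison, not a signature, and nothing in a single response reveals it.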
Output Differences: List vs Narrative
VA output is a list. Hundreds or thousands of CVE-tagged findings, each with CVSS base score, affected hosts, and reference links. The remediation team triages, prioritises, and patches. The list grows and shrinks weekly as scans repeat and patches close findings.
PT output is a narrative plus a finding catalogue. The narrative describes how the consultant moved from initial reconnaissance to demonstrated impact, with specific steps reproducible by the engineering team. The finding catalogue documents each issue exploited, with CVSS environmental score (calibrated to the actual environment), proof-of-concept screenshots or video, and concrete remediation guidance.
The difference matters for engineering team adoption. A 1000-finding scanner CSV is overwhelming and often ignored. A 15-finding pentest report with PoC and prioritised remediation is actionable and gets fixed.
Cost and Time Differences
VA: a single comprehensive external network scan of 100 hosts runs INR 50,000 to 1.5 lakh as a one-off or 5,000 to 15,000 per month as a managed service. Internal network with similar size, slightly higher. Continuous VA with proper management runs 10 to 30 percent of full SOC cost.
PT: a single web application pentest engagement runs INR 3 to 7 lakh, taking 2 to 3 weeks. Internal network pentest with Active Directory runs INR 4 to 9 lakh, taking 2 to 4 weeks. Cloud pentest runs INR 4 to 10 lakh, taking 2 to 3 weeks. Continuous PT (built into release cycle, focused weekly engagement) is priced as a retainer typically INR 3 to 8 lakh per month.
The cost ratio of PT to VA is roughly 10 to 20 times per unit of coverage; the value per finding is skewed at least as strongly the other way. Run both; they are complementary, not competitive.
Compliance Requirements for Each
PCI DSS is the clearest example: quarterly internal and external vulnerability scans (the external scan by an Approved Scanning Vendor), plus penetration testing at least annually and after any significant change. Separate engagements, separate evidence categories, all required.
ISO 27001 and SOC 2 expect regular vulnerability management (continuous or near-continuous VA) plus periodic penetration testing (typically annual). The frameworks do not prescribe the exact cadence; auditors expect to see a documented programme with evidence.
The RBI Cyber Security Framework requires annual VAPT for regulated entities, with the report retained for inspection; IRDAI, the SEBI cyber security framework and NCIIPC sector-specific guidance carry similar expectations. The DPDP Act's Section 8 duty to take reasonable security safeguards is broadly interpreted to include VAPT for organisations at scale.
In practice: any Indian organisation past mid-size needs both VA and PT operating on appropriate cadences. The mix and frequency vary by sector and regulator.
Common Misconceptions
'A pentest is just a scan plus a report.' No. A real pentest is manual work by a skilled consultant. If the deliverable looks like a scanner export with consultant comments added, it was a scan plus a report, not a pentest.
'CVSS Critical means we should panic.' Not necessarily. The CVSS base score describes the vulnerability in isolation; it does not account for exposure, reachability or the value of the data on the affected host. A CVSS 9.8 vulnerability on a system with no internet exposure and no sensitive data is a lower operational priority than the same flaw on an internet-facing system holding customer data. A pentest helps calibrate severity to the actual environment, which is exactly what the CVSS environmental metrics exist for.
'We did a pentest last year; we are covered.' No. The threat landscape, your own systems, and the attacker toolset have all changed since last year. Annual pentest is the minimum baseline; semi-annual or continuous is what mature organisations run on critical systems.
'We can use VA findings as pentest evidence.' No. Auditors and customers distinguish between automated scanning evidence and manual penetration testing evidence. Both have their place; one does not substitute for the other.
Frequently Asked Questions
Do I need VA, PT or both?
Both. VA gives continuous broad coverage of known vulnerabilities at low cost. PT gives periodic deep coverage with real attacker perspective. They cover different gaps; neither replaces the other.
How often should I run each?
VA: continuous or near-continuous (weekly minimum, daily for production). PT: annual for general organisations, semi-annual or continuous for high-risk components or organisations with frequent deployments.
Are VA tools or pentesters more important?
Both are necessary for different jobs. Without VA tools, the surface coverage is impossible to maintain. Without pentesters, the deep findings that actually matter never surface. A balanced programme uses both.
How do I know if a vendor is delivering real PT or just scan output?
Ask: how many consultant hours of manual testing per asset; what is the seniority of the lead consultant; how many findings did your last engagement of similar scope produce that were chained or business-logic; can you share a redacted sample report. Real pentest vendors answer all four cleanly.
Can the same vendor do both VA and PT?
Yes. Most Indian VAPT vendors deliver both, often packaged together. Codesecure provides VA and PT as integrated engagements with shared scoping, unified reporting and compliance mapping.
What does a real pentest cost compared to a VA?
Roughly 10 to 20 times more per scope unit. A network VA of 100 hosts: INR 50,000 to 1.5 lakh. A network pentest of the same scope: INR 4 to 9 lakh. Different products, different value, both needed.
Run VA and PT That Both Actually Work
Codesecure delivers managed vulnerability assessment plus manual penetration testing as integrated engagements for Indian businesses. ISO/IEC 27001:2022 certified delivery, named OSCP consultants, fixed-price proposals, free retest within 90 days.