
What is VAPT? A Complete Guide for Indian Businesses

VAPT (Vulnerability Assessment and Penetration Testing) is the foundation of any serious cybersecurity programme. It is also one of the most misunderstood services in the Indian market, with wildly different definitions, scopes and price points sold under the same name. Here is the complete plain-English guide so you can scope, buy and act on VAPT with confidence.

Published 23 May 2026 | 9 min read | Codesecure Security Team

Key Takeaways

  • VAPT is the combination of vulnerability assessment (find weaknesses) and penetration testing (exploit them to demonstrate real risk).
  • VA is broad and shallow, automated, fast, low-cost. PT is narrow and deep, manual, slow, more expensive. Most engagements need both.
  • VAPT covers web apps, APIs, mobile apps, networks (external + internal), cloud, Active Directory, IoT, source code, wireless and the human attack surface.
  • Indian regulators (RBI, SEBI, IRDAI, NCIIPC, the DPDP Act through reasonable security safeguards) expect annual VAPT for any organisation processing personal or financial data at scale.
  • Cost in India: a single-application engagement typically runs INR 3 to 10 lakh. Multi-environment programmes scale up; continuous VAPT is priced as a retainer.

What VAPT Actually Means

VAPT stands for Vulnerability Assessment and Penetration Testing. It is the practice of systematically discovering security weaknesses in IT systems (Vulnerability Assessment) and then attempting to exploit those weaknesses to demonstrate real impact (Penetration Testing). The combination gives a complete picture: what is exposed, what can actually be exploited, what the business consequence would be, and how to fix it.

VAPT is the foundational external check on a security programme. Internal teams know their systems intimately and often have blind spots about their own choices. External VAPT brings fresh eyes, attacker tooling, and the explicit objective of breaking in. The combination of internal hygiene plus external VAPT is what separates security theatre from defensible security.

Indian businesses adopt VAPT for several reasons: customer security questionnaires require it, regulators (RBI, SEBI, IRDAI, NCIIPC) require it, ISO 27001 and SOC 2 auditors expect it, cyber insurance underwriters increasingly require it, and (most importantly) it produces actionable findings that materially reduce breach risk.

VA vs PT: The Core Difference

Vulnerability Assessment uses automated scanners (Nessus, OpenVAS, Qualys, Rapid7 InsightVM, Acunetix, Burp Suite Pro automation) to enumerate known weaknesses across a large scope quickly. The output is a list of CVE-tagged findings with CVSS scores. VA is broad, fast and inexpensive. It misses everything that requires reasoning (chained attack paths, business-logic flaws, authorisation issues that scanners cannot identify).

Penetration Testing adds manual exploitation by skilled consultants. The tester thinks like an attacker, chains findings together, exploits business-logic flaws, demonstrates real data exposure, and produces a narrative timeline of how a real adversary would compromise the system. PT is narrow, slow and more expensive. It finds the issues that matter most because it confirms exploitability, not just presence.

Engagement Types: Black Box, Grey Box, White Box

  • Black box: the tester starts with zero internal information, just like an external attacker. Realistic but slow, because reconnaissance consumes engagement time.
  • Grey box: limited information (user credentials, basic architecture). The most common engagement type because it balances realism with efficient use of consultant time.
  • White box: full access to source code, architecture documents and credentials. The most thorough; common for source-code review and high-risk applications.

Most Indian SMBs run grey-box engagements; security-critical industries (banking, healthcare) often run white-box on production-critical components.


What VAPT Covers

Modern VAPT extends well beyond traditional network and web app scope. The major engagement types in our practice:

  • Web application pentest: customer portals, admin dashboards, SaaS products. OWASP Top 10 methodology plus business logic.
  • API security audit: REST, GraphQL, gRPC, SOAP. OWASP API Security Top 10.
  • Mobile application pentest: iOS and Android, including reverse engineering, runtime hooking, secure storage testing.
  • External network pentest: internet-facing IP and DNS footprint.
  • Internal network pentest: assumed-compromise from inside the network, lateral movement, privilege escalation.
  • Active Directory pentest: BloodHound graph analysis, Kerberoasting, ACL abuse, AD CS abuse.
  • Cloud configuration audit: AWS, Azure, GCP, with IAM, network, storage and logging review.
  • Source code review: SAST plus manual review, supplements DAST findings.
  • IoT pentest: firmware, hardware debug, radio protocols, cloud backend.
  • Wireless pentest: WPA2 / WPA3, evil twin, BLE / Bluetooth, captive portal.

The VAPT Process: Step by Step

A standard VAPT engagement runs in five phases over 2 to 5 weeks depending on scope.

Phase 1: Scoping and Pre-Engagement (Week 0)

Identify in-scope and out-of-scope assets, choose engagement type (black / grey / white box), agree testing windows, exchange contact lines, provision test accounts and VPN access, sign engagement letter. Skipping this phase is the most common cause of engagement delays.

Phase 2: Reconnaissance and Discovery (Days 1 to 3)

Map the attack surface. For external network: subdomain enumeration, port scanning, technology fingerprinting. For web app: spider the application, identify functionality, role boundaries, API endpoints. For AD: enumerate users, groups, computers via BloodHound. Reconnaissance accuracy drives the depth of subsequent testing.

Phase 3: Vulnerability Assessment (Days 3 to 5)

Automated scanning across the discovered surface, enriched with manual verification of every scanner hit. The output is a triaged list of confirmed findings, with false positives removed and severity calibrated to the customer environment.

Phase 4: Penetration Testing and Exploitation (Days 5 to 12)

Manual exploitation of vulnerabilities, chaining of findings, demonstration of real impact (data exfiltration in lab, privilege escalation, lateral movement). Authorisation flaws, business-logic flaws, and IDORs surface in this phase.

Phase 5: Reporting and Re-Test (Days 12 to 17)

Executive summary, full finding catalogue with CVSS scoring and PoC, compliance mapping (ISO 27001, SOC 2, PCI DSS, RBI, DPDP), prioritised remediation roadmap. After customer remediation, free re-test within 90 days confirms fixes.

Who Needs VAPT in India

Regulatory drivers: banks and NBFCs (RBI annual minimum), payment aggregators (RBI plus PCI DSS), insurers (IRDAI annual minimum), stock exchanges and intermediaries (SEBI), critical infrastructure (NCIIPC), any Data Fiduciary processing personal data at scale (DPDP Section 8 reasonable security safeguards interpreted to expect VAPT).

Commercial drivers: customer security questionnaires from enterprise customers (annual VAPT report is the universal answer), ISO 27001 and SOC 2 audit evidence, cyber insurance underwriting (more insurers requiring recent VAPT as policy condition), partner and platform integration requirements (Apple, Google, Microsoft, Salesforce all ask for security attestation), pre-funding diligence for startups (VC and PE diligence now includes security review).

In practice: every Indian business above 10 employees handling customer data should have an annual VAPT in the budget. The cost is small relative to the risk reduction, the audit value and the commercial unlock.


How Often Should You Do VAPT?

Baseline: annual minimum for any organisation in scope of RBI, SEBI, IRDAI, NCIIPC, ISO 27001, SOC 2 or PCI DSS. Plus any time a material change occurs (new product, major architectural change, cloud migration, M&A, significant infrastructure refresh).

Mature programmes: semi-annual or quarterly cadence on production-critical components (customer-facing apps, payment flows, regulated data systems) plus annual full-estate engagement. Most progressive Indian fintechs and SaaS companies operate continuous VAPT (testing built into the release cycle, with focused engagement quarterly or as needed).

Continuous VAPT is becoming the norm for any organisation deploying weekly or daily. The annual-snapshot model leaves too much time between assessments for new vulnerabilities to accumulate. Codesecure offers both annual and continuous engagement models.

VAPT Cost Factors in India

VAPT pricing in India is driven by scope (number of applications, network size, account count), engagement type (black / grey / white box), depth (light scanning to deep manual testing), consultant seniority, and reporting requirements (basic versus compliance-mapped). Typical price ranges in 2026:

  • Single web application or API engagement: INR 3 to 7 lakh.
  • Single mobile application: INR 3 to 6 lakh.
  • External network (under 50 hosts): INR 2 to 4 lakh.
  • Internal network with AD (mid-size): INR 4 to 9 lakh.
  • Single-cloud configuration audit plus pentest: INR 4 to 10 lakh.
  • Multi-environment annual programme for a mid-size SaaS: INR 15 to 40 lakh.

Lowball quotes (under INR 1 lakh for a web app pentest) usually mean automated scan with a generic report. Codesecure publishes fixed-price proposals after a 30-minute scoping call so customers know exactly what they get.


Frequently Asked Questions

What is the difference between VA and PT?

VA is automated scanning for known vulnerabilities, fast and broad. PT is manual exploitation by skilled consultants, slow and deep. Most engagements need both; doing only VA misses business-logic and chained issues, doing only PT covers too narrow a surface.

How long does a VAPT take?

A standard single-application or single-network engagement runs 2 to 3 weeks end to end (1 to 2 weeks active testing plus 3 to 5 days reporting). See our companion blog 'How long does VAPT take' for engagement-type-specific timelines.

What is in a VAPT report?

Executive summary, scope and methodology, risk summary, compliance mapping (ISO 27001, SOC 2, PCI DSS, RBI, DPDP), detailed findings with CVSS scoring and PoC, remediation guidance, and re-test plan. See our 'What does a VAPT report look like' blog for the section-by-section walkthrough.

Do regulators in India require VAPT?

Yes, in most regulated sectors. RBI for banks and NBFCs, IRDAI for insurers, SEBI for capital markets, NCIIPC for critical infrastructure, and DPDP Section 8 reasonable security safeguards broadly interpreted across all sectors. Annual VAPT is the baseline expectation.

Is VAPT enough, or do I need more?

VAPT is the foundation but not the entire programme. A complete security programme also includes ISMS implementation (ISO 27001), monitoring and detection (SOC, SIEM, EDR), incident response readiness, vendor management, awareness training and regular tabletop exercises. VAPT validates the result; the rest builds and operates the controls.

Can Codesecure do my VAPT?

Yes. Codesecure delivers VAPT across web, API, mobile, network, cloud, AD, IoT, wireless, source code and thick client. ISO/IEC 27001:2022 certified delivery, named OSCP / CEH / CISSP consultants, fixed-price proposals, free retest within 90 days. Get in touch for a scoping call.


Codesecure Security Team

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers VAPT, SOC, compliance (ISO 27001, SOC 2, DPDP, HIPAA, PCI DSS, RBI, IRDAI), incident response and managed security across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.
