## 01. What VAPT actually is
Vulnerability Assessment and Penetration Testing (VAPT) is a dual exercise: vulnerability assessment systematically catalogues weaknesses in scope, while penetration testing attempts controlled exploitation to prove which weaknesses an attacker could leverage and what they could reach.
Think of it as the difference between a list of unlocked doors and a recorded video of someone walking in. Buyers often confuse the two and end up with a glorified Nessus scan when they needed evidence.
## 02. Types of pen tests
Different scopes solve different problems. Match the type to the question you're trying to answer:
- Web Application: One or more web apps, including authenticated and unauthenticated flows. Best for SaaS / fintech / customer portals.
- Mobile Application: Android and/or iOS clients, plus backend APIs. Required if you have native apps in production.
- API: Standalone REST/GraphQL/gRPC endpoints. Often bundled with web app testing.
- Network / Infrastructure: Internal or external IP ranges. Tests OS, services, and network segmentation.
- Cloud Configuration Review: AWS / Azure / GCP IAM, network controls, storage. Different skill from network pen testing.
- Red Team: Goal-driven adversary simulation. Months of effort, requires clear rules of engagement.
- Wireless: Wi-Fi and Bluetooth in physical spaces. Niche, only relevant for offices / retail.
- Social Engineering / Phishing: Tests human controls, not just technical ones. Authorise carefully.
## 03. Scoping the engagement
Bad scoping is the #1 reason VAPT engagements fail. Two common mistakes:
- Too narrow — testing one URL when the real risk is the API powering it
- Too broad — "test everything" engagements that produce shallow coverage everywhere
Good scoping starts with a threat model. Ask: which systems hold our crown-jewel data, and what is the worst thing an external attacker could do? Scope to that.
### Inputs you'll need
- List of in-scope URLs / IPs / API endpoints
- Number of user roles to test (admin, customer, partner, etc.)
- Authentication mechanism (SSO? MFA? API keys?)
- Test model and depth: black-box (no information, surface only), grey-box (credentials provided), or white-box (credentials + source)
- Out-of-scope items (third-party services, production data exfiltration, etc.)
- Re-test scope: do you want a free re-test after fixes?
Use our free scope calculator to estimate effort, or download the 10-page scoping worksheet.
## 04. Pricing in the Indian market
Indian VAPT pricing varies dramatically by vendor tier and scope. The market splits roughly into 4 bands:
| Tier | Typical scope | Indicative cost | Best for |
|---|---|---|---|
| Boutique / Solo | 1 web app, 5 days effort | ₹50K – ₹1.5L | Early-stage startups |
| Small specialist | Web + API + mobile, 10-15 days | ₹2L – ₹5L | Series A SaaS, fintech |
| Mid-tier consulting | Multi-app + cloud + reporting, 20-30 days | ₹5L – ₹12L | Mid-market enterprises |
| Big-4 / global | Programme-level engagements | ₹15L+ | BFSI, large enterprises |
Two pricing patterns to watch for:
- Day-rate billing (₹15K – ₹50K per consultant per day) — common for boutique vendors. Flexible, but can balloon if scope creeps.
- Fixed-price project — predictable but the vendor may scope shallowly to protect margin.
## 05. Methodology to expect
A reputable VAPT vendor follows a recognised methodology. Ask which one(s) they use:
- OWASP Testing Guide — for web applications
- OWASP MASVS / MASTG — for mobile applications
- OWASP API Security Top 10 — for API testing
- NIST SP 800-115 — technical security testing baseline
- PTES (Penetration Testing Execution Standard) — full lifecycle coverage
- MITRE ATT&CK — for red team and adversary simulation
"We use a custom methodology" is a yellow flag. Real vendors map their work to these standards because compliance auditors and regulators expect to see them referenced in reports.
## 06. Timeline & milestones
For a typical mid-scope SaaS engagement (web + API + 2 user roles):
- Week 0: Kickoff, scope freeze, credentials provisioned, ROE signed
- Week 1-2: Reconnaissance + automated scanning + initial manual testing
- Week 3: Deep manual testing, exploit chain development, business-logic review
- Week 4: Reporting, debrief call, remediation guidance
- Week 6-8: Free re-test of fixed findings
## 07. What deliverables to demand
The report is the artifact. Insist on:
- Executive summary — 1 page, board-readable, business-impact framed
- Methodology section — what was tested, what wasn't, what techniques were used
- Findings catalogue — each finding with: title, severity (CVSS), evidence (screenshots / requests), reproduction steps, business impact, remediation recommendation, references
- Exploit narratives — at least the critical findings should walk through the full attack chain in plain English
- Risk matrix — visual heatmap of severity vs likelihood
- Compliance mapping — findings mapped to relevant standards (DPDP §8(5), PCI-DSS, ISO 27001 controls, etc.)
- Re-test letter — formal confirmation of which findings were fixed
## 08. Vendor selection checklist
Before signing:
- Have you seen at least one redacted sample report?
- Do they have relevant certifications (OSCP, OSWE, CRTO, GIAC, CEH for entry tier)?
- Can they share 2-3 client references in your sector?
- Are they registered (CIN, GST, PAN)?
- Do they have professional indemnity insurance?
- What's their data handling policy for findings, screenshots, and PoCs?
- Where are findings stored during the engagement, and for how long after?
- Will they sign your NDA, or do they require theirs?
- What's the escalation path if they discover an active compromise?
## 09. Red flags to avoid
- "We can do it in 2 days for ₹25K" — that budget buys an automated scan, not a pen test
- No sample report shown before contract — the report is the product
- Scope written by the vendor, not by you — the vendor will only test what's profitable for them
- "Certified by [unfamiliar acronym]" — Google the cert; if it's not on the OSCP / OSWE / CRTO / SANS list, treat as marketing
- No mention of methodology
- Re-test costs extra — most reputable vendors include 1 round free
- Reluctance to sign NDA
## 10. In-house vs vendor
Most Indian SMEs and mid-market companies don't need an in-house pen test team. The economics work for vendors at this scale:
- Hire a vendor when: You need 1-4 engagements per year, want compliance-grade reports, need diverse skill sets (web + mobile + cloud), and don't have headcount budget for senior pen testers (₹25-60L+ CTC each).
- Build in-house when: You're a 500+ engineer org with continuous deployment, need hourly turnaround on findings, have regulated workloads requiring on-call security partners, can justify 3+ senior pen-tester salaries.
## 11. Legal & compliance
Three documents to have:
- Master Services Agreement (MSA) — covers liability, IP, data handling, indemnity
- Statement of Work (SOW) — engagement-specific scope, timeline, fees, deliverables
- Rules of Engagement (ROE) — what's allowed, prohibited, who to call if something breaks
Under India's IT Act 2000 §43, unauthorised access is a civil offence, and a commercial contract on its own does not make testing authorised: your ROE is the consent document that records exactly what the tester may do. Under DPDP Act 2023 §8(5), you remain the Data Fiduciary and the pen tester is a Data Processor, so sign a DPA addendum.
## 12. Next steps
If you're scoping a VAPT engagement now:
- Use our VAPT Scope Calculator to ballpark effort and price
- Download the scoping worksheet to capture inputs structurally
- Compare 2-3 vendors using the checklist in section 08
- If you'd like a second opinion on a vendor proposal, book a 30-min call — we'll review at no cost