
How Much Does a VAPT Cost in India? A 2026 Pricing Guide

Manish Garg, Associate CISSP · RingSafe
April 19, 2026
7 min read

“How much does a VAPT cost?” is the wrong question. The right question is: what am I trying to prove, to whom, and what would make their answer credible? Once you have that, pricing becomes a short conversation, not a guessing game. Indian VAPT quotes in 2026 range from ₹25,000 to ₹25,00,000 for engagements a vendor might describe with the same three-letter acronym. Some of them are genuinely different products. Some of them are the same product with different markup. Here is how to tell which is which.

The honest pricing bands in India, 2026

These are the bands we see in the Indian market across hundreds of RFPs. Every number below is for a single-scope engagement — one web application, one API, or one mobile app. Multi-scope engagements scale roughly linearly until you hit enterprise-volume discounts.

Band 1: ₹25,000 – ₹60,000 — the automated-scan tier

At this price point, you are not buying a penetration test. You are buying the output of an automated vulnerability scanner — usually Nessus, OpenVAS, or Burp’s automated scan — reformatted into a branded PDF. The provider will call it a VAPT because the market calls it a VAPT, but no human spent meaningful time reading your application.

Who this is for: very early-stage startups whose enterprise buyer’s questionnaire asks only “do you have a VAPT report?” with no requirement on depth. You will satisfy the checkbox. You will not find real vulnerabilities, because scanners cannot reason about authorization, business logic, or multi-step attack chains — which is where the serious findings live.

What you get: 10–30 pages of CVSS-scored findings, many false positives, almost no business-logic findings. If you must engage at this tier, be explicit with your buyer that this is an automated assessment, not a manual pentest — and do not rely on the output as a security posture statement to your own board.
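The claim above, that a scanner cannot reason about authorization, is easiest to see in code. The following is an added illustration (not RingSafe's tooling and not code from the original article) with constructed in-memory records and two hypothetical handlers: one with the classic IDOR the later section mentions (any authenticated user can read any customer's record) and one with an object-level ownership check. A signature-style scanner, which looks at one user's responses for error text and status codes, reports both as clean; the two-user comparison a manual tester runs is what surfaces the finding.

```python
"""Why an automated scan misses broken object-level authorization (IDOR),
and what a manual, authorization-aware test does differently.

Constructed example: records, users and handlers are in-memory stand-ins,
not a real application or any vendor's scanner.
"""
from dataclasses import dataclass

# Constructed sample data: two tenants, one record each.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}


@dataclass
class Response:
    status: int
    body: str


def get_record_vulnerable(user: str, record_id: int) -> Response:
    """Looks the record up by id only. Any authenticated user can read any
    record: the cross-customer read a cheap scan-only report will not list."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404, "not found")
    return Response(200, rec["body"])


def get_record_fixed(user: str, record_id: int) -> Response:
    """Same lookup plus an object-level ownership check."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        # Answer 404 rather than 403 so the endpoint does not confirm the id exists.
        return Response(404, "not found")
    return Response(200, rec["body"])


def scanner_verdict(handler) -> str:
    """Mimics what a signature-based scanner can observe: it calls the endpoint
    as a single user and pattern-matches on status codes and error text.
    It has no notion of who *should* be allowed to read record 101."""
    resp = handler("alice", 101)
    if resp.status >= 500 or "Traceback" in resp.body or "SQL" in resp.body:
        return "finding"
    return "clean"


def manual_idor_test(handler) -> str:
    """What a human tester does: request the same object as two different
    users and compare. Bob's record being served to Alice is the finding."""
    as_owner = handler("bob", 102)
    as_other = handler("alice", 102)
    if (as_owner.status == 200 and as_other.status == 200
            and as_owner.body == as_other.body):
        return "finding"
    return "clean"


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_record_vulnerable),
                          ("fixed", get_record_fixed)):
        print(f"{name:10s} scanner={scanner_verdict(handler):7s} "
              f"manual={manual_idor_test(handler)}")
```

Run as a script it prints one line per handler; the scanner column reads "clean" for both, the manual column reads "finding" only for the vulnerable handler. That gap is what the price difference between Band 1 and Band 2 is paying for.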

Band 2: ₹75,000 – ₹2,50,000 — the competent boutique tier

This is where most Indian SaaS startups and mid-sized SMEs should be. A single-scope engagement (web app + its API, or one mobile app with backend) run by a senior tester over 5–15 billable days, grey-box, with a real manual methodology. The upper end of this band gets you two testers for additional coverage depth.

Who this is for: seed-to-Series-B SaaS companies, healthtech and fintech startups below the ₹50 Cr revenue threshold, D2C platforms handling payment flows, and any product company whose customers are starting to ask security questions. Also fits most internal-audit use cases for ISO 27001 and SOC 2 readiness.

What you get: 15–30 findings written by a human, attack chain narratives, reproducible evidence (not just screenshots), a tester who will jump on a call to walk your engineers through the hard ones, and a retest included within 30 days. Reports in this band are typically 40–80 pages.

Band 3: ₹3,00,000 – ₹12,00,000 — the multi-asset or deep-scope tier

Multiple assets tested in one engagement — web + API + mobile, or a full cloud environment with internal network testing — run by a team of 2–4 testers over 20–40 days. Or a single asset tested deeply over an extended timeline with specialty skills (financial calculation logic, HSM-integrated flows, ML inference pipelines).

Who this is for: Series B+ SaaS companies, fintech at scale, any company processing payment-card data under PCI DSS 4.0, healthtech handling ABDM integrations, and anyone with a compliance-forced scope that is genuinely large (RBI-regulated banking integrations, SEBI-regulated trading infrastructure).

What you get: multi-disciplinary findings across infrastructure, application, and process; architecture-level recommendations, not just finding-level fixes; compliance sign-off documentation in the format auditors expect. Reports typically 80–200 pages.

Band 4: ₹15,00,000+ — the enterprise-brand tier

Big Four consulting firms, large Indian ISMS consultancies, and multinational audit firms. The technical work underneath is often executed by the same 3–5 senior testers you would hire in Band 2 or 3 — sometimes they are the same testers, subcontracted. The premium pays for brand, methodology documentation, indemnity coverage, and the confidence of a procurement team that needs to defend the engagement to a board.

Who this is for: enterprises with procurement rules that disqualify vendors below a certain revenue threshold; regulated entities whose auditors specifically want a Big Four stamp; any situation where the political weight of the report matters more than the finding count.

What you get: strong documentation, weaker depth-per-rupee than Band 2 or 3, a branded cover page that procurement will accept without question.

What actually drives cost

Six variables drive 90% of the price delta between any two quotes. When you compare proposals, make the vendors answer each of these explicitly — in writing. Discrepancies across vendors on these dimensions almost entirely explain price differences.

1. Scope size and complexity

Number of endpoints, number of user roles, number of authentication flows, number of external integrations, presence of business-critical logic (payments, document signing, KYC). A “simple B2B SaaS dashboard with admin and user roles” and a “multi-tenant platform with five role types, embedded payments, and a third-party marketplace” are not the same engagement at the same price.

2. Depth of testing methodology

A 5-day engagement produces different findings than a 15-day engagement on the same scope. Manual business-logic testing, chained-exploit construction, source code review — each extends the engagement by days and cost by lakhs. Ask vendors to commit to tester-days in writing, not “up to X days” language that commits them to nothing.

3. Tester seniority

A tester with 7 years of experience and OSCP+OSWE bills at 3–5× the rate of a CEH with 1 year of experience. The difference in findings is larger than the difference in hourly rate: measured in findings per rupee, a cheap pentest staffed with juniors costs more than one run by a senior tester.

4. Compliance overhead

PCI DSS ASV scans have a specific format. SOC 2 evidence has specific wording. ISO 27001 auditors want specific mappings. Generating those artefacts adds 15–30% to engagement cost. Vendors who omit this and charge less are pushing the compliance mapping work onto you.

5. Retest policy

Unlimited retests within a 30-day window add cost to the initial engagement but save far more on the back end. “Retests billed separately at hourly rate” looks cheaper on paper and costs more in practice, because every finding you fix triggers an invoice.

6. Report quality

A report that your engineers will act on and your auditors will accept takes 3–5 days to write well. A templated report with search-and-replace finding descriptions takes 4 hours. The price gap on the report alone can be ₹1–3 lakh, and the delta is visible on page one of the deliverable.

Hidden-cost anti-patterns

Four vendor-pricing patterns to watch for when you compare quotes:

  • “Up to” pricing. “Engagement of up to 10 tester-days at ₹1,20,000.” This commits the vendor to 1 day if they feel like it. Convert every quote to fixed tester-days before comparison.
  • Retest as a separate line item. Quoted separately, it looks optional. In practice, every finding-to-fix cycle will generate an invoice. Bundled unlimited retest within 30 days is the market norm — accept nothing less.
  • Travel and on-site charges. Still quoted by firms that remember 2018. Reject; all testing is remote unless you have airgapped infrastructure, in which case it is a different engagement entirely.
  • “Discovery phase” as a separate engagement. Some firms bill ₹50,000–₹2,00,000 for a “scoping phase” before the real engagement. This is architecture review work that should be a 2-hour call included in the engagement. Refuse.

What to negotiate — and what not to

Do negotiate on payment terms (30–60 day net, milestones on kickoff and report delivery), on retest windows (45 or 60 days instead of 30), on additional findings handled through the shared channel without new contracts, and on knowledge-transfer debriefs with your engineering team.

Do not negotiate on tester-days down from the vendor’s scoped estimate, on seniority of the tester, on retest inclusion, or on evidence archive delivery. Firms that agree to cut these are either padding their estimates (which raises questions about their baseline) or reducing work invisible to you.

The cheapest quote is rarely cheap

A ₹40,000 VAPT from a firm that generates a Nessus export will pass an uninformed buyer’s compliance check. It will not find the IDOR that lets a customer read another customer’s records, the broken JWT validation that lets any authenticated user escalate to admin, or the race condition in your refund endpoint that lets a determined attacker drain your treasury. When those findings surface later — often in a breach notification or a cancelled enterprise deal — the cost math flips.

The honest mid-market answer for Indian SaaS in 2026: expect to pay ₹1–2.5 lakh for a single-scope, senior-tester, manual, grey-box engagement. Expect to pay ₹5–10 lakh for a multi-asset engagement. Below ₹75,000, something is missing that matters. Above ₹15 lakh, something is being priced that is not testing.

Where RingSafe prices

We operate in Band 2 for most startup engagements and Band 3 for mid-market. Our standard scoping process is a 30-minute call, a written scope proposal within 48 hours with fixed tester-days and a fixed price, and a written commitment to the specific tester who will run the engagement. Book a scoping call and we will walk through what your scope should look like and what the honest price range is — whether you ultimately engage us or not.
