VAPT Readiness Checklist
for Indian Buyers
Twenty practitioner-grade questions to find out if you are ready to procure a Vulnerability Assessment and Penetration Test — or whether you will waste a third of your budget. No email gate.
20 questions · 5 minutes · Score band on completion
Answer Honestly. No One Is Watching.
Five sections, twenty yes/no questions. Click Yes only if you could confidently defend that answer in front of an auditor. Your score is revealed at the bottom once you have answered all twenty.
Scoping & Asset Inventory
You cannot test what you have not catalogued. Get the boundary right before you talk to vendors.
Test Strategy & Compliance
The wrong methodology produces a useless report. Lock these calls before procurement.
Vendor Selection
Most VAPT disappointments trace back to vendor due-diligence shortcuts in the first week.
Pre-Test Logistics
Skipping these turns a VAPT engagement into an incident — or wastes 30% of the budgeted hours.
Post-Test Capacity
A report you cannot act on is a wasted line item. Plan remediation capacity before you start.
Your VAPT readiness score
Three Bands. Three Plays.
You are not ready to procure a VAPT. A test now will produce findings you cannot act on, and you will still fail the next compliance audit. Spend 4 to 6 weeks on scoping, asset inventory, and remediation capacity first.
You can run a VAPT, but you will leave value on the table. Close the open items in the next 30 days, then proceed. Plan a tighter SOW with explicit business-logic and authorisation testing requirements.
Go to RFP. Demand methodology disclosure, sample reports, and named-consultant credentials in the response. Negotiate re-testing into the base SOW. Budget 30% of test cost for remediation capacity.
Common Questions
How long should a VAPT engagement actually take?
A typical Indian SME web-app VAPT runs 8 to 12 working days per asset for grey-box manual testing. A 5-app portfolio with one mobile app and one external network range is realistically a 6 to 8 week calendar engagement, including re-testing.
What is a fair price range for an Indian mid-market VAPT?
For one customer-facing web app plus an API in 2026, expect ₹2,50,000 to ₹6,00,000 from a competent specialist firm. Below ₹1,50,000 you are getting an automated-scanner report. Above ₹10,00,000 you are paying Big-4 overhead, not better testing.
Do we really need OSCP-certified testers?
You need at least one OSCP, OSWE, or CRTO-credentialled lead on the engagement. These are the credentials with proctored hands-on exams that signal real exploitation skill. Vendor-issued internal "certifications" tell you nothing.
How often should we re-test?
Annually as a baseline, plus after any major architectural change, new payment integration, or merger and acquisition. RBI-regulated entities must follow the testing cadence prescribed by the RBI Cyber Security Framework (CSF). Significant Data Fiduciaries under the DPDP Act should plan quarterly reviews of high-risk assets.
What is the difference between this checklist and the buyer's guide?
This checklist diagnoses readiness in 5 minutes. The 50-page buyer's guide explains the why behind every line, gives sample SOWs, scoring rubrics, ROE templates, day-rate benchmarks, and worked pricing for 5 archetypes. Use the checklist to triage; use the guide to procure.
Skip the Vendor Roulette. Get a Defensible VAPT.
A 30-minute consultation. Walk away with a scoped SOW outline, a fair price band for your environment, and three vendor evaluation criteria specific to your sector.
No sales pitch. Responds within 24 hours.