Free Resource · VAPT Procurement

VAPT Scoping Worksheet for Indian Buyers

The 10-page fill-in template we use to scope every Vulnerability Assessment and Penetration Test engagement. Prevents underscoping, surprise add-ons, and low-value reports. Send it to any VAPT vendor — if they do not ask you clarifying questions in response, they are sizing a generic engagement, not yours.

10 pages · Fillable PDF · CC-BY-ND licensed for internal use

Why this worksheet exists

A bad VAPT scope is the single biggest reason pentest reports deliver disappointing value. The asset list is wrong, the objectives are vague, the rules of engagement are missing, and three weeks in, the testing team is chasing assets that should have been excluded on day one.

This worksheet forces the conversation that should happen before a vendor quotes you. Fill it once and send it to your shortlist. The responses you get back will tell you which provider actually understands your environment — and which one is running a playbook.

What's inside the 10 pages

Ten sections that cover the full lifecycle

From boardroom context to tester sign-off. Every field is filled by someone on your side — which is the point.

1. Business context: industry, regulators, prior-test history, decision-makers, 24x7 contacts.

2. Scope of assets: web apps, APIs, mobile, network, cloud tenants, Active Directory, each in a structured table.

3. Test objectives: rank 8 objectives by priority. Forces you to decide what the test is actually for.

4. Methodology preferences: black/grey/white box, OWASP ASVS level, credential provisioning, social engineering allowances.

5. Schedule and operational constraints: testing hours, blackout periods, prod-vs-staging rules, rate limits.

6. Rules of engagement: 8-point checklist covering destructive actions, credential use, daily check-ins, data handling.

7. Reporting requirements: formats, severity frameworks, retest policy, compliance attestation, debrief calls.

8. Budget and contracting: MSA, NDA, GSTIN, payment terms, liability cap. The commercial side most worksheets skip.

9. Vendor evaluation scorecard: 9 criteria × 3 vendors side-by-side. Certifications, sample report quality, scoping-call depth, references.

10. Sign-off: stakeholder signatures from sponsor, CISO, CTO, Legal, and vendor PM.

Download

Get the VAPT Scoping Worksheet

Enter your email to receive the fillable PDF, plus occasional practitioner briefings on VAPT procurement: scope templates, common vendor red flags, and sample redacted reports. Unsubscribe any time.


Prefer to skip the email? Download the PDF directly.

FAQ

Common Questions

Who is this worksheet for?

Anyone procuring a VAPT in India: CISOs, CTOs at SaaS startups, compliance leads working toward SOC 2 / ISO 27001 / DPDP, enterprise security managers running annual programs. If you are going to write a cheque for a penetration test, this document is the filter you put in front of vendors.

Can I share it inside my team?

Yes. The worksheet is released for free internal use. Fill it, pass it around your security and engineering leadership, and use it as the common artefact vendors quote against. Do not repackage or resell it.

Can I send the filled worksheet to RingSafe?

Yes. If you are evaluating RingSafe, email the completed worksheet to hello@ringsafe.in and we will respond with clarifying questions and a fixed-price quote within three working days. If we are not the right fit for your engagement, we will tell you so and recommend where else to look.

How is a filled worksheet different from a vendor RFP?

An RFP is a procurement artefact; it is optimised for comparability and rarely captures the technical reality of the test. This worksheet is a technical scoping tool — vendors cannot respond generically because the asset inventory, methodology, and rules of engagement are already fixed.

Do I need a separate worksheet for web app vs network tests?

No. The asset section handles web, API, mobile, network, cloud, and AD in one document. Leave sections blank where they are not relevant. Most enterprise tests span at least three of those categories anyway.

Need implementation help?

Want us to scope & run the test?

RingSafe runs fixed-scope, fixed-price VAPT engagements for Indian SaaS, fintech, and enterprise IT. Web, API, mobile, network, cloud, and Active Directory. Deliverable-led, retest included.
