Vulnerability assessment & penetration testing

Manual, expert-led pentesting aligned to OWASP, PTES, NIST and CERT-In — by an Associate of (ISC)² and Certified Ethical Hacker out of India. Find what the scanners miss, before attackers do.

Scope domains: 7 · Exploitation: Manual · Methodology: CERT-In · Re-test: Included
End-to-end methodology

The anatomy of a RingSafe pentest.

Five disciplined phases — aligned to NIST SP 800-115, OWASP, MITRE ATT&CK and PTES. Testing only begins after a signed Rules-of-Engagement, and every engagement ends with a live engineering debrief and a one-page board summary.

Our methodology

  1. Recon · Reconnaissance: Passive & active footprinting, OSINT, and attack-surface mapping — after a signed RoE.
  2. Scan · Discovery: Service enumeration, version mapping, and vulnerability discovery across the agreed scope.
  3. Exploit · Exploitation: Manual exploitation with working proof-of-concept — no false positives, no scanner noise.
  4. Post-exploit · Impact: Lateral movement, privilege escalation, and documented blast-radius proofs.
  5. Report · Report & re-test: Board-ready summary, developer-ready remediation, a live debrief, and a free re-test.

What is included

Full-scope offensive testing.

Every VAPT engagement blends automated discovery with deep manual exploitation. You receive a reproducible attack narrative — not a Nessus export renamed as a report.

  • Web application testing (OWASP Top 10 & ASVS L2/L3)
  • REST & GraphQL API penetration testing
  • Mobile application testing (Android & iOS, MASVS)
  • External network & perimeter assessment
  • Internal network & lateral movement testing
  • Active Directory & Kerberoasting assessment
  • Cloud infrastructure review (AWS, Azure, GCP)
  • Authenticated business-logic exploitation
  • CVSS v3.1 scoring with business-impact narrative
  • Proof-of-concept exploits and screen captures
  • Developer-ready remediation guidance
  • Free re-test within 30 days of fixes

Engagement sizes

Three common shapes.

Every quote is scoped case-by-case against your environment, regulatory context, and timeline. Fixed-price once scope is agreed — no retainers, no surprise invoices.

Starter
  • 1 web application, up to 50 dynamic pages
  • OWASP Top 10 + authenticated role testing
  • Black-box and grey-box coverage
  • CVSS-scored findings report
  • Developer remediation guidance
  • 1 free re-test within 30 days
  • Timeline: 2 weeks end-to-end

Enterprise
  • Full infrastructure & perimeter testing
  • Internal network with AD exploitation
  • Multi-cloud configuration review
  • Web, API, and mobile estate coverage
  • Phishing & social engineering (optional)
  • Assumed-breach scenario testing
  • Board-ready strategic report
  • Quarterly retainer option
  • Timeline: 6–10 weeks

Deliverables

What you actually receive.

Artefacts you can hand to engineers, leadership, auditors, and customers on day one after delivery.

Executive summary

A one-page board briefing with risk posture, critical findings, and a 90-day remediation recommendation.

Technical findings report

CVSS v3.1 scored issues with reproduction steps, HTTP requests, screenshots, and impact narratives.

Remediation playbook

Per-finding fixes with code snippets, configuration samples, and compensating controls mapped to OWASP.

Attestation letter

A formal letter you can share with enterprise customers, auditors, and procurement teams.

CSV finding tracker

A finding tracker that imports cleanly into Jira, Linear, or GitHub Issues.

Re-test certificate

Once fixes are validated, you receive a signed re-test certificate confirming closure of critical issues.

Frequently asked

VAPT questions.

Straight answers on scope, pricing, timelines, and deliverables.

How much does a VAPT cost in India?

RingSafe VAPT starts at ₹85,000 for a single web application, ₹2,50,000 for a combined web-API-mobile engagement, and ₹6,00,000+ for full-stack enterprise red-team style engagements. All prices are fixed-scope and exclude GST.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is automated tooling output. A penetration test is a human-led exercise where an expert attempts to chain findings into real impact: account takeover, data extraction, privilege escalation. RingSafe engagements always include manual testing.

How long does a VAPT take?

A Starter web application engagement runs 2 weeks. Professional engagements covering web, API, and mobile run 4 to 5 weeks. Enterprise engagements with internal network, Active Directory, and cloud coverage run 6 to 10 weeks depending on scope.

Do you sign NDAs and follow Rules of Engagement?

Yes. Every engagement starts with a signed NDA and a formal Rules of Engagement document specifying scope, targets, test windows, out-of-scope assets, and emergency contacts. Testing never begins until both are counter-signed.

Will testing affect production systems?

We favour staging or UAT wherever possible. Where production testing is required, we coordinate test windows, throttle aggressive techniques, and maintain a real-time rollback channel with your operations team.

Do you provide a re-test after we fix the findings?

Yes. Every engagement includes at least one free re-test within 30 days (Starter) or 60 days (Professional). Enterprise engagements include re-test passes through to closure.

Is the report acceptable for SOC 2, ISO 27001, and customer audits?

Yes. Our report format is recognised by SOC 2 auditors, ISO 27001 certification bodies, and enterprise procurement teams. You also receive a formal attestation letter for customer-facing sharing.

Do you test against DPDP Act and Indian regulatory requirements?

Yes. Findings are mapped to DPDP obligations, CERT-In directions, and RBI guidelines where relevant. This is especially useful for fintech, healthtech, and data-fiduciary organisations.