VAPT · Vulnerability Assessment & Penetration Testing · India 2026

Everything about VAPT in India — in one place

VAPT (Vulnerability Assessment + Penetration Testing) is the core security testing discipline behind RBI / SEBI / IRDAI / DPDP audits, customer security questionnaires, and compliance for any Indian business that processes regulated data. This hub explains what VAPT is, who needs it, what scope to ask for, what to expect from a real engagement — and links to every RingSafe resource on the topic.

Scope domains: 7 · Methodology: CERT-In · Exploitation: Manual · Cadence: Annual
01 · Definition

What VAPT actually is

Vulnerability Assessment identifies weaknesses systematically — automated scans, configuration review, version checks. Penetration Testing goes further — a qualified human attempts to actually exploit the weaknesses, chain them, and demonstrate impact. The two are paired ("VAPT") because the assessment without exploitation often misses business-logic flaws and chained vulnerabilities, and exploitation without prior assessment is unsystematic.

VAPT done right produces a report a board, an auditor, and an engineering team can all use — with reproduction steps, business impact, prioritised remediation, and a re-test letter once findings are closed.

How a real engagement chains: Recon (map the surface) → Exploit (weaponise flaws) → Escalate (gain privilege) → Pivot (move laterally) → Impact (prove blast radius).

What VAPT is — and isn't

Most "VAPT reports" floating around the Indian market fail one of these tests. Use this as a buyer-side smell check before you sign a PO.

What VAPT IS

  • Manual exploitation by qualified humans, not just scanner output.
  • Actionable reporting — reproduction steps, business impact, prioritised fix list.
  • Annual minimum, plus re-tests after high/critical fixes and material changes.
  • A discipline that complements SAST/SCA/threat-modelling — not replaces them.
  • Re-test letter on auditor letterhead once findings are closed.

What VAPT IS NOT

  • Not a Nessus / Nikto / OpenVAS scan emailed back as a "report".
  • Not a 200-page PDF that the engineering team can't act on.
  • Not a one-time tickbox event — point-in-time only goes stale fast.
  • Not your whole security programme — it validates it, doesn't replace SDLC controls.
  • Not "compliance theatre" — if no fixes ship after the report, it had zero value.
02 · Audience

Who needs VAPT in India in 2026

  • RBI-regulated entities — banks, NBFCs, payment aggregators, NBFC-AAs (account aggregators). Annual VAPT mandated under the RBI Cyber Security Framework and the related RBI directions for each entity type.
  • SEBI Regulated Entities — stock brokers, RIAs, AMCs, MFs, depositories, KRAs. Annual VAPT under CSCRF; twice a financial year for MIIs (market infrastructure institutions).
  • IRDAI-licensed insurers — annual VAPT under cyber guidelines.
  • UIDAI / Aadhaar entities (AUA / KUA / Sub-AUA) — annual third-party audit including VAPT.
  • NPCI participants — UPI, IMPS, NACH; periodic security testing required.
  • SDFs under DPDP §10 — Significant Data Fiduciaries; independent data audit and DPIA expected.
  • SOC 2 / ISO 27001 / PCI DSS organisations — PCI DSS requires an annual penetration test (Requirement 11.4); SOC 2 and ISO 27001 auditors routinely expect a recent one as evidence that controls were tested.
  • SaaS selling to enterprise — customer security questionnaires almost always require a recent pen-test report.
03 · Scope
VAPT scope domains

What you can scope

Real VAPT covers seven distinct domains. A "comprehensive" VAPT is rarely all seven at once — typically 2-4 per engagement, scoped to actual exposure.

Web Application

OWASP Top 10, business-logic, authentication, authorisation, session, file uploads, race conditions.

Mobile (Android / iOS)

Static + dynamic analysis, certificate pinning bypass, IPC, secure storage, MASVS-aligned testing.

API

OWASP API Top 10, broken object-level auth, rate-limiting, mass assignment, GraphQL specifics.

Network (External / Internal)

Service enumeration, version vulnerabilities, default creds, misconfig, segmentation testing.

Cloud (AWS / Azure / GCP)

IAM misconfig, public-bucket / blob exposure, metadata service, IaC drift, key management.

Active Directory

Kerberoasting, AS-REP roasting, ACL abuse, GPO abuse, ADCS certificate-template misconfiguration, domain trust enumeration.

Red Team / Adversary Simulation

Goal-based, multi-vector, social-engineering optional, EDR-evasion, MITRE ATT&CK aligned.

04 · Resources
RingSafe VAPT resources

Everything you need to scope, run, and report a VAPT

Pillar-and-spoke navigation — services, guides, free tools, readiness, and deep-dive technical content.

Service

VAPT Services — Web, Mobile, API, Network, Cloud, AD

Practitioner-led VAPT engagements with manual exploitation, CERT-In-empanelled-style methodology, and audit-ready reporting.

See services →
Buyer's Guide

The VAPT Buyer's Guide for Indian Procurement Teams

How to scope, evaluate vendors, read a quote, and compare proposals. RFP template, red flags, pricing benchmarks.

Read the guide →
Readiness · 5 min

VAPT Readiness Checklist

Twenty practitioner-grade questions to test whether your environment is ready for a meaningful VAPT — or whether it'll surface noise.

Take the checklist →
Free Tool

VAPT Scope Calculator

Estimate days, vendor cost, and what your VAPT scope should cover based on your environment, regulatory drivers, and last test date.

Open the calculator →
Compliance

CERT-In April 2022 Direction

Log retention, time sync, designated POC, 6-hour incident reporting — and how VAPT timelines fit alongside.

Read the direction guide →
Sector · BFSI

RBI Cyber Framework — VAPT cadence

Annual VAPT mandated by the RBI Cyber Security Framework; what scope, who can audit, and what the report should look like.

Read the framework →
Sector · Capital Markets

SEBI CSCRF — Annual + manual exploitation

CSCRF expects annual VAPT with manual exploitation by CERT-In empanelled vendors; quarterly external scans alongside.

Read CSCRF →
Academy

Red Team Operations

Goal-based adversary simulation — beyond pen-test scope, with EDR-evasion, lateral movement, and ATT&CK-aligned reporting.

Open the module →
Web · Blog

SQL Injection in 2026 — Why It's Still in 40% of Pentests

Modern SQLi variants — blind, time-based, second-order, NoSQL, ORM injection — that still hit Indian web app audits.

Read →
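The second-order variant named in the blurb above is the one automated scanners miss most often, so here is a worked example of it, added for this page rather than taken from RingSafe or the linked post. The registration query is parameterised, so a first-order probe against it finds nothing; the password-change query later reads the stored username back and concatenates it, and the payload fires there. The schema, the `admin` row and the "hashes" are constructed for the demo (a real application would store a proper password hash, not a plain string):

```python
# Added example for this page (not RingSafe code, not from the linked post).
# Second-order SQL injection in miniature: the registration query is
# parameterised, so a first-order probe finds nothing; a later query trusts
# the value it reads back from the database and concatenates it. The schema,
# users and "hashes" are constructed for the demo.
import sqlite3


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL UNIQUE,
            pw_hash TEXT NOT NULL,
            is_admin INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO users (username, pw_hash, is_admin) VALUES ('admin', 'h_admin', 1);
    """)
    return con


def register(con: sqlite3.Connection, username: str, pw_hash: str) -> int:
    # Parameterised: the payload is stored inert, exactly as typed.
    cur = con.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", (username, pw_hash))
    con.commit()
    return cur.lastrowid


def change_password_vulnerable(con: sqlite3.Connection, user_id: int, new_hash: str) -> int:
    # The username now comes "from the database", so the developer treats it as
    # trusted and builds the UPDATE by string formatting. The stored payload fires here:
    #   UPDATE users SET pw_hash = '...' WHERE username = 'admin'--'
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    cur = con.execute(f"UPDATE users SET pw_hash = '{new_hash}' WHERE username = '{username}'")
    con.commit()
    return cur.rowcount


def change_password_safe(con: sqlite3.Connection, user_id: int, new_hash: str) -> int:
    # Same flow, but every value is bound, whatever its origin.
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    cur = con.execute("UPDATE users SET pw_hash = ? WHERE username = ?", (new_hash, username))
    con.commit()
    return cur.rowcount


def hash_of(con: sqlite3.Connection, username: str) -> str:
    return con.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()[0]


def run(vulnerable: bool) -> dict:
    """Register as admin'-- then reset 'our own' password; report whose hash changed."""
    con = setup()
    payload = "admin'--"
    attacker_id = register(con, payload, "h_attacker")
    change = change_password_vulnerable if vulnerable else change_password_safe
    change(con, attacker_id, "h_pwned")
    return {"admin": hash_of(con, "admin"), "attacker": hash_of(con, payload)}


if __name__ == "__main__":
    print("vulnerable:", run(True))   # admin's hash is overwritten, attacker's untouched
    print("safe:", run(False))        # only the attacker's own row changes
```

The point for a tester is that the injection point and the payload entry point are different requests, so finding it requires following data through storage rather than fuzzing one parameter at a time; the fix is the same as always, bind every value regardless of where it came from.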
Web · Blog

JWT Attacks in 2026 — alg:none, RS256-to-HS256

Seven JWT attack variants that still work in production: alg:none, algorithm confusion, weak HMAC, JWKS injection, kid injection.

Read →
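As an added example of the first variant in the blurb above (not RingSafe code and not from the linked post), the following stdlib-only verifier shows the alg:none flaw next to its fix: the server, not the token header, must decide which algorithm is acceptable. The secret, claims and tokens are constructed for the demo; the RS256-to-HS256 confusion, JWKS and kid variants need an RSA key pair and are not shown here:

```python
# Added example for this page (not RingSafe code, not from the linked post).
# A stdlib-only JWT check showing the alg:none flaw beside the fix:
# the server, not the token header, must decide which algorithm is valid.
# SECRET, the claims and the tokens are constructed for the demo.
import base64
import hashlib
import hmac
import json

SECRET = b"demo-secret-not-for-production"  # constructed demo key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issuer side: a properly signed HS256 token."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(payload: dict) -> str:
    """Attacker side: header claims alg=none and the signature segment is left empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_naive(token: str, key: bytes):
    """Vulnerable verifier: trusts whatever algorithm the header names."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        alg = str(header.get("alg", "")).lower()
        if alg == "none":                     # the bug: an unsigned token is accepted
            return json.loads(b64url_decode(p))
        if alg == "hs256":
            expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, b64url_decode(s)):
                return json.loads(b64url_decode(p))
    except ValueError:                        # bad segment count, base64 or JSON
        pass
    return None


def verify_pinned(token: str, key: bytes):
    """Hardened verifier: HS256 is pinned server-side; any other alg is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":      # exact, case-sensitive match
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:
        return None


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("legit token, pinned verifier :", verify_pinned(legit, SECRET))
    print("forged token, naive verifier :", verify_naive(forged, SECRET))   # accepted
    print("forged token, pinned verifier:", verify_pinned(forged, SECRET))  # None
```

During a test, the quick check is to re-submit a captured token with the header rewritten to `{"alg":"none"}` and the signature removed; a real verifier would also validate `exp`, `aud` and `iss`, which are omitted here to keep the algorithm point isolated.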
Cloud · Blog

AWS IAM Privilege Escalation — 7 Paths

From a leaked low-privilege key to administrator: CreateLoginProfile, AttachUserPolicy, PutUserPolicy, PassRole-Lambda, and more.

Read →
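To make the paths in the blurb above concrete, here is an added triage script (not RingSafe tooling, not the linked post's code) that reads an IAM policy document and reports which privilege-escalation primitives it grants: the four the blurb names (CreateLoginProfile, AttachUserPolicy, PutUserPolicy, PassRole into Lambda) plus well-known neighbours. The sample policy is constructed. Resource, Condition and NotAction are deliberately ignored, so this is a filter for deciding what to try manually during a cloud VAPT, not an authorisation evaluator:

```python
# Added example for this page (not RingSafe code, not the linked post's tooling).
# Triage an IAM policy document for privilege-escalation primitives. The policy
# below is constructed. Resource, Condition and NotAction are ignored on purpose:
# this decides what to exploit manually, it does not evaluate authorisation.
import fnmatch
import json

# Each entry lists the actions that must ALL be allowed for the path to exist.
PRIVESC_PATHS = {
    "iam:CreateLoginProfile": {"iam:CreateLoginProfile"},           # set a console password for another user
    "iam:UpdateLoginProfile": {"iam:UpdateLoginProfile"},           # change another user's console password
    "iam:CreateAccessKey": {"iam:CreateAccessKey"},                 # mint keys for a more privileged user
    "iam:AttachUserPolicy": {"iam:AttachUserPolicy"},               # attach AdministratorAccess to self
    "iam:PutUserPolicy": {"iam:PutUserPolicy"},                     # inline admin policy on self
    "iam:AttachRolePolicy": {"iam:AttachRolePolicy"},               # escalate a role you can already assume
    "iam:PutRolePolicy": {"iam:PutRolePolicy"},
    "iam:CreatePolicyVersion": {"iam:CreatePolicyVersion"},         # new default version of an attached policy
    "iam:UpdateAssumeRolePolicy": {"iam:UpdateAssumeRolePolicy"},   # let self assume a privileged role
    "iam:PassRole + lambda:CreateFunction": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "iam:PassRole + ec2:RunInstances": {"iam:PassRole", "ec2:RunInstances"},
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_allowed(policy: dict, action: str) -> bool:
    """True if some Allow statement matches the action and no Deny statement does.
    IAM action names are case-insensitive and support * and ? wildcards."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def find_privesc_paths(policy: dict) -> list:
    """Names of PRIVESC_PATHS whose required actions are all allowed by the policy."""
    return [name for name, required in PRIVESC_PATHS.items()
            if all(action_allowed(policy, a) for a in required)]


# Constructed sample: a "Lambda deployer" policy with a denied console-password action.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:*", "iam:PassRole", "iam:ListUsers", "iam:CreateLoginProfile"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateLoginProfile", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for path in find_privesc_paths(SAMPLE_POLICY):
        print("privesc path:", path)   # iam:PassRole + lambda:CreateFunction
```

Run it against the output of `aws iam get-policy-version` (or the inline policies from `get-user-policy`) for the principal whose key you hold; every hit is a candidate to confirm by hand, since an unexamined Resource ARN or Condition may still block the path.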
Mobile · Academy

Mobile Pentesting — Android + iOS

Static + dynamic analysis, Frida instrumentation, certificate pinning bypass, IPC, secure storage validation.

Open the module →
05 · FAQ
FAQ

VAPT — questions we get

How long does a VAPT take?

A typical web-app VAPT runs 5-10 working days for execution, plus 2-3 days for reporting and 1 day for re-test. Mobile, API, and cloud VAPTs are similar. Network external scope can be 3-5 days. Internal AD assessment 7-10 days. Red team engagements run 2-6 weeks depending on goals. The Scope Calculator gives you a more precise estimate based on your environment.

Should I hire a CERT-In empanelled vendor?

For RBI / SEBI / IRDAI / NCIIPC / NPCI workloads, yes — the relevant frameworks reference CERT-In empanelment, and SEBI's CSCRF requires it outright. For SOC 2 / ISO 27001 / customer-driven testing, empanelment is not strictly required; look instead for a credentialed firm with CISSP / OSCP / OSCE3 / CRTP staff and a quality-controlled methodology. RingSafe operates with CERT-In-empanelled-style methodology.

What's a fair price for a VAPT in India?

Web-app VAPT pricing for a moderate-complexity application typically ranges ₹1.5-4 lakh per application. Android + iOS ₹2-5 lakh combined. Cloud with an IAM deep-dive ₹2.5-5 lakh. Internal AD with lateral movement ₹5-8 lakh. Red team engagements ₹12-30 lakh. Lower than the bottom of these ranges usually means automated-only; higher than the top usually means brand premium. The Buyer's Guide explains how to evaluate quotes.

How often should we run VAPT?

Annual minimum is the regulatory floor. Material changes (major release, new infra, M&A) trigger an out-of-cycle test. High-risk customer-facing services often run quarterly external + annual internal. Re-test after high/critical findings are remediated, with a re-test letter for audit evidence.

Will VAPT find every vulnerability?

No. VAPT is point-in-time and time-boxed. It maximises coverage in the time available, but it doesn't substitute for SDLC security (SAST, SCA, threat modelling, code review) or runtime defences (WAF, EDR, monitoring). Use VAPT to validate your security programme, not to be your security programme.

What's the difference between VAPT and red team?

VAPT is breadth-first within a defined scope: find as many vulnerabilities as possible, demonstrate exploitability, prioritise. Red team is goal-driven: simulate a real adversary trying to achieve a specific objective (data exfiltration, ransomware impact, executive-account compromise) using whatever techniques are realistic, including social engineering and EDR evasion. Red team primarily tests detection and response; VAPT tests the preventive controls.

Do you provide a re-test letter?

Yes — re-test of high/critical findings within 30 days post-remediation is standard, with a signed re-test letter on auditor letterhead confirming the closure. Auditors expect this.

Can VAPT be done remotely?

Mostly yes — most external, web, mobile, API, and cloud VAPT is performed remotely with VPN access where needed. Internal AD assessments can be remote-via-VPN or via a hardware drop-box delivered to your facility. Physical / social-engineering scope of red team requires on-site presence.

Free 30-min scoping call

Need a real-world VAPT — not a tool dump?

Tell us your environment, regulatory drivers, and last test date. We'll come back with a scoped proposal and timeline within 48 hours. No sales pitch, practitioner-led.