Pricing for VAPT in India varies by a factor of ten across vendors for the same scope. This is not a market inefficiency — it reflects ten different things being sold under the same label. Here is an honest account of what drives the price, with real 2026 INR and USD ranges.
The four cost drivers
- Scope size. Number of endpoints, number of user roles, number of business workflows.
- Depth. Scanner output (1 day) vs manual exploitation (5–15 days) vs red team (20–40 days).
- Engineer seniority. Fresher with a CEH (under USD 30/hr) vs OSCP/OSCE (USD 80–150/hr) vs OSEP/CRTO (USD 150–250/hr).
- Compliance overlay. Plain VAPT vs RBI/SEBI/PCI/SOC 2 reporting requires extra documentation and attestation overhead.
Real 2026 ranges — Indian market
| Engagement | Scanner-only | Manual VAPT | Premium (OSCP+) |
|---|---|---|---|
| Web app (1 app, 2 roles) | ₹25–60k | ₹1.2–2.5 lakh | ₹3–6 lakh |
| API (≤30 endpoints) | ₹20–50k | ₹1.0–2.0 lakh | ₹2.5–5 lakh |
| Mobile (iOS + Android) | ₹40–80k | ₹1.8–3.2 lakh | ₹4–8 lakh |
| External network (/24) | ₹15–40k | ₹80k–1.5 lakh | ₹2–4 lakh |
| Internal network (/16) | ₹50k–1 lakh | ₹2.5–5 lakh | ₹6–12 lakh |
| Source code review (50k LOC) | — | ₹2–4 lakh | ₹5–10 lakh |
| Red team (4-week) | — | — | ₹10–25 lakh |
For context, B9ITS engagements start at USD 500 (₹42,000) for a focused scope, and the typical Indian SME web-app VAPT lands in the ₹1.5–2.5 lakh band. Premium pricing applies when the asset is complex (microservices), the compliance overlay is heavy (RBI CSF, SEBI CSCRF), or the seniority requirement is hard (red team, banking infra).
What the scanner-only column actually buys you
Scanner-only is a category that exists because regulators historically accepted a Nessus or Acunetix PDF as evidence. Some still do. What the scanner cannot find:
- Anything in your business logic (the discount-stacking race, the coupon replay, the wrong-tenant data).
- Access control bugs (IDOR, BOLA, privilege escalation between roles).
- Authentication chain weaknesses (JWT alg confusion, password-reset replay).
- Any second-order vulnerability (where the trigger is in feature A but the impact is in feature B).
- SSRF in URL fetchers, blind XXE, race conditions, prototype pollution gadgets.
It will find: unpatched CVEs on exposed services, default credentials, expired certs, missing security headers. Useful — and the right artifact for a quarterly cycle — but never sufficient as your annual VAPT.
What manual VAPT actually buys you
The 1.5–3 lakh band buys a 5–10 working-day engagement with one or two engineers, threat-modelled scope, manual exploitation, chained findings, business-logic testing, an engineer-written report with reproducible steps, and a re-test after your fixes.
This is the sweet spot for most Indian businesses and the band we recommend defaulting to unless there is a specific reason to scale up or down.
What premium pricing buys you
- OSCP / OSCE / OSEP / CRTP / CRTO certified engineers.
- Adversary-emulation engagements (red team, purple team, assumed-breach).
- Specialty work: automotive, OT/ICS, hardware, embedded firmware.
- Custom reporting against frameworks such as MITRE ATT&CK, NIST SP 800-115, and PCI DSS 4.0.
Three things that should not affect the quote
- Whether you are in Hyderabad or anywhere else in India. Modern VAPT is remote-first. Geography should not change the number.
- Whether you have a "well-known" brand. Some vendors discount on logo value. The engineering cost does not.
- Whether they include the re-test. A free retest after your fixes should be table stakes. If a vendor charges for it, walk away.
Any Indian VAPT quote below ₹40,000 for a real web application is a scanner run with a logo on the PDF. Any quote above ₹6 lakh for a single small web app, with no red-team or compliance overlay, is overpriced. The middle is honest.
To get an exact quote for your specific scope, tell us what the asset is and we will come back within 24 hours.
Need a VAPT engagement scoped against this?
Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.
BERRY9 IT SERVICES — VAPT Practice
Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.