
VAPT vs penetration testing vs vulnerability assessment: the actual differences

B9ITS VAPT Practice 02 May 2026 10 min read Beginner

In every fifth Indian RFP we receive, the buyer uses "VAPT", "pen test", and "vulnerability assessment" interchangeably. They are not interchangeable. They produce different work, different deliverables, and different prices — and ordering the wrong one is the most common scoping mistake in Indian information security buying.

1. Vulnerability assessment (VA) — breadth, not depth

A vulnerability assessment is the systematic enumeration of known weaknesses across a defined surface. It is mostly automated. A scanner like Nessus, Qualys, Nexpose or OpenVAS hits the target, fingerprints services, checks each one against a CVE database, and produces a list. A human reviewer triages the false positives, normalises severities, and writes a report.

VA answers the question: "Which publicly-known vulnerabilities, today, are present on these assets?"

It is the right choice when you have a large surface (a /16 IP range, a thousand endpoints, a SaaS estate) and need a fast, recurring read on patch hygiene. It is the wrong choice when the target is a single application with custom business logic — because scanners cannot reason about your auth flow, your access control, or your business rules.

2. Penetration test — depth, not breadth

A penetration test is a focused, manual, goal-oriented attempt to compromise a defined target. A pentester does not stop at "this is a known vulnerability" — they prove it is exploitable in your environment, chain it with other findings, and report the impact of a real attack path.

Penetration tests answer the question: "What can an attacker actually achieve in this system?"

A network pen test will escalate from an unauthenticated foothold to Domain Admin. A web app pen test will pivot from an IDOR to a full account takeover. An API pen test will combine a BOLA, a missing rate limit, and a weak password reset to harvest the user table. None of this comes out of a scanner.

3. VAPT — the Indian term that bundles both

"VAPT" is the term you see in Indian RBI circulars, SEBI directions, CERT-In advisories, Indian government tenders, and almost every Indian InfoSec job description. It stands for Vulnerability Assessment and Penetration Testing — and that "and" is doing a lot of work.

In Indian regulatory practice, VAPT means: "do the breadth scan, then do a manual penetration test on top of it, and combine the results into one report." That is the deliverable the RBI's Cyber Security Framework and SEBI's CSCRF expect. It is the deliverable a Stage 2 ISO 27001 auditor asks to see under Annex A 8.8 (management of technical vulnerabilities).

So when an Indian buyer says "we need VAPT", they are usually right — they need both. The mistake is treating the "VA" component as the whole thing, accepting a scanner PDF, and calling it a pen test.
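What "combine the results into one report" looks like in practice, as an added example (not B9ITS tooling and not code from this article): the scanner list from section 1 is deduplicated across tools and normalised onto one severity scale, reviewer-confirmed false positives are dropped, and the manual findings from section 2 are layered on top, either upgrading a scanner entry to "exploited" or adding a finding no scanner could produce. The two-scanner output, the pentester's findings, the CVE identifiers (placeholders) and the false-positive list are all constructed for the example; the severity bands are the CVSS v3 qualitative scale.

```python
"""Merge a breadth (VA) scanner list with depth (PT) findings into one VAPT report.
Added example; all findings below are constructed, CVE ids are placeholders."""

# Scanner-native labels differ between tools (one says 'moderate', another 'medium'),
# so every finding is mapped onto one five-step scale before anything is combined.
SEVERITY_BY_LABEL = {
    "critical": "Critical", "high": "High", "medium": "Medium", "moderate": "Medium",
    "low": "Low", "info": "Informational", "informational": "Informational",
    "none": "Informational",
}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def severity_from_cvss(score):
    """CVSS v3.x qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def normalise(finding):
    """Prefer the CVSS score when the scanner gives one; otherwise map its label."""
    if finding.get("cvss") is not None:
        return severity_from_cvss(finding["cvss"])
    return SEVERITY_BY_LABEL[finding["severity"].lower()]


def consolidate(va_findings, pt_findings, false_positives=()):
    """Return one sorted VAPT findings list.

    VA entries are deduplicated on (host, id) across scanners, keeping the more
    severe rating when tools disagree. Reviewer-marked false positives are dropped.
    A PT finding that 'confirms' a VA id upgrades that entry to exploited status;
    PT findings with no scanner counterpart (logic flaws, chains) are added as
    manual findings.
    """
    merged = {}
    for f in va_findings:
        key = (f["host"], f["id"])
        if key in false_positives:
            continue
        sev = normalise(f)
        entry = merged.setdefault(key, {
            "host": f["host"], "id": f["id"], "title": f["title"],
            "severity": sev, "status": "Reported by scanner", "sources": [],
        })
        entry["sources"].append(f["scanner"])
        if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = sev
    for p in pt_findings:
        key = (p["host"], p.get("confirms"))
        if p.get("confirms") and key in merged:
            merged[key]["status"] = "Exploited during PT: " + p["impact"]
            # Proven exploitation outranks a scanner's estimate.
            if SEVERITY_RANK[p["severity"]] > SEVERITY_RANK[merged[key]["severity"]]:
                merged[key]["severity"] = p["severity"]
        else:
            merged[(p["host"], p["title"])] = {
                "host": p["host"], "id": None, "title": p["title"],
                "severity": p["severity"], "status": "Manual finding: " + p["impact"],
                "sources": ["pentester"],
            }
    return sorted(merged.values(), key=lambda e: -SEVERITY_RANK[e["severity"]])


# Constructed sample input: two scanners over the same hosts, then the manual test.
VA_FINDINGS = [
    {"scanner": "scanner-A", "host": "10.0.0.5", "id": "CVE-PLACEHOLDER-1",
     "title": "Outdated SSH daemon", "cvss": 7.5, "severity": "high"},
    {"scanner": "scanner-B", "host": "10.0.0.5", "id": "CVE-PLACEHOLDER-1",
     "title": "Outdated SSH daemon", "cvss": None, "severity": "moderate"},
    {"scanner": "scanner-A", "host": "10.0.0.7", "id": "CVE-PLACEHOLDER-2",
     "title": "TLS 1.0 enabled", "cvss": None, "severity": "low"},
    {"scanner": "scanner-A", "host": "10.0.0.9", "id": "CVE-PLACEHOLDER-3",
     "title": "Web server version disclosure", "cvss": 5.3, "severity": "medium"},
]
PT_FINDINGS = [
    {"host": "10.0.0.5", "confirms": "CVE-PLACEHOLDER-1", "title": "Outdated SSH daemon",
     "severity": "Critical", "impact": "unauthenticated foothold chained to Domain Admin"},
    {"host": "portal.example.com", "confirms": None, "title": "IDOR on invoice endpoint",
     "severity": "High", "impact": "any customer's invoices readable by any user"},
]
# Reviewer triage: the banner on 10.0.0.9 is a back-ported build, so this is noise.
FALSE_POSITIVES = {("10.0.0.9", "CVE-PLACEHOLDER-3")}

if __name__ == "__main__":
    for entry in consolidate(VA_FINDINGS, PT_FINDINGS, FALSE_POSITIVES):
        print(f"{entry['severity']:<13} {entry['host']:<20} {entry['title']} [{entry['status']}]")
```

The ordering rule is the point: the same SSH finding appears once, not twice, and it leads the report as Critical because the pentester proved the path, while the IDOR sits beside it as a finding that never existed in the scanner output. A scanner PDF alone would have shown neither of those facts.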

4. Which one does your business actually need?

Situation                                        | Order this
-------------------------------------------------|----------------------------------------
Quarterly patch hygiene on 500 endpoints         | Vulnerability assessment (recurring)
Annual ISO 27001 / SOC 2 evidence requirement    | VAPT (combined)
Pre-launch test of a new customer portal         | Web application pen test
RBI Cyber Security Framework annual audit        | VAPT — application + network + API
Validation that your last fix actually closed the bug | Free retest (we include one)
Realistic "can someone breach us?" exercise      | Red team — not a pen test

5. Writing a VAPT scope that is not vague

The five things to specify, in order:

  1. Asset list. URLs, IP ranges, mobile app bundle IDs, API base URLs. With versions.
  2. Test type per asset. Web pen test, network VA + PT, mobile MASVS-L2, API VAPT.
  3. Access level. Black-box, grey-box, white-box. Number of user roles to provide.
  4. Compliance overlay. ISO 27001, RBI CSF, SEBI CSCRF, DPDP, PCI DSS, SOC 2 — pick one.
  5. Re-test policy. Free retest after fixes? After how many days? On which findings?

If your RFP answers those five questions, you will get comparable quotes. If it does not, you will get a price range of 3× across vendors — and the cheapest one will be running a scanner.
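A mechanical way to apply the five-point checklist before an RFP goes out, as an added example (not a B9ITS tool and not code from this article): the scope is represented as a small dictionary, and each of the five fields is checked for the specific gaps that make quotes incomparable: an asset that is a description rather than a URL, CIDR range or bundle id, a missing version, an unrecognised test type, no access level or no role count, more than one compliance overlay, or a retest clause with no window or findings scope. The scope format, the accepted test-type names and both sample scopes are assumptions for the example.

```python
"""Check a VAPT scope against the five fields a quotable RFP needs.
Added example; the scope dictionary layout and the two sample scopes are constructed."""
import re

# Test-type names as they appear in this guide's list (assumed spelling, matched case-insensitively).
TEST_TYPES = {"web pen test", "network va + pt", "mobile masvs-l2", "api vapt",
              "vulnerability assessment"}
ACCESS_LEVELS = {"black-box", "grey-box", "white-box"}
OVERLAYS = {"ISO 27001", "RBI CSF", "SEBI CSCRF", "DPDP", "PCI DSS", "SOC 2"}

# Asset identifier shapes a scope should contain: a URL, an IPv4 host or CIDR range,
# or a dotted mobile bundle id. Free-text descriptions match none of them.
ASSET_PATTERNS = [
    re.compile(r"^https?://\S+$"),
    re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$"),
    re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$"),
]


def validate_scope(scope):
    """Return a list of human-readable gaps; an empty list means the RFP is quotable."""
    gaps = []
    assets = scope.get("assets") or []
    if not assets:
        gaps.append("1. asset list: no assets given")
    for i, asset in enumerate(assets, 1):
        ident = asset.get("id", "")
        if not any(p.match(ident) for p in ASSET_PATTERNS):
            gaps.append(f"1. asset list: asset {i} ({ident!r}) is not a URL, IP/CIDR or bundle id")
        if not asset.get("version"):
            gaps.append(f"1. asset list: asset {i} has no version")
        if (asset.get("test_type") or "").lower() not in TEST_TYPES:
            gaps.append(f"2. test type: asset {i} has no recognised test type")
    access = scope.get("access") or {}
    if access.get("level") not in ACCESS_LEVELS:
        gaps.append("3. access level: must be black-box, grey-box or white-box")
    elif access["level"] != "black-box" and not access.get("roles"):
        gaps.append("3. access level: grey-/white-box scope must state how many user roles are provided")
    overlays = scope.get("compliance") or []
    if len(overlays) != 1 or overlays[0] not in OVERLAYS:
        gaps.append("4. compliance overlay: pick exactly one of " + ", ".join(sorted(OVERLAYS)))
    retest = scope.get("retest") or {}
    if "days" not in retest or "scope" not in retest:
        gaps.append("5. re-test policy: state the window in days and which findings are retested")
    return gaps


# Constructed: the kind of scope that yields a 3x price spread across vendors.
VAGUE_SCOPE = {
    "assets": [{"id": "our customer portal", "test_type": "VAPT"}],
    "access": {},
    "compliance": ["ISO 27001", "SOC 2"],
    "retest": {"days": 30},
}

# Constructed: the same engagement written so that quotes are comparable.
GOOD_SCOPE = {
    "assets": [
        {"id": "https://portal.example.com", "version": "release 4.2", "test_type": "Web pen test"},
        {"id": "203.0.113.0/24", "version": "inventory of 2026-04-30", "test_type": "Network VA + PT"},
        {"id": "com.example.portal", "version": "2.8.1 (Android)", "test_type": "Mobile MASVS-L2"},
    ],
    "access": {"level": "grey-box", "roles": 2},
    "compliance": ["RBI CSF"],
    "retest": {"days": 30, "scope": "all findings rated Medium and above"},
}

if __name__ == "__main__":
    for name, scope in (("vague", VAGUE_SCOPE), ("good", GOOD_SCOPE)):
        gaps = validate_scope(scope)
        print(f"{name}: {'quotable' if not gaps else str(len(gaps)) + ' gap(s)'}")
        for gap in gaps:
            print("  -", gap)
```

The vague scope fails all five points at once, which is exactly the RFP that gets one vendor quoting a manual web and network engagement and another quoting a scanner run. Running a check like this on the buyer's side costs a minute and removes the ambiguity that the cheapest bid relies on.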

The honest take

If you are an Indian business and unsure, default to VAPT. The combined methodology covers regulator language, satisfies most certification auditors, and produces both the breadth artifact (the VA list) and the depth artifact (the exploit narrative). A real practice will run both in the same engagement at no extra cost.

For an end-to-end methodology walk-through, see our approach. For the test plan we use on web applications, see the 47-test web application checklist.

Need a VAPT engagement scoped against this?

Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.


BERRY9 IT SERVICES — VAPT Practice

Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.