VAPT vs. Penetration Testing — What's the Difference?

Published March 26, 2025 · 11 min read

CISOs ask "do we need a VAPT or a pentest?" almost every quarter. The two terms are often used interchangeably in RFPs, but they describe distinct activities with different scopes, deliverables, and price points. This article maps the differences against real audit frameworks (SOC 2, PCI DSS v4.0, ISO 27001:2022, DPDP Act 2023) so you can write a procurement spec that matches what you actually need — and avoid paying for a pentest when an auditor wanted a vulnerability assessment, or vice versa.

What VAPT actually means

VAPT — Vulnerability Assessment and Penetration Testing — is an umbrella term that bundles two distinct activities into one engagement. The vulnerability-assessment phase is breadth-first: authenticated and unauthenticated scans across the entire scope using tools like Nessus, Nuclei, OpenVAS, and Burp Suite Pro's active scanner. The penetration-testing phase is depth-first: chosen findings are weaponised into proofs-of-concept that demonstrate impact (data exfiltration, RCE, privilege escalation, lateral movement to a crown-jewel system).

The Indian regulator CERT-Inand the RBI's "Cyber Security Framework for Banks" specifically use the term VAPT in their advisories. If you operate in India and your auditor asks for VAPT, they want both phases documented, with executive summary, technical findings, CVSS v3.1 (or v4.0) scores, and retest evidence after remediation. CERT-In empanelled providers must follow the CERT-In empanelment guidelinesfor scope, methodology, and reporting format.

What "penetration testing" means in isolation

A standalone penetration test scopes a specific attack goal. The tester is given crown-jewel objectives — "prove you can read a row from customersin production" — and chains exploits to reach them. Scanners are used sparingly because noisy traffic burns SOC time and creates artefacts the test wants to control. Methodology follows PTES or OWASP WSTG for web, OWASP MASTG for mobile, OSSTMM for infra, and PTES for everything else. The report is narrative — it walks the kill chain so a non-technical reader can follow the impact story.

Side-by-side comparison

Methodology — what your tester actually does

A VAPT engagement typically follows this five-phase flow:

• Recon & asset discovery — Amass, Subfinder, port scanning, certificate transparency log monitoring, GitHub dorking for leaked secrets.
• Vulnerability scan — Nuclei + Burp + Nessus across all in-scope IPs and URLs, with authenticated coverage where credentials are provided.
• Manual validation — eliminate false positives, classify by CVSS v3.1, deduplicate against known issues.
• Exploitation — chosen findings converted to PoC (no destructive impact, no data exfiltration beyond proof).
• Reporting + retest — executive summary, technical detail, retest after fixes with diff against original findings.

# Typical VAPT recon stack
amass enum -d target.tld -active -o subs.txt
subfinder -d target.tld -all -o subs2.txt
sort -u subs.txt subs2.txt > all-subs.txt
httpx -l all-subs.txt -title -tech-detect -status-code -o live.txt
nuclei -l live.txt -severity medium,high,critical -o nuclei.txt
nmap -iL ips.txt -sV -sC -p- --min-rate 1000 -oA scan
nikto -h https://target.tld -Format json -o nikto.json

Audit framework mapping

Different compliance regimes require different evidence. Knowing which engagement satisfies which clause saves you from buying the wrong test and being told 60 days later by your auditor that the report does not meet the criterion.

Cost drivers

Pricing scales with asset count, complexity, and report rigour. A typical Indian SaaS VAPT for one web app + one API + 50 IPs runs INR 1.5-3 lakh. An e-commerce platform with 200+ endpoints, OAuth flows, payment integration, and PCI scope hits INR 5-8 lakh. A red-team engagement on a Tier-1 bank can cross INR 25 lakh. Other drivers:

• Authenticated coverage — auth flows multiply effort (every role has its own access matrix to test).
• API surface — REST per endpoint is cheap; GraphQL with introspection disabled requires schema reverse-engineering.
• Mobile — iOS + Android double the work; jailbroken / rooted analysis adds further days.
• Cloud config review — AWS / Azure / GCP misconfiguration sweeps with Prowler / ScoutSuite extend scope.
• Source-code-assisted (white-box) — adds 30-50% cost but typically finds 2-3x the issues.
• Retest cycles — first retest usually included; subsequent rounds billed.

Compare with our transparent pricing for a direct quote on AxVeil-managed engagements.

What a VAPT report should contain

1. Executive summary — risk in business language, board-readable.
2. Scope & out-of-scope — exact URLs, IPs, API endpoints, mobile builds, cloud accounts.
3. Methodology — references to PTES / OWASP WSTG / NIST SP 800-115 with deviations.
4. Findings — each with CVSS v3.1 vector, CWE ID, affected asset, reproduction steps, screenshots, recommended fix, and reference (CVE, OWASP, CIS).
5. Risk heat map — finding count by severity over the engagement.
6. Tooling appendix — versions of every scanner, manual proxy, exploit module used.
7. Retest results — original status, fix evidence, new status with diff.
8. Tester credentials — names, OSCP / CRTP / CREST certs, statement of independence.

If a vendor delivers a 6-page Nessus PDF and calls it a VAPT report, ask for your money back. Real reports run 60-200 pages and survive a regulator's sampling.

When to choose which

• Pick VAPT if your auditor wants "evidence of vulnerability management" — covers SOC 2 CC7.1, ISO 27001 A.8.8, DPDP Section 8(5).
• Pick standalone pentest if you have specific high-value targets (payment flow, admin console, signing service) and a real attacker would single them out.
• Pick red team if you need to test detection & response, not just controls — your maturity is past "do we have bugs?" and at "will we notice when someone walks in?"
• Pick continuous if you ship daily — schedule weekly automated scans + quarterly manual VAPT.
• Pick a chained programme if you have budget — quarterly VAPT, annual pentest, biennial red team, plus a public bug bounty.

Common procurement mistakes

• Buying VAPT and expecting a kill-chain narrative — the vendor priced for breadth, not depth.
• Buying pentest without giving credentials — testers spend the engagement on auth bypass instead of real bugs.
• No retest in the contract — fixed bugs without retest evidence don't close out audit findings.
• Paying by line item — incentivises false positive inflation; pay by engagement with quality criteria.
• Asking for a "100% clean" report — that's a red flag the vendor is hiding findings to make you happy.

What this means for your team

Map every audit clause your business is subject to in a single sheet, name the engagement that satisfies each, and put dates on each. If a clause needs a pentest annually and you only buy VAPT, you have a 12-month risk window. If a clause needs quarterly scans and you only run the annual VAPT, you fail the cadence test even when the technical controls are strong. The right engagement mix is whichever one matches your obligations on paper, your real attacker model, and the budget your CFO actually approved — usually a continuous VAPT layer plus a focused annual pentest on the crown-jewel surface.

FAQ