Whitepaper · PDF · 64 pages · Published 2026-05-20 · Free (email-gated)

State of VAPT in India 2026.
240 engagements, one operator dataset.

Pricing, scoping, retest discipline, and vendor performance across 240 Indian engagements.

240 engagements · 64 pages · 91% top-quartile critical closure inside the 30-day retest window · 4 sectors covered
Key findings

Five numbers from the dataset.

  • Median Indian-market VAPT day-rate sits 38% below the cross-border equivalent — but the gap collapses once retest discipline is held constant.
  • Top-quartile vendors closed 91% of criticals within the standard 30-day retest window; bottom-quartile vendors closed 34%.
  • API and cloud-account surfaces produced 2.6x the critical-finding density of equivalent-spend web app engagements.
  • BFSI engagements ran 1.7x longer than comparable SaaS engagements at equivalent scope — driven by evidence-pack and regulator-facing reporting overhead.
  • Engagements that skipped the IAM boundary review surfaced an average of 4.2 additional criticals when the boundary was added in the retest window.
Table of contents

Preview of all twelve sections.

  01  Executive summary
      Top-line findings across 240 engagements: median day-rate by surface, retest-pass-rate quartiles, the percentage of engagements that surfaced a critical inside the first 72 hours.

  02  Methodology & dataset
      How the 240 engagements were selected, the anonymisation pipeline, the boundary cases we excluded, and the statistical caveats a reader should keep in mind when generalising from this sample.

  03  Day-rate distribution by surface
      Per-surface day-rate histograms (web app, API, mobile, cloud account, AD forest, internal network), Indian market vs. cross-border engagements, with the quartile and percentile breakdowns.

  04  Fixed-fee bands by scope
      Where the market actually prices a single web app, a 20-microservice API estate, a multi-region AWS organisation, or a hybrid AD forest, and the scope variables that move price by 2-3x.

  05  Finding-density benchmarks
      Critical / high / medium finding density per surface, per 1000 lines of API spec, per 100 IAM principals, per AD domain. Where the densest findings cluster and what that says about pre-test hygiene.

  06  Retest performance: pass rates and closure latency
      Retest pass-rate quartiles by sector and by surface. The median days-to-closure for criticals and highs. The percentage of engagements that closed all criticals inside the standard 30-day retest window.

  07  Sector deep-dive: BFSI
      How RBI cyber-resilience framework expectations shape BFSI engagements: scope depth, evidence-pack volume, the audit-committee reporting cadence, and the regulator-facing findings format.

  08  Sector deep-dive: SaaS
      How SOC 2 and ISO 27001 audit windows pull VAPT timing earlier in the calendar year, the multi-tenancy findings that recur, and the cost compounding when a SaaS scope skips the IAM boundary review.

  09  Sector deep-dive: Public sector
      Multi-month engagements across mixed government estates: scoping wave structure, the AD attack-path enumeration step, the exposure-reduction trajectory at retest, and the CERT-In submission interface.

  10  Vendor performance: the structural separators
      What separates the top-quartile vendors from the rest: retest discipline, evidence-pack completeness, machine-readable export hygiene, and the named-tester continuity rate across multi-quarter programmes.

  11  Why cheap pentests stay cheap
      The three structural reasons a sub-market day-rate produces a sub-market finding set: tooling-led methodology, junior staffing, and the absent retest. With the spend-vs-outcome curve from the dataset.

  12  Procurement guidance for FY26 / FY27
      Budget envelope guidance by company stage and surface mix, the five RFP questions that correlate most strongly with engagement outcome, and the contract clauses we have seen save programmes mid-engagement.
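Sections 05 and 06 describe the two metrics the dataset leans on most: finding density normalised to surface size (per 1000 lines of API spec, per 100 IAM principals) and the share of criticals closed inside the standard 30-day retest window. The helper below, an added example rather than code from the whitepaper or the AxVeil dataset, computes both from a findings export so a programme can be placed against the quoted quartiles (91% vs. 34%). The data model, the choice to measure the retest window from the date a finding was reported to the client, and every sample finding are assumptions constructed here for illustration.

```python
"""Benchmark helpers for two VAPT programme metrics: finding density per
surface and critical closure inside a retest window. Constructed example;
the sample findings below are illustrative, not drawn from any dataset."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    engagement: str
    surface: str                   # e.g. "api", "cloud_account", "web_app"
    severity: str                  # "critical" | "high" | "medium" | "low"
    reported: date                 # date the finding was reported to the client
    closed: Optional[date] = None  # None: still open at retest


@dataclass(frozen=True)
class Surface:
    engagement: str
    surface: str
    unit: str   # normaliser, e.g. "spec_lines" or "iam_principals"
    size: int   # how many of that unit were in scope
    per: int    # report density per this many units (1000 lines, 100 principals)


def finding_density(findings, surfaces, severity="critical"):
    """{(engagement, surface): findings of `severity` per `per` units of scope}."""
    counts = defaultdict(int)
    for f in findings:
        if f.severity == severity:
            counts[(f.engagement, f.surface)] += 1
    return {
        (s.engagement, s.surface): counts[(s.engagement, s.surface)] * s.per / s.size
        for s in surfaces
    }


def closure_rate(findings, window_days=30, severity="critical"):
    """Fraction of `severity` findings closed within window_days of being reported.
    Findings closed after the window, or still open (closed is None), count as
    misses. Returns None when there are no findings of that severity."""
    window = timedelta(days=window_days)
    total = hits = 0
    for f in findings:
        if f.severity != severity:
            continue
        total += 1
        if f.closed is not None and f.closed - f.reported <= window:
            hits += 1
    return hits / total if total else None


# Constructed sample: two engagements, one API estate and one cloud account.
REPORT = date(2026, 1, 15)


def _f(eng, surface, sev, closed_after=None):
    closed = None if closed_after is None else REPORT + timedelta(days=closed_after)
    return Finding(eng, surface, sev, REPORT, closed)


SAMPLE_SURFACES = [
    Surface("E1", "api", "spec_lines", 4000, 1000),
    Surface("E2", "cloud_account", "iam_principals", 250, 100),
]
SAMPLE_FINDINGS = (
    [_f("E1", "api", "critical", d) for d in (5, 12, 29, 30, 31, None, 45, 10)]
    + [_f("E1", "api", "high", d) for d in (7, None, 50)]
    + [_f("E2", "cloud_account", "critical", d) for d in (3, 60, None, 20, 25)]
)


def benchmark(findings=SAMPLE_FINDINGS, surfaces=SAMPLE_SURFACES):
    """Critical density per surface plus overall and per-engagement 30-day closure."""
    engagements = sorted({f.engagement for f in findings})
    return {
        "critical_density": finding_density(findings, surfaces),
        "critical_30d_closure": closure_rate(findings),
        "per_engagement_closure": {
            e: closure_rate([f for f in findings if f.engagement == e]) for e in engagements
        },
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(benchmark())
```

On the sample, E1 yields 2.0 criticals per 1000 spec lines and closes 5 of 8 inside the window (the day-31 and day-45 closures and the open finding are misses); E2 yields 2.0 per 100 IAM principals and closes 3 of 5. Either figure sits well below the 91% the top quartile reports. Swap the constructed lists for a real export to reproduce the comparison.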

About the authors

Written by the operators who ran the engagements.

Aman Kumar

Founder & Principal Operator

Twelve years across BFSI, public-sector, and SaaS pentest engagements. CREST-aligned methodology lead. Author of the AxVeil retest discipline framework.

AxVeil Operator Group

Field operators

Twelve named operators contributed engagement notes, finding-density extractions, and retest-window data to the underlying dataset.


Want to benchmark your own programme?

A 30-minute scoping call costs nothing. We can place your current programme against the dataset percentiles and tell you, candidly, where you sit.