We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

How to Choose a VAPT Provider in India: 7 Questions to Ask Before You Sign

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

How to Choose a VAPT Provider in India: 7 Questions to Ask Before You Sign

Here is a truth most vendors will never tell you: a large share of the VAPT reports we see during audits are automated scanner output wearing a suit. Someone pointed a tool at your IP range, exported the findings, changed the logo, and invoiced you two lakh rupees. VAPT stands for Vulnerability Assessment and Penetration Testing, and the difference between those two words is exactly where most Indian buyers get quietly robbed.

You are not buying a PDF. You are buying the judgement of a person who tried to break into your systems the way a real attacker would, and then told you honestly what they found. If your provider cannot demonstrate that judgement in the sales call, no certificate they issue is worth the paper it prints on. This guide is written from the other side of the audit table — what actually separates a real testing firm from a scan-and-ship shop, and the questions that flush the difference out in twenty minutes.

Why the wrong provider costs you more than money

A bad VAPT does not just waste your budget. It gives you a false green light. You show the certificate to your bank, your enterprise customer, your CERT-In filing, or your cyber-insurance underwriter, and everyone downstream assumes someone competent looked at your systems. When a breach happens through a hole the scanner never touched — a broken authentication flow, an IDOR in your API, a business-logic bug in your payment path — that certificate becomes evidence that you were told your system was secure. In an incident post-mortem, and increasingly in DPDP-related regulatory questions, that is a very bad place to stand.

There is also the regulatory reality. Under the CERT-In directions of April 2022, service providers, intermediaries, data centres and body corporates must report cyber incidents within six hours and maintain security practices. RBI, SEBI and IRDAI all now expect periodic VAPT of critical and internet-facing systems, and several of them specifically ask for a CERT-In empanelled auditor. If your report is thin, your regulator will notice on the very first review, and you will pay for the exercise twice.

CERT-In empanelment: necessary, not sufficient

CERT-In, the Indian Computer Emergency Response Team, maintains a public list of empanelled information security auditing organisations. For a lot of Indian compliance needs — RBI cyber-security framework filings, SEBI CSCRF, IRDAI, government tenders — the auditor must be on that list. So empanelment is your first hard filter. If a provider is not empanelled and your regulator asks for one, the conversation is over regardless of how good they are.

But here is the part the marketing pages omit. Empanelment is issued to the organisation, not to the specific engineer sitting on your engagement. A firm can be genuinely empanelled and still staff your test with a fresher running a licensed scanner. Empanelment tells you the company cleared CERT-In's process at least once. It tells you nothing about who touches your systems next Tuesday. Verify empanelment on the CERT-In site directly using the organisation's exact registered name — never trust a logo on a slide — and then keep asking questions.

What empanelment guaranteesWhat it does not guarantee
The firm cleared CERT-In's vetting at least onceThat your specific tester is experienced or certified
Acceptance of the report by most Indian regulatorsManual testing depth beyond automated scans
A registered legal entity you can hold accountableRetesting, or that fixes were verified
Familiarity with the CERT-In reporting formatCoverage of business-logic and API flaws

Vulnerability Assessment versus Penetration Testing — and why VAPT hides a con

A Vulnerability Assessment is breadth. A tool enumerates known weaknesses across your estate and produces a ranked list. It is useful, it is cheap, and it is almost entirely automated. A Penetration Test is depth. A human takes those findings plus everything the scanner cannot see, chains them together, and demonstrates real impact — actual unauthorised access, actual data exfiltration, actual privilege escalation.

The con lives in the ampersand. Selling VAPT lets a vendor charge penetration-test prices for vulnerability-assessment work. You get a Nessus or Acunetix export with a CVSS column, zero exploitation, zero business-logic testing, and a cover page that says penetration test. The tell is the findings themselves: if every issue maps cleanly to a CVE number and a public plugin, and nothing describes a flaw specific to your application's logic, you paid for a scan. Real penetration test findings read like a story — this input reached that function, which trusted this token, which let me become that user.

SignalScan-and-ship vendorReal testing firm
FindingsOnly CVE-mapped scanner outputChained exploits and logic flaws unique to you
Proof of exploitationCVSS score, no PoCScreenshots, request/response, reproduction steps
Scoping callAsks only for IP rangesAsks about roles, workflows, data sensitivity
Duration for a web app1-2 days, mostly automated5-15 days with manual testing
False positivesPassed straight through from the toolManually validated and removed

What actually happens in a good scoping call

Scoping is where quality is decided, long before any packet is sent. Watch how the provider behaves here. A weak vendor asks for your IP list and a start date. A serious tester wants to understand what they are protecting and how it can be abused.

Picture the call. You run a lending platform. The competent tester does not ask how many IPs you have. They ask: how many user roles exist, and what can a borrower do that a collections agent cannot? Where does money actually move, and who authorises it? Is there an admin panel reachable from the internet? Do you have an API that mobile apps consume, and is it separately authenticated? What is the one screen that, if breached, ends your business? Then they scope test users at each privilege level, because the interesting bugs live in the gaps between roles — the borrower who can approve his own loan, the agent who can read another customer's KYC. A scanner never finds that. It has no idea your business exists.

If the scoping conversation never leaves the network layer, you are about to buy an infrastructure scan dressed as an application penetration test.

Methodology: ask which standard, then ask them to prove it

Any credible provider will name a methodology. The honest ones can then walk you through it. For web and API work the reference is the OWASP standards — the OWASP Top 10, the OWASP Application Security Verification Standard (ASVS), and the OWASP Web Security Testing Guide (WSTG). For a broader engagement, the Penetration Testing Execution Standard (PTES) and NIST SP 800-115 describe the phases. Mobile work should reference the OWASP Mobile Application Security Verification Standard (MASVS).

Naming a standard is easy. Ask the follow-up: for the ASVS, which verification level are you testing against — Level 1, 2 or 3? For an API, are you testing the OWASP API Security Top 10 specifically, including broken object-level authorisation and broken function-level authorisation? For each, ask what a real finding under that category looked like on a recent engagement. A firm that tests manually can answer instantly with a war story. A scan shop starts talking about their tool's coverage, because the tool is all they have.

  • Web application: OWASP Top 10, ASVS (ask which level), WSTG for test cases
  • API: OWASP API Security Top 10 — insist on BOLA and BFLA testing by hand
  • Mobile: OWASP MASVS and the Mobile Application Security Testing Guide
  • Network and infrastructure: NIST SP 800-115, PTES phases
  • Cloud: CIS Benchmarks for your provider plus IAM and misconfiguration review

Reading a report like an auditor does

The report is the product, and you can grade a provider by asking for a sample redacted report before you sign. This one document exposes more than any sales deck. Here is what a report worth paying for contains, and what junk reports skip.

Report elementWhy it matters
Executive summary in plain business languageYour board and regulator read this, not the CVSS table
Scope statement — exactly what was and was not testedA finding-free report on a two-URL scope is meaningless
Per-finding reproduction steps and evidenceProves it is real and lets your developers fix it
Business impact, not just CVSS severityA medium CVE on your payment path outranks a high elsewhere
Concrete, code-level remediation guidanceGeneric advice like update your software helps no one
Methodology and tools used, with test datesShows what was manual versus automated
Named tester and their certificationAccountability, and a signal of who did the work

One quick test: open the sample report and find a high-severity finding. Can your own developer reproduce it from the report alone, without emailing the tester? If yes, the report is real work. If the finding is one line saying SQL injection possible on login page with a CVSS of 9.8 and no request shown, it came out of a tool and nobody verified it.

The retest clause everyone forgets to negotiate

Finding vulnerabilities is only half the job. The point is to close them and confirm they are closed. Many buyers discover after the fact that the quote covered a single round of testing and the retest — the round that verifies your fixes actually worked — is a separate invoice. Now you have a report full of open findings, a bank or customer asking for a clean bill, and no budget line to prove you remediated anything.

Settle this in the contract. A fair engagement includes at least one free retest of confirmed findings within a defined window, commonly 30 to 90 days after the report. Get the window, the number of retest cycles, and what counts as in-scope for retest in writing. Ask specifically: if I fix these and you retest, do you issue a revised report and a clean closure certificate at no extra cost? That certificate is often the artefact your customer or regulator actually wants.

  • How many retest cycles are included, and at what cost after that
  • The retest window in days from report delivery
  • Whether a revised report and closure certificate are issued free
  • Whether newly introduced issues during fixing are in scope or billed separately

What good VAPT actually costs in India

Pricing is where the market is wildest. You will see the same scope quoted at a five-fold spread, and the cheapest number is almost always a scan. Real testing is priced on person-days, because it is human labour. As a rough guide for the Indian market — treat these as directional, not fixed — here is where honest work tends to land.

Engagement typeTypical effortIndicative cost (INR)
Single web application (grey-box)5-10 person-days60,000 - 2,50,000
REST API (moderate complexity)4-8 person-days50,000 - 2,00,000
Mobile app (Android or iOS)5-10 person-days75,000 - 2,50,000
Network / infrastructure (per 50 IPs)3-7 person-days40,000 - 1,50,000
Full-scope for RBI / SEBI filingVaries widely3,00,000 - 15,00,000+

If a quote for your customer-facing web application comes in at fifteen thousand rupees, understand exactly what you are getting: a licensed scanner run and a report. That may be fine for an internal baseline. It is not fine as the penetration test your enterprise customer's vendor-security questionnaire is asking for. Price on person-days and certified testers, not on the lowest line.

The questions that flush out a scan shop in one call

You do not need to be technical to expose a weak provider. You need the right questions and the discipline to listen for a real answer versus a deflection. Ask these directly.

  • Who exactly will test my systems, and what certifications do they hold — OSCP, CREST, GPEN?
  • What proportion of this engagement is manual testing versus automated scanning?
  • Can I see a redacted sample report from a similar client before I sign?
  • Walk me through one business-logic flaw you found on a recent app like mine.
  • Is retest included, how many cycles, and do I get a closure certificate free?
  • How do you validate findings so I am not handed a page of false positives?
  • Confirm your CERT-In empanelment under your exact registered name.
  • Will you test authorisation between user roles, not just the login page?

The pattern is simple. A real firm answers the person, the manual-versus-automated ratio, and the business-logic question with specifics and stories. A scan shop redirects every one of these back to their tooling and their price.

Your provider-selection checklist

Before you sign anything, run this list. If you cannot tick most of it, keep looking.

  • Verified CERT-In empanelment on the official site under the exact legal name
  • Named, certified testers assigned to your engagement — not just the firm
  • A scoping call that asked about roles, workflows and business impact
  • A stated methodology mapped to OWASP / NIST, with level specified
  • A redacted sample report reviewed, with reproducible high-severity findings
  • Manual testing depth confirmed in writing, not just scanner coverage
  • Retest cycles, window and free closure certificate in the contract
  • Pricing based on person-days that is plausible for the scope
  • A signed NDA and clear rules of engagement before any testing starts
  • Clarity on data handling — where your findings and any captured data are stored

Closing thought

Come back to where we started. You are not buying a PDF and you are not buying a logo. You are buying the honest judgement of someone who tried to break in and told you the truth. The certificate is a by-product. If you choose your provider on price and empanelment alone, you will get a document that satisfies a checkbox and protects nothing. Choose on people, method, evidence and retest, and you get something rarer — a clear picture of how you would actually be attacked, and the confidence to stand behind your certificate when it matters.

At CyberSigma we are CERT-In empanelled and we run these engagements hands-on — the same auditors who sit in the room also write every finding — so if you want a scoping conversation that starts with your business and not your IP list, we are happy to have it.

FAQs

Is CERT-In empanelment mandatory for VAPT in India?

Not for every case. It is effectively mandatory when your regulator or tender requires it — most RBI cyber-security framework filings, SEBI CSCRF submissions, IRDAI requirements and government contracts specifically ask for a CERT-In empanelled auditor. For a purely internal security exercise it is not legally required, but empanelment is a reasonable quality filter regardless. Always verify it on the official CERT-In list under the firm's exact registered name.

How long should a VAPT engagement take?

For a single web application expect roughly five to ten working days of testing plus a few days for reporting. APIs and mobile apps are similar. Anything finished in a day or two is almost certainly an automated scan rather than a manual penetration test. Full-scope engagements for regulatory filings run several weeks depending on the number of applications and IP ranges in scope.

What is the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment is automated breadth — a tool lists known weaknesses across your estate. A penetration test is manual depth — a human exploits and chains those weaknesses to demonstrate real impact, and finds business-logic and authorisation flaws no scanner can see. VAPT bundles both, but some vendors sell only the assessment at penetration-test prices, so confirm how much of the work is actually manual.

How much does VAPT cost in India?

It varies with scope and depth. A grey-box web application test typically runs from about sixty thousand to two and a half lakh rupees; APIs and mobile apps are broadly similar; network testing is priced per block of IPs; and full-scope engagements for RBI or SEBI filings can run several lakhs and up. Honest pricing is based on certified-tester person-days. A quote far below this range usually means an automated scan.

Should retesting be included in the price?

It should, and you should negotiate it explicitly. A fair engagement includes at least one free retest of confirmed findings within a defined window — often thirty to ninety days after the report — along with a revised report and a closure certificate at no extra cost. Get the number of cycles and the window in writing, because that closure certificate is frequently the artefact your customer or regulator actually wants to see.

How do I know if a report is real work or just a scanner dump?

Open a sample report and check whether a high-severity finding includes reproduction steps, a request-and-response or screenshot, and business impact rather than only a CVE and a CVSS score. Ask whether your own developer could reproduce and fix it from the report alone. Genuine penetration test findings describe flaws specific to your application's logic and authorisation; scan dumps map every issue to a public CVE and prove nothing.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205