Penetration testing is an authorised, simulated cyber-attack against your systems, run by security engineers to find and safely exploit vulnerabilities before real attackers do. VAPT — Vulnerability Assessment and Penetration Testing — pairs broad automated vulnerability discovery with deep manual exploitation, then reports each finding with a business-risk rating and a fix. This guide covers the types, the methodology, timelines, cost drivers, deliverables and how to choose a CERT-In empanelled provider in India.
This is written for the person who has to buy or pass a test: a CISO, IT head, compliance lead or founder who has been told to get a VAPT done for a regulator, a customer security review, or a product launch. We keep it practical — what each term means, what a real engagement looks like, what it should cost and how long it takes, and how to tell a genuine test from a rebadged scanner report.
What is the difference between vulnerability assessment and penetration testing?
The two words in VAPT describe two different activities that are often sold together. A vulnerability assessment is about breadth: automated and semi-automated scanning enumerates as many known weaknesses as possible across a large surface, producing a prioritised list. A penetration test is about depth: a human tester manually verifies findings, chains them together, and exploits them to prove real business impact — data access, privilege escalation, lateral movement. A scanner tells you a door looks unlocked; a penetration test walks through it and shows you what is inside.
- Breadth over depth — wide coverage of many hosts/apps
- Largely automated (authenticated + unauthenticated scans)
- Lists known/CVE-based weaknesses; low false-negative for the known
- No exploitation — findings are potential, not proven
- Fast and repeatable; ideal for continuous/quarterly cadence
- Depth over breadth — proves exploitability and impact
- Manual, tester-led; finds logic and chained flaws scanners miss
- Business-risk rated with evidence / proof-of-concept
- Exploitation, privilege escalation, lateral movement
- Point-in-time; ideal before launch, after major change, annually
Most regulator-facing engagements need both, which is why the industry sells them as VAPT: the assessment gives coverage and the penetration test gives proof. If a provider offers you only an automated scan and calls it a penetration test, it is not one.
What types of penetration testing are there?
Penetration testing is scoped by the surface being attacked. Each type has its own methodology and reference standard, and a mature program rotates through the ones relevant to its risk profile.
| Type | What it targets | Primary standard |
|---|---|---|
| Network (external / internal) | Internet-facing and internal infrastructure, services, hosts | PTES · NIST SP 800-115 |
| Web application | Web apps, portals, authentication, business logic | OWASP WSTG · OWASP Top 10 |
| API | REST / GraphQL / SOAP endpoints, authorization | OWASP API Security Top 10 |
| Mobile application | Android / iOS apps, local storage, transport | OWASP MASVS · MASTG |
| Cloud | AWS / Azure / GCP configuration, IAM, exposure | CIS Benchmarks · CSA CCM |
| Active Directory / internal | AD, privilege escalation, lateral movement | MITRE ATT&CK |
| Wireless | Wi-Fi, rogue APs, segmentation | PTES wireless |
| Social engineering | Phishing, pretexting, physical access | MITRE ATT&CK (Initial Access) |
| Red team | Full-scope adversary emulation across all of the above | MITRE ATT&CK · TIBER-style |
Common penetration-testing types and their reference standards
For a deeper look at specific surfaces, see our guides on Active Directory penetration testing and the top penetration-testing tools for 2026. Where full adversary emulation is the goal rather than coverage, read VAPT vs red team and red team vs penetration testing.
How does a penetration test work? The seven phases
A professional test follows a repeatable methodology — most commonly the Penetration Testing Execution Standard (PTES), aligned with OWASP for applications and NIST SP 800-115 for infrastructure. The phases are the same whether the target is a web app or an entire network:
- Scoping and rules of engagement — agree targets, test windows, black/grey/white-box level, escalation contacts and legal authorisation (the ROE). Nothing is touched before this is signed.
- Reconnaissance and OSINT — map the attack surface: domains, subdomains, exposed services, technologies, leaked credentials, employee footprint.
- Threat modelling and attack-surface mapping — turn recon into hypotheses: which assets are most valuable, which paths an attacker would take.
- Vulnerability analysis — combine authenticated/unauthenticated scanning with manual verification to separate real issues from scanner noise.
- Exploitation — safely exploit confirmed vulnerabilities to prove impact, respecting the ROE (no destructive actions on production without written sign-off).
- Post-exploitation and lateral movement — escalate privileges, pivot, and demonstrate how far a foothold reaches: the difference between one bug and a full compromise.
- Reporting, remediation support and retest — deliver an evidence-backed report with business-risk ratings and fixes, support the fix, then retest to confirm closure.
What is black-box, grey-box and white-box testing?
The box colour describes how much the tester knows before starting. Black-box means no prior knowledge — the tester attacks like an outside adversary, which is realistic but spends time on discovery. White-box means full access to source, credentials and architecture — the most thorough coverage per rupee, best for pre-launch assurance. Grey-box sits in between (typically a low-privilege account plus basic documentation) and is the usual sweet spot for application testing: it mirrors an authenticated attacker or malicious insider while keeping coverage efficient.
How are vulnerabilities scored and prioritised?
Findings are rated so you can fix the right things first. The industry standard is CVSS (Common Vulnerability Scoring System) v4.0, which combines a base score (how the flaw works) with threat and environmental metrics (how exploitable and how impactful it is in your context). Each finding is also classified by CWE (the weakness type) and, increasingly, weighted by EPSS — the probability the flaw is exploited in the wild. A good report translates all of this into a plain business-risk rating.
How long does a penetration test take?
Testing time scales with scope and complexity. These are typical field durations for a single engagement (add two to five working days for reporting and one for a retest):
| Engagement | Typical testing window |
|---|---|
| Single web application (grey-box) | 5–10 working days |
| External network (up to ~50 hosts) | 5–8 working days |
| Internal network / Active Directory | 8–15 working days |
| Mobile application (one platform) | 6–10 working days |
| API (REST / GraphQL) | 4–8 working days |
| Cloud configuration review | 4–8 working days |
| Full red-team engagement | 4–8 weeks |
Indicative testing durations (excludes reporting and retest)
How much does VAPT cost in India?
There is no flat price because the effort is driven by scope, not by a licence. The main cost drivers are:
- Scope size — number of applications, hosts, APIs, roles and environments.
- Complexity — a simple brochure site vs a multi-tenant fintech platform with dozens of workflows.
- Box type — white-box needs more setup but gives more coverage; black-box spends time on discovery.
- Report format — a CERT-In-format, regulator-ready report with attestation is more effort than a bare findings list.
- Retest and remediation support — included closure retesting adds a few days but is essential for compliance.
- Onsite vs remote — internal/AD tests may require onsite or VPN access and scheduling.
What deliverables should a VAPT report include?
The report is the product. A regulator-ready VAPT deliverable should contain:
- Executive summary — risk posture in business language for leadership and the board.
- Scope and methodology — exactly what was tested, when, and to which standard (PTES/OWASP/NIST).
- Detailed findings — each with a CVSS score, CWE classification, evidence / proof-of-concept, and affected assets.
- Business-risk rating — severity in your context, not just raw CVSS.
- Remediation guidance — specific, actionable fixes with references (OWASP/CWE/vendor).
- Retest / closure status — verification that fixes actually worked.
- Compliance mapping — findings mapped to CERT-In, ISO 27001, PCI-DSS or RBI/SEBI expectations as relevant.
- Auditor attestation — a signed letter, and a safe-to-host certificate where the engagement calls for it.
How often should you run a penetration test?
The baseline is at least annually and after any major change — a new application, a significant architecture change, or a merger. Regulation usually sets a stricter cadence. RBI's Cyber Security Framework expects VAPT before go-live and periodically thereafter; SEBI's CSCRF mandates graded VAPT for regulated entities; PCI-DSS 4.0 requires annual testing and after significant change; ISO 27001 control A.8.8 expects technical vulnerability management; and the DPDP Act's reasonable-security-safeguards duty is hard to evidence without regular testing. Many of these must be signed off by a CERT-In empanelled auditor — see our companion CERT-In empanelled audit guide.
How to choose a VAPT provider in India
The credential that separates a regulator-ready firm from the rest is CERT-In empanelment. Beyond that, look for substance over slideware:
- CERT-In empanelment — verify it on the official CERT-In empanelled-auditor list, not just a logo on a website.
- Manual depth — ask what percentage of the test is manual and to see a redacted sample report.
- Certified testers — OSCP / OSCE / OSWE / CREST-registered testers on the actual engagement.
- Retest included — closure verification should be in scope, not a paid extra.
- Clear scope and fixed price — a written scope before a number, not after.
- Data handling — NDA, secure evidence storage, and defined data-retention/destruction.
Macksofy is a CERT-In empanelled provider delivering manual-led VAPT across web, API, mobile, network, cloud and Active Directory — with CERT-In-format reports and closure retesting. Fixed-price proposal within 48 hours of scope.
Common penetration-testing mistakes to avoid
- Treating a vulnerability scan as a penetration test — coverage is not proof.
- An out-of-date scope that misses the systems that actually matter.
- No retest — an unremediated finding is an open door, and regulators check closure.
- Testing production without a signed ROE and escalation path.
- Ignoring business-logic and authorization flaws because scanners cannot find them.
- No remediation follow-through — a report that gathers dust changes nothing.
If you need broad coverage for a compliance deadline, start with VAPT. If you need to prove how far a determined attacker could get, scope a targeted penetration test. Macksofy will help you pick the right depth for your risk and your regulator.
