
VAPT vs Penetration Testing: Which Do You Actually Need?

The terms get used interchangeably in Indian procurement RFPs, but they describe different things. Here is what the distinction means for scoping, cost, and the kind of report you walk away with.

By Security Brigade Editorial Team, April 29, 2026. 3 min read.

"VAPT" appears in roughly nine out of ten Indian security RFPs we read. Most procurement teams use it as a synonym for penetration testing. Most vendors don't push back, because the work overlaps. But there is a real distinction, and getting the scope wrong means either overpaying for a vulnerability scan or underpaying for what you actually need.

What VAPT formally means

VAPT stands for Vulnerability Assessment and Penetration Testing. The two halves are different activities:

Vulnerability assessment is breadth-first. You scan the entire scope, generate a list of every potential weakness the tooling can detect, and rank them by CVSS severity. Output: a long list of findings, mostly automated. Time: hours to a day or two depending on scope. Coverage: wide but shallow.

Penetration testing is depth-first. You take a smaller scope, attempt to exploit weaknesses to demonstrate real impact, chain vulnerabilities together, and document attack paths. Output: fewer findings, but each one has reproducible exploit steps. Time: 5 to 15 business days for a typical web application. Coverage: deep but selective.

The combination is what regulators and most enterprise procurement teams actually want — a broad inventory of known issues plus expert validation of the high-impact ones.

Where the Indian market gets it wrong

Three patterns we see in RFPs:

  1. VAPT priced as a scanner run. A vendor quotes ₹40,000 for a "VAPT" of a web application. What you'll get is a Nessus or Acunetix report, lightly cleaned up, with no manual exploitation. This satisfies the line item on a compliance checklist but doesn't tell you whether the application is actually exploitable.

  2. Penetration test priced as a one-week sprint with no scoping. The vendor agrees to test "the entire portal" in five days. Without proper scope discovery, the team spends day one mapping what exists, days two through four hunting low-hanging issues, and day five writing a report. Business logic and authorisation flaws get missed because there's no time.

  3. No retesting included. The original test surfaces 30 findings, your dev team fixes them, and there's no budget to verify the fixes worked. This is the most common reason "remediated" findings remain exploitable in supervisory follow-up.

What a proper engagement looks like

A scoped VAPT for a meaningful enterprise web application typically runs 8–12 business days. A reasonable phasing:

  • Days 1–2: scoping, environment access, application mapping
  • Days 3–6: manual penetration testing — auth, authorisation, business logic, input handling
  • Days 5–7 (in parallel): controlled automated scanning
  • Days 7–8: AI-augmented coverage validation, attack chain assembly
  • Days 8–9: multi-layer review (auditor → senior consultant → architect)
  • Days 9–10: report draft, walkthrough, remediation guidance
  • Days 11–12 (after fix): retesting, security certificate

Anything materially shorter either leaves part of the application out of scope or is under-tested.

When you actually need only one half

There are real scenarios where one or the other is correct:

  • Quarterly hygiene scans of a known asset inventory: vulnerability assessment alone is fine.
  • Pre-launch security validation of a brand-new application: penetration test, not assessment — there's no inventory yet.
  • Post-incident forensic assessment: neither — that's incident response.
  • Annual audit for RBI / SEBI / PCI: both, in the same engagement.

How to ask for the right thing

In your RFP, separate the line items. Specify the scope (URLs, endpoints, environments). Specify whether retesting is included. Specify the report format your auditor or board wants. Ask the vendor to walk you through their methodology before committing — anyone running a real penetration test will have one to show.

If you'd like to discuss what your specific application or estate needs, request a scoping call.
