Penetration testing is a structured security assessment where a certified human tester simulates real attacker behavior against your application to find vulnerabilities that automated scanners cannot detect, including business logic flaws, access control bypasses, and chained exploits. It typically costs INR 74,999 to INR 1,79,999 for SaaS startups in India and takes 7 to 10 calendar days. The deliverable is a detailed report your enterprise prospects, SOC 2 auditor, and investors will accept as evidence of independent security testing.
Your enterprise prospect asks for a pentest report. Your SOC 2 auditor needs evidence of security testing. Your investor’s technical advisor wants to know if your application has been tested by someone other than your own team.
You need a penetration test. Here is what that actually means, what happens during one, how it differs from scanners, and how to decide what you need.
What Is a Penetration Test?
A penetration test is a structured security assessment where a certified tester (OSCP, CREST, or CompTIA PenTest+) simulates real attacker behavior against your application. The tester studies how your product works, identifies where security controls are weak or missing, and attempts to exploit those weaknesses the same way an attacker would.
The difference between a pentest and running a scanner: a scanner checks for known vulnerabilities using pattern matching. A pentester understands your business logic and tests whether your access controls, payment flows, role permissions, and API boundaries actually enforce what they should.
Scanners find outdated libraries. Pentesters find that your API returns any user’s billing data if you change the user ID in the URL.
The pentest produces evidence auditors, enterprise customers, and investors accept. A scanner report alone usually does not satisfy any of those audiences.
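The billing-data example above is the classic insecure direct object reference (IDOR, or broken object level authorization). The snippet below is an added illustration and not code from the page or from Cyber Secify: it shows a handler that authenticates but never authorizes next to one that checks ownership on the record itself. The in-memory records, role table and user ids are constructed for this example.

```python
"""Added example: the IDOR pattern behind "change the user ID in the URL"
and its fix. Records, roles and ids are constructed; no web framework."""
from dataclasses import dataclass

# Constructed in-memory "database" of billing records keyed by user id.
BILLING_DB = {
    "u-100": {"owner": "u-100", "card_last4": "4242", "plan": "growth"},
    "u-200": {"owner": "u-200", "card_last4": "0005", "plan": "startup"},
}

# Constructed role table for the caller ids used below.
ROLES = {"u-100": "user", "u-200": "user", "u-999": "admin"}


@dataclass
class Session:
    """Authenticated caller, as resolved from a session token (assumed)."""
    user_id: str


class Forbidden(Exception):
    pass


def get_billing_vulnerable(session, user_id_from_url: str) -> dict:
    """Authenticates (a session exists) but never authorizes: any logged-in
    user reads any user's billing data by editing the id in the URL."""
    if session is None:
        raise Forbidden("login required")
    return BILLING_DB[user_id_from_url]


def get_billing_fixed(session, user_id_from_url: str) -> dict:
    """Object-level authorization: the caller must own the record or hold the
    admin role. Ownership is checked on the stored record, not on the URL
    parameter, so a crafted id cannot satisfy it."""
    if session is None:
        raise Forbidden("login required")
    record = BILLING_DB.get(user_id_from_url)
    if record is None:
        # Same error as "not yours": the endpoint does not reveal which ids exist.
        raise Forbidden("not found or not permitted")
    is_owner = record["owner"] == session.user_id
    is_admin = ROLES.get(session.user_id) == "admin"
    if not (is_owner or is_admin):
        raise Forbidden("not found or not permitted")
    return record


def demo() -> dict:
    """Send the same cross-user request to both handlers and summarise."""
    low_priv = Session(user_id="u-100")  # legitimate, low-privileged user
    results = {}
    results["vulnerable_leaks"] = (
        get_billing_vulnerable(low_priv, "u-200")["card_last4"] == "0005"
    )
    try:
        get_billing_fixed(low_priv, "u-200")
        results["fixed_leaks"] = True
    except Forbidden:
        results["fixed_leaks"] = False
    results["owner_ok"] = get_billing_fixed(low_priv, "u-100")["plan"] == "growth"
    results["admin_ok"] = get_billing_fixed(Session("u-999"), "u-200")["plan"] == "startup"
    return results


if __name__ == "__main__":
    print(demo())
```

A scanner sees two HTTP 200 responses and nothing wrong; only a tester who knows that `u-100` should never receive `u-200`'s card data recognises the first handler as a finding.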
Types of Penetration Testing (Black Box, Gray Box, White Box)
The amount of information you give the tester upfront defines the type of engagement. The right type depends on what you are simulating.
| Type | What the tester knows | Simulates | When to use |
|---|---|---|---|
| Black box | Nothing internal. Just the public URL or app. | External attacker with zero prior access | Pre-launch readiness, exposure to anonymous attackers, fastest realism check |
| Gray box | User credentials for each role, basic architecture overview, no source code | Attacker who compromised a low-privileged account, or insider threat | Most SaaS engagements. Best coverage per day spent because the tester does not waste time on reconnaissance you can hand them. |
| White box | Full source code, architecture diagrams, internal documentation, all credentials | Comprehensive security review with full context | Pre-IPO due diligence, high-stakes compliance audits, security code review combined with pentest |
For most SaaS startups, the answer is gray box. Black box looks impressive in marketing but wastes the first three days on reconnaissance the tester could just be told. White box is overkill unless you have a specific reason (source code review, regulator request, M&A diligence).
What you should be told before the engagement starts: which type your vendor proposes, why that type, and what trade-offs you accept by choosing it.
What Gets Tested
The scope depends on what you need. Most SaaS startups start with one or two of these:
- Web Application Pentest: Your main product. The tester maps every endpoint, tests authentication flows, checks authorization on every API call, and looks for injection vulnerabilities, XSS, CSRF, and business logic flaws specific to your application.
- API Pentest: REST, GraphQL, or gRPC. Focuses on authentication, authorization between endpoints, rate limiting, input validation, and data exposure. If your product is API-first, this is where most vulnerabilities live.
- Mobile Application Pentest: Android or iOS. Covers local data storage, certificate pinning, reverse engineering, runtime manipulation, and how the app communicates with your backend.
- Cloud Security Assessment: AWS, GCP, or Azure. Reviews IAM policies, storage bucket permissions, network segmentation, logging configuration, and whether your infrastructure follows least-privilege principles.
- AI Application Pentest: LLM apps, agentic AI systems, AI-powered APIs. Tests prompt injection, model jailbreaks, training data leaks, and unsafe tool use. This is a newer category that traditional pentest firms often handle poorly.
How Penetration Testing Works (The Process Step by Step)
Here is the actual process, start to finish:
1. Scoping (before the engagement starts): We agree on what gets tested: which application, which environments (staging or production), which user roles, and what is out of scope. You provide test accounts and access credentials. This is also where the type (black, gray, white) gets locked.
2. Reconnaissance and mapping: The tester studies your application architecture, maps all endpoints, identifies user roles, and understands how data flows through your system. This is where a manual tester adds value over a scanner. Understanding your product means testing it like someone who wants to break it, not someone running a checklist.
3. Testing (the core engagement): The tester works through your application systematically, following OWASP WSTG v5.0 methodology and mapping findings to MITRE ATT&CK techniques where applicable:
- Authentication: can login be bypassed? Are password reset flows secure?
- Authorization: can a regular user access admin functions? Can user A see user B’s data?
- Input validation: SQL injection, XSS, command injection, file upload abuse
- Business logic: can pricing rules be bypassed? Can workflows be executed out of order?
- Session management: are tokens secure? Do sessions expire properly?
- API security: are all endpoints authenticated? Is rate limiting enforced?
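The authorization questions in the list above ("can a regular user access admin functions?") are the ones that benefit most from being written down as an explicit expectation and checked on every release. The block below is an added example, not code from the page or from Cyber Secify: it encodes an expected role-by-endpoint access matrix, runs it against a stand-in for the application's route policy, and reports every pair where reality drifts from the spec. Endpoint names, roles and the policy table are constructed; the insecure "unknown route defaults to user" behaviour is deliberate so the check has something to find.

```python
"""Added example: a role x endpoint authorization regression check.
Endpoints, roles and the policy table are constructed for this example."""

# Constructed spec: which role should be able to reach each endpoint.
EXPECTED_ACCESS = {
    "GET /api/me":            {"anonymous": False, "user": True,  "admin": True},
    "GET /api/admin/users":   {"anonymous": False, "user": False, "admin": True},
    "POST /api/admin/refund": {"anonymous": False, "user": False, "admin": True},
    "GET /api/health":        {"anonymous": True,  "user": True,  "admin": True},
}

# Constructed stand-in for the application's real route configuration.
# The refund route is missing, so it falls through to whatever default the
# middleware applies: exactly the gap a tester looks for.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
ROUTE_MIN_ROLE = {
    "GET /api/me": "user",
    "GET /api/admin/users": "admin",
    "GET /api/health": "anonymous",
    # "POST /api/admin/refund" intentionally not listed
}


def app_allows(endpoint: str, role: str) -> bool:
    """Simulated server-side check with an insecure fail-open default:
    unlisted routes only require 'user'."""
    required = ROUTE_MIN_ROLE.get(endpoint, "user")
    return ROLE_RANK[role] >= ROLE_RANK[required]


def hardened_allows(endpoint: str, role: str) -> bool:
    """Same check, deny-by-default: unlisted routes require 'admin', so a
    forgotten entry fails closed instead of open."""
    required = ROUTE_MIN_ROLE.get(endpoint, "admin")
    return ROLE_RANK[role] >= ROLE_RANK[required]


def find_authz_drift(expected, allows):
    """Compare every (endpoint, role) pair against the spec.

    Returns a sorted list of (endpoint, role, kind) where kind is
    'excess'  = granted but should be denied (a privilege escalation finding)
    'missing' = denied but should be allowed (a functional bug)."""
    drift = []
    for endpoint, roles in expected.items():
        for role, should_allow in roles.items():
            actual = allows(endpoint, role)
            if actual and not should_allow:
                drift.append((endpoint, role, "excess"))
            elif should_allow and not actual:
                drift.append((endpoint, role, "missing"))
    return sorted(drift)


if __name__ == "__main__":
    for endpoint, role, kind in find_authz_drift(EXPECTED_ACCESS, app_allows):
        print(f"FINDING {kind}: {role} can reach {endpoint}")
    print("hardened drift:", find_authz_drift(EXPECTED_ACCESS, hardened_allows))
```

In a real engagement the `allows` callable would issue the HTTP request with each role's test credentials and compare status codes; the point is that the expected matrix lives outside the application code, so a route added without a policy entry shows up as a finding rather than silently inheriting the default.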
4. Reporting: You get a detailed report with every finding documented: what was found, how it was reproduced (exact HTTP requests), what the business impact is, and how to fix it. Findings are rated by severity (Critical, High, Medium, Low, Informational) and mapped to SOC 2 and ISO 27001 controls.
5. Remediation support and retest: Your developers fix the findings using the reproduction steps in the report. We retest to confirm the fixes work. Both our pentest plans include a free retest within 30 days, and the Growth plan adds a sanity retest 15 days after that to verify final fixes hold.
When Your Startup Needs a Penetration Test
Not every startup needs a pentest on day one. Here is when it becomes necessary:
- An enterprise prospect asks for one. This is the most common trigger. No pentest report means no deal.
- SOC 2 or ISO 27001 audit. Your auditor needs evidence of independent security testing. An automated scan report usually does not satisfy this. See what SOC 2 auditors specifically expect.
- Investor due diligence. Technical advisors check for pentest reports, especially Series A and beyond. Security gaps that surface during due diligence can delay or kill rounds.
- CERT-In or RBI directive applies to you. If your company is in banking, payments, insurance, healthcare, or operates critical infrastructure, regulatory requirements may mandate periodic pentesting. Always check your specific sector’s requirements.
- DPDP Act compliance preparation. Enforcement of the DPDP Act (Digital Personal Data Protection Act, 2023) is ramping up in 2026. Significant Data Fiduciaries face stricter security obligations. See our DPDP compliance checklist.
- Major release or new product launch. You shipped a new payment flow, a new API, or a new user role system. These are where access control bugs hide.
- You have never had one. If your application handles user data and has never been tested by someone outside your team, you have an untested attack surface.
India Regulatory Context for Penetration Testing
If your startup is in a regulated sector or sells into Indian enterprises, regulatory requirements may shape what kind of pentest you need.
CERT-In (Indian Computer Emergency Response Team) issues advisories and operates an empanelment program for cybersecurity auditors. CERT-In empanelment is required for government departments, public sector undertakings, and specific regulated industries. For most private SaaS startups, including those selling to enterprise customers, CERT-In empanelment is not a requirement. A qualified non-empanelled vendor with OSCP or CREST credentials is acceptable. Always verify what your specific buyer or auditor actually requires before paying empanelment-premium pricing.
RBI (Reserve Bank of India) mandates regular security assessments for banks, NBFCs, payment processors, and certain fintech operators. Frequency is typically annual or after major changes. Reports must be retained for regulatory inspection. If you are in payments or fintech, treat the RBI directive as the floor, not the ceiling.
SEBI (Securities and Exchange Board of India) requires cybersecurity audits for stock brokers, depositories, and market intermediaries on a defined cadence.
DPDP Act 2023 is being enforced through 2026. Significant Data Fiduciaries (SDFs) face stricter independent security audit requirements, including mandatory appointment of independent data auditors. Pentest reports are often part of SDF audit evidence.
For most SaaS startups, the most common India regulatory triggers are SOC 2 + ISO 27001 (for global compliance), DPDP for India consumer data, and customer-mandated security questionnaires that cite specific frameworks.
5 Questions to Ask a Pentest Vendor Before Signing
The pentest market is full of automated-scanner-with-logo vendors selling at pentest prices. Asking these 5 questions before signing protects you from paying for testing that does not match what you actually need.
1. Who specifically will run the engagement, and what are their credentials? Ask for the lead pentester’s name in writing. Ask whether they personally run the engagement or hand it to junior staff. Verify their OSCP, CREST, or CompTIA PenTest+ certification on the issuing body’s public registry. Junior testers running expensive engagements is a documented problem in the Indian pentest market.
2. What methodology do you follow, and which version? Acceptable answers: OWASP WSTG v5.0 (web), OWASP API Top 10 (API), PTES (general), NIST SP 800-115. If the vendor cannot name a specific methodology or specifies an outdated version, that is a red flag. Methodology is the difference between systematic coverage and ad hoc poking.
3. Will the report include reproduction steps, business impact, and remediation guidance, or just CVSS scores? Request a sample report (redacted) before signing. A real pentest report shows exact HTTP requests to reproduce each finding, plain-language business impact (not just CVSS), and code-level remediation guidance. A generic scanner report with a logo is not the same thing, even if priced similarly. See what a real sample report looks like.
4. What is your retest policy? Acceptable: one free retest within 30 days, with the report updated to reflect fixes. Better: a sanity retest 15 days after the full retest to verify final fixes. Worst: no retest, or retests billed separately at scanner prices.
5. Will you map findings to SOC 2 or ISO 27001 controls if I need audit evidence? If you are preparing for SOC 2 or ISO 27001, the report needs to be auditor-ready. Control mapping should come standard for the audit-prep tier, not as an upsell.
If the vendor cannot answer all 5 confidently, walk away. The cost of a bad pentest is not just the wasted spend. It is the false sense of security plus the audit failure or breach that follows.
What a Pentest Report Looks Like
Every report we deliver includes:
- Executive summary that a CTO or founder can read in 5 minutes
- Detailed findings with exact reproduction steps, HTTP request/response evidence, and screenshots
- Business impact statements explaining what each vulnerability means in plain language, not just CVSS scores
- Remediation guidance specific to your codebase and stack
- SOC 2 and ISO 27001 control mapping so you can hand the report directly to your auditor (Growth plan)
- Brand Protection Snapshot checking for typosquatting domains, fake apps, and leaked credentials (both plans)
See a sample pentest report to understand exactly what you receive.
Penetration Test vs Vulnerability Assessment vs DAST Scanner
These three are often confused or sold as the same thing. The differences matter when an auditor, investor, or enterprise customer asks for one specifically.
| | DAST Scanner | Vulnerability Assessment | Penetration Test |
|---|---|---|---|
| Method | Automated dynamic scan against the running app | Automated scanning tools across infrastructure + app | Human-led, manual testing with methodology |
| Time per assessment | Minutes to hours | A few hours to a day | 7 to 10 calendar days |
| Finds | Known web vulnerabilities, injection patterns, weak configurations visible to the scanner | Known CVEs, misconfigurations, missing headers, outdated software | Business logic flaws, access control bypasses, chained exploits, authorization issues, plus everything a scanner finds |
| Misses | Anything requiring business context. Authorization issues. Multi-step workflows. | Application-specific logic. Custom authorization. | Almost nothing within the agreed scope (scanners run as part of the engagement) |
| Output | Generic tool report with CVE references | Tool-generated report with generic fix suggestions | Custom report with reproduction steps, code-level fixes, business impact |
| Accepted by SOC 2/ISO 27001 auditors | No, unless paired with a pentest | Sometimes, as a baseline | Yes, standard audit evidence |
| Accepted by enterprise security questionnaires | No | Sometimes | Yes |
| Typical cost | INR 5K to 50K (or free open-source) | INR 30K to 1L | INR 75K to 5L+ for SaaS |
Most credible engagements include automated scanning as part of the process. The pentest adds the manual, human-led analysis that scanners cannot do. For a deeper comparison, read manual penetration testing vs automated scanning.
How Much Does a Pentest Cost in India?
| Plan | Scope | Duration | Price |
|---|---|---|---|
| Startup Pentest | 1 scope (web app, API, or mobile) | 7 days | INR 74,999 |
| Growth Pentest | 2 scopes | 10 days | INR 1,79,999 |
| Additional scope | +1 scope added to either plan | +3 days | INR 44,999 |
Both plans include a detailed report, executive summary, free retest within 30 days, and Brand Protection Snapshot. The Growth plan adds SOC 2 + ISO 27001 audit prep evidence, a sanity retest 15 days after the full retest, and real-world attack simulation beyond OWASP Top 10.
For a deeper breakdown of what drives pentest pricing, including how larger firms justify 3 to 10 times these prices, read penetration testing cost in India.
Our Penetration Testing Services
We test across every application type SaaS startups ship:
- Web Application Penetration Testing: OWASP Top 10, business logic, authentication flaws
- API Penetration Testing: REST, GraphQL, gRPC security assessment
- Android Application Penetration Testing: APK analysis, runtime manipulation
- iOS Application Penetration Testing: Keychain, jailbreak bypass, binary analysis
- Cloud Penetration Testing: AWS, Azure, GCP misconfigurations
- AI Application Penetration Testing: Prompt injection, model security
Every engagement is founder-led. Rathnakara (OSCP, CompTIA PenTest+, M.Sc Cyber Security) personally leads every pentest. No juniors, no handoffs, 6 clients per month maximum.
Built for AI-first and API-first SaaS startups. Founder-led from Bengaluru. If you have a specific compliance ask, enterprise requirement, or pentest decision to make, book a 30-minute call with the founders or start with Security on Demand for a focused 4-hour engagement.