
Vulnerability Assessment vs Penetration Testing: What's the Difference?

A clear breakdown of vulnerability assessment vs penetration testing for Indian SaaS startups. When you need VA, when you need PT, why VAPT bundles exist, and what investors actually ask for.

Rathnakara GN & Ashok Kamat
Cyber Secify
6 min read

A customer just asked for a “security assessment.” Your investor wants to see a “pentest report” before writing the next check. Your compliance team says you need a “VAPT certificate.” Everyone uses different words, and nobody seems sure what they actually want.

Here’s the problem: vulnerability assessment and penetration testing are two different things. They answer different questions, use different methods, and produce different outputs. But in India, they’ve been bundled together as “VAPT” for so long that most people treat them as one activity.

Let’s fix that.

Vulnerability Assessment: Scanning for Known Weaknesses

A vulnerability assessment (VA) is a systematic scan of your systems to identify known security weaknesses. Think of it as a health check-up. You’re looking for known problems across a broad surface area.

How it works:

  1. Automated scanners (Nessus, Qualys, OpenVAS) run against your infrastructure, applications, or network
  2. The scanner compares what it finds against databases of known vulnerabilities (CVEs)
  3. Results are classified by severity (Critical, High, Medium, Low)
  4. You get a report listing every finding with remediation guidance

What a VA finds:

  • Unpatched software and outdated libraries
  • Default credentials left in place
  • Misconfigurations (open ports, weak TLS, permissive CORS)
  • Known CVEs in your tech stack
  • Missing security headers

A VA is broad but shallow. It tells you what’s exposed but not what an attacker can actually do with it.

Penetration Testing: Simulating a Real Attack

A penetration test (pentest) is a hands-on, manual exercise where a security professional tries to break into your system the way an attacker would. If VA is a health check-up, a pentest is a stress test.

How it works:

  1. Define scope and rules of engagement (what’s in, what’s out, what methods are allowed)
  2. Reconnaissance and enumeration (manual + automated)
  3. Exploitation: the tester chains vulnerabilities together to achieve impact (data access, privilege escalation, lateral movement)
  4. Post-exploitation: how far can the attacker go once they’re in?
  5. Report with proof-of-concept exploits, attack chains, and business impact

What a pentest finds:

  • Business logic flaws (bypassing payment flows, accessing other users’ data)
  • Authentication and authorization bugs that scanners miss
  • Chained vulnerabilities: three “medium” findings that combine into a critical exploit path
  • API-specific issues like broken object-level authorization
  • Real-world impact: “we accessed 10,000 customer records” vs “port 443 is open”

A pentest is narrow but deep. It answers: can someone actually break in, and what happens if they do?

Side-by-Side Comparison

                   | Vulnerability Assessment                       | Penetration Testing
Approach           | Automated scanning                             | Manual testing + tools
Depth              | Broad, shallow                                 | Narrow, deep
Duration           | Hours to 1-2 days                              | 5-15 days depending on scope
Output             | List of known vulnerabilities by severity      | Attack narratives with proof-of-concept exploits
Answers            | "What weaknesses exist?"                       | "Can an attacker exploit them?"
False positives    | High (scanners over-report)                    | Low (findings are manually verified)
Skill required     | Tool operation                                 | Offensive security expertise
Cost               | Lower (INR 15K-50K typical)                    | Higher (INR 75K-3L+ depending on scope)
Standards          | NIST SP 800-115                                | PTES, OWASP Testing Guide
Frequency          | Monthly or quarterly                           | Annually or after major releases

Why “VAPT” Is Everywhere in India

In the Indian market, most security vendors sell “VAPT” as a single package. There are a few reasons for this:

Regulatory bundling. RBI, SEBI, and CERT-In guidelines often reference “VAPT” as one activity. When the regulator says “conduct VAPT,” vendors package both together.

Price compression. Bundling lets vendors offer a lower price point while covering more ground. The trade-off: the “pentest” portion is often just a scanner run with a prettier report.

Ambiguous scope. When everyone calls everything “VAPT,” it’s hard for buyers to know what they’re getting. Some vendors run a Nessus scan and call it a pentest. Others do genuine manual testing but still label it “VAPT” because that’s what buyers search for.

The risk: if your “VAPT report” is actually just a vulnerability scan with no manual testing, it won’t catch the business logic flaws and chained exploits that real attackers use. And those are the findings that matter most for SaaS products.

What Investors and Customers Actually Ask For

When a customer or investor says they want a “security assessment,” here’s what they usually mean:

Enterprise customers (SOC 2, ISO 27001 requirements): They want a penetration test report from an independent third party. Specifically, they want to see that someone tried to break your application and either couldn’t, or that you fixed the issues they found. A VA report alone won’t satisfy this.

Investors (Series A and beyond): They want to know you’re not carrying obvious risk. A pentest report showing remediated findings signals maturity. Some will accept a VA, but a pentest carries more weight.

Regulated industries (fintech, healthtech): RBI and CERT-In typically require both VA and PT. You’ll need documented evidence of recurring vulnerability scans and periodic penetration tests.

Quick rule of thumb:

  • If someone asks for a “pentest report” or “third-party security assessment,” they want a penetration test
  • If someone asks for “vulnerability management,” they want recurring VA scans
  • If someone asks for “VAPT,” clarify which one they actually need (or if they need both)

When You Need VA, When You Need PT, When You Need Both

Start with a VA if:

  • You’ve never done any security testing before
  • You want a baseline of your current exposure
  • You need to run regular scans as part of compliance (SOC 2 continuous monitoring)
  • Your budget is tight and you need to prioritize

Go straight to a pentest if:

  • A customer or investor specifically asked for one
  • You’re handling sensitive data (PII, financial, health records)
  • You’ve shipped major features and want to validate your security posture
  • You’ve done VAs before and want to test what scanners can’t find

You need both if:

  • Regulatory requirements demand it (RBI, SEBI-regulated entities)
  • You want ongoing VA (monthly scans) plus annual or biannual pentests
  • You’re pursuing SOC 2 or ISO 27001 certification

A Real Example: What Each Misses

Consider a SaaS app with a multi-tenant architecture.

What a VA finds: The server is running an outdated version of nginx with a known CVE. SSL certificate uses a weak cipher suite. Three JavaScript libraries have known vulnerabilities.

What a VA misses: Tenant A can access Tenant B’s data by modifying an API parameter. The password reset flow can be bypassed by replaying a token. An admin API endpoint is exposed without authentication.

What a pentest finds: All of the above, plus a full attack chain: unauthenticated admin endpoint → access to internal API → enumerate all tenants → download customer data. The tester demonstrates the impact with screenshots and proof-of-concept code.

The VA findings are real and should be fixed. But the pentest findings are the ones that would make headlines.
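The first item in the "what a VA misses" list above, one tenant reading another tenant's record by changing an API parameter, is worth seeing in code, because it shows why no scanner flags it: the vulnerable handler returns a perfectly valid 200 response with no CVE attached. The example below is added here and is not code from the article or from Cyber Secify; the invoice store, session object and handler names are constructed for illustration. It shows the missing authorization check beside its hardened form, and a small regression check you can run against your own handlers in CI so that the finding, once fixed, stays fixed.

```python
from dataclasses import dataclass

# Constructed in-memory store standing in for a multi-tenant database table.
# Record ids are global across tenants, as they usually are with one shared table.
INVOICES = {
    1001: {"tenant_id": "tenant-a", "amount": 4500, "customer": "Acme Traders"},
    1002: {"tenant_id": "tenant-b", "amount": 12000, "customer": "Bharat Logistics"},
}

@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication."""
    user_id: str
    tenant_id: str

class NotFound(Exception):
    pass

def get_invoice_vulnerable(session: Session, invoice_id: int) -> dict:
    """Authenticated but not authorized: any logged-in user can read any invoice by id.
    A scanner sees a 200 response with valid JSON and no known CVE, so it reports nothing."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]

def get_invoice_hardened(session: Session, invoice_id: int) -> dict:
    """Object-level authorization: the record must belong to the caller's tenant, and the
    tenant comes from the server-side session, never from a request parameter."""
    record = INVOICES.get(invoice_id)
    if record is None or record["tenant_id"] != session.tenant_id:
        # One response for "does not exist" and "not yours", so a caller cannot tell
        # valid ids from invalid ones by comparing 403 with 404.
        raise NotFound(invoice_id)
    return record

def cross_tenant_reads(handler) -> list[tuple[str, int]]:
    """Authorization regression check for your own handlers: for every tenant, request
    every invoice that belongs to a different tenant and report the ones handed over.
    The expected result for a correctly scoped handler is an empty list."""
    tenants = {record["tenant_id"] for record in INVOICES.values()}
    leaks = []
    for tenant in sorted(tenants):
        session = Session(user_id=f"user@{tenant}", tenant_id=tenant)
        for invoice_id, record in INVOICES.items():
            if record["tenant_id"] == tenant:
                continue  # own data; not a cross-tenant read
            try:
                handler(session, invoice_id)
            except NotFound:
                continue  # correctly denied
            leaks.append((tenant, invoice_id))
    return leaks

if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_reads(get_invoice_vulnerable))
    print("hardened handler leaks:  ", cross_tenant_reads(get_invoice_hardened))
```

The fix is one line of logic, but it lives in the application's authorization model rather than in a version string, which is exactly why it takes a human reading the API (or a test like `cross_tenant_reads` in your own suite) to find it.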

How to Get Started

If you’re not sure where you stand, start with a free external scan. Our OpenEASD tool runs a non-intrusive external attack surface discovery against your domain. It takes 2 minutes and shows you what’s visible from the outside: exposed services, DNS records, SSL issues, and more. No sign-up wall.

When you’re ready for a proper pentest, our Startup Pentest plan covers one application scope in 7 days for INR 74,999. It’s founder-led (not outsourced to juniors), follows PTES and OWASP WSTG v5.0 methodology, and includes a retest after you fix the findings.

For a full breakdown of what our engagements cover, see our penetration testing services.

The worst outcome isn’t failing a pentest. It’s assuming a scanner report equals a security assessment, then finding out the hard way that it doesn’t.

Frequently Asked Questions

Do I need a vulnerability assessment or a penetration test?

If you need to check for known misconfigurations and patching gaps, a vulnerability assessment is enough. If an investor, auditor, or enterprise customer is asking for a security report, you need a penetration test that includes manual testing of business logic.

What does VAPT stand for?

VAPT stands for Vulnerability Assessment and Penetration Testing. It is a term commonly used in India to describe a combined security testing engagement that includes both automated scanning and manual exploitation.

How often should you do penetration testing?

At minimum, annually or after major changes to your application. If you have a SOC 2 or ISO 27001 certification, your auditor will expect at least an annual pentest. Fast-moving startups should test after every major release.
