What is VAPT?
Vulnerability Assessment and Penetration Testing are two different things often bought together. Here is what each does and when you need them.
VAPT stands for Vulnerability Assessment and Penetration Testing. The two are complementary but distinct: a vulnerability assessment finds known weaknesses broadly, while a penetration test tries to exploit them to prove real-world impact. Together they give both coverage and depth.
VAPT is often a regulatory requirement in India and elsewhere, and a standing expectation of enterprise customers. This guide explains the difference, the types, and how a test runs.
- Vulnerability assessment is breadth: automated discovery of known weaknesses.
- Penetration testing is depth: skilled, often manual attempts to exploit and prove impact.
- Types include network, web application, API, mobile, and cloud testing.
- RBI, SEBI CSCRF, PCI DSS, and ISO 27001 all expect regular testing.
Assessment versus penetration test
A vulnerability assessment scans systems to enumerate known vulnerabilities and misconfigurations. It is broad and repeatable but does not confirm whether a weakness is truly exploitable. A penetration test picks up where the scan ends, with a tester attempting to chain and exploit findings the way an attacker would, to show real impact and false positives. Most mature programmes run assessments frequently and penetration tests periodically.
Common types of testing
VAPT is scoped to what you need to assure:
- Network testing, external and internal.
- Web application testing against issues like the OWASP Top 10.
- API testing for authentication, authorization, and data exposure.
- Cloud configuration and posture testing.
- Mobile application testing where relevant.
When it is required
Beyond good practice, VAPT is frequently mandated. RBI and SEBI CSCRF expect regular testing for regulated entities, PCI DSS requires it for card data environments, and ISO 27001 and SOC 2 assessments expect evidence of testing. Reports need to be clear enough to satisfy both auditors and engineering teams that will fix the findings.
Frequently asked questions
See what a test would find first
Start with a free outside-in view of your exposure, then scope the testing that matters.
Run a free check