Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFundamentals

What is VAPT?

Vulnerability Assessment and Penetration Testing are two different things often bought together. Here is what each does and when you need them.

6 min read

VAPT stands for Vulnerability Assessment and Penetration Testing. The two are complementary but distinct: a vulnerability assessment finds known weaknesses broadly, while a penetration test tries to exploit them to prove real-world impact. Together they give both coverage and depth.

VAPT is often a regulatory requirement in India and elsewhere, and a standing expectation of enterprise customers. This guide explains the difference, the types, and how a test runs.

Key takeaways
  • Vulnerability assessment is breadth: automated discovery of known weaknesses.
  • Penetration testing is depth: skilled, often manual attempts to exploit and prove impact.
  • Types include network, web application, API, mobile, and cloud testing.
  • RBI, SEBI CSCRF, PCI DSS, and ISO 27001 all expect regular testing.

Assessment versus penetration test

A vulnerability assessment scans systems to enumerate known vulnerabilities and misconfigurations. It is broad and repeatable but does not confirm whether a weakness is truly exploitable. A penetration test picks up where the scan ends, with a tester attempting to chain and exploit findings the way an attacker would, to show real impact and false positives. Most mature programmes run assessments frequently and penetration tests periodically.

Common types of testing

VAPT is scoped to what you need to assure:

  • Network testing, external and internal.
  • Web application testing against issues like the OWASP Top 10.
  • API testing for authentication, authorization, and data exposure.
  • Cloud configuration and posture testing.
  • Mobile application testing where relevant.

When it is required

Beyond good practice, VAPT is frequently mandated. RBI and SEBI CSCRF expect regular testing for regulated entities, PCI DSS requires it for card data environments, and ISO 27001 and SOC 2 assessments expect evidence of testing. Reports need to be clear enough to satisfy both auditors and engineering teams that will fix the findings.

Frequently asked questions

How often should we run VAPT?
At least annually, and after significant changes, with more frequent testing for higher-risk or regulated environments. Many frameworks specify or imply a cadence.
Is a vulnerability scan the same as a penetration test?
No. A scan enumerates known weaknesses automatically; a penetration test attempts to exploit them to prove real impact. VAPT combines both.
Does VAPT satisfy RBI and SEBI requirements?
Regular VAPT is a core expectation under RBI and SEBI CSCRF, alongside other controls. The report and remediation evidence are what auditors look for.
How does NMT deliver VAPT?
NMT provides network, web, API, and cloud penetration testing with audit-ready reports mapped to RBI, SEBI, ISO 27001, and SOC 2, and helps you track remediation to closure.

See what a test would find first

Start with a free outside-in view of your exposure, then scope the testing that matters.

Run a free check
Related
VAPT solution Guide: What is External Attack Surface Management? Guide: SEBI CSCRF compliance