
What is Penetration Testing? VAPT Explained for Indian Enterprises

Crewtec Security Team
· 5 September 2024 · 7 min read

A penetration test, also called a pen test or VAPT (Vulnerability Assessment and Penetration Testing), is a controlled, authorised simulation of a cyberattack on your systems. The goal is to find exploitable vulnerabilities before a real attacker does.

Unlike a vulnerability scan (which lists known weaknesses), penetration testing actively attempts to exploit those weaknesses, chaining vulnerabilities together the way a skilled attacker would.

Penetration Testing vs Vulnerability Assessment: What’s the Difference?

These terms are often used interchangeably in India, but they are distinct exercises:

| | Vulnerability Assessment (VA) | Penetration Testing (PT) |
|---|---|---|
| What it does | Identifies and lists known vulnerabilities | Actively exploits vulnerabilities to prove impact |
| Depth | Wide: covers many systems | Deep: focuses on what can actually be breached |
| Output | List of CVEs with severity scores | Demonstrated attack path with business impact |
| Who performs it | Can be automated tooling | Requires skilled human testers |
| Frequency | Monthly or quarterly | Annually or after major changes |

VAPT (Vulnerability Assessment and Penetration Testing) combines both: a VA identifies the attack surface, and the PT proves which weaknesses are genuinely exploitable.

Why Does Penetration Testing Matter?

Every organisation has vulnerabilities. The question is whether an attacker will find them first or you will.

Without a penetration test, you are relying on:

  • Vendors telling you their products are secure (they have a conflict of interest)
  • Compliance checklists that check configuration boxes but don’t simulate real attacks
  • The assumption that no one is targeting you (increasingly false for Indian mid-market companies)

A penetration test gives you evidence: a specific attack path, a demonstrated impact, and a prioritised list of what to fix first.

Types of Penetration Tests

Network Penetration Testing

Tests your external and internal network infrastructure: firewalls, routers, servers, and segmentation controls. Identifies whether an attacker who gains a foothold on your network can move laterally to critical systems.

Web Application Penetration Testing

Tests your web applications for OWASP Top 10 vulnerabilities: SQL injection, cross-site scripting (XSS), broken authentication, insecure direct object references, and more. Critical for any organisation with customer-facing web applications.

API Penetration Testing

Tests REST, GraphQL, and SOAP APIs for authentication weaknesses, authorisation flaws, and data exposure. APIs are often neglected in testing programmes and increasingly targeted by attackers.

Mobile Application Penetration Testing

Tests Android and iOS applications for insecure data storage, weak cryptography, improper session management, and client-side vulnerabilities.

Social Engineering / Phishing Simulation

Tests your employees’ susceptibility to phishing emails, pretexting calls, and physical intrusion attempts. Human vulnerabilities are consistently the most exploited attack vector.

Red Team Assessment

A full-scope adversary simulation that combines network, application, and social engineering techniques. A red team exercise tests your detection and response capability: not just whether you can be breached, but whether you can detect and contain a breach when it happens.

The Penetration Testing Methodology

Professional penetration testing follows a structured methodology, not ad-hoc guessing. Crewtec uses a methodology aligned to OWASP, PTES (Penetration Testing Execution Standard), and NIST guidelines.

Phase 1: Scoping and Rules of Engagement

Define the scope (which systems are in-scope), timing (testing hours), and rules of engagement (what actions are permitted). Critical to avoid disrupting production systems.

Phase 2: Reconnaissance

Gather intelligence about the target: DNS records, exposed services, employee information from LinkedIn, and technology stack fingerprinting. This phase simulates what an attacker does before they attack.

Phase 3: Vulnerability Identification

Combine automated scanning with manual analysis to identify potential weaknesses. Automated tools catch known CVEs; skilled testers find logic flaws that scanners miss.

Phase 4: Exploitation

Attempt to actively exploit identified vulnerabilities: escalate privileges, extract data, move laterally, and demonstrate real-world impact. This is what distinguishes a pen test from a VA.

Phase 5: Post-Exploitation

Once access is gained, determine what data is accessible, how long access could be maintained, and what the blast radius of a real attack would be.

Phase 6: Reporting

Deliver a detailed report with:

  • Executive summary: business impact in plain language for leadership and the board
  • Technical findings: each vulnerability with CVSS severity score, proof of concept, and evidence
  • Remediation guidance: specific steps to fix each finding, prioritised by risk
  • Retest: verification that critical findings were properly remediated

What Does a Good Penetration Test Report Include?

A professional pen test report is not just a list of CVEs from an automated scanner. It should include:

  1. Attack narrative: a walk-through of the actual attack path taken
  2. Risk-rated findings: each finding rated Critical / High / Medium / Low / Informational using CVSS 3.1
  3. Proof of concept: screenshots and evidence proving exploitability (not theoretical)
  4. Business impact: what data was accessible, what an attacker could do with it
  5. Remediation steps: specific, actionable fixes, not just “patch your systems”
  6. Retest commitment: a follow-up test to verify critical findings were fixed

When Do You Need a Penetration Test?

You need a penetration test when:

  • Annually as a baseline: most security frameworks (ISO 27001, SOC 2, PCI-DSS) require annual penetration testing
  • Before a major launch: before releasing a new application, API, or infrastructure change to production
  • After a significant change: major cloud migration, merger/acquisition, or infrastructure redesign
  • After a breach or incident: to understand how you were compromised and what else may be exposed
  • For compliance: RBI, SEBI, CERT-In guidelines, ISO 27001, SOC 2, and PCI-DSS all require periodic penetration testing
  • For a large enterprise customer or investor: many enterprise sales cycles and due diligence processes require a recent pen test report

How Much Does Penetration Testing Cost in India?

Penetration testing costs vary based on scope, depth, and the type of test:

| Test Type | Approximate Cost (India) |
|---|---|
| Web application pen test (single app) | ₹75,000 – ₹2,50,000 |
| Network pen test (external only) | ₹1,00,000 – ₹3,00,000 |
| Network pen test (external + internal) | ₹2,00,000 – ₹5,00,000 |
| Mobile app pen test | ₹75,000 – ₹2,00,000 |
| Full VAPT (network + web + API) | ₹3,00,000 – ₹8,00,000 |
| Red team assessment | ₹8,00,000 – ₹20,00,000+ |

Prices vary significantly by scope, number of IP addresses or applications, and the seniority of testers. Be cautious of very low prices: a cheap pen test often means an automated scan repackaged as a manual test.

What to Look for in a Penetration Testing Vendor

Not all pen test vendors are equal. When evaluating providers:

Credentials matter: Look for testers with OSCP (Offensive Security Certified Professional), CEH, or GPEN certifications. These require passing practical hands-on exams, not just multiple-choice questions.

Manual testing, not just tools: Ask what percentage of the engagement is manual versus automated. A genuine pen test requires skilled human testers who can think like attackers.

Methodology transparency: A good vendor will share their methodology upfront. Ask which standard they follow (OWASP, PTES, NIST).

Report quality: Ask for a sample report (redacted). The report is the deliverable: if it reads like automated scanner output with no attack narrative or business impact, that’s a red flag.

Retest included: Critical and high findings should be retested after remediation at no extra charge. This is standard practice.

References: Ask for references from clients in your sector, particularly if your compliance requirements are sector-specific (RBI for banking, CERT-In guidelines, etc.).

Penetration Testing and Compliance

Multiple Indian regulatory frameworks and international standards require penetration testing:

  • ISO 27001: Annex A.8.8 requires vulnerability management; penetration testing is the standard method of demonstrating control effectiveness
  • RBI cybersecurity framework: Requires periodic VAPT for banks, NBFCs, and payment system operators
  • SEBI cybersecurity circular: Requires annual VAPT for market infrastructure institutions and registered intermediaries
  • PCI-DSS: Requires annual penetration testing of the cardholder data environment and after any significant changes
  • SOC 2: Penetration testing results are commonly requested as evidence by SOC 2 auditors
  • CERT-In guidelines: Recommends periodic security testing for critical information infrastructure

How Crewtec Approaches Penetration Testing

Crewtec’s VAPT practice is built on a genuine offensive security methodology, not automated scanner output:

  • All engagements are scoped carefully to avoid disrupting production systems
  • Testers hold OSCP and other offensive security certifications
  • Reports are written for two audiences: the board (executive summary, business impact) and the technical team (finding detail, remediation steps)
  • Critical and high findings are retested after remediation; the retest is included in the engagement cost
  • Findings are presented in a debrief session so your team understands the attack paths, not just the list of vulnerabilities

The output of a Crewtec pen test is not a document that sits in a folder; it is a prioritised remediation roadmap.

Book a free VAPT scoping call →

Tags

penetration testing VAPT cybersecurity ethical hacking India
