
What is VAPT?

VAPT — Vulnerability Assessment and Penetration Testing — is a two-phase security exercise that first scans an asset for known weaknesses (the VA phase) and then attempts to exploit them under controlled conditions to confirm real-world impact (the PT phase). It produces a prioritized risk report with proof-of-concept evidence, severity scoring (CVSS), and remediation guidance. Used by banks, fintechs, SaaS, and healthcare to meet ISO 27001, SOC 2, RBI, and PCI-DSS testing requirements.

VAPT is the standard term in enterprise procurement for an end-to-end security test. The 'VA' half is an automated breadth-first sweep — running CVE scanners, configuration analyzers, and dependency auditors against the in-scope asset to enumerate weaknesses. The 'PT' half is the manual depth phase — a qualified tester (typically OSCP-, eCPPT-, or OSCE-certified) attempts to exploit the highest-impact findings to demonstrate real-world business risk.

The pair matters because either phase alone is misleading. A VA report by itself overstates risk: it lists every known CVE without confirming exploitability. A pure pen-test understates breadth: testers prioritize what they can chain, ignoring lower-hanging vulns that an opportunistic attacker would pick first. VAPT combines both, then ranks findings by exploited-impact rather than CVSS alone.

A typical VAPT engagement at Infilux runs 5–10 working days for a single web application or 3–7 days for an internal network. It produces an executive summary, a technical findings register with CVSS v3.1 scoring, a chained-exploit narrative, and a remediation matrix. All engagements include a complimentary retest within 30 days to verify the fixes landed correctly.

Key points

  • Two-phase: breadth-first scan (VA) followed by depth-first exploit (PT).
  • Standard requirement under ISO 27001 A.5.30, SOC 2 CC7.1, PCI-DSS 11.4, RBI Cyber Security Framework.
  • Deliverables: executive summary, technical findings register, exploit proof-of-concepts, remediation roadmap, retest verification.
  • Typical scope: web apps, mobile apps, APIs, internal/external networks, cloud (AWS / Azure / GCP), thick clients, source code.
  • Run by certified offensive practitioners (OSCP, eCPPT, OSCE, CRTP).

Frequently asked

Is VAPT the same as a penetration test?
No. A penetration test is the second half of a VAPT. The first half — Vulnerability Assessment — is an automated breadth scan that enumerates all known weaknesses. VAPT combines both so you get both coverage (everything that's broken) and depth (what an attacker would actually do with it).
How long does a VAPT take?
A standard web-application VAPT takes 5–10 business days. Internal network assessments run 3–7 days. Mobile applications and thick-client assessments are 4–8 days. The exact duration depends on the asset's size, the number of integrated APIs, and whether authentication, multi-tenancy, or financial workflows are in scope.
How often should we run VAPT?
Annually at minimum for production systems; after every significant change (new feature release, infrastructure migration, third-party integration, or M&A); and before every major audit (ISO 27001, SOC 2, PCI-DSS). High-risk financial workloads (RBI-regulated banks, NBFCs) require quarterly VAPT.
Will VAPT disrupt our production systems?
No — we coordinate the test plan so destructive payloads (e.g. DoS proof-of-concepts, exploit chains that modify data) run only against pre-agreed staging environments or during agreed maintenance windows. All testing requires written authorization, and we maintain a kill-switch contact for the duration.