How Much Does VAPT Cost in India in 2026? Complete Buyer's Guide
Published May 3, 2026 · 13 min read
The first question almost every Indian security buyer asks is the same: what does a VAPT actually cost? The honest answer is a range, not a number, because Vulnerability Assessment and Penetration Testing pricing depends on scope, regulator alignment, depth of testing, and how the deliverable will be consumed. This guide gives realistic 2026 ranges in INR (and USD), explains what moves the price, and benchmarks against the alternatives Indian buyers consider: PtaaS subscriptions, Big-4 audits, freelance pentesters, and building an internal red team. All ranges below are exclusive of 18% GST unless stated otherwise; we flag the GST footprint where it materially changes the budgeting picture.
What is the typical VAPT price in India in 2026?
For a credible CERT-In empanelled or CREST-aligned engagement delivered by a senior operator, expect three broad bands: a Starter engagement on a single asset between ₹1.5L and ₹3L ($2k–$4k), a Professional multi-asset engagement between ₹4L and ₹12L ($5k–$15k), and an Enterprise or regulator-grade programme starting at ₹15L ($20k+). These bands match the AxVeil service-engagement tiers. Anyone quoting materially below the Starter floor is either scoping a thin scan rebadged as a pentest or running the engagement with a junior tester they cannot keep on retest.
| Tier | Indicative range (INR) | Indicative range (USD) | Typical buyer | Duration |
|---|---|---|---|---|
| Starter VAPT | ₹1.5L – ₹3L | $2k – $4k | Pre-seed / seed SaaS, single web app or API | 5–7 working days |
| Professional VAPT | ₹4L – ₹12L | $5k – $15k | Series A–C SaaS, fintech, multi-asset | 2–3 weeks |
| Enterprise / Red Team | ₹15L+ | $20k+ | BFSI, government, regulated enterprise | Multi-week to multi-quarter |
Ranges reflect AxVeil's 2026 service tiers and observed market pricing across CERT-In empanelled and CREST-aligned vendors operating in India. Numbers exclude 18% GST.
What does a Starter VAPT (₹1.5L–₹3L) include?
A Starter engagement is built for one asset: a single web application, mobile app, or API. It is the right fit for a founder or solo security engineer preparing for a SOC 2 readiness review, an ISO 27001 stage-1 audit, or a vendor questionnaire that demands a recent pentest report. At this price point you should expect black-box plus grey-box testing on the asset, full OWASP Top 10 and ASVS Level 1 coverage, a PDF report with CVSS v3.1 scoring and reproducible proofs of concept, a live engineer debrief, and one free retest within 30 days. What you should not expect is deep business-logic exploitation, multi-tenant chaining, or a full mobile-plus-API pairing; those justify the Professional tier.
What does a Professional VAPT (₹4L–₹12L) cover?
The Professional tier is where most Series A to Series C SaaS and fintech buyers land. It typically covers up to five assets (a web application, an admin portal, a mobile app, a public API, and selected supporting infrastructure) with both authenticated and unauthenticated testing, OWASP API Top 10 coverage, ASVS Level 2 alignment, and compliance mapping (SOC 2 CC7.1, ISO 27001:2022 A.8.8, PCI DSS 11.4, DPDP Act 2023). Deliverables include an executive report, a technical report, and one free retest per finding within 30 days. The middle of this band (₹6L–₹8L) is the most common quote for a healthy Series-B SaaS preparing its annual SOC 2 Type 2 evidence cycle.
When does an Enterprise engagement (₹15L+) make sense?
Enterprise pricing kicks in when scope crosses external plus internal estate, includes Active Directory and cloud, demands MITRE ATT&CK adversary emulation, or carries a regulator-ready report pack for RBI, SEBI, CERT-In, or regional MENA frameworks. Banks, insurers, and large enterprises with legacy footprints land here. The number scales with the number of internal subnets, AD forests, cloud accounts, mobile platforms, and the depth of red-team versus VAPT in the deliverable. Multi-quarter rolling programmes for BFSI buyers regularly exceed ₹50L ($60k+) annual contract value when the cadence includes wave-based retest and a named SOC liaison.
What changes the price within a tier?
Two engagements at the same headline tier can differ by 2–3x because of the variables below. When you receive a quote, ask your vendor which lever moved the number.
- Asset count and complexity. One simple CRUD web app is not the same as one complex multi-tenant SaaS with role-based access, payments, and a partner API. Operators scope by hours, not by checkbox.
- Authentication coverage. Anonymous-only testing is cheap. Adding an authenticated standard user, an admin, and cross-tenant checks in a multi-tenant app roughly triples the access-control surface (horizontal and vertical privilege-escalation paths), and the hours follow.
- Regulator mapping. A report mapped to SOC 2 plus ISO 27001 plus PCI DSS plus DPDP Act 2023 takes a senior operator extra writing time. RBI / SEBI / CERT-In mapping for BFSI requires regulator-fluent reporting that is not a template fill.
- Timeline pressure. A two-week sprint to hit an audit deadline costs more than a four-week comfortable scope — you are paying for compressed senior calendar time.
- Retest scope. One retest within 30 days is standard. Multi-wave retests across 90 days, with every fix verified in each wave, scale roughly linearly with the number of waves.
- Languages and stack. A Java Spring web app with a Flutter mobile front-end and a GraphQL API draws a different operator profile than a Django app with a REST API.
- Reporting deliverables. Some buyers need a single PDF; others need a regulator pack, a board-deck summary, a developer-ready Jira import, and a customer-facing trust-page extract.
- Onsite versus remote. Most VAPT is delivered remotely. When a regulator or SOC mandates on-premises testing, factor in travel, accommodation, and operator daily rate uplift.
What about the 18% GST?
Indian buyers pay 18% GST on professional cybersecurity services (SAC 998313, IT consulting and support services). A ₹4L Professional VAPT invoiced by an Indian LLP becomes ₹4.72L all-in. If your entity is GST-registered, the ₹72k is recoverable as input tax credit; if you are an unregistered NGO or an individual founder, the GST is a real outflow. A foreign-domiciled buyer contracting through its offshore entity and paying in convertible foreign exchange can usually be invoiced as a zero-rated export of services with no GST charged, provided the export-of-services conditions under GST are met (confirm this with the vendor's CA before assuming it). The W-8BEN-E is separate US withholding paperwork for the buyer's tax file, not a GST mechanism. This is why some Indian startups with US Delaware parents route cybersecurity spend through the parent.
VAPT vs PtaaS subscription — which is cheaper?
Pentest-as-a-Service platforms (Cobalt, HackerOne Pentest, Synack) market a credit-based subscription model that looks attractive on a per-asset basis but adds up quickly when you have more than two or three applications. Public marketing pages from these vendors price credits in the $1k–$2k range (verify current pricing on each vendor's site). For a single-asset annual cadence the comparison is close. For a regulated buyer who needs the same named operator across testing and retest, a consultant-led engagement gives more depth per rupee. See our AxVeil vs Cobalt comparison for the trade-off in detail.
VAPT vs Big-4 audit pricing — what is the gap?
Big-4 firms (Deloitte, EY, KPMG, PwC) price cybersecurity audits and VAPT through their advisory practice. The same scope that an operator-led firm delivers for ₹6L–₹10L often arrives from a Big-4 at ₹15L–₹40L. The premium covers brand, audit-committee acceptability, and the partner-leverage model (one partner, several managers, many juniors). Big-4 reports are well-formatted and audit-committee-ready but the testing depth is typically lighter than an operator-led engagement at the same headline price. The honest framing for most CISOs: hire the operator-led firm for the actual testing, present the report to the audit committee with confidence, and use Big-4 advisory for board-strategy work where their brand and benchmarking are the genuine value.
VAPT vs freelance pentester — what is the trade-off?
A skilled Indian freelance pentester quotes ₹50k–₹2L for a single web app. The work can be excellent. What you give up: liability cover, NDA enforceability against an LLP rather than an individual, audit-committee acceptability of the deliverable, retest commitment, and the ability for your auditor to call the firm two years later for evidence. For a side-project or a one-off internal check, freelance is cost-effective. For an engagement that goes to your SOC 2 auditor or your bank's RBI file, the freelance route fails the procurement standard at most regulated buyers.
Internal team vs outsourced VAPT — the build-versus-buy question
A senior offensive security engineer in India costs ₹35L–₹70L per year fully loaded. To match the output of a professional VAPT vendor you need at least two full-timers plus tooling (Burp Suite Pro licences, Cobalt Strike or Outflank, lab infrastructure, training budget). The build-versus-buy crossover sits around five to seven engagements per year — below that, outsourcing is cheaper and gives you adversarial diversity. Above that, hiring in-house plus a quarterly external testing cadence for fresh perspective is the typical mature pattern.
Cost benchmarks across alternatives (single-asset annual)
| Option | Indicative annual cost | Strength | Weakness |
|---|---|---|---|
| Operator-led VAPT (e.g. AxVeil) | ₹1.5L–₹12L | Named operator, retest, regulator mapping | Annual cadence by default |
| PtaaS subscription | $8k–$25k+ | Continuous, platform UX | Tester rotation, less depth per asset |
| Big-4 advisory | ₹15L–₹40L+ | Brand, audit-committee fit | Premium price, leveraged delivery |
| Freelance pentester | ₹50k–₹2L | Cost-effective, fast | Liability, audit, retest gaps |
| In-house team (2 FTE) | ₹70L–₹1.4Cr | Continuous, deep context | Tool / training overhead, hiring risk |
How do I avoid being underquoted?
Underquoting is the single biggest procurement risk in Indian VAPT. A vendor that quotes ₹50k for a scope a sensible operator priced at ₹4L is not winning the deal on efficiency — they are winning it by quietly dropping authenticated testing, mobile, the API, or by assigning a junior tester. Three questions to ask:
- How many person-days are in the quote, and at what seniority?
- Is retest included — for how long, how many waves, and against the same operator?
- Will the named lead operator on the engagement also be available for the retest and any auditor follow-up call twelve months later?
If the answers are vague, the price is misleading. Ask for a written scope before the quote, not after.
A worked example — Series-B fintech
A typical Series-B Indian fintech buyer wants annual VAPT covering: customer-facing web app, admin web app, customer mobile (iOS + Android), partner API, and a payment-gateway integration test. SOC 2 Type 2 evidence is required and an RBI-aligned report for an upcoming PA-PG licensing review. Realistic 2026 quote band:
- Professional VAPT base: ₹6L–₹8L (multi-asset, both authenticated and unauthenticated).
- Mobile (iOS + Android) MASVS-aligned add-on: ₹1.5L–₹2.5L.
- RBI / regulator-aligned report pack uplift: ₹50k–₹1L.
- Retest wave (covered) within 30 days of remediation: included.
- Total band: ₹8L–₹11.5L plus 18% GST = ₹9.4L–₹13.6L invoiced.
Where AxVeil fits in the price stack
AxVeil ships engagements at the three tiers above. The engagement is led by a named senior operator who stays on the file across testing, reporting, and retest. The deliverable is mapped to whichever frameworks your audit committee or regulator needs — SOC 2, ISO 27001, PCI DSS 4.0, RBI, SEBI CSCRF, DPDP Act 2023, or MENA regional regulators. Indian buyers receive a GST-compliant invoice from AxVeil LLP; international buyers receive a USD invoice with W-8BEN-E available. For a quote against your specific scope, see the /pricing page or talk to a senior operator.
FAQ
How much does VAPT cost in India in 2026?
For a credible CERT-In empanelled or CREST-aligned engagement delivered by a senior operator, expect three broad bands: a Starter engagement on a single asset at INR 1.5L-3L (about USD 2k-4k), a Professional multi-asset engagement at INR 4L-12L (about USD 5k-15k), and an Enterprise or regulator-grade programme starting at INR 15L (USD 20k+). All ranges exclude 18% GST. Quotes materially below the Starter floor usually indicate a thin scan rebadged as a pentest.
Why is VAPT pricing a range and not a fixed number?
Price depends on the number and complexity of in-scope assets, authenticated versus unauthenticated coverage, API surface (REST is cheaper than GraphQL with introspection disabled), mobile platforms, cloud configuration review, whether the test is white-box, regulator alignment, and how many retest cycles are included. Two engagements with the same asset count can differ several-fold on these factors.
Is GST included in VAPT quotes?
Usually not. Indian VAPT quotes are typically exclusive of 18% GST, so budget the GST on top of the headline figure. GST is generally creditable for a GST-registered buyer, but it still affects cash-flow and the gross budget your finance team must approve, so confirm whether a quote is inclusive or exclusive before comparing vendors.
How does VAPT compare to PtaaS, Big 4, or hiring freelancers?
A PtaaS subscription spreads cost across the year and suits continuous coverage but can be shallow on manual depth. Big 4 audits cost more and move on the firm's calendar. Freelance pentesters are cheapest but rarely include a defensible report, retest, or empanelment for a regulator. For regulated or audit-driven needs, a senior operator-led engagement with a real report and retest is usually the right economic choice.
What makes a VAPT quote credible?
A credible quote names the methodology (PTES, OWASP WSTG, NIST SP 800-115), states the exact in-scope and out-of-scope assets, includes a written report with CVSS-scored findings and a retest, names the testers and their credentials, and is delivered by a CERT-In empanelled or CREST-aligned provider where regulator acceptance matters. Beware fixed prices quoted before scope is defined.
Get a written VAPT quote in one business day.
Free 30-minute scoping call, NDA on request, fixed price before billing.
Get a quote →