VAPT

Vulnerability Assessment and Penetration Testing

Vulnerability Assessment and Penetration Testing — automated discovery layered with manual exploitation against an in-scope asset.

Why it matters

Most security questionnaires, cyber-insurance underwriters and frameworks (SOC 2, ISO 27001, PCI DSS, RBI) require a current third-party test. A real VAPT proves which findings an attacker can actually chain into business impact, not just which CVEs are theoretically present.

How it's tested & exploited

Authenticated scanning (Nuclei, Burp Suite Pro, SCA against an SBOM) layered with manual exploitation of every user journey and business-logic flow. Each candidate finding is human-validated and turned into a working proof-of-concept before it reaches the report, then mapped to CWE, CVSS and OWASP ASVS.

In depth

Vulnerability Assessment and Penetration Testing (VAPT) is the discipline of finding security weaknesses in an application, API, network or cloud environment and then proving which of those weaknesses an attacker can actually chain into business impact. The "VA" half uses authenticated scanning, configuration review and template-driven discovery — typical tooling includes Nuclei, Burp Suite Pro's active scanner, and dependency-graph CVE correlation against a Software Bill of Materials. The "PT" half is human-driven: a tester walks every authenticated user journey, exercises business logic that scanners cannot reason about, validates each candidate finding, and builds working proof-of-concept exploits that demonstrate account takeover, tenant-boundary breach, data exfiltration or lateral movement.

Engagements are typically scoped against a standard the customer needs to satisfy. A SaaS company pursuing SOC 2 Type 2 usually asks for OWASP ASVS Level 2 coverage across the production application plus a perimeter network test. A card-handling merchant under PCI DSS v4.0 needs Requirement 11.4.x coverage with quarterly external and annual internal segmentation testing. An RBI-regulated entity in India needs an annual penetration test plus a CERT-In-aligned report format. The deliverable is a single signed report (typically 60–120 pages) plus machine-readable JSON, every finding mapped to CWE, CVSS v3.1/v4.0, OWASP ASVS and OWASP API Top 10. AxVeil ships a free retest of every Critical, High and Medium finding within a 30-day remediation window and issues a Letter of Attestation on PASS.

VAPT is not a scanner subscription. A genuine engagement requires a named lead tester, a documented Rules of Engagement, written authorisation for any invasive checks, and a draft-report walkthrough call before the final PDF lands. AxVeil VAPT aligns to CREST CHECK, NIST SP 800-115 and PTES; see VAPT vs. penetration testing for the practical difference and VAPT cost in India 2026 for current pricing benchmarks.

Apply VAPT to your programme

AxVeil scopes engagements against the standard you need to satisfy. Send the asset list, the target framework and the audit deadline — we respond with a fixed-fee proposal and a sample report from a comparable engagement.