VAPT Cost India: What ₹40K, ₹2.5L, ₹15L Actually Buy

VAPT pricing decoded for Indian BFSI, SaaS, and fintech teams — what ₹40K, ₹2.5L, and ₹15L engagement tiers include, and how to scope a CERT-In empanelled audit in Bangalore.

API4SOC2 Editorial · 17 May 2026 · 14 min read

VAPT quotes in India range from ₹40,000 to ₹15,00,000, and every Bangalore CTO who has bought the service has stared at that spread and wondered what the difference actually is. The short answer: scope, methodology, and auditor pedigree. The longer answer is what this guide covers — a line-by-line breakdown of what each price tier buys, why CERT-In empanelment matters at the higher end, and how to write an RFP that gets apples-to-apples responses.

The article moves top-down: what VAPT means in the Indian regulatory context, the three price tiers, what is included and excluded at each level, and how to verify that the deliverable will satisfy your auditor, your regulator, and your board.

What VAPT actually means in India

VAPT — Vulnerability Assessment and Penetration Testing — is a combined engagement that identifies security weaknesses (vulnerability assessment) and attempts to exploit them (penetration testing) to demonstrate real-world impact. In the Indian regulatory context, VAPT is not optional; it is mandated by:

  • CERT-In for government and regulated entities
  • RBI for banks, NBFCs, and payment aggregators
  • SEBI for stock brokers, AMCs, and Market Infrastructure Institutions
  • IRDAI for insurers and insurance intermediaries

What VAPT is not:

  • It is not a one-time checkbox — RBI expects quarterly or half-yearly cycles
  • It is not an automated scan — a proper engagement includes manual exploitation
  • It is not a guarantee of security — it is a point-in-time assessment
  • It is not interchangeable with a code review — source-code audits are a separate discipline

Who needs VAPT in India

Bangalore SaaS with enterprise customers

Enterprise procurement teams increasingly request a current VAPT report. The report must be from a CERT-In empanelled firm to clear Indian-regulated buyer due diligence.

Mumbai banks and NBFCs

RBI’s Cyber Security Framework mandates annual VAPT by an empanelled auditor, with re-testing after remediation.

Chennai fintech payment gateways

PCI-DSS requires quarterly external network scans and annual penetration testing. The same firm can often scope both.

Hyderabad health-tech with hospital integrations

MoHFW and NABH expectations increasingly reference CERT-In empanelled VAPT as part of the security baseline.

Delhi-NCR government contractors

CERT-In Directions explicitly require empanelled auditors for government and PSU security assessments.

VAPT pricing tiers: ₹40K, ₹2.5L, ₹15L

Tier 1: ₹40,000 – ₹80,000 — Automated scan with light manual validation

Included:

  • Automated vulnerability scan (Nessus, OpenVAS, or equivalent)
  • PDF scan report with CVSS scoring
  • Email summary of critical findings
  • 1–2 days turnaround
  • Remote delivery

Not included:

  • Manual exploitation of complex vulnerabilities
  • Business-logic flaw testing
  • Re-test after remediation
  • Executive presentation to board
  • On-site testing

Best for: Startups with limited scope, internal security teams that can act on scan output, or pre-audit baseline checks.

Tier 2: ₹2,50,000 – ₹4,00,000 — Standard CERT-In empanelled engagement

Included:

  • Manual + automated testing
  • Web app, API, and infrastructure scope
  • Business-logic and IDOR testing
  • CVSS + risk-prioritised remediation report
  • One re-test cycle included
  • Executive summary for board / regulator
  • On-site kickoff and exit meetings in Bangalore

Not included:

  • Source-code review
  • Wireless network testing
  • Social engineering
  • 24/7 retainer support
  • Red-team simulation

Best for: Most Indian SaaS, fintech, and mid-market BFSI entities that need a regulator-acceptable report.

Tier 3: ₹10,00,000 – ₹15,00,000 — Enterprise red-team + continuous validation

Included:

  • Everything in Tier 2
  • Red-team simulation with assumed-breach model
  • Continuous vulnerability monitoring (12 months)
  • Quarterly re-tests and trend analysis
  • Custom exploit development for critical findings
  • War-room support during remediation
  • Direct partner-level reporting to board audit committee

Not included:

  • Physical security testing

Best for: Large BFSI, stock brokers under SEBI CSCRF, crypto exchanges, and Series C+ SaaS with complex multi-cloud estates.

What drives VAPT cost in India

| Driver | Low impact | High impact |
|---|---|---|
| Scope (IP count, app count, API count) | 1 web app, 5 IPs | 10+ apps, 500+ IPs, multi-cloud |
| Testing depth | Automated + spot-check | Full manual, business-logic, red-team |
| Tester seniority | Junior analyst | Senior consultant + partner review |
| Re-test policy | None | Until findings close |
| Reporting granularity | CVSS table | Risk-prioritised, board-ready, regulator-formatted |
| On-site vs remote | Remote | On-site Bangalore / Mumbai / Delhi |
| Empanelment requirement | Not required | CERT-In empanelled mandatory |

Common VAPT procurement mistakes

  1. Buying on price without checking scope. A ₹40K scan and a ₹2.5L empanelled engagement are not the same service.
  2. Ignoring the re-test clause. Findings without verified closure are worthless for regulator reporting.
  3. Forgetting category-specific empanelment. A firm empanelled for “Information Security Audit” may not be empanelled for “Penetration Testing and Vulnerability Assessment.”
  4. Accepting a generic report. RBI, SEBI, and CERT-In each have specific reporting expectations. Generic output triggers re-work.
  5. Not involving the dev team during scoping. Scope ambiguity is the single largest cause of post-delivery disputes.

Vendor evaluation rubric for VAPT in India

  • What percentage of the engagement is manual vs automated? We publish ours; any firm that cannot answer is selling a scan, not a test.
  • Is re-testing included until findings close, or billed separately? Separate billing incentivises low-quality first-pass delivery.
  • Will the report format satisfy RBI / SEBI / CERT-In expectations? The answer should be specific, not “we can customise.”
  • Who signs the report, and are they the same person who attends regulator meetings? Partner accountability matters.
  • Can you fix the fee in writing before kickoff? Variable billing is a red flag.

We answer all five specifically and in writing during scoping.

Industry-specific VAPT scope and cost variations

The headline tier pricing applies broadly, but each industry vertical introduces specific scope drivers that pull the engagement cost up or down. Below, the framework is applied to the verticals we deliver into most often from Bengaluru.

Bangalore SaaS — multi-cloud and API-heavy

Modern Bangalore SaaS engagements typically include 1–3 web applications, 1–2 mobile applications (iOS and Android), 30–80 API endpoints, multi-cloud infrastructure (AWS + GCP increasingly common), and 1–2 supporting services (admin portal, partner portal). The base VAPT engagement at ₹2,50,000–₹4,00,000 covers the web app + API + cloud config; adding mobile testing pushes to ₹4,50,000–₹6,50,000. Multi-cloud reviews add ₹1,50,000–₹3,00,000 for the second cloud. The variable that catches founders off-guard is API count — engagements scoped at “the main API” routinely discover 40–60 additional internal-facing APIs that the development team didn’t initially consider in scope.

BFSI — RBI-aligned reporting requirements

RBI-regulated entities require VAPT reports formatted to specific RBI expectations, including separate sections for governance compliance, third-party risk, and BCP/DR validation. The base engagement at ₹3,50,000–₹5,50,000 includes the RBI-formatted reporting overlay. Annual cycles are mandatory; quarterly cycles are increasingly expected for digital-channel-heavy entities. The major cost driver is breadth — banks and large NBFCs typically have 50+ in-scope applications, not the 1–3 a SaaS company has, which pushes engagements to ₹15,00,000+ at the comprehensive level.

Fintech and payment aggregators — PCI-DSS overlap

Payment aggregators and BIN-sponsoring fintechs face dual VAPT requirements: CERT-In empanelled VAPT for general security assurance, and PCI-DSS-aligned testing for payment card environments. The two can be delivered jointly to avoid duplication, with combined fees of ₹4,50,000–₹8,00,000. The PCI-DSS overlay adds approximately ₹1,50,000–₹2,50,000 to the base VAPT but eliminates a separate ASV-scan engagement.

Crypto exchanges and Web3

Indian crypto exchanges registered with FIU-IND face heightened expectations on wallet-specific testing, smart-contract review, and key-management validation. Engagement fees concentrate at ₹6,00,000–₹14,00,000 because the scope spans hot wallet, warm wallet, cold wallet, signing infrastructure, smart contracts (where applicable), and trading APIs.

HealthTech — PHI and biometric data

Hospital and telemedicine integrations introduce healthcare-specific test cases: PHI access controls, audit-log validation for clinical data access, biometric data handling under DPDP and DISHA expectations. Engagement fees concentrate at ₹3,50,000–₹7,00,000.

Government and PSU contractors

CERT-In Directions explicitly require empanelled auditors for government and PSU security assessments, with mandatory category-specific empanelment. The engagement format is often more rigid than commercial engagements, with specific report templates and sometimes on-site delivery requirements. Fees concentrate at ₹4,00,000–₹9,00,000 depending on system count and on-site requirements.

Red-team versus grey-box versus black-box

The pricing tiers above implicitly assume “grey-box” methodology — the auditor receives some application context, valid test credentials, and partial documentation. Other testing models exist with different cost profiles.

Black-box (assumed-breach)

The auditor receives only public-facing information: no credentials, no documentation. This is the closest to an external attacker's perspective but the slowest to demonstrate findings. It typically adds 30–40% to engagement cost because of the higher reconnaissance effort. Recommended for organisations that have already completed grey-box testing and want to validate detection capability.

Grey-box (standard)

The auditor receives credentials, documentation, and architectural context. This is the best balance of coverage and cost, and the default for most CERT-In empanelled engagements.

White-box (full-disclosure)

The auditor receives source-code access, internal architecture documents, threat models, and previous-engagement findings. This is the fastest route to comprehensive findings and has the lowest cost per finding found, yet typically adds only 10–15% to total cost. Recommended for first-time engagements where the goal is comprehensive coverage.

Red-team (objective-driven)

Tier 3 territory. The auditor operates under an “assume-breach” mandate with a specific objective (e.g., “exfiltrate the customer database”) and tests detection, response, and recovery in addition to control effectiveness. Engagement fees run ₹10,00,000–₹25,00,000+ depending on scope and duration.

Re-test economics

The re-test clause is one of the most-misunderstood line items in VAPT contracts. Three common structures:

Included re-test (recommended). The engagement fee includes re-testing of identified findings until validated closure. The auditor's incentive is aligned with quality first-pass delivery. This is the typical structure for CERT-In empanelled engagements at ₹2,50,000+.

Capped re-test. Engagement includes one re-test cycle within 30 days of report delivery; subsequent re-tests are billed separately. Common for Tier 1 engagements at ₹40K–₹80K.

Billed re-test. Re-tests are entirely separate engagements, billed at hourly rates. The auditor's incentive is misaligned with quality first-pass delivery. Avoid this structure.

Procurement teams negotiating VAPT contracts should specifically ask whether re-test is included until closure, included with a cycle limit, or billed separately. The answer materially changes engagement economics.

Empanelment categories — what your tender clause actually requires

CERT-In empanelment is structured by service category (see our CERT-In Empanelled Auditor List 2026 for the full reference). Tender clauses sometimes reference “CERT-In empanelled” without specifying category, which can lead to procurement-time disputes. The categories most commonly referenced for VAPT engagements:

  • Penetration Testing and Vulnerability Assessment — the canonical VAPT category
  • Application Security Audits — for web and mobile application engagements
  • Information Security Audit Services — broader baseline; some VAPT engagements fall here
  • Source Code Audits — for code-review-inclusive engagements
  • Wireless Network Audits — for engagements covering Wi-Fi or wireless infrastructure
  • ICT Audits — for combined IT and security review

A firm empanelled for “Information Security Audit Services” but not for “Penetration Testing and Vulnerability Assessment” may not be acceptable for a tender that specifies the latter category. Verify category-specific empanelment before engagement.

Practical next steps

If you are writing an RFP, download our VAPT RFP Template for a pre-structured scope document. If you need to verify your shortlisted vendor’s empanelment, see the CERT-In Empanelled Auditor List 2026 guide. If you want to scope a specific engagement, our VAPT services page walks through the methodology and pricing transparency.

For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed price in INR, and direct partner-level accountability through the engagement.

VAPT cost FAQ

Why is there such a wide price range for VAPT in India? The range reflects genuine differences in scope, depth, methodology, and auditor pedigree. ₹40K engagements deliver automated scans; ₹15L engagements deliver red-team-style manual exploitation. They are not the same service.

Can I get a free VAPT? Some firms offer “free” preliminary scans to win larger engagements. The free portion is typically a Nessus or OpenVAS scan output without manual analysis. Useful as a baseline; not sufficient for regulator submission.

Does VAPT cost include the re-test? It depends on the engagement structure. Reputable CERT-In empanelled engagements include re-testing until findings close. Lower-cost engagements often bill re-tests separately. Verify before signing.

How does VAPT differ from a vulnerability scan? A vulnerability scan is automated tool output. VAPT combines vulnerability assessment (identification) with penetration testing (manual exploitation and impact validation). The “PT” component is what produces business-relevant findings.

Can I run VAPT on my production environment? Yes, with appropriate scope rules and rate limiting. Most CERT-In empanelled engagements are conducted on production with documented rules of engagement to prevent service impact.

Do I need separate VAPT for AWS, Azure, and GCP? If your environment spans multiple clouds, the engagement scope should cover all of them. Each cloud has different service models and configuration patterns; per-cloud test plans may be needed.

How often should I conduct VAPT? Annual minimum for general SaaS; quarterly for BFSI per RBI Cyber Security Framework expectations; quarterly + on-major-release for SEBI-regulated entities; per-major-release for crypto exchanges.

What is the cheapest legitimate CERT-In empanelled VAPT? ₹2,50,000 for a single web app + API + cloud config + external network scope, with manual-led methodology and re-test included. Below this band, you are typically not getting CERT-In-grade quality.

Do all CERT-In empanelled firms charge similarly? No. Variations of 50–100% on similar scope are common. Differentiating factors: partner-level accountability, manual-effort percentage, India regulator engagement experience, sector-specific track record.

Can a Big-4 firm be cheaper than a boutique? Rarely. Big-4 firms typically price at the high end of the range due to cost-base structure. Boutique CERT-In empanelled firms with strong technical depth often deliver comparable quality at 30–50% lower cost.

Does the engagement cost include a board-ready presentation? Most engagements include an executive summary; a full board presentation is sometimes a separate deliverable. Specify in the SOW if you need a 30-minute board-pack walkthrough.

Is on-site testing more expensive than remote? Yes, by approximately 15–25% due to travel and time costs. Remote testing is typically sufficient for cloud-native environments; on-site is needed for internal-network testing or environments without remote access.

What separates a great VAPT engagement from an adequate one

Beyond price-tier comparison, qualitative differentiators emerge during execution.

Threat-modelling depth. Great engagements begin with a structured threat model — review of architecture diagrams, data-flow analysis, attacker-perspective mapping. Adequate engagements skip threat modelling and go straight to scanning.

Manual exploitation depth. Great engagements demonstrate exploitability through chained findings — combining a low-severity issue with a medium issue to produce high-severity impact. Adequate engagements list findings independently without exploitation chains.

Business-context relevance. Great engagements understand your business and prioritise findings by business impact. “BOLA on payment-history endpoint” is a high-priority finding for a fintech; “BOLA on user-preferences endpoint” is lower-priority. Adequate engagements treat all BOLA findings as equivalent.

Remediation-engineering depth. Great engagements provide specific remediation guidance — code-level changes, configuration changes, architectural recommendations. Adequate engagements provide generic OWASP remediation links.

Communication during execution. Great engagements have daily check-ins surfacing findings as they emerge. Adequate engagements report at the end without intermediate communication.

Documentation quality. Great engagements produce reports your engineering team actually reads and uses. Adequate engagements produce reports filed in compliance archives without operational impact.

Multi-cycle engagement economics

Annual VAPT cycles produce learnings that compound over multiple years.

Year 1. Baseline assessment, often higher finding count, substantial remediation effort.

Year 2. Year-1 remediation validated; new findings concentrate on changes since Year 1. Lower remediation effort.

Year 3. Continuous improvement loop established. New findings often relate to product features added that year.

Year 5+. Findings concentrate on emerging threat patterns and architectural decisions. The annual cadence becomes operational hygiene rather than discovery exercise.

Multi-year VAPT relationships with the same firm produce cumulative environmental knowledge that one-off engagements lose. Most BFSI clients we engage with are multi-year relationships precisely for this reason.

Cost optimisation for multi-asset Bangalore SaaS

For Bangalore SaaS companies with multiple in-scope assets (web app, mobile, multiple APIs, multiple cloud accounts), several cost-optimisation strategies apply.

Combined-scope discount. Most VAPT firms offer combined-scope discounts of 15–25% for engagements covering 5+ asset types. Negotiate combined-scope rather than per-asset engagements.

Annual contract with quarterly delivery. Annual contracts with quarterly delivery cycles produce better unit economics than per-quarter engagements. Most BFSI VAPT cycles operate this way.

Continuous-engagement structure. Beyond traditional quarterly cycles, some firms offer continuous-engagement pricing where testing happens continuously rather than in distinct cycles. Cost is comparable to annual contracts but produces faster discovery.

Joint VAPT and IR retainer. Some firms offer combined VAPT + IR retainer pricing that produces a 10–20% saving versus separate engagements. The same firm’s environmental knowledge benefits both.

In-CI security testing supplementation. Investing in CI-time security testing reduces VAPT finding load, which in turn reduces the engagement effort and cost.

Indian regulatory cost-allocation considerations

For Indian regulated entities, VAPT cost allocation has specific considerations.

Capitalisation. VAPT engagements are typically expensed rather than capitalised. Some major projects (initial certification, M&A diligence) may justify capitalisation; consult tax counsel.

GST implications. Domestic VAPT firms charge 18% GST on services. International firms may have different structures. Input-tax-credit availability depends on entity structure.

Transfer pricing for multinationals. Multinationals with VAPT engagements crossing entities require transfer-pricing documentation. Major consulting firms handle this routinely.

Regulatory reporting. RBI and SEBI reports may include cybersecurity spend; categorisation matters for regulator submissions.

Insurance recovery. Some cyber-insurance policies cover post-incident VAPT costs; pre-incident voluntary VAPT is typically excluded.

VAPT engagement payback timeline

For Bangalore organisations evaluating VAPT investment, payback timelines vary by use case.

Compliance-driven engagement. Payback is regulatory acceptance — the engagement enables continued operations or specific tenders. The payback timeline equals time-to-acceptance, typically immediate.

Buyer-driven engagement. Payback is enterprise deal closure — the engagement enables a specific deal to complete. The payback timeline equals the time to close gated deals, typically 2–6 months.

Risk-driven engagement. Payback is incident avoidance or severity reduction. Quantitative payback is hard to measure; qualitative payback comes through reduced incident exposure.

Investor-driven engagement. Payback is fundraising round closure. The payback timeline equals the time to close the round, typically 3–6 months.

Insurance-driven engagement. Payback is premium reduction. The annual premium reduction often exceeds the engagement cost over a multi-year horizon.

The payback frame helps right-size the investment to the specific business objective.

VAPT cost benchmarking against alternative security investments

For Bangalore CTOs allocating security budget, comparing VAPT to alternative investments helps prioritise.

VAPT vs SAST/DAST tooling. ₹2–4 lakh annual VAPT vs ₹3–8 lakh annual SAST/DAST. Different value: VAPT finds runtime issues; SAST/DAST finds development-time issues. Both valuable; not substitutes.

VAPT vs SIEM/SOC. ₹2–4 lakh annual VAPT vs ₹15–40 lakh annual SIEM with analyst capability. Different value: VAPT is a point-in-time assessment; SIEM is continuous monitoring. Both valuable; complementary.

VAPT vs bug bounty. ₹2–4 lakh annual VAPT vs ₹5–15 lakh annual bug-bounty programme. Different value: VAPT is a structured methodology with regulator acceptance; a bug bounty is open-ended researcher engagement. Both valuable; complementary.

VAPT vs internal security team. ₹2–4 lakh annual VAPT vs ₹40–80 lakh annual internal security engineer. Different value: VAPT is an external perspective; an internal team provides continuous coverage. Both valuable; complementary.

A combined investment portfolio across these categories produces a robust security posture; choosing only one category leaves gaps.

API4SOC2 Editorial
Compliance Practice Lead, Bengaluru
Bengaluru-based partner at API4SOC2. CERT-In empanelled lead auditor with 12+ years of compliance practice across Indian BFSI, fintech, and SaaS engagements. Has signed off on 80+ SOC 2 and ISO 27001 attestations.