What is VAPT Testing? Complete Indian Compliance Guide 2026
If you're building software in India, you've probably heard the term VAPT thrown around in security meetings, RFPs, and government tenders. But what does it actually mean — and why does it matter to your business?
This guide covers everything: what VAPT is, who mandates it, how much it costs, how long it takes, and how TestForge automates the entire process, starting from a free tier.
What is VAPT?
VAPT stands for Vulnerability Assessment and Penetration Testing. It's a two-phase security audit:
- Vulnerability Assessment (VA): Automated scanning of your application, servers, and network to flag known weaknesses such as SQL injection, XSS, missing or misconfigured security headers, exposed ports, and outdated libraries. Scanner output is a list of candidate findings; it contains false positives and cannot judge business impact on its own.
- Penetration Testing (PT): Manual (sometimes tool-assisted) exploitation of those candidate findings to confirm which are real, chain them where possible, and measure actual impact. A penetration tester acts like an attacker, but with written authorization and an agreed scope.
Together, VA+PT gives you a more complete picture of your application's security posture than either phase alone.
Who Mandates VAPT in India?
Several Indian regulatory bodies require periodic VAPT audits:
- CERT-In (Indian Computer Emergency Response Team): Under its April 2022 directions, issued under Section 70B of the IT Act 2000, organizations must report specified cyber incidents to CERT-In within 6 hours of noticing them. CERT-In guidelines recommend quarterly VAPT for critical infrastructure.
- RBI (Reserve Bank of India): Banks, NBFCs, and payment gateways must conduct annual VAPT audits by CERT-In empaneled auditors.
- IRDAI: Insurance companies and intermediaries must do VAPT every 6 months.
- SEBI: Stock exchanges, brokers, and mutual funds require annual security audits including VAPT.
- DPDP Act 2023: The Digital Personal Data Protection Act requires data fiduciaries to implement "reasonable security safeguards" to prevent personal data breaches. The Act does not name VAPT, but a recent VAPT report is commonly used as evidence that such safeguards are in place.
What Does a VAPT Audit Cover?
A comprehensive VAPT audit typically checks 162+ controls across these domains:
- OWASP Top 10 (2017 categories) — Injection (including SQL injection), XSS, Broken Authentication, Sensitive Data Exposure, XXE, Broken Access Control, Security Misconfiguration, Insecure Deserialization, Components with Known Vulnerabilities, Insufficient Logging and Monitoring. The 2021 edition folds XSS into Injection and adds Insecure Design and SSRF, so confirm which edition your auditor maps findings to.
- Network Security — Open ports, firewall rules, DDoS resilience, SSL/TLS configuration
- API Security — Rate limiting, authentication, authorization, input validation
- Authentication & Authorization — Password policies, MFA, session management, RBAC
- Data Protection — Encryption at rest, encryption in transit, PII handling, data retention
- Cloud Security — S3 bucket permissions, IAM roles, security groups
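To make the VA phase above concrete, here is an added example (illustrative code written for this guide, not TestForge's scanner or any auditor's tooling) of the kind of check a vulnerability assessment runs under "Security Misconfiguration" and "Data Protection": it parses a raw HTTP response, flags weak or missing security headers and cookie flags, and reports nothing for a hardened response. Both responses, the severities, and the one-year HSTS baseline are assumptions chosen for the example.

```python
"""Header and cookie misconfiguration checks, in the style of a VA scanner."""
from __future__ import annotations

import re

# Constructed sample responses for this example; not captured from any real server.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Set-Cookie: session=abc123; Path=/
Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds) for this example


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw response into {lower-cased name: [values]}, keeping repeats (Set-Cookie)."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def assess_headers(headers: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (severity, check_id, detail) findings for common header misconfigurations."""
    findings: list[tuple[str, str, str]] = []

    def first(name: str) -> str | None:
        return headers.get(name, [None])[0]

    # Encryption in transit: HSTS must exist and have a long enough max-age.
    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "hsts-missing", "no Strict-Transport-Security header"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("low", "hsts-short-max-age", f"max-age below one year: {hsts}"))

    # XSS mitigation: CSP present and without unsafe-inline / unsafe-eval.
    csp = first("content-security-policy")
    if csp is None:
        findings.append(("medium", "csp-missing", "no Content-Security-Policy header"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("medium", "csp-unsafe-directive", "CSP allows unsafe-inline or unsafe-eval"))

    # MIME sniffing and clickjacking protections.
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append(("low", "xcto-missing", "X-Content-Type-Options is not 'nosniff'"))
    if first("x-frame-options") is None and not (csp and "frame-ancestors" in csp):
        findings.append(("medium", "clickjacking", "neither X-Frame-Options nor CSP frame-ancestors set"))

    # Information disclosure: version numbers in the Server banner.
    server = first("server")
    if server and re.search(r"\d+\.\d+", server):
        findings.append(("info", "server-version-disclosure", f"Server header reveals version: {server}"))

    # Session protection: every cookie should carry Secure, HttpOnly and SameSite.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            findings.append(("medium", "cookie-flags", f"cookie '{name}' lacks {', '.join(missing)}"))
    return findings


def scan(raw_response: str) -> list[tuple[str, str, str]]:
    """Convenience wrapper: raw response text in, findings out."""
    return assess_headers(parse_headers(raw_response))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label}: {len(scan(raw))} finding(s)")
        for severity, check_id, detail in scan(raw):
            print(f"  [{severity}] {check_id}: {detail}")
```

Each finding here is still only a candidate for the PT phase: a short HSTS max-age or a missing cookie flag is a real misconfiguration, but whether it is exploitable in context (for example, whether the `session` cookie actually carries an authenticated session) is what the penetration tester confirms.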
How Much Does VAPT Cost?
Traditional VAPT is expensive because it relies on human penetration testers:
- Manual VAPT by individual consultant: ₹50,000 – ₹2,00,000 per audit
- CERT-In empaneled agency: ₹2,00,000 – ₹10,00,000 per audit
- Annual retainer (quarterly audits): ₹5,00,000 – ₹25,00,000/year
- TestForge automated VAPT: ₹0 on the Free tier, ₹2,999/month for unlimited audits
How Long Does VAPT Take?
- Manual audit: 2–6 weeks (depending on application complexity)
- TestForge automated: 15–120 seconds (first pass) + iterative deep scans
The STQC Connection
STQC (Standardisation Testing and Quality Certification Directorate) is the government testing and certification body under the Ministry of Electronics and Information Technology (MeitY). Many government contracts require STQC-certified security audits. TestForge's 162-check compliance suite maps directly to STQC requirements, generating auditor-ready reports.
Run Your First VAPT Audit — Free
Paste any URL. Get a complete 162-check VAPT report in under 2 minutes.
Start Free VAPT →