VAPT, short for Vulnerability Assessment and Penetration Testing, is the procurement label many security programs outside North America use for the one-two combination of a broad vulnerability scan and a focused, manual penetration test. The acronym is especially common in RFPs from Europe, the Middle East, India, and APAC, where auditors frequently require both deliverables as part of annual security hygiene. It is less common in North America, where the two activities are usually procured as separate line items, but the underlying testing is the same.
This guide explains what VAPT actually includes, how the vulnerability assessment and pentest pieces fit together, where each finds value that the other can't, and how to structure a VAPT engagement that produces audit evidence without burning money on overlapping scope.
What Is VAPT?
VAPT is a single procurement label that covers two distinct testing activities.
The vulnerability assessment (VA) is a broad, mostly automated scan of a target environment designed to enumerate known vulnerabilities: unpatched software, missing hardening settings, weak ciphers, outdated libraries, exposed management interfaces, and default credentials. VA is coverage-driven. The goal is to check every in-scope asset against every known signature within a reasonable time window and output a prioritized list of defects, accepting that some of them will be false positives that a human still has to weed out.
The penetration test (PT) is a narrow, mostly manual assessment of a target where a tester plays the role of an adversary and attempts to exploit chains of vulnerabilities to achieve specific objectives — data theft, privilege escalation, lateral movement, impersonation. PT is depth-driven — the goal is to prove what an attacker could actually do, not catalog every weakness.
VAPT bundles both into a single engagement so that the customer receives a complete picture: everything the scanner caught, plus what a human attacker could do with that information. Buying them together is usually cheaper than buying them separately, because the VA phase supplies reconnaissance data that the pentester would otherwise have to gather manually.
For a deeper look at how the two approaches differ on their own, see our dedicated guide on penetration testing vs. vulnerability scanning.
What a VAPT Engagement Covers
A typical VAPT scope covers a combination of external, internal, and application layers depending on the customer's stack. The most common targets:
External network VAPT. All internet-facing IP ranges, domains, and cloud perimeters are enumerated, scanned against vulnerability databases, and manually exercised against findings the scanner can't confirm. Common deliverables cover exposed services, weak TLS, outdated web servers, default admin interfaces, subdomain takeover risks, and known-CVE exploitability.
Internal network VAPT. An authenticated scan plus a manual pentest of the internal network simulates an attacker who has already gained a foothold inside the perimeter. Findings cover unpatched systems, weak Active Directory configurations, excessive SMB shares, reuse of captured NTLM hashes (pass-the-hash, and NTLM relay where SMB signing is not enforced), and lateral movement paths.
Web application VAPT. Every web application and API in scope is scanned with tools like Burp Suite Pro or Acunetix, and then manually tested against the OWASP Top 10, OWASP API Security Top 10, and business-logic flaws that scanners miss. This is usually the highest-value slice of the engagement.
Cloud VAPT. Cloud accounts are scanned for misconfiguration (Prowler, ScoutSuite) and then manually tested for chained IAM and resource-policy attacks. See our cloud penetration testing guide for the depth of manual testing that complements the scan.
Mobile app VAPT. Android and iOS apps are analyzed statically, then manually pentested against the OWASP MASVS framework.
Methodology: How a VAPT Engagement Runs
A VAPT engagement typically follows seven phases. The exact timing varies by scope, but most engagements run two to six weeks end-to-end.
Phase 1: Scoping and agreement. The customer and vendor agree on asset inventories, acceptable testing windows, out-of-scope systems, authentication credentials for scans, and escalation paths.
Phase 2: Information gathering. The tester enumerates the target through passive reconnaissance (WHOIS, certificate transparency, OSINT) and active discovery (port scans, DNS enumeration, subdomain brute force).
Phase 3: Vulnerability assessment. Automated scanners (Nessus, Qualys, Rapid7 InsightVM, formerly Nexpose, Burp Suite Enterprise) are run against the in-scope assets. Results are reviewed for false positives and deduplicated, so that the same plugin firing on the same host and port in two scan windows counts once.
Phase 4: Exploitation and penetration testing. The tester manually validates findings, attempts exploitation, and chains vulnerabilities into attack paths. This is the phase that distinguishes VAPT from a pure scan.
Phase 5: Post-exploitation. Privilege escalation, data-access proof, and lateral movement are demonstrated on in-scope systems. Testers maintain detailed logs for every action.
Phase 6: Reporting. Findings from both the VA and PT phases are consolidated into a single report with executive summary, technical detail, CVSS scoring, evidence, and remediation guidance.
Phase 7: Remediation verification. After the customer fixes the findings, the vendor re-tests to confirm resolution. This retest is often included in the fixed fee.
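Phases 1 and 2 meet at a point the outline above glosses over: passive reconnaissance returns names nobody authorised you to test. A certificate-transparency query for example.com also returns look-alike, third-party and explicitly excluded hosts, and active discovery must never be pointed at those. The script below is an added example, not code from this page or from any vendor; it gates a constructed crt.sh-style response (hypothetical example.com names) against a constructed Phase 1 scope, matching on DNS labels rather than string suffixes so that look-alike domains are rejected, and checks IP targets against agreed CIDR ranges.

```python
"""Scope gate for VAPT reconnaissance output (added example, not from the page).

Phase 1 fixes the in-scope root domains, IP ranges and explicit exclusions.
Phase 2 produces candidate hostnames from passive sources such as
certificate-transparency logs. Every candidate is checked here before any
active scanning, because CT data for example.com also contains names that
nobody authorised the tester to touch.
"""
import ipaddress
import json

# Constructed stand-in for a crt.sh-style JSON response (real responses carry
# more fields; only name_value is used). All domains are hypothetical.
CT_RESPONSE = json.dumps([
    {"name_value": "www.example.com\napi.example.com"},  # several SANs in one entry
    {"name_value": "*.example.com"},                     # wildcard certificate
    {"name_value": "Staging.Example.com"},               # mixed case, excluded below
    {"name_value": "example.com.evil-phish.net"},        # suffix look-alike
    {"name_value": "notexample.com"},                    # prefix look-alike
    {"name_value": "vpn.partner.example.org"},           # different root
])

# Constructed scope as agreed in Phase 1.
SCOPE_DOMAINS = {"example.com"}
SCOPE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
EXCLUDED_HOSTS = {"staging.example.com"}  # e.g. hosted by a third party, out of scope


def normalize_hostname(name: str) -> str:
    """Lower-case, strip a trailing dot and a leading wildcard label.

    A wildcard entry yields its parent domain; the wildcard itself is a hint
    that subdomain brute force in active discovery is worth the time.
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def hostname_in_scope(host: str, scope_domains=SCOPE_DOMAINS, excluded=EXCLUDED_HOSTS) -> bool:
    """True if host equals an in-scope root or is a subdomain of one.

    Comparison is label by label, not a string suffix test, so
    'notexample.com' does not match 'example.com' and
    'example.com.evil-phish.net' is rejected. Explicit exclusions win.
    """
    host = normalize_hostname(host)
    if host in excluded:
        return False
    labels = host.split(".")
    for root in scope_domains:
        root_labels = root.lower().split(".")
        if len(labels) >= len(root_labels) and labels[-len(root_labels):] == root_labels:
            return True
    return False


def ip_in_scope(ip: str, scope_cidrs=SCOPE_CIDRS) -> bool:
    """True if the address falls inside one of the agreed CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all: never scan it by accident
    return any(addr in net for net in scope_cidrs)


def hostnames_from_ct(ct_json: str) -> set:
    """Expand a CT response into a set of normalized hostnames.

    crt.sh packs several SANs into one name_value separated by newlines,
    so each entry is split before normalisation.
    """
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            if raw.strip():
                names.add(normalize_hostname(raw))
    return names


def build_target_list(ct_json: str):
    """Return (in_scope, rejected) hostname lists, both sorted, for the scan plan."""
    candidates = hostnames_from_ct(ct_json)
    accepted = sorted(h for h in candidates if hostname_in_scope(h))
    rejected = sorted(candidates - set(accepted))
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = build_target_list(CT_RESPONSE)
    print("in scope:", ok)
    print("rejected:", dropped)
```

Keep the rejected list in the engagement log: it is evidence that out-of-scope systems were identified and not touched, which is exactly what the Phase 1 agreement and the detailed action logs of Phase 5 are there to prove.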
VAPT Deliverables
A complete VAPT deliverable package usually includes an executive summary for leadership and auditors; a technical report with every VA and PT finding documented, severity-rated, evidenced, and mapped to remediation steps; raw scanner output for engineering teams that want it; an attestation letter suitable for client audits and compliance evidence; a remediation tracker (often as a spreadsheet) for ongoing fix management; and a retest report issued after remediation.
Auditors typically expect VAPT reports to be no more than 12 months old and to cover the actual production environment, not a staging copy. Frameworks differ in how prescriptive they are. PCI DSS is explicit: quarterly internal and external vulnerability scans (the external scans performed by an Approved Scanning Vendor) and at least annual internal and external penetration testing, with re-scans and retests after significant changes. SOC 2 and ISO 27001 do not name penetration testing as a mandatory control, but auditors routinely accept a VAPT report as evidence for the vulnerability-management controls they do require. Our penetration testing for compliance guide covers the framework-by-framework requirements.
VAPT vs. Standalone Penetration Testing
If you already have a mature vulnerability management program in place — continuous scanning, patch hygiene, and triage — adding a VA layer to a pentest engagement is mostly duplicative. You're paying for the vendor to scan things you already scan. A standalone pentest is cheaper and produces more attack-path value for the same budget.
VAPT makes sense when: the organization does not yet have continuous scanning in place; the auditor or client explicitly requires both; the environment is brand new and the vendor needs baseline scan data to build a scope; or the budget supports the full bundle and the customer values the complete catalog of findings.
A good middle ground for mature teams is a pentest that ingests the customer's own recent scanner output as input, rather than re-running the scans. The vendor saves time, the customer avoids duplicate work, and the resulting report integrates the existing vulnerability inventory with the pentester's attack findings.
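The Phase 3 deduplication step in the methodology and the scan-ingestion model in this paragraph come down to the same bookkeeping, so one added example (not code from this page or from any scanner vendor) covers both: it reads CSV exports laid out like a Nessus CSV export, drops informational plugins, de-duplicates the customer's and the vendor's overlapping scans, rolls findings up per plugin for the report, and diffs a retest export against the baseline for the Phase 7 remediation check. The hosts, the plugin 11111/22222/33333 rows and the CVE-0000-00001 identifier are constructed placeholders; plugin IDs 10107, 104743 and 57608 are real Nessus plugins, and the column names are Nessus's, so a Qualys or InsightVM export needs its headers mapped first.

```python
"""Scanner-output triage for a VAPT (added example, not from the page).

Ingests one or more CSV exports with Nessus-style column names, drops
informational noise, de-duplicates overlapping scans, rolls findings up
per plugin for the report, and diffs a baseline against a retest export
for remediation verification.
"""
import csv
import io
from collections import defaultdict

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample exports: hosts, the 11111/22222/33333 plugins and the
# CVE-0000-00001 identifier are placeholders. Columns follow the Nessus CSV
# export; unused columns are omitted to keep the sample short.
CUSTOMER_EXPORT = """Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name
10107,,,None,203.0.113.10,tcp,80,HTTP Server Type and Version
104743,,6.5,Medium,203.0.113.10,tcp,443,TLS Version 1.0 Protocol Detection
57608,,5.3,Medium,10.0.0.5,tcp,445,SMB Signing not required
11111,CVE-0000-00001,9.8,Critical,203.0.113.10,tcp,443,Example Web Server RCE (hypothetical)
"""

VENDOR_EXPORT = """Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name
104743,,6.5,Medium,203.0.113.10,tcp,443,TLS Version 1.0 Protocol Detection
104743,,6.5,Medium,203.0.113.11,tcp,8443,TLS Version 1.0 Protocol Detection
11111,CVE-0000-00001,9.8,Critical,203.0.113.10,tcp,443,Example Web Server RCE (hypothetical)
22222,,7.5,High,10.0.0.5,tcp,3389,Example Default Credentials (hypothetical)
"""

RETEST_EXPORT = """Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name
104743,,6.5,Medium,203.0.113.11,tcp,8443,TLS Version 1.0 Protocol Detection
57608,,5.3,Medium,10.0.0.5,tcp,445,SMB Signing not required
33333,,7.5,High,10.0.0.7,tcp,22,Example SSH Weak Algorithms (hypothetical)
"""


def finding_key(row):
    """Identity of one scanner finding: same plugin on the same host, port and protocol."""
    return (row["Host"], row["Protocol"], row["Port"], row["Plugin ID"])


def load_findings(*csv_texts):
    """Parse exports, drop Risk=None (informational), de-duplicate across exports."""
    seen = {}
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            if row["Risk"] not in SEVERITY_ORDER:
                continue  # informational plugins are recon data, not report findings
            seen.setdefault(finding_key(row), row)  # first copy of a duplicate wins
    return list(seen.values())


def rollup(findings):
    """One report entry per plugin: affected host:port list, CVEs, worst CVSS.

    Ordered Critical -> Low, then by CVSS descending. Critical/High entries
    are flagged for manual exploitation attempts in Phase 4; Medium/Low are
    usually confirmed from scanner evidence alone.
    """
    by_plugin = defaultdict(lambda: {"hosts": set(), "cves": set(), "cvss": 0.0})
    for f in findings:
        e = by_plugin[f["Plugin ID"]]
        e["name"], e["risk"] = f["Name"], f["Risk"]
        e["hosts"].add(f"{f['Host']}:{f['Port']}")
        e["cves"].update(c for c in f["CVE"].split(",") if c)
        e["cvss"] = max(e["cvss"], float(f["CVSS v3.0 Base Score"] or 0))
    entries = [{
        "plugin_id": pid, "name": e["name"], "risk": e["risk"], "cvss": e["cvss"],
        "cves": sorted(e["cves"]), "hosts": sorted(e["hosts"]),
        "manual_validation": e["risk"] in ("Critical", "High"),
    } for pid, e in by_plugin.items()]
    entries.sort(key=lambda x: (SEVERITY_ORDER[x["risk"]], -x["cvss"], x["plugin_id"]))
    return entries


def diff_scans(baseline, retest):
    """Remediation verification: which findings disappeared, persist, or are new."""
    base = {finding_key(r) for r in baseline}
    after = {finding_key(r) for r in retest}
    return {"fixed": sorted(base - after), "persisting": sorted(base & after), "new": sorted(after - base)}


if __name__ == "__main__":
    merged = load_findings(CUSTOMER_EXPORT, VENDOR_EXPORT)
    for e in rollup(merged):
        flag = " [manual]" if e["manual_validation"] else ""
        print(f"{e['risk']:<8} {e['cvss']:>4} {e['name']}{flag}  {', '.join(e['hosts'])}")
    result = diff_scans(merged, load_findings(RETEST_EXPORT))
    print("fixed:", len(result["fixed"]), "persisting:", len(result["persisting"]), "new:", len(result["new"]))
```

The diff is deliberately keyed on host, port, protocol and plugin rather than on plugin alone: a finding that "disappeared" because the host was simply not reachable during the retest window looks identical to a fixed one, so the retest report should state which hosts were up, and anything new in the retest export goes back through manual validation rather than straight into the closed column.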
Tooling Used in a VAPT
No single tool covers all of VAPT. The common stack includes Nessus, Qualys, or Rapid7 InsightVM for network and host vulnerability scans; Burp Suite Pro and OWASP ZAP for web and API testing; Nikto and custom scripts for web fingerprinting; Nmap and RustScan for discovery; SQLmap for SQL injection validation; Metasploit for exploitation where appropriate; BloodHound for Active Directory enumeration in internal VAPTs; Pacu, Prowler, and ScoutSuite for cloud accounts; MobSF and Frida for mobile apps.
Scanner output is a starting point, not a report. A credible vendor spends most engagement time on manual validation, exploitation, and chaining — not on tool operation.
Qualifying a VAPT Vendor
VAPT is a commodity label; the quality of what you actually receive varies wildly. A few qualifying questions:
What percentage of findings are manual vs. scanner output? In a high-quality engagement, roughly 40–60% of the findings should come from manual work that Nessus or Burp Enterprise alone would not have produced. Less than 20% manual content means the vendor is essentially reselling scanner output.
Who does the testing, and what are their credentials? Look for OSCP, OSWE, GPEN, GXPN, CREST CRT or CCT, or equivalent. Ask specifically which tester will be on your engagement, not just the size of the bench.
What is the retesting policy? Retesting within the engagement fee (usually within 30–90 days of the original report) is a reasonable expectation.
What happens on a critical finding? A credible vendor has a documented early-disclosure process that notifies the customer of critical findings before the final report, not after.
Our detailed guide on how to choose a penetration testing vendor walks through the full qualifying checklist.
Cost and Timeline
VAPT pricing varies widely by scope. A focused external + internal + web application VAPT for a small-to-mid-size organization (10–50 external IPs, one AD forest, one primary web app) usually lands in the $12,000–$30,000 range and takes two to four weeks. Larger enterprise VAPTs that cover multiple business units, hundreds of assets, and several applications run $40,000–$150,000+ over six to ten weeks.
Red flags on the low end include “VAPT for $2,000” offerings that are pure scanner output with a cover page, and vendors who generate reports without a tester ever touching the environment. If a quote comes in dramatically cheaper than the rest of the market, ask exactly how many tester-hours are included and who specifically performs the work.
Common VAPT Findings
Across hundreds of VAPT engagements, a predictable set of findings shows up again and again: exposed management interfaces (admin panels, VPN portals, RDP) reachable from the internet; outdated web server software with published CVEs; weak or missing TLS configurations; authentication flaws in custom applications (insecure password reset, session fixation, broken MFA); injection flaws (SQLi, command injection, template injection) in legacy code; business-logic flaws unique to the application; over-permissioned Active Directory accounts and unconstrained delegation; unprotected internal file shares with sensitive data; and in cloud environments, IAM misconfigurations and publicly accessible storage.
A good VAPT doesn't just list these — it explains how they chain together into realistic attack scenarios that matter for the specific organization.
Getting Started
If your organization needs VAPT for an audit, a client requirement, or a security baseline, start with a tight scope that matches what the auditor or client actually needs. Over-scoping inflates cost without adding much risk coverage. Under-scoping leaves gaps in the report that you'll have to explain later.
Penetration Testing Vendor runs VAPT engagements for regulated organizations in North America, Europe, and APAC, with testers holding OSCP, OSWE, and CREST credentials. If you're ready to scope a VAPT, request a quote and we'll come back with a scoped proposal within one business day.