
Why Regular VAPT Is Critical for Business Security in 2026: The Indian Business Guide

Every Indian business with internet-facing systems is being scanned, probed, and tested by attackers every single day. VAPT is the only way to know what they will find before they find it. Here is why annual VAPT is no longer optional, and why quarterly is becoming the new standard.

Published 05 March 2026 · 11 min read · Codesecure Security Team

Key Takeaways

  • Indian businesses face 3-5x more cyberattack attempts in 2026 than in 2023. Most are automated and indiscriminate: every system gets scanned.
  • DPDP Act mandates 'reasonable security safeguards' (Section 8). Without recent VAPT evidence, you cannot demonstrate reasonable safeguards.
  • ISO 27001, PCI DSS, RBI guidelines, APRA CPS 234, NCA ECC all require periodic VAPT, typically annual, sometimes more frequent for critical systems.
  • Quarterly VAPT for high-risk applications (banking, healthcare, fintech) is becoming the new standard. Annual is the minimum.
  • VAPT ROI is 20:1 or higher for Indian businesses: the average cost of a serious breach in India is INR 17 crore, while average annual VAPT spend is under INR 10 lakh.

The Threat Landscape Facing Indian Businesses in 2026

Three years ago, you could argue that small and mid-sized Indian businesses were below the radar of serious attackers. That argument is no longer defensible. Automated attack tooling, ransomware-as-a-service, AI-assisted vulnerability discovery, and state-sponsored threat actors targeting Indian economic interests have collectively eliminated the 'too small to attack' defense.

CERT-In reported a 215% increase in cybersecurity incidents affecting Indian organizations between 2023 and 2025. Ransomware attacks on Indian SMEs grew 400%. Phishing campaigns targeting Indian businesses sextupled. Most importantly: the time from a new CVE being published to exploitation in the wild dropped from 87 days (2023) to under 15 days (2025). Attackers move faster than your patching cycle.

Every internet-facing Indian business, whether it's a SaaS company in Bangalore, a fintech in Mumbai, a hospital in Chennai or a manufacturer in Pune, is in continuous reconnaissance by automated attack platforms. The question isn't whether you'll be scanned; the question is whether the scanners find anything exploitable. Regular VAPT is how you find out before the attackers do.

What VAPT Actually Finds (That Scanners Miss)

It's worth being clear about what VAPT is and isn't. A vulnerability assessment identifies known weaknesses in your systems: outdated software, missing patches, misconfigurations, default credentials. This is mostly automated and can be done with scanners like Nessus, Qualys, or open-source tools.

A penetration test is fundamentally different. It's manual, OSCP-led testing where a skilled human attempts to actually exploit weaknesses to gain access, escalate privileges, exfiltrate data, or pivot to other systems. Pentesting finds what scanners miss: business logic flaws, broken authorization, race conditions, chained vulnerabilities, and authentication bypasses.

Real breach examples from Codesecure engagements (sanitized):

  • Indian fintech (Mumbai): Scanner reported clean. Manual pentest discovered a broken object-level authorization (BOLA) bug in the API that let a customer access ANY other customer's transaction history by modifying a parameter. Severity: critical. Estimated breach cost if exploited: INR 200+ crore in fines and reputational damage.
  • Indian hospital network (Delhi): Scanner reported a few medium vulnerabilities. Manual pentest chained 4 minor findings into a path that gave full domain admin in 90 minutes. The hospital's patient records (HIPAA-equivalent data) were one phishing email away from total compromise.
  • Indian SaaS startup (Bangalore): Scanner missed it entirely. Manual pentest found a subdomain takeover that allowed phishing of the SaaS company's enterprise customers, looking like it came from the official SaaS domain. Discovered before exploitation, no breach. Without VAPT, the customer would have suffered cascading breaches.
  • Indian government supplier (Chennai): Scanner clean. Manual pentest found hardcoded AWS access keys in a public JavaScript file. The keys had administrative IAM permissions; a single API call from any attacker would have given full AWS account control.
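The BOLA finding in the fintech case above, as an added illustration that is not code from any Codesecure engagement: a transaction-history lookup that trusts the client-supplied account id beside a hardened version that enforces ownership server-side, plus a small check that can serve as a regression test after remediation. The account ids, customer ids and transactions are constructed sample data.

```python
# Added example (not Codesecure code): the broken object-level authorization
# (BOLA) pattern from the fintech case, as a vulnerable lookup and its fix.

# Constructed sample data: which customer owns each account, and the
# per-account transaction history an API would return.
ACCOUNT_OWNER = {"acc-1001": "cust-a", "acc-2002": "cust-b"}
TRANSACTIONS = {
    "acc-1001": [{"id": "t1", "amount": 1500, "desc": "UPI transfer"}],
    "acc-2002": [{"id": "t2", "amount": 92000, "desc": "Salary credit"}],
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


def transactions_vulnerable(session_user: str, account_id: str) -> list:
    # Deliberately broken ('before' state): the handler authenticates the
    # caller but never checks that session_user owns account_id, so any
    # logged-in customer can read any other customer's history by changing
    # the parameter. This is exactly what the scanner did not flag.
    return TRANSACTIONS.get(account_id, [])


def transactions_hardened(session_user: str, account_id: str) -> list:
    # Fix: resolve ownership on the server and refuse anything the caller
    # does not own. Unknown accounts are refused the same way, so the
    # response does not reveal which account ids exist.
    owner = ACCOUNT_OWNER.get(account_id)
    if owner is None or owner != session_user:
        raise Forbidden(f"{session_user} may not read {account_id}")
    return TRANSACTIONS[account_id]


def authz_check(handler, session_user: str, account_id: str) -> str:
    """Classify a handler's behaviour for one request: 'own' for a legitimate
    read, 'blocked' when a foreign object is refused, 'exposed' when another
    customer's data comes back. Run it over every object-returning endpoint
    with a low-privilege test account to confirm a BOLA fix holds."""
    try:
        rows = handler(session_user, account_id)
    except Forbidden:
        return "blocked"
    if ACCOUNT_OWNER.get(account_id) == session_user:
        return "own"
    return "exposed" if rows else "blocked"
```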


Compliance Frameworks That Mandate Regular VAPT

Even if you ignore the business risk argument, the regulatory argument is now compelling. Every major compliance framework that affects Indian businesses now mandates regular VAPT or its equivalent.

DPDP Act 2023

Section 8 of the DPDP Act requires Data Fiduciaries to take 'reasonable security safeguards' to prevent personal data breaches. While the Act doesn't specify VAPT by name, the Data Protection Board's interpretation will inevitably include 'evidence of regular technical security testing' as a standard reasonableness benchmark. Without recent VAPT evidence, you cannot demonstrate reasonable safeguards to the Board.

ISO/IEC 27001:2022

Annex A control 8.8 (Management of technical vulnerabilities) and 8.29 (Security testing in development and acceptance) explicitly require periodic vulnerability assessment and penetration testing. Auditors check for at least annual VAPT evidence during Stage 2 audits. Without it, you'll face a non-conformity.

PCI DSS v4.0.1

Requirement 11.3 mandates internal and external penetration testing at least annually and after any significant change. Requirement 11.3.2 requires segmentation testing where the cardholder data environment is segmented from other networks. For Indian businesses handling cardholder data (banks, fintechs, large retailers), this is non-negotiable.

RBI / SEBI / IRDAI Guidelines

RBI's Master Directions on IT Outsourcing, SEBI's Cybersecurity Framework for Market Infrastructure Institutions, and IRDAI's Information and Cyber Security Guidelines all require regulated entities (banks, NBFCs, broking firms, insurers) to conduct periodic VAPT. Frequency requirements vary but annual is the minimum; critical systems often require semi-annual or quarterly.

How Often Should You Run VAPT?

The right cadence depends on your risk profile, regulatory requirements, and rate of change in your systems. Here's the practical guidance we give our customers:

  • Annual VAPT (minimum): Required by every major compliance framework. Suitable for low-change, low-risk environments: internal corporate applications, simple brochure websites, established systems with infrequent updates.
  • Semi-annual VAPT: Recommended for mid-risk environments: customer-facing SaaS with regular feature releases, e-commerce platforms, healthcare applications.
  • Quarterly VAPT: Required for high-risk environments: banking applications, payment processors, fintech wallet platforms, large healthcare networks, applications handling sensitive personal data at scale.
  • After every major release: Any significant architectural change, new feature affecting authentication/authorization, new integration with sensitive data, or migration to a new platform should trigger a focused pentest.
  • Continuous (red team / bug bounty): Mature security programs combine periodic full VAPT with continuous testing through bug bounty platforms (HackerOne, Bugcrowd) and red team engagements.

The Real ROI of Regular VAPT for Indian Businesses

VAPT ROI is genuinely strong for Indian businesses, but most don't actually calculate it. Let's do the math.

Annual VAPT investment for an Indian SME with 3-5 applications and a moderate network: INR 6-15 lakh per year. For a larger fintech with 10+ applications: INR 15-30 lakh. For a major Indian enterprise: INR 30-80 lakh.

Average cost of a serious data breach in India in 2025: INR 17 crore (IBM Cost of a Data Breach Report). For BFSI: INR 22+ crore. Healthcare: INR 19 crore. Other: INR 15 crore. The breakdown includes incident response, regulatory fines, customer notification, business disruption, legal fees, brand damage, and customer churn.

Even if VAPT only prevents one breach every 10 years, the ROI is 10:1 to 20:1. In practice, regular VAPT finds and remediates 5-15 serious vulnerabilities per year for most Indian businesses. The cumulative risk reduction is enormous.


How to Choose a Quality VAPT Provider in India

Indian VAPT market quality varies wildly. Cheap scanner reports rebadged as 'pentests' are everywhere. Here's what to look for in a quality provider:

  • OSCP at minimum, OSCE / OSWE preferred: Offensive Security certifications validate real hands-on offensive capability. A resume listing 'Cyber Security Expert' is not a substitute.
  • Manual testing, not scanner output: Ask the provider how much of their methodology is manual vs automated. If they can't answer specifically, it's automated.
  • Named consultants in the proposal: Insist on knowing who will actually do the testing. Boutique firms hide behind 'our team of experts' because the actual testing is often outsourced.
  • Sample report quality: Ask to see a sanitized sample report. Look for: clear executive summary, technical findings with proof-of-concept, CVSS scoring, remediation guidance, retest verification.
  • ISO 27001 certified or equivalent: If the firm doesn't take its own security seriously, it can't credibly test yours.
  • Signed NDA and data handling protocols: Quality firms use encrypted vaults, 90-day data deletion, and signed NDAs as standard practice, not optional add-ons.
  • Free retest of critical findings: Top-tier firms include retest in the engagement price.

Frequently Asked Questions

What's the difference between vulnerability assessment and penetration testing?

Vulnerability assessment (VA) is mostly automated scanning that identifies known weaknesses: outdated software, missing patches, default credentials. Penetration testing (PT) is manual, human-led testing that attempts to actually exploit weaknesses to demonstrate real impact. VAPT combines both: scanners find the breadth of issues quickly, while manual testing finds the deep, chained, business-logic vulnerabilities that scanners can't detect. Quality VAPT is 60-80% manual work.

How long does a typical VAPT engagement take?

A web application pentest typically runs 5-10 business days of active testing plus 3-5 days of reporting. A mobile app pentest covering iOS + Android plus backend APIs is similar. External network pentest: 3-7 days. Internal network: 5-10 days. Cloud security audit: 5-10 days. Red team engagement: 4-8 weeks. Most Indian SMEs complete a comprehensive VAPT covering 3-5 systems in 4-6 weeks total.

How much does VAPT cost in India?

Codesecure publishes transparent INR price bands. A standard web application pentest runs INR 1.5-4 lakh fixed price. Mobile app pentest INR 2-4.5 lakh. API-only pentest INR 1.5-3 lakh. External network pentest INR 1-2.5 lakh. Internal network pentest INR 2-4 lakh. Cloud security audit INR 2.5-5 lakh. Red team engagement INR 8-25 lakh. Most Indian SMEs invest INR 6-15 lakh per year for comprehensive VAPT across all critical systems.

Should we do annual VAPT or quarterly?

Annual is the minimum required by ISO 27001, PCI DSS, and most other frameworks. Quarterly is recommended for high-risk applications: banking, payment processing, healthcare, fintech wallets, applications handling sensitive personal data at scale. The trigger for quarterly is when the cost of a breach significantly exceeds 4x the cost of a single VAPT. Many of our Indian banking and fintech clients run quarterly VAPT on customer-facing systems and annual on internal ones.

Will VAPT impact our production systems?

Quality VAPT is designed not to impact production. We use safe-testing techniques, coordinate testing windows with your operations team, exclude destructive tests, and maintain real-time communication during testing. Less than 1% of our VAPT engagements have any production impact, and impact is always recoverable within minutes. Cheap or inexperienced testers cause more outages; that is another reason to choose quality.

How do we prepare for a VAPT engagement?

Brief preparation makes the test 30-50% more productive: (1) Define scope clearly: which systems, which user roles, which timing windows. (2) Provide test accounts at each privilege level. (3) Whitelist tester IP addresses on the firewall/WAF if needed. (4) Identify key stakeholders for any urgent findings. (5) Document expected normal behavior so testers can spot anomalies. (6) Sign the NDA and rules of engagement before testing starts. Codesecure provides a structured pre-engagement checklist.

What does a good VAPT report look like?

A quality VAPT report contains: an executive summary (1-2 pages for leadership); technical findings (each with severity, CVSS score, business impact, technical details, proof-of-concept, screenshots, remediation guidance); mapping to compliance frameworks (OWASP, ISO 27001, DPDP, PCI DSS); a retest verification section; and a methodology and scope appendix. A 30-40 page report covering all of this is typical. Less than 20 pages usually indicates scanner output dressed up. More than 80 pages is often padding.


Codesecure Security Team

OSCP-Certified Penetration Testers

Codesecure Solutions delivers manual, OSCP-led VAPT to 150+ Indian banks, fintechs, SaaS firms, hospitals and government suppliers. ISO/IEC 27001:2022 certified. Named consultants on every engagement, fixed pricing, signed NDAs, and reports mapped to OWASP, ASVS, CVSS, ISO 27001, DPDP, PCI DSS and APRA CPS 234.


Get Your Annual VAPT Done with India's Trusted Manual Testing Firm

Codesecure has delivered VAPT to 150+ Indian businesses across BFSI, healthcare, SaaS, government, maritime and retail. Named OSCP-certified consultants, fixed INR pricing, signed NDA, 90-day data deletion, free retest of critical findings, and audit-ready reports.