
VAPT Cost in India 2026: What Penetration Testing Should Actually Cost

By Parth Chauhan. 10 min read.

TL;DR

  • Indicative 2026 market ranges: web app VAPT ₹40k–₹1.5L for a typical SaaS scope, mobile ₹50k–₹1.5L per platform, API ₹40k–₹1.2L, external network ₹30k–₹1L, internal network ₹60k–₹2L, cloud config review ₹50k–₹1.5L per environment. Enterprise scopes run higher.
  • Price is driven by scope size, grey-box vs black-box approach, manual testing depth, retest rounds included, and tester seniority — not by the tool license.
  • A quote under roughly ₹25k for a full web application is, as a rule of thumb, an automated scan export with a new cover page.
  • Test at least annually and after major changes; SOC 2, ISO 27001 (control A.8.8) and RBI supervision all effectively require it.
  • Judge vendors by their sample report and retest terms before you judge them by price.

A web application VAPT for a typical SaaS-scale scope costs ₹40,000–₹1.5 Lakh in India in 2026, with mobile, API, network, and cloud assessments each carrying their own bands — all indicative market ranges that we break down in the table below. Where you land within a band depends on five things: how big the scope is, whether testing is grey-box or black-box, how much of it is genuinely manual, how many retest rounds are included, and who is actually doing the testing.

I review penetration test reports for a living — they land on my desk as evidence in ISO 27001 and SOC 2 audits — and the spread in quality is wider than the spread in price. I've seen ₹12,000 "penetration tests" that were a vulnerability scanner's PDF export with the vendor's logo on it, and I've seen ₹80,000 engagements that found authorization flaws a scanner could never reach. This guide is about telling those two apart before you pay.

What Does VAPT Cost in India in 2026?

All figures below are indicative market ranges for engagements by competent, manual-first teams. Enterprise scopes — dozens of roles, hundreds of endpoints, regulated environments — go higher.

Scope | Indicative Range (INR) | What Moves the Number
--- | --- | ---
Web application | ₹40,000 – ₹1.5 Lakh (typical SaaS scope); enterprise scopes higher | Number of screens/endpoints, user roles and workflows; single-page-app complexity; payment or document-handling flows
Mobile application | ₹50,000 – ₹1.5 Lakh per platform | Android and iOS are separate efforts; local storage, whether the API backend is in scope, root/jailbreak and tamper-resistance testing
API | ₹40,000 – ₹1.2 Lakh | Endpoint count, auth model (keys, OAuth, multi-tenant), documentation quality; undocumented APIs cost more to test properly
External network | ₹30,000 – ₹1 Lakh | Number of public IPs and exposed services; whether exploitation is permitted or testing stops at validation
Internal network | ₹60,000 – ₹2 Lakh | Subnet and host count, Active Directory in scope, assumed-breach vs perimeter start, on-site vs VPN-based testing
Cloud configuration review | ₹50,000 – ₹1.5 Lakh per environment | Accounts/subscriptions/projects in scope, services in use, IAM complexity, benchmark depth (CIS alignment vs full attack-path review)

A combined programme — web + API + cloud for a typical SaaS company — usually lands at ₹1.5–4 Lakh (indicative), with multi-asset enterprise programmes going well beyond that.

What Actually Drives the Price?

  • Scope size. Testers price in person-days. Fifty endpoints across four user roles is simply more days than ten endpoints with one role. A vendor who quotes without asking for role counts, endpoint counts, or a walkthrough is quoting blind — and will recover the gap by testing shallow.
  • Grey box vs black box. Grey-box testing (you provide credentials and context) finds more per rupee, because testers spend their hours attacking logic instead of guessing at the perimeter. Black-box simulates an external attacker more faithfully but costs more time for less coverage. For most compliance and assurance purposes, grey box is the right spend.
  • Retest rounds. Finding vulnerabilities is half the engagement; verifying your fixes is the other half. One retest round within 30–90 days should be included. "Retest charged separately" is how a cheap quote becomes an expensive engagement.
  • Manual depth vs automated scans. The single biggest quality variable — and the easiest corner to cut invisibly, which is why it gets its own section below.
  • Tester seniority and accountability. Certifications (OSCP and the like), named testers in the report, and a methodology you can read beat a brand name on the cover. Ask who, specifically, will be on your engagement.

Auditor's Note:

When a VAPT report lands in an audit, the first thing I check isn't the findings — it's the scope page and the methodology. A report that can't say which URLs, roles, and dates were tested, and what was explicitly out of scope, is unusable as evidence. The second thing I check is whether the criticals were retested. An unretested critical from eight months ago tells me more about the organization than the vulnerability does.

Why Does Manual-First Testing Matter?

Because the vulnerabilities that actually hurt you are invisible to scanners. Automated tools are good at what they do — known CVEs, missing headers, outdated components, obvious misconfigurations — and any honest tester runs them as the first pass. But the findings that end up in breach post-mortems live in business logic:

  • Changing an ID in an API call and reading another customer's invoices (IDOR/broken object-level authorization)
  • A password-reset flow that can be replayed against any account
  • Privilege escalation by replaying a low-privilege token against an admin endpoint (broken function-level authorization)
  • A payment amount manipulated client-side and honored server-side
  • Three low-severity findings chained into one account takeover

Scanners do not find these, because a scanner has no model of what your application is supposed to do; it sees a 200 response with valid JSON and moves on. A human reading the workflow knows that response should have been a 403. That human costs money, which is exactly why a full web application "pentest" quoted at ₹10,000–₹15,000 is, as a rule of thumb, a scan export. You're not buying a cheaper version of the same product; you're buying a different product with the same name.

The test to apply: ask the vendor what percentage of effort is manual, ask for a sanitized sample report, and look for findings a scanner cannot produce — logic flaws with step-by-step reproduction, chained exploits, authorization matrix testing. If every finding has a CVE number or a plugin ID, you have your answer.
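The IDOR item in the list above and the "authorization matrix testing" this section asks you to look for, as an added example that is not from the article and not TCSA's code: a small in-memory invoice service written two ways (authenticated-only, then with a proper object-level check) and a matrix runner that tries every user against every object and reports each access the matrix says should have been refused. The tenant names, user names, invoice IDs and amounts are constructed sample data, and the function names are this example's own.

```python
"""
Added example (not from the article): a vulnerable and a hardened
object-level authorization check on an invoice lookup, plus an
authorization-matrix runner of the kind a manual tester uses to find IDOR.
All tenants, users and invoices below are constructed sample data.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str


# Constructed sample data: two tenants, one invoice each.
INVOICES = {
    1001: {"tenant": "acme", "amount": 25000},
    1002: {"tenant": "globex", "amount": 990000},
}
USERS = {
    "alice": Session("alice", "acme"),
    "bob": Session("bob", "globex"),
}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(session: Session, invoice_id: int) -> dict:
    """Authenticated but not authorized: any logged-in user can read any
    invoice by changing the id. A scanner sees a 200 with valid JSON and
    reports nothing, because it does not know whose invoice this is."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise KeyError(invoice_id)
    return inv


def get_invoice_hardened(session: Session, invoice_id: int) -> dict:
    """Object-level check: the invoice must belong to the caller's tenant.
    Unknown and foreign ids fail the same way, so the response does not
    confirm that an id exists in another tenant."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["tenant"] != session.tenant:
        raise Forbidden(invoice_id)
    return inv


def expected_allowed(session: Session, invoice_id: int) -> bool:
    """The authorization matrix the application is supposed to enforce:
    a user may read an invoice only if it belongs to their own tenant."""
    inv = INVOICES.get(invoice_id)
    return inv is not None and inv["tenant"] == session.tenant


def run_authz_matrix(handler) -> list:
    """Exercise every (user, invoice) pair against `handler` and return the
    pairs where access was granted but the matrix says it must be denied.
    An empty list means no IDOR was found for this endpoint."""
    violations = []
    for user, invoice_id in product(USERS, INVOICES):
        session = USERS[user]
        try:
            handler(session, invoice_id)
            granted = True
        except (Forbidden, KeyError):
            granted = False
        if granted and not expected_allowed(session, invoice_id):
            violations.append((user, invoice_id))
    return violations


if __name__ == "__main__":
    print("vulnerable:", run_authz_matrix(get_invoice_vulnerable))
    print("hardened:  ", run_authz_matrix(get_invoice_hardened))
```

In a real engagement `handler` is an HTTP request sent with each role's own session cookie, and the matrix is written down from your walkthrough before testing starts; that is the part of the effort no scanner plugin replaces, and it is what a sample report's reproduction steps should show for a finding like this.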

What Should a Good VAPT Report Contain?

The report is the product — it's what your customers, auditors, and engineers will actually use. A report worth paying for contains:

  1. Executive summary a non-technical buyer can read: overall risk posture, what was tested, the headline issues in business terms.
  2. Scope and methodology: exact assets, roles, dates, approach (grey/black box), standards followed (OWASP Testing Guide, PTES), and what was excluded.
  3. Severity-rated findings with CVSS scores and a contextual rating — a "medium" on an internet-facing payment flow is not a medium.
  4. Reproduction steps and evidence: requests, responses, screenshots — enough for your engineer to reproduce the issue in ten minutes without emailing the tester.
  5. Business impact per finding, in plain language: what an attacker actually gets.
  6. Remediation guidance specific to your stack, not a pasted OWASP paragraph.
  7. Retest annex and attestation: verified-fixed status per finding, plus a summary letter or certificate you can hand to customers and auditors without disclosing the findings themselves.

How Often Should You Test?

The baseline that satisfies both attackers' tempo and auditors' expectations: a full VAPT at least annually, plus targeted retesting after every major change — new modules, authentication changes, infrastructure migrations, big releases. Between full tests, continuous automated scanning keeps the known-CVE surface covered; it supplements the annual manual test, it doesn't replace it.

Compliance frameworks force the cadence anyway:

  • SOC 2: penetration testing isn't named as a mandatory control, but CPA firms expect it as evidence of vulnerability management and monitoring — a Type II window without a pentest in it invites questions.
  • ISO 27001: control A.8.8 (management of technical vulnerabilities) requires you to identify and treat technical vulnerabilities; for any internet-facing product, auditors — me included — expect periodic penetration testing as part of how you satisfy it.
  • RBI and regulated entities: RBI-supervised institutions and their critical vendors face explicit periodic VAPT expectations, and regulators frequently require testing by CERT-In empanelled organisations. TCSA delivers such engagements with CERT-In empanelled partners, so the report carries the empanelment your regulator or enterprise customer asks for.

Auditor's Note:

Time the test to your audit calendar. A VAPT dated inside your SOC 2 observation window, or in the months before your ISO 27001 surveillance audit — with criticals remediated and retested — converts one engagement into evidence for multiple frameworks. The same report, badly timed, buys you nothing twice.

Frequently Asked Questions

How much does a web application VAPT cost in India?

Indicatively, ₹40,000–₹1.5 Lakh for a typical SaaS scope in 2026, scaling with endpoints, roles, and workflow complexity. Enterprise applications with many roles and integrations run higher.

Why do quotes for the same application vary so much?

Because the product varies. The low end is usually automated scanning with minimal human validation; the upper end is days of manual testing against your business logic, with a retest round included. Compare methodology and sample reports, not just numbers.

Is VAPT mandatory for SOC 2 or ISO 27001?

Neither standard names "penetration test" as a mandatory control, but in practice both require it: SOC 2 auditors expect it as vulnerability-management evidence, and ISO 27001's A.8.8 is very hard to satisfy for an internet-facing product without periodic testing.

Do I need a CERT-In empanelled test?

If you're RBI-supervised, serve government or BFSI customers, or your client contract names it — yes, the report should come from a CERT-In empanelled organisation. TCSA delivers these engagements with CERT-In empanelled partners.

How long does a VAPT take?

A typical web application engagement runs 1–3 weeks of testing plus reporting, with the retest a few weeks later once fixes ship. Multi-asset programmes run 4–8 weeks. Book 6–8 weeks ahead of any audit deadline the report needs to feed.

What's the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment identifies and prioritizes weaknesses, largely tool-driven and broad. A penetration test exploits them — manually validating what an attacker can actually reach and chain. VAPT, done properly, is both: scan for breadth, then test by hand for depth.


Parth Chauhan is an ISO 27001, ISO 27701, and ISO 42001 Lead Auditor (CEH, BE — BITS Pilani) at Tranquility Cybersecurity. TCSA has delivered 500+ audits across India, USA, UK, Australia and UAE, with security testing engagements delivered with CERT-In empanelled partners. See our security testing services for scoping and a sample report.
