Why VAPT Is No Longer Optional for Indian Businesses in 2025
If you are running a business in India in 2025 and you have not conducted a professional Vulnerability Assessment and Penetration Testing engagement in the last 12 months, you are taking a risk that could end your business. That is not fear-mongering — it is the reality of the Indian cybersecurity landscape today.
The Regulatory Landscape Has Changed Completely
Three years ago, VAPT was something only banks and large IT companies worried about. Today, the regulatory environment in India looks very different. CERT-In's April 2022 directions, which have been enforced progressively since, require organisations to report specified categories of cyber incidents within 6 hours of noticing them, and to retain system logs for 180 days so that an incident can actually be reconstructed. But here is the part most businesses miss: CERT-In also maintains a panel of empanelled security auditors and expects organisations to undergo regular security audits. If you suffer a breach and cannot demonstrate that you had a proactive security testing programme, the regulatory consequences multiply.
RBI has expanded its cybersecurity framework beyond traditional banks. NBFCs, payment aggregators, digital lending platforms, and UPI-based services are all now expected to conduct regular penetration testing. The RBI's Master Direction on Information Technology Governance explicitly calls for vulnerability assessment as part of IT risk management.
SEBI's Cybersecurity and Cyber Resilience Framework applies to stock brokers, depository participants, mutual funds, and asset management companies. And the Digital Personal Data Protection Act (DPDP) — while still in implementation phase — creates additional obligations for any business processing personal data of Indian citizens.
The Real Cost of Ignoring VAPT
Let us talk numbers that matter to business owners. According to IBM's Cost of a Data Breach Report, the average cost of a data breach for an Indian organisation reached ₹17.9 crore in the 2023 edition of the report, and it has kept rising since. For small and medium businesses, the impact is often existential: a commonly cited (though contested) estimate is that 60% of SMBs that suffer a major breach shut down within six months.
But the direct cost of a breach is only part of the picture. Consider the indirect costs that Indian businesses face: regulatory penalties from CERT-In and sector-specific regulators, loss of customer trust in a market where digital trust is still fragile, contract violations with enterprise clients who require security compliance, legal liability under emerging data protection regulations, and business disruption during incident response and recovery.
A single VAPT engagement typically costs between ₹2 lakh and ₹15 lakh depending on scope. The ₹17.9 crore average is skewed by large enterprises, and a smaller business will not see a bill of that size, but even a breach one-tenth that cost dwarfs the price of testing. The return on investment is not subtle.
What Good VAPT Actually Looks Like
Here is where most Indian businesses get it wrong. They hire the cheapest vendor, get an automated scan report with 200 findings sorted by CVSS score, hand it to their IT team, and call it done. Six months later, they repeat the same exercise and get roughly the same report. Nothing actually improves.
Good VAPT starts with understanding your business — not running a scanner. A proper engagement should begin with a discovery phase where the testing team learns about your business model, revenue flows, data sensitivity, and regulatory requirements. Only then should they design test cases that target the vulnerabilities that actually matter to YOUR business.
The report should be actionable, not 200 pages of CVSS scores that your developers cannot act on. It should include root cause analysis, exploitation walkthroughs that demonstrate real impact, and specific remediation guidance for your technology stack. And the engagement should not end with the report: good VAPT includes re-testing to verify that fixes actually work and that they did not reopen the same hole elsewhere.
The Business Logic Gap That Scanners Cannot Fill
Automated vulnerability scanners are essential tools, but they have a fundamental limitation: they match patterns they were built to recognise, and they have no model of what your application is supposed to do. They can find SQL injection. They can find cross-site scripting. They can flag known CVEs in your software versions. But they cannot tell that your payment flow trusts a price or amount sent back from the browser in a hidden field, because a tampered request looks just as well-formed as an honest one. They cannot tell that your coupon system has no server-side validation. They cannot tell that your multi-tenant SaaS platform lets one tenant read another tenant's records simply by changing an identifier.
In Verentix's experience testing Indian applications, business logic vulnerabilities account for over 60% of critical findings. These are the vulnerabilities that lead to direct financial loss, regulatory action, and customer data exposure. And they can only be found through manual, expert-driven testing by professionals who understand both security and business operations.
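To make the scanner gap concrete, here is an added example (written for this page, not code from Verentix or from any client engagement) showing the three flaws just described side by side with their server-side fixes: a checkout handler that trusts the client's amount and discount, a version that recomputes the total from a server-side catalog and validates the coupon itself, and a tenant-scoped order lookup. The catalog, coupon table, order table and request payloads are constructed sample data, not real prices or real systems.

```python
"""Business-logic flaws a scanner cannot see, with hardened counterparts.
All data below is constructed for illustration."""
from decimal import Decimal

# Constructed server-side state (assumed for the example).
CATALOG = {"SKU-100": Decimal("1999.00"), "SKU-200": Decimal("499.00")}
COUPONS = {
    "WELCOME10": {"percent": 10, "min_total": Decimal("1000.00"), "active": True},
    "EXPIRED50": {"percent": 50, "min_total": Decimal("0.00"), "active": False},
}
# Orders keyed by (tenant, order_id): the tenant is part of the key.
ORDERS = {
    ("tenant-a", 1): {"sku": "SKU-100", "qty": 1},
    ("tenant-b", 2): {"sku": "SKU-200", "qty": 3},
}


class CheckoutError(ValueError):
    """Raised when a request fails server-side validation."""


def checkout_vulnerable(payload: dict) -> Decimal:
    """Deliberately flawed: trusts the 'amount' and 'discount' fields the
    browser sends back (typically hidden form fields). Every request is
    syntactically valid and injection-free, so a scanner reports nothing."""
    amount = Decimal(str(payload["amount"]))
    discount = Decimal(str(payload.get("discount", "0")))
    return amount - discount


def checkout_secure(payload: dict) -> Decimal:
    """Hardened: ignores any client-supplied total and recomputes the price
    from CATALOG; the coupon is looked up, checked for validity and for its
    minimum-spend rule on the server. Only sku, qty and coupon are read."""
    try:
        qty = int(payload["qty"])
    except (KeyError, ValueError, TypeError):
        raise CheckoutError("invalid quantity")
    if qty < 1 or qty > 100:
        raise CheckoutError("quantity out of range")
    sku = payload.get("sku")
    if sku not in CATALOG:
        raise CheckoutError("unknown sku")
    total = CATALOG[sku] * qty

    code = payload.get("coupon")
    if code is not None:
        coupon = COUPONS.get(code)
        if coupon is None or not coupon["active"]:
            raise CheckoutError("invalid or inactive coupon")
        if total < coupon["min_total"]:
            raise CheckoutError("coupon minimum spend not met")
        discount = (total * coupon["percent"] / 100).quantize(Decimal("0.01"))
        total -= discount

    if total <= 0:
        raise CheckoutError("non-positive total")
    return total


def get_order(order_id: int, tenant_id: str) -> dict:
    """Tenant-scoped lookup. Because the tenant is part of the lookup key,
    a valid order id belonging to another tenant is simply 'not found'
    instead of being returned, which is the isolation failure a scanner
    cannot detect by looking at one response in isolation."""
    order = ORDERS.get((tenant_id, order_id))
    if order is None:
        raise CheckoutError("order not found")
    return order


if __name__ == "__main__":
    # Constructed tampered request: hidden field 'amount' rewritten to 1.
    tampered = {"sku": "SKU-100", "qty": "1", "amount": "1", "discount": "0"}
    print("vulnerable charges:", checkout_vulnerable(tampered))  # 1
    print("secure charges:    ", checkout_secure(tampered))      # 1999.00
    print("with coupon:       ", checkout_secure({**tampered, "coupon": "WELCOME10"}))
```

The point of the example is that every request above is well-formed; the difference between paying ₹1 and paying ₹1,999 lies entirely in which fields the server chooses to trust, and that is a decision a tester has to reason about by understanding the revenue flow, not something a signature can match.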
What Should You Do Right Now?
If you have not conducted VAPT in the last 12 months, start the process today. If your last VAPT was an automated scan with no manual testing, that does not count — get a proper assessment that includes business logic testing. If you are in a regulated industry — banking, insurance, fintech, healthcare — verify that your VAPT programme meets the specific requirements of your regulator.
The cost of prevention is always lower than the cost of recovery. And in 2025's India, the question is not whether your business will face a cyber attack — it is whether you will be ready when it happens.