Penetration Testing

The Complete Guide to VAPT

VAPT gets thrown around as a single acronym, but it is really two disciplines working together. Here is how a real engagement runs, what you should expect at each phase, and how to turn a report into fixes rather than a filing-cabinet PDF.

UUnnbugify Security Team February 12, 2026 12 min read

VAPT stands for Vulnerability Assessment and Penetration Testing. It is the structured process of finding security weaknesses in a system and then proving how far an attacker could actually take them. The two halves answer different questions: a vulnerability assessment asks "what could be wrong?" while a penetration test asks "what can an attacker really do with it?"

What VAPT means

A vulnerability assessment casts a wide net. Using automated scanners plus manual review, it enumerates as many known weaknesses as possible across the target and rates them by severity. It is broad, repeatable, and great for coverage - but a scanner cannot tell you whether a finding is genuinely exploitable in your environment or a harmless false positive.

A penetration test goes deep. A human tester chains findings together, bypasses controls, and demonstrates concrete impact - reading data they should not, escalating privileges, or pivoting deeper into the network. It answers the question executives actually care about: if someone tried, would they get in, and how bad would it be?

Assessment tells you where the cracks are. Penetration testing proves which cracks let the water in.

Assessment vs penetration testing

DimensionVulnerability AssessmentPenetration Test
GoalBreadth of coverageDepth of impact
MethodMostly automated + triageManual, creative, adversarial
OutputPrioritised list of weaknessesProven exploit paths + business impact
False positivesCommon, need triageValidated by exploitation
Best forContinuous hygienePoint-in-time assurance

They are complements, not competitors. Mature programmes run continuous assessments for hygiene and schedule periodic penetration tests for assurance and depth.

Types of VAPT

  • Network (external & internal): perimeter services, firewalls, VPNs, and - once "inside" - lateral movement and privilege escalation across the LAN.
  • Web application: the most common engagement. Authentication, access control, injection, business-logic flaws. Aligned to the OWASP Top 10 and beyond.
  • API: REST/GraphQL endpoints, where broken object-level authorization and excessive data exposure dominate.
  • Mobile: Android/iOS apps, local storage, certificate pinning, and the backends they talk to.
  • Cloud: misconfigured IAM, public buckets, exposed metadata, and over-permissioned roles in AWS/Azure/GCP.
  • Wireless & physical: rogue access points, badge cloning, and tailgating for the full-scope engagements.

The seven engagement phases

A professional engagement is not "run a scanner and export the results." It follows a repeatable lifecycle:

  1. Scoping & rules of engagement. Define targets, test windows, allowed techniques, and emergency contacts. Get written authorization - this is what separates a pentest from a crime.
  2. Reconnaissance. Map the attack surface: subdomains, technologies, endpoints, employees, and exposed assets. Passive first, then active.
  3. Scanning & enumeration. Fingerprint services and versions, spider the application, and identify candidate weaknesses.
  4. Exploitation. Safely prove the weaknesses are real - gain access, extract a controlled proof, escalate where authorized.
  5. Post-exploitation. Determine the blast radius: what data, systems, and privileges become reachable once a foothold exists.
  6. Reporting. Document every finding with reproduction steps, evidence, severity, business impact, and remediation guidance.
  7. Remediation & retest. The team fixes; the tester verifies. A finding is not closed until a retest confirms it.

The retest is the point. A report that never gets retested is a to-do list nobody checked off. Insist on a remediation retest in your statement of work.

Standards and methodologies

Reputable testing maps to recognised frameworks so results are consistent and defensible:

  • OWASP Testing Guide / Top 10 - the reference for web and API testing.
  • PTES (Penetration Testing Execution Standard) - end-to-end engagement structure.
  • NIST SP 800-115 - technical guide to security testing.
  • MITRE ATT&CK - a shared language for the tactics and techniques used post-compromise.

Reading the report

Severity is usually scored with CVSS (Common Vulnerability Scoring System), which rates a finding from 0.0 to 10.0:

RatingCVSSWhat it means for you
Critical9.0-10.0Drop everything. Likely full compromise.
High7.0-8.9Fix in the current sprint.
Medium4.0-6.9Planned remediation.
Low0.1-3.9Hardening / backlog.

But CVSS is only a starting point. A "medium" IDOR on your billing records may be a business-critical data breach, while a "high" on an isolated internal tool may be a shrug. Good reports translate the raw score into your business context. That translation is what you are really paying for.

How often to test

Point-in-time testing has a shelf life - every deploy can introduce new risk. A sensible cadence:

  • Annually at minimum, and after any major architectural change.
  • Continuous vulnerability scanning between penetration tests.
  • Before launch for any new internet-facing application.
  • On demand when compliance (ISO 27001, SOC 2, PCI-DSS, RBI, DPDP) requires evidence.

Key takeaways

  • VAPT = breadth (assessment) + depth (penetration testing). You want both.
  • A test without an authorization scope and a remediation retest is incomplete.
  • CVSS ranks the vulnerability; business context ranks the risk.
  • Testing is a cadence, not a one-off certificate.
Need professional assistance?

Unnbugify provides consent-based VAPT, red teaming, cloud and API security testing, and secure code review for organisations of every size.

Explore our services
U
Unnbugify Security Team
Offensive Security Research, Unnbugify Technologies

The Unnbugify team delivers VAPT, red teaming, and continuous security testing for organisations worldwide. We publish field notes from real engagements to help defenders stay ahead of attackers.