Penetration Testing

The VAPT Process Explained: A Step-by-Step Walkthrough of How Professional VAPT Is Conducted

Written by Vijaysimha Reddy, reviewed by Tejas K. Dhokane
Updated: June 24, 2026
12 mins read
You've decided your organisation needs VAPT. You understand what vulnerability assessment and penetration testing is. You know the difference between vulnerability assessment and penetration testing. You've evaluated VAPT service providers and selected one. Now what?

What actually happens during a VAPT engagement? What does the process look like from day one to final deliverable? What is your team responsible for at each stage? What should you expect from your testing provider at every phase?

Most VAPT content explains what VAPT is or why you need it. This guide explains how VAPT is actually done. Every phase, every step, every deliverable, every decision point from initial scoping through final retesting.

Understanding the VAPT process helps organisations prepare for engagements, set accurate expectations, evaluate provider quality during execution, and ensure they extract maximum security value from their VAPT investment.

The VAPT Process: Overview

The VAPT process follows a structured lifecycle with distinct phases, each producing specific deliverables that feed into the next stage.

Phase 1: Scoping and Planning defines what will be tested and how. 

Phase 2: Information Gathering and Reconnaissance maps the target environment. 

Phase 3: Vulnerability Assessment identifies security weaknesses systematically. 

Phase 4: Penetration Testing exploits validated vulnerabilities, proving real risk. 

Phase 5: Analysis and Impact Assessment determines business consequences. 

Phase 6: Reporting documents findings with evidence and remediation guidance. 

Phase 7: Remediation Support helps your team fix identified issues. 

Phase 8: Retesting and Validation confirms fixes are effective.

Each phase builds on the previous one. Skipping phases or rushing through them compromises the value of subsequent stages. A VAPT engagement that cuts reconnaissance short produces a penetration test that misses attack surface. A penetration test without proper vulnerability assessment targets the wrong weaknesses. A report without remediation support produces findings without fixes.

Quality VAPT providers execute every phase thoroughly. The VAPT process differentiates genuine security assessment from automated scanning repackaged as penetration testing.

Phase 1: Scoping and Planning

Scoping is the most important phase of the VAPT process. Everything that follows depends on getting scope right.

What Happens During Scoping

Asset identification. Define exactly which systems, applications, APIs, networks, cloud environments, and infrastructure fall within the VAPT scope. This includes web applications, APIs (REST, GraphQL, SOAP), mobile applications (iOS, Android), cloud infrastructure (AWS, Azure, GCP), internal networks, and external perimeter systems.

Testing approach selection. Choose black box, white box, or grey box methodology based on testing objectives. Black box VAPT provides no information to testers, simulating an external attacker. White box provides complete information including source code and architecture, enabling the deepest assessment. Grey box provides partial information such as user credentials, simulating an authenticated user or insider.

Compliance alignment. Identify which regulatory frameworks the VAPT must address. PCI DSS, SOC 2, ISO 27001, HIPAA, MAS TRM, RBI, and other frameworks each have specific testing expectations. Compliance requirements influence scope, depth, and reporting format. See our comprehensive penetration testing compliance guide for framework-specific requirements.

Rules of engagement. Establish testing boundaries including permitted testing hours, excluded systems or techniques, escalation contacts, communication procedures, and critical finding notification requirements.

Timeline and milestones. Agree on testing schedule, milestone check-ins, draft report delivery, final report delivery, and retesting window.

What Your Team Should Provide

During scoping, your organisation provides: a target system inventory (IP ranges, domains, subdomains, application URLs); testing credentials if a grey box or white box approach is selected; architecture documentation and data flow diagrams if available; the compliance requirements and frameworks the report must address; internal contacts available during testing; testing windows and any blackout periods; and previous VAPT reports if available (enabling year-over-year comparison).

Scoping Deliverable

A formal scope document capturing everything agreed: target systems, testing methodology, compliance requirements, rules of engagement, timeline, and responsibilities. Both parties sign off before testing begins.

Common Scoping Mistakes

Scoping too narrowly. Testing only the primary web application while excluding APIs, cloud infrastructure, or supporting systems that process the same data. Attackers don't respect artificial scope boundaries.

Scoping without compliance input. Defining scope based on technical considerations only, then discovering post-engagement that compliance frameworks required additional systems to be tested.

Not involving development teams. Developers understand application architecture, user roles, and business logic better than anyone. Their input during scoping ensures testing covers the most relevant attack vectors.

Phase 2: Information Gathering and Reconnaissance

Reconnaissance maps the target environment, identifying attack surface, technologies, and potential entry points before active testing begins.

Passive Reconnaissance

Gathering information without directly interacting with target systems. This includes DNS records and subdomain enumeration; WHOIS data and domain registration details; certificate transparency log analysis; technology identification from job postings, public documentation and social media; leaked credentials in breach databases; and public code repositories containing organisation assets.

Passive reconnaissance often discovers assets organisations don't know are publicly exposed: forgotten staging environments, legacy applications, shadow IT deployments, and decommissioned systems still accessible.

Active Reconnaissance

Directly probing target systems to discover services, configurations, and technologies. Port scanning identifies open services across target IP ranges. Service fingerprinting determines software versions and configurations. Web application crawling maps site structure, functionality, and input vectors. API endpoint discovery identifies accessible API resources. Technology stack identification reveals frameworks, servers, and libraries in use.

Reconnaissance Deliverable

A target profile documenting the complete attack surface: all discovered systems, services, technologies, potential entry points, and preliminary observations about security posture. This profile guides vulnerability assessment and penetration testing focus.

Why Reconnaissance Matters in the VAPT Process

The quality of reconnaissance directly determines the quality of subsequent testing. Shallow reconnaissance means testers miss portions of the attack surface. Thorough reconnaissance ensures every accessible system, service, and endpoint receives appropriate assessment.

Automated scanners skip meaningful reconnaissance. They scan the IP addresses and URLs they're given without discovering what else exists. Manual penetration testing includes human-driven reconnaissance that discovers the assets automated tools never examine.

Phase 3: Vulnerability Assessment

Vulnerability assessment systematically identifies security weaknesses across the target environment using both automated scanning and manual review.

Automated Vulnerability Scanning

Automated scanners check systems against databases containing tens of thousands of known vulnerabilities. Scanning covers known CVEs across operating systems, applications, and services, missing security patches, insecure configurations and default settings, weak encryption and protocol issues, exposed services and unnecessary ports, and cloud misconfigurations (IAM, storage, networking).

Scanning tools include Nessus, Qualys, and OpenVAS for infrastructure scanning, plus Burp Suite and OWASP ZAP for web application scanning.

Manual Vulnerability Review

Automated scanning is necessary but insufficient. Manual review adds critical value.

False positive elimination. Scanners flag potential vulnerabilities that aren't genuine in context. Manual review validates each finding, removing false positives that would waste remediation effort. Quality VAPT delivers zero false positives because every finding receives manual validation.

Scanner gap coverage. Automated tools miss business logic flaws, complex authorisation issues, configuration-specific vulnerabilities, and chained weaknesses. Manual review identifies vulnerabilities requiring human reasoning.

Contextual severity assessment. Scanner severity ratings don't consider business context. A medium CVSS vulnerability on a payment processing system may represent critical business risk. Manual review adds business context to severity assessment.

Vulnerability Assessment Deliverable

A validated vulnerability inventory: confirmed security weaknesses with false positives removed, severity ratings considering both technical and business context, and affected systems for each finding. This inventory becomes the target list for penetration testing.

How This Phase Relates to Penetration Testing

Vulnerability assessment and penetration testing are complementary but distinct. Assessment identifies what might be vulnerable. Penetration testing (Phase 4) proves what's actually exploitable. This is the fundamental distinction that makes VAPT more valuable than either assessment type alone.

For deeper understanding, see our detailed guide on vulnerability assessment vs. penetration testing.

Phase 4: Penetration Testing

This is where the VAPT process delivers its highest value. Expert testers manually exploit validated vulnerabilities, demonstrating real-world risk through proof-of-concept attacks.

How Penetration Testing Works Within VAPT

Testers select high-value targets from the validated vulnerability inventory based on severity, exploitability, and potential business impact. For each target, testers develop an exploitation approach, attempt exploitation using professional techniques, document success or failure with evidence, and when successful, assess what further access or damage exploitation enables.

Exploitation Techniques by Target Type

Web applications. Testers exploit injection vulnerabilities (SQL, command, template), authentication bypasses, authorisation failures (IDOR, privilege escalation), business logic flaws, and session management weaknesses. Testing covers the OWASP Top 10 and application-specific attack vectors. For methodology details, see our web application penetration testing guide.

APIs. Testers exploit broken authentication, broken object-level authorisation (BOLA), broken function-level authorisation (BFLA), injection through API parameters, and excessive data exposure. See our API penetration testing guide.

Networks. Testers exploit unpatched services, weak authentication, misconfigurations, and segmentation failures to gain initial access, move laterally, and escalate privileges. See our network penetration testing guide.

Cloud environments. Testers exploit IAM misconfigurations, storage exposure, network security group weaknesses, and cloud-native attack vectors across AWS, Azure, and GCP.

Mobile applications. Testers exploit insecure data storage, weak encryption, authentication flaws, and mobile-to-backend communication weaknesses. See our mobile application penetration testing guide.

Vulnerability Chaining

Individual vulnerabilities often seem low or medium severity in isolation. The VAPT process reveals how they combine into critical attack paths.

For example: an information disclosure vulnerability reveals internal API endpoints (low severity). One API endpoint lacks authorisation (medium severity). Through that endpoint, a tester accesses a database connection string (high severity). Using those credentials, the tester accesses the customer database containing PII (critical impact).

No individual finding warranted emergency remediation. The chain enables complete data breach. Vulnerability chaining is the primary reason manual penetration testing produces higher-impact findings than automated scanning. Scanners test individual vulnerabilities. Human testers think in attack chains.

Penetration Testing Deliverable

Exploitation evidence for every validated finding: screenshots, request/response captures, reproduction steps, and impact demonstration. Successful attack chains documented end-to-end showing how initial exploitation leads to maximum achievable impact.

Phase 5: Analysis and Impact Assessment

After exploitation, the VAPT process transitions from technical testing to business impact analysis.

What Analysis Covers

Business impact assessment. For every exploited vulnerability, determine what business damage would result from real-world exploitation. Data exposure scope (how many records, what data types). Financial impact potential (regulatory fines, breach costs, business disruption). Operational impact (system availability, process disruption). Reputational impact (customer trust, brand damage).

Risk prioritisation. Rank findings by combined technical severity and business impact. A technically severe vulnerability in a test environment may warrant lower priority than a medium-severity vulnerability in a payment processing system. Business context determines remediation urgency.

Compliance impact mapping. Map findings to applicable compliance framework controls. An authentication bypass maps to PCI DSS Requirement 8, SOC 2 CC6, ISO 27001 A.8.5, and MAS TRM authentication requirements. This mapping enables organisations to understand compliance implications of each finding.

Root cause analysis. Identify underlying patterns causing multiple vulnerabilities. If twelve findings trace back to insufficient input validation practices, the root cause is a development process gap, not twelve individual bugs. Root cause analysis drives systemic improvement rather than point fixes.
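As an added illustration of the prioritisation and root cause steps above (example code, not AppSecure's own tooling), the script below scores a constructed findings inventory by CVSS scaled with business context, then groups findings by root cause so that a repeated pattern surfaces as one process gap rather than many individual bugs. The weight tables, priority thresholds and sample findings are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Business-context weights. These values are assumptions chosen for this
# example; a real programme would calibrate them with the organisation.
ENVIRONMENT_WEIGHT = {"production": 1.0, "staging": 0.6, "test": 0.3}
DATA_WEIGHT = {"payment": 1.0, "pii": 0.9, "internal": 0.5, "none": 0.2}


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    cvss: float         # CVSS base score from the validated inventory
    environment: str    # key into ENVIRONMENT_WEIGHT
    data_class: str     # key into DATA_WEIGHT
    exploited: bool     # True if Phase 4 produced proof-of-concept evidence
    root_cause: str     # underlying pattern identified during analysis


def cvss_rating(score: float) -> str:
    """Qualitative CVSS v3 bands: the scanner's view, with no business context."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def priority_score(f: Finding) -> float:
    """Technical severity scaled by where the system sits, what data it holds,
    and whether exploitation was actually demonstrated."""
    exploit_weight = 1.0 if f.exploited else 0.5
    return (f.cvss * ENVIRONMENT_WEIGHT[f.environment]
            * DATA_WEIGHT[f.data_class] * exploit_weight)


def priority_band(score: float) -> str:
    """Remediation urgency from the combined score (assumed thresholds)."""
    if score >= 7.0:
        return "P1 - remediate immediately"
    if score >= 4.0:
        return "P2 - remediate this sprint"
    if score >= 1.0:
        return "P3 - schedule"
    return "P4 - track"


def rank_findings(findings):
    """Order findings for the remediation roadmap, highest combined score first."""
    return sorted(findings, key=priority_score, reverse=True)


def group_by_root_cause(findings):
    groups = defaultdict(list)
    for f in findings:
        groups[f.root_cause].append(f.ident)
    return dict(groups)


def systemic_root_causes(findings, threshold=3):
    """Root causes behind at least `threshold` findings: a process gap, not N bugs."""
    return sorted(cause for cause, idents in group_by_root_cause(findings).items()
                  if len(idents) >= threshold)


# Constructed sample inventory (not real findings).
SAMPLE_FINDINGS = [
    Finding("F-001", "RCE in disposable test build agent", 9.8, "test", "internal", True,
            "unpatched third-party service"),
    Finding("F-002", "IDOR on payment receipt endpoint", 6.5, "production", "payment", True,
            "missing object-level authorisation"),
    Finding("F-003", "Reflected XSS in search", 6.1, "production", "pii", True,
            "insufficient input validation"),
    Finding("F-004", "SQL injection in report filter", 9.1, "production", "pii", True,
            "insufficient input validation"),
    Finding("F-005", "Command injection in export job", 8.8, "production", "internal", False,
            "insufficient input validation"),
    Finding("F-006", "Verbose stack traces on error page", 5.3, "staging", "internal", False,
            "insecure error handling"),
]


def remediation_roadmap(findings=SAMPLE_FINDINGS):
    """Rows of (id, CVSS rating, combined score, band) in remediation order."""
    return [(f.ident, cvss_rating(f.cvss), round(priority_score(f), 2),
             priority_band(priority_score(f))) for f in rank_findings(findings)]


if __name__ == "__main__":
    for ident, rating, score, band in remediation_roadmap():
        print(f"{ident}  CVSS {rating:<8} combined {score:>5}  {band}")
    print("Systemic root causes:", systemic_root_causes(SAMPLE_FINDINGS))
```

Note how the CVSS-Critical finding on the disposable test agent (F-001) ranks below the Medium IDOR on the payment endpoint (F-002), and how three separate injection findings collapse into one systemic cause.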

Analysis Deliverable

Prioritised findings with business context, compliance mapping, and root cause identification. This analysis transforms technical vulnerabilities into business intelligence that stakeholders across the organisation can understand and act on.

Phase 6: Reporting

The VAPT report is the primary engagement deliverable. Report quality determines whether VAPT findings drive security improvement or gather dust in a shared drive.

What a Quality VAPT Report Contains

Executive summary. Non-technical overview communicating overall security posture, critical risks, and strategic recommendations. Written for board members, executives, and non-technical stakeholders who need to understand business risk without reading technical details.

Scope and methodology documentation. What was tested, how testing was conducted, testing approach (black/white/grey box), tools and techniques used, and any scope limitations.

Findings section. Each finding documented with clear vulnerability description, CVSS severity rating with business context justification, affected systems and components, proof-of-concept exploitation evidence (screenshots, payloads, request/response captures), complete reproduction steps enabling verification, business impact assessment, compliance framework mapping (PCI DSS, SOC 2, ISO 27001, MAS TRM, RBI), and specific remediation guidance with implementation steps.

Attack path documentation. Chained vulnerabilities presented as complete attack narratives showing how initial exploitation escalates to maximum impact.

Remediation roadmap. Findings prioritised by combined severity and business impact with recommended remediation sequence. Critical exploitable vulnerabilities affecting customer data receive highest priority.

Appendices. Testing methodology details, tool outputs supporting findings, and scope confirmation documentation.

For detailed reporting standards, see our penetration testing reports guide.

Report Quality Indicators

Reports that indicate quality VAPT: every finding has proof-of-concept evidence, remediation guidance is specific to your technology stack (not generic), business impact assessment goes beyond CVSS scores, compliance mapping is present for every applicable framework, and attack chains are documented showing compound risk.

Reports that indicate scanner-repackaged output: findings lack exploitation evidence, remediation advice is generic ("apply vendor patches"), no business context beyond CVSS, no compliance mapping, and no attack chain documentation.

Understanding how to evaluate penetration testing quality helps organisations assess whether their VAPT report reflects genuine manual testing or automated output.

Phase 7: Remediation Support

The VAPT process doesn't end with report delivery. Quality VAPT includes active support while your team implements fixes.

What Remediation Support Includes

Findings debrief. A walkthrough session where testers explain findings to your security, development, and operations teams. Testers answer questions, clarify exploitation methods, and discuss remediation approaches in context that written reports can't fully convey.

Developer Q&A. Ongoing availability for developers implementing fixes to ask questions about specific findings, validate proposed remediation approaches, and get guidance on secure implementation patterns.

Fix review. The testing team reviews proposed fixes before implementation, confirming the approach addresses the root cause rather than just the symptom. A fix that blocks the specific test payload but doesn't address the underlying vulnerability provides false security.

Prioritisation guidance. Helping your team sequence remediation when resource constraints prevent fixing everything simultaneously. Which findings should be addressed first? Which can wait? What compensating controls can reduce risk while permanent fixes are developed?

Remediation Support Duration

Quality VAPT providers include 30 to 90 days of remediation support following report delivery. This window should be sufficient for most organisations to address critical and high-severity findings before retesting.

Phase 8: Retesting and Validation

The final phase of the VAPT process validates that remediation actually worked.

What Retesting Covers

Testers re-examine every remediated finding using the same exploitation techniques from the original test. For each finding, retesting confirms that the vulnerability is no longer exploitable; that the fix doesn't introduce new vulnerabilities (regression testing); that the remediation addresses the root cause, not just the specific test case; and that compensating controls (if applied instead of full fixes) effectively mitigate risk.

Retesting Deliverable

A retesting report documenting the status of every original finding: resolved (vulnerability no longer exploitable), partially resolved (risk reduced but not eliminated), unresolved (vulnerability remains exploitable), or regressed (fix introduced new issues).

This retesting evidence is particularly valuable for compliance. ISO 27001 auditors evaluate the Plan-Do-Check-Act cycle. SOC 2 auditors assess control effectiveness. PCI DSS requires evidence of vulnerability remediation. Retesting documentation satisfies these requirements.

Why Retesting Matters

Without retesting, the VAPT process is incomplete. Organisations invest in identifying and fixing vulnerabilities without ever confirming whether fixes work. This is equivalent to diagnosing a disease, taking medication, and never checking whether the patient recovered.

Retesting also provides the satisfaction of closing the loop: confirmed evidence that your security investment produced measurable improvement.

What Drives Timeline Variation

Scope complexity. More applications, APIs, and infrastructure segments require more testing time. A single web application takes less time than an enterprise environment with ten applications, multiple APIs, cloud infrastructure, and internal networks.

Testing depth. White box testing with source code review takes longer than black box testing. Deeper manual testing adds time but produces higher-value findings.

Compliance requirements. Multi-framework compliance mapping adds reporting time. Engagements requiring PCI DSS, SOC 2, and ISO 27001 mapping simultaneously take longer to report than single-framework assessments.

Environment accessibility. Testing environments that require VPN access, scheduled availability windows, or complex authentication add coordination time.

Continuous VAPT: Beyond Point-in-Time Process

The traditional VAPT process described above produces a point-in-time snapshot. Between assessments, new vulnerabilities can be introduced with every code deployment, infrastructure change, or configuration modification.

Continuous penetration testing extends the VAPT process from periodic assessment to ongoing validation. Continuous VAPT identifies vulnerabilities as they're introduced rather than discovering them months later during annual testing.

Pentesting as a service (PTaaS) provides flexible access to the VAPT process on demand, enabling testing when your environment changes rather than waiting for scheduled assessment cycles.

For enterprises managing multiple applications and complex environments, our VAPT for enterprises guide covers building programmatic VAPT across large-scale organisations.

For guidance on how often to run the VAPT process, see our detailed guide on how often to do penetration testing.

How AppSecure Executes the VAPT Process

AppSecure delivers every phase of the VAPT process through expert-led manual assessment producing zero false positives.

Thorough Scoping

AppSecure invests significant time understanding your environment, business context, and compliance requirements before testing begins. Scoping ensures testing covers what matters most and produces results aligned with your specific objectives.

Expert Manual Testing

Certified professionals (OSCP, GXPN, CREST) conduct hands-on testing at every phase. Vulnerability assessment receives manual validation eliminating false positives. Penetration testing involves genuine exploitation with proof-of-concept evidence. Analysis includes business impact assessment and compliance mapping.

Zero False Positives

Every finding is manually validated through exploitation. Your team receives results they can trust and act on immediately. Zero false positives means zero wasted remediation effort.

Comprehensive Coverage

The VAPT process covers web applications, APIs, mobile platforms, cloud infrastructure, and networks. Application security assessment provides end-to-end coverage through offensive security testing.

Multi-Framework Compliance Mapping

Reports map findings to PCI DSS, SOC 2, ISO 27001, HIPAA, MAS TRM, PDPA, RBI guidelines, DPDP Act, and GDPR. One VAPT engagement, one report, multiple compliance frameworks addressed.

3-Week Delivery

Standard VAPT engagements complete the active testing process within three weeks from scoping to report delivery.

90-Day Remediation Support and Complimentary Retesting

Post-delivery support includes findings debrief, developer Q&A, fix review, and complimentary retesting validating that every vulnerability is properly resolved. The complete VAPT process from identification through verified remediation.

Flexible Delivery Models

Point-in-time VAPT for annual compliance, continuous penetration testing for ongoing validation, and PTaaS for flexible access. Red teaming provides adversary simulation beyond standard VAPT scope.

Ready for VAPT executed with the depth and rigour your security requires?

Contact AppSecure.

Frequently Asked Questions

1. What is the VAPT process?

The VAPT process is the structured methodology for conducting Vulnerability Assessment and Penetration Testing. It consists of eight phases: scoping and planning (defining what to test), reconnaissance (mapping the target environment), vulnerability assessment (identifying weaknesses through scanning and manual review), penetration testing (exploiting validated vulnerabilities proving real risk), analysis and impact assessment (determining business consequences), reporting (documenting findings with evidence and remediation guidance), remediation support (helping teams fix issues), and retesting (validating fixes are effective). Each phase produces specific deliverables feeding into the next stage.

2. How long does the VAPT process take?

The active testing phases of the VAPT process typically take two to three weeks for standard engagements. Scoping takes two to three days. Reconnaissance and vulnerability assessment take four to six days. Penetration testing takes five to seven days. Analysis and reporting take three to five days. Remediation support extends 30 to 90 days after report delivery. Retesting requires two to three additional days after fixes are implemented. Complex environments with multiple applications and compliance requirements may require longer.

3. What is the difference between VAPT process phases and a vulnerability scan?

A vulnerability scan executes only one step: automated scanning against known vulnerability databases. The VAPT process includes scanning as a component within Phase 3 but adds seven additional phases: scoping, reconnaissance, manual penetration testing, impact analysis, compliance-mapped reporting, remediation support, and retesting. The scanning phase alone cannot validate exploitability, chain vulnerabilities into attack paths, test business logic, provide compliance mapping, or confirm remediation effectiveness. The complete VAPT process delivers all of these.

4. What should organisations prepare before the VAPT process begins?

Prepare target system inventory (IP ranges, domains, application URLs), testing credentials if grey box approach is selected, architecture documentation if available, compliance requirements the report must address, internal contacts available during testing, testing windows and blackout periods, and previous VAPT reports for year-over-year comparison. Do not temporarily harden systems before testing since the goal is assessing actual security posture.

5. What deliverables does each VAPT process phase produce?

Phase 1 produces a signed scope document. Phase 2 produces a target profile documenting the complete attack surface. Phase 3 produces a validated vulnerability inventory with false positives removed. Phase 4 produces exploitation evidence for every validated finding. Phase 5 produces prioritised findings with business impact and compliance mapping. Phase 6 produces the comprehensive VAPT report. Phase 7 provides ongoing remediation assistance. Phase 8 produces a retesting report confirming remediation status for every finding.

6. How does the VAPT process differ for web applications vs networks vs cloud?

The eight-phase structure remains consistent, but specific techniques vary by target. Web application VAPT emphasises OWASP Top 10 testing, business logic analysis, and authentication/authorisation validation. Network VAPT focuses on service exploitation, segmentation validation, and lateral movement. Cloud VAPT targets IAM misconfigurations, storage exposure, and cloud-native attack vectors. API VAPT covers authentication, authorisation (BOLA/BFLA), and injection vulnerabilities. The VAPT process adapts techniques to each target type while maintaining consistent methodology.

7. What makes the penetration testing phase different from vulnerability assessment?

Vulnerability assessment (Phase 3) identifies potential weaknesses through scanning and review. Penetration testing (Phase 4) actively exploits those weaknesses proving they're genuinely exploitable and demonstrating business impact. Assessment says "this might be vulnerable." Penetration testing says "here's proof it's exploitable, and here's what an attacker achieves." This distinction is why VAPT combining both delivers more value than either alone.

8. Can the VAPT process be conducted continuously?

Yes. Traditional VAPT follows the eight-phase process as a point-in-time engagement. Continuous VAPT extends this through ongoing testing identifying vulnerabilities as they're introduced. PTaaS (Pentesting as a Service) provides flexible access to the VAPT process on demand. The optimal approach combines continuous automated monitoring with periodic comprehensive manual VAPT for both breadth and depth.

9. How does compliance mapping work within the VAPT process?

Compliance mapping occurs during Phase 5 (Analysis) and Phase 6 (Reporting). Every finding is mapped to applicable compliance framework controls. An SQL injection maps to PCI DSS Requirement 6, SOC 2 CC6, ISO 27001 A.8.25, and similar controls in other frameworks. This mapping enables auditors to trace from VAPT findings directly to control effectiveness without interpretation. Multi-framework mapping from a single VAPT engagement satisfies overlapping compliance requirements efficiently.

10. Why is retesting important in the VAPT process?

Retesting (Phase 8) validates that remediation actually resolved identified vulnerabilities. Without retesting, organisations invest in fixing vulnerabilities without confirming whether fixes work. Retesting also catches regression issues where fixes introduce new vulnerabilities. For compliance, retesting demonstrates the Plan-Do-Check-Act cycle that ISO 27001, SOC 2, and PCI DSS auditors evaluate. VAPT without retesting is an incomplete process.

Vijaysimha Reddy

Vijaysimha Reddy is a Security Engineering Manager at AppSecure and a security researcher specializing in web application security and bug bounty hunting. He is recognized as a Top 10 Bug bounty hunter on Yelp, BigCommerce, Coda, and Zuora, having reported multiple critical vulnerabilities to leading tech companies. Vijay actively contributes to the security community through in-depth technical write-ups and research on API security and access control flaws.
