1. Know what you’re buying
A vulnerability assessment finds and rates known weaknesses (largely automated). A penetration test attempts to exploit them the way an attacker would (manual expertise). You usually want both — the "VA" for breadth, the "PT" for depth.
2. Scope by attack surface
- Web applications and APIs.
- Mobile applications.
- External and internal network / infrastructure.
- Cloud configuration.
- Thick-client, wireless, LLM-based and IoT systems where relevant.
3. Questions to ask a provider
- Is the testing manual or just an automated scan?
- Are the testers certified (OSCP, CREST, etc.), and is the provider CERT-In empanelled where that is required?
- Do you get a retest after fixes?
- What methodology (OWASP WSTG/ASVS) do you follow?
4. Judge the report
A good report gives clear reproduction steps, CVSS ratings, business impact and prioritised remediation — not just tool output. It should help developers fix issues, not just list them.
How CyberSigma helps
We deliver CERT-In empanelled VAPT across your whole attack surface, with senior testers, OWASP-aligned methodology, a detailed report and a free retest after fixes.
This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
