Newsletter · Edition #10 · VAPT · 3 min read
VAPT vs a real attacker: where reports fall short
A clean pentest report is not the same as being hard to breach.
A vulnerability report is a snapshot of a scoped moment. An attacker doesn’t respect your scope, your timebox, or your change freeze. The gap between the two is where real incidents live.
Scope is the tell
If the test covered three apps but your attack surface is thirty, the report tells you about three. Chained, low-severity issues — the bread and butter of real intrusions — often get downplayed individually when together they’re a clear path in.
Retest, don’t shelve
The value of VAPT is in what you fix, then re-verify. A finding marked “remediated” without a retest is a hope, not a control. Insist on the retest — reputable providers include it.
The bottom line
Judge a pentest by realistic scope and whether fixes were re-verified — not by how few findings it lists.
Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.
