Newsletter · Edition #10 · VAPT · 3 min read

VAPT vs a real attacker: where reports fall short

A clean pentest report is not the same as being hard to breach.

A vulnerability report is a snapshot of a scoped moment. An attacker doesn’t respect your scope, your timebox, or your change freeze. The gap between the two is where real incidents live.

Scope is the tell

If the test covered three apps but your attack surface is thirty, the report tells you about three. Chained, low-severity issues — the bread and butter of real intrusions — often get downplayed individually when together they’re a clear path in.

Retest, don’t shelve

The value of VAPT is in what you fix, then re-verify. A finding marked “remediated” without a retest is a hope, not a control. Insist on the retest — reputable providers include it.

The bottom line

Judge a pentest by realistic scope and whether fixes were re-verified — not by how few findings it lists.
