With the Digital Personal Data Protection (DPDP) Act, 2023 now in effect in India, and SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) mandating regular security audits, organizations are under increasing pressure to strengthen their cybersecurity posture. Vulnerability Assessment and Penetration Testing (VAPT) has therefore become a critical compliance requirement rather than an optional security measure.

However, most organizations enter such engagements without a clear understanding of the time required or how to prepare. This blog breaks down the overall penetration testing process and vulnerability assessment lifecycle so that teams can plan, budget, and execute with confidence.

Vulnerability Assessment vs. Penetration Testing: What’s the Difference?

These terms often get used interchangeably, but the penetration testing methodology differs significantly from a vulnerability assessment in cyber security. Here’s a quick comparison:

| Aspect | Vulnerability Assessment | Penetration Testing |
|---|---|---|
| Objective | Identify and classify security weaknesses across systems | Actively exploit vulnerabilities to prove real-world business impact |
| Approach | Automated scanning + manual validation | Manual exploitation using attacker techniques (MITRE ATT&CK) |
| Depth | Broad coverage, surface-level identification | Deep-dive exploitation with privilege escalation |
| Frequency | Quarterly for continuous monitoring | Annual or bi-annual for risk validation |
| Cost Range | ₹2 to ₹10 lakhs for mid-sized environments | ₹8 to ₹25 lakhs for comprehensive testing |
| Compliance Fit | DPDP Act Section 8, SEBI CSCRF | ISO 27001, PCI DSS Requirement 11.3 |

Vulnerability assessment is a security health checkup, while penetration testing is the stress test that shows whether defences hold up.

7 Penetration Testing Steps: What Happens and When

A professional penetration testing process follows a structured methodology. Here’s what each phase looks like and how long it typically takes:

| Phase | What Happens | Key Activities | Duration |
|---|---|---|---|
| 1 | Pre-Engagement & Scoping | NDAs signed, IP ranges confirmed, testing windows agreed, success criteria defined | 3–5 days |
| 2 | Reconnaissance | OSINT gathering, network scanning, subdomain discovery, attack surface mapping | 2–4 days |
| 3 | Vulnerability Scanning | Automated scans (Nessus, Qualys), manual validation, false positive elimination | 3–5 days |
| 4 | Exploitation | Active breach attempts, password attacks, exploiting misconfigurations and unpatched software | 5–10 days |
| 5 | Post-Exploitation | Privilege escalation, lateral movement, data access simulation, compliance violation testing | 2–4 days |
| 6 | Reporting | Executive summary, technical findings with CVSS scores, remediation roadmap | 5–7 days |
| 7 | Remediation Validation | Re-testing critical findings, regression checks, final sign-off | 2–3 days |

Total timeline: Expect 3–6 weeks for a comprehensive penetration testing engagement covering infrastructure and applications.

What Does a Vulnerability Assessment Test Include?

A comprehensive vulnerability assessment in cyber security covers four main areas:

  1. Network Infrastructure: Unpatched systems, misconfigured firewalls, open ports, and vulnerabilities in wireless networks.  
  2. Applications: SQL injection, cross-site scripting, API vulnerabilities, and authentication bypass in web and mobile applications.  
  3. Configuration & Compliance: CIS Benchmark gaps, default credentials, and control gaps against DPDP Act or SEBI CSCRF requirements.
  4. Cloud & SaaS: Open S3 buckets, unrestricted IAM roles, and container security issues across AWS, Azure, or GCP.

Recommended practice is to cover 100 percent of internet-facing assets and at least 25 to 30 percent of internal systems, expanding internal coverage as the programme matures.

Five Types of Vulnerability Assessment

Not all assessments are the same. You might require one or all of these depending on your environment:

  1. Network-based Assessment: Routers, switches, firewalls, and VPNs. Suitable for external perimeter security validation.  
  2. Host-based Assessment: Single servers and workstations, verifying OS vulnerabilities and installed software.  
  3. Application Assessment: Web applications, mobile applications, and APIs tested against the OWASP Top 10 and more.
  4. Database Assessment: Oracle, SQL Server, MongoDB, particularly where personal data covered by the DPDP Act is stored.
  5. Cloud Configuration Assessment: Continuous monitoring of AWS, Azure, and GCP infrastructure to identify misconfigurations.

Mature security programmes combine all five in a single vulnerability management platform to centralise risk prioritisation.

Who Needs What? Testing by Business Model

Testing priorities vary depending on where the infrastructure is hosted and the specific security responsibilities assigned to the organization. A SaaS company faces very different risks than a manufacturer running on-premises servers.  

Here’s how vulnerability assessment and penetration testing requirements break down:

| Business Model | Priority Testing Areas | Key Risks | Recommended Focus |
|---|---|---|---|
| SaaS Companies | Application-layer pen testing, API security, multi-tenant isolation, authentication & access controls | Customer data exposure across tenants, API abuse, session hijacking, OWASP Top 10 vulnerabilities | Quarterly app-level VA + bi-annual pen test on APIs and tenant boundaries. DPDP Act compliance critical for customer PII. |
| PaaS Providers | Platform runtime security, container and orchestration testing, CI/CD pipeline security, dependency scanning | Supply chain attacks, container breakout, insecure deployment pipelines, shared resource exploitation | Continuous container VA + annual infrastructure pen test. Focus on Kubernetes security and image scanning. |
| IaaS Providers | Hypervisor security, network segmentation, IAM policy review, storage access controls, cloud configuration assessment | VM escape, cross-tenant network access, misconfigured security groups, exposed storage buckets | Continuous cloud config VA + quarterly network pen test. CIS Benchmarks for AWS/Azure/GCP are essential. |
| Traditional / On-Premises | Network infrastructure pen testing, host-based VA, physical security testing, Active Directory assessment, database security | Unpatched legacy systems, flat network architecture, weak AD configurations, insider threats, outdated firmware | Monthly network VA + annual full-scope pen test including AD attack paths. Legacy system patching is typically the biggest gap. |

The shared responsibility model matters here. In SaaS, most of the infrastructure security is handled by the provider, but application logic, access controls and data handling remain the customer’s responsibility. In IaaS, the customer owns nearly everything above the hypervisor. Traditional on-premises companies own the entire stack.

In every case, anyone processing the personal data of an individual under the DPDP Act retains the compliance obligation; it does not pass to the cloud provider. The scope of penetration testing should therefore follow the degree of control and accountability the organization has over the data it holds.

The Connection to DPDP Act Compliance 

Section 8 of the DPDP Act stipulates that personal data must be protected with reasonable security safeguards. The DPDP Rules 2025 further specify that Significant Data Fiduciaries are obliged to perform annual security audits. Vulnerability assessment and penetration testing form the basis of meeting this compliance requirement.

Penetration testing findings need to feed directly into Data Protection Impact Assessments (DPIAs), which help quantify breach risk, validate security controls, and demonstrate proactive risk management to the Data Protection Board.

Conclusion

An effective VAPT programme is a core component of any sound cybersecurity posture. From a compliance standpoint, statutory audits mandate that Vulnerability Assessment and Penetration Testing reports be issued exclusively by CERT-In empanelled auditors. When the assessment is completed, organisations need to undertake a systematic review of all identified observations, prioritize remediation based on the assigned risk ratings, and address vulnerabilities in a time-bound manner. Where remediation is not possible for operational or business reasons, sufficient compensating controls should be in place to reduce residual risk to an acceptable level.

A post-remediation re-scan is an indispensable part of this process and provides documented proof that all identified vulnerabilities have been duly addressed. Although VAPT is technical in nature, organisational leaders do not need deep technical knowledge to manage it effectively. What is needed is a clear understanding of the process, ownership at every step, and a view of cybersecurity as a continuous governance requirement rather than a periodic compliance exercise.

Why Choose Ascentium?

Ascentium’s Cybersecurity Assessment Services combine deep regulatory expertise across 8+ Asia-Pacific jurisdictions with practitioner-led penetration testing methodologies. Our OSCP/CREST-certified team delivers audit-grade vulnerability assessments and penetration testing that satisfy DPDP Act, SEBI CSCRF, and ISO 27001 requirements. To learn more about our services, you can write to us at info@incorpadvisory.in or reach out to us at (+91) 77380 66622. 

Authored by:
Narasimhan Elangovan | Cybersecurity