How to Read a VAPT Report: A CTO's Guide

You just received a 60-page VAPT report from your security vendor. It's full of CVE numbers, CVSS scores, and screenshots of Burp Suite. Your board meeting is in 3 days, and you need to present the security posture of your application.
Sound familiar? You're not alone. Having worked with dozens of Indian startups and enterprises, I've seen this scenario play out repeatedly. This guide will teach you how to read a VAPT report like a pro — even if you're not a security engineer.
Understanding the Report Structure
Every professional VAPT report follows a standard structure. Here's what to expect:
```mermaid
flowchart TD
A[VAPT Report] --> B[Executive Summary]
A --> C[Scope & Methodology]
A --> D[Findings]
A --> E[Risk Matrix]
A --> F[Remediation Plan]
B --> B1[Risk Score]
B --> B2[Key Stats]
B --> B3[Business Impact]
D --> D1[Critical]
D --> D2[High]
D --> D3[Medium]
D --> D4[Low]
D --> D5[Informational]
F --> F1[Quick Wins]
F --> F2[Short Term]
F --> F3[Long Term]
```

1. Executive Summary — Start Here
The executive summary is your 2-minute briefing. It should tell you:
- Overall risk score (typically 0-100 or a letter grade)
- Total findings count broken down by severity
- Top 3-5 critical issues in plain English
- Business impact — what could actually happen if exploited
2. Scope & Methodology
This section tells you what was tested and how. Key things to verify:
| Element | What to Check | Why It Matters |
|---|---|---|
| Target URLs | Were all your subdomains included? | Missing scope = missing vulnerabilities |
| Test Type | Black-box, grey-box, or white-box? | Determines depth of testing |
| Authentication | Was authenticated testing done? | 70% of vulns are behind login |
| API Coverage | Were all API endpoints tested? | APIs are the #1 attack surface |
| Methodology | OWASP, PTES, NIST? | Ensures industry-standard testing |
| Duration | How many days of testing? | 1-day tests miss a lot |
3. The Findings Section — Where the Action Is
Each finding typically includes:
```text
Title: SQL Injection in User Search
Severity: Critical (CVSS 9.8)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Location: GET /api/v1/users?search=
Description: The search parameter is vulnerable to SQL injection...
Impact: Full database access, data exfiltration
Evidence: [Screenshots, request/response pairs]
Remediation: Use parameterized queries...
```

Understanding CVSS Scores
CVSS (Common Vulnerability Scoring System) is the industry standard for rating vulnerability severity. Here's the breakdown:
| Score Range | Severity | What It Means | Action Timeline |
|---|---|---|---|
| 9.0 - 10.0 | Critical | Immediate exploitation possible, full system compromise | Fix within 24-48 hours |
| 7.0 - 8.9 | High | Significant impact, exploitation likely | Fix within 1 week |
| 4.0 - 6.9 | Medium | Moderate impact, requires some conditions | Fix within 1 month |
| 0.1 - 3.9 | Low | Limited impact, difficult to exploit | Fix within 1 quarter |
| 0.0 | Informational | Best practice recommendations | Plan for next sprint |
Reading the CVSS Vector
The CVSS vector string looks cryptic but tells a story:
```text
# Example: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N = Attack Vector: Network (remotely exploitable)
AC:L = Attack Complexity: Low (easy to exploit)
PR:N = Privileges Required: None (no login needed)
UI:N = User Interaction: None (no clicking required)
S:U  = Scope: Unchanged (impact stays within the vulnerable component)
C:H  = Confidentiality Impact: High (data leaked)
I:H  = Integrity Impact: High (data modified)
A:H  = Availability Impact: High (service down)
```

The CTO's Prioritization Framework
Not all findings are created equal. Here's how I recommend CTOs prioritize:
```mermaid
quadrantChart
title Vulnerability Prioritization Matrix
x-axis Low Exploitability --> High Exploitability
y-axis Low Business Impact --> High Business Impact
quadrant-1 Fix Immediately
quadrant-2 Plan This Sprint
quadrant-3 Monitor
quadrant-4 Schedule Fix
SQL Injection: [0.9, 0.95]
Broken Auth: [0.85, 0.9]
XSS Stored: [0.7, 0.7]
Missing Headers: [0.3, 0.2]
Info Disclosure: [0.5, 0.4]
CORS Misconfig: [0.6, 0.6]
```

Priority 1: Data Breach Risk (Fix in 24-48 hours)
- SQL Injection
- Authentication Bypass
- IDOR (Insecure Direct Object References)
- Server-Side Request Forgery (SSRF)
Priority 2: Account Takeover Risk (Fix in 1 week)
- Stored XSS
- Broken Session Management
- Password Reset Flaws
- JWT Vulnerabilities
Priority 3: Configuration Issues (Fix in 1 month)
- Missing Security Headers
- CORS Misconfigurations
- Verbose Error Messages
- Directory Listing
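Before slotting a finding into one of the priority buckets above, check that the vendor's CVSS score actually follows from the vector printed next to it. The Python below is an added example, not code from the original post or from any vendor's tooling: it decodes a v3.1 base vector, recomputes the base score with the FIRST v3.1 formula and weights, and maps the result to the severity band and fix timeline from the CVSS table earlier in this guide.

```python
import math

# CVSS v3.1 base-metric weights, as published in the FIRST specification
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},      # scope unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.50},    # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Severity bands and fix timelines exactly as in the CVSS table above
BANDS = [(9.0, "Critical", "24-48 hours"), (7.0, "High", "1 week"),
         (4.0, "Medium", "1 month"), (0.1, "Low", "1 quarter"),
         (0.0, "Informational", "next sprint")]

def parse_vector(vector):
    """'AV:N/AC:L/...' (optionally prefixed 'CVSS:3.1/') -> dict of base metrics."""
    m = dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS:"))
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - m.keys()
    if missing:
        raise ValueError(f"vector is missing base metrics: {sorted(missing)}")
    return m

def round_up(x):
    """CVSS v3.1 'Roundup': one decimal, rounded up, without float artefacts."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def base_score(vector):
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR_C" if changed else "PR"][m["PR"]] * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return round_up(min(1.08 * (impact + expl) if changed else impact + expl, 10))

def triage(vector):
    """(score, severity, fix-by timeline) for a vector, using the bands above."""
    score = base_score(vector)
    severity, timeline = next((s, t) for floor, s, t in BANDS if score >= floor)
    return score, severity, timeline

def check_vendor_score(vector, claimed):
    """True if the score printed in the report matches what its vector yields."""
    return abs(base_score(vector) - claimed) < 0.05

if __name__ == "__main__":
    v = "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # the SQLi finding from the sample above
    print(triage(v), check_vendor_score(v, 9.8))
```

A recomputed score that does not match the one in the report is worth raising at the readout, since it usually means the vector or the severity was edited by hand.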
How to Present VAPT Results to Your Board
Your board doesn't care about CVE numbers. They care about:
- Can we get breached? — Yes/No, with probability
- What's the financial exposure? — In rupees
- Are we compliant? — DPDP Act, PCI-DSS, SOC 2
- What's the fix timeline? — With milestones
- What's the budget needed? — For remediation
Sample Board Presentation Slide
```text
Security Posture Summary — Q1 2026
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Risk Score: 72/100 (High Risk)
Critical Findings: 3
High Findings: 7
Compliance: DPDP Act — 60% aligned
Top Risk: SQL Injection in payment API
Business Impact: Potential ₹2-5 crore exposure
Fix Timeline: 2 weeks (in progress)
Budget Required: ₹3.5 lakh (one-time)
```

Common VAPT Report Red Flags
Watch out for these signs of a low-quality VAPT:
| Red Flag | What It Means |
|---|---|
| Only automated scan results | No manual testing was done |
| No proof-of-concept (PoC) | Findings may be false positives |
| Generic remediation advice | Vendor doesn't understand your stack |
| No business impact analysis | Just technical findings, no context |
| Single-day engagement | Complex apps need 5-10 days minimum |
| No retest included | How will you verify fixes? |
Action Plan Template
After reading your VAPT report, create an action plan:
Create a tracking spreadsheet or Jira board with these columns:
| Finding ID | Severity | Title | Owner | Deadline | Status |
|---|---|---|---|---|---|
| VAPT-001 | Critical | SQLi in /api/search | Backend Team | Mar 22 | In Progress |
| VAPT-002 | High | Broken auth tokens | Auth Team | Mar 25 | Assigned |
| VAPT-003 | Medium | Missing CSP header | DevOps | Apr 15 | Backlog |

- Always start with the Executive Summary — it's your 2-minute brief
- Focus on CVSS 9.0+ findings first — these are active breach risks
- Map findings to business impact — boards understand rupees, not CVE numbers
- Demand authenticated testing — unauthenticated-only VAPTs miss 70% of issues
- Budget for retesting — a VAPT without retest verification is incomplete
- Use your VAPT report as DPDP Act compliance evidence
- If your vendor can't explain findings in plain English, find a better vendor
Need a VAPT assessment that's actually readable? Try Bachao.AI's automated scan — we generate reports designed for CTOs, not just security engineers.