23 June 2026·9 min read·guides

How to Read a VAPT Report: Guide for Indian Founders and Boards

Learn how to read a VAPT report: interpret CVSS scores, severity ratings, and remediation steps so Indian founders and boards make confident security decisions.

Bachao.AI Research Team

Cybersecurity Research

Know your vulnerabilities before attackers do

Free scan · No credit card required

Get Your Free VAPT Scan

What this means for your business

Indian SMBs without documented security controls face 3× higher breach costs. This guide helps you close that gap.

Bachao.AI Research Team

Cybersecurity Research

AI-powered security research and threat intelligence from the Bachao.AI team. Covering the latest vulnerabilities, CVEs, and cybersecurity developments affecting Indian businesses.

Get cybersecurity insights for Indian SMBs

Weekly vulnerability alerts, DPDP compliance tips, and security guides. No spam — unsubscribe anytime.

We respect your privacy. Your email is never shared.

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.

Run a free VAPT scan and get your risk score in minutes — no credit card required.

Book Your Free Scan

A VAPT report (Vulnerability Assessment and Penetration Testing report) is a structured document that tells you what weaknesses exist in your systems, how severe they are, and what to do about them. For Indian founders and boards, reading one is not a technical exercise — it is a governance and risk decision. The executive summary gives you the headline risk score; the findings section lists each vulnerability with its CVSS severity rating; the remediation section tells your team how to fix each issue; and the retest section confirms fixes were applied. This guide walks you through every section so you can ask the right questions and make the right calls.

What Is Inside a VAPT Report

A professional VAPT report delivered by a security firm — including those working with a CERT-In empanelled partner — follows a consistent structure. Understanding each section helps you act faster and ask sharper questions.

Executive Summary

The first two pages are written for you, not your CTO. They capture:

Overall risk rating — typically a single score (Critical / High / Medium / Low) or a numerical CVSS aggregate.
Scope — what systems, URLs, IPs, or applications were tested.
Test window — the dates testing was conducted. A gap between report date and test date matters.
Key findings count — a breakdown of how many Critical, High, Medium, and Low issues were found.
Top risks in plain English — a few sentences describing the most dangerous issues without jargon.

If the executive summary is missing or is longer than two pages, ask for a rewrite. A board member should be able to read it in three minutes.

Risk Score and CVSS

Every finding is assigned a severity using the Common Vulnerability Scoring System (CVSS), the global standard maintained by FIRST (Forum of Incident Response and Security Teams) at first.org/cvss. CVSS v3.1 scores range from 0.0 to 10.0 and map to severity bands:

CVSS Score	Severity	What it typically means
9.0 – 10.0	Critical	Immediate exploitation likely; data breach or full takeover possible
7.0 – 8.9	High	Significant impact; exploitable with moderate skill or from internet
4.0 – 6.9	Medium	Exploitable under specific conditions; still needs a fix plan
0.1 – 3.9	Low	Limited direct impact; address in regular maintenance
0.0	Informational	Observation or best-practice note; no fix required

The CVSS score is calculated from factors like attack vector (can it be done over the internet?), complexity (does it require special conditions?), and impact (does it expose data, allow code execution, or crash the service?). You do not need to compute it yourself — but you should verify that your vendor is using CVSS v3.1 or later, not an older version that underestimates modern attack surfaces. NIST maintains the National Vulnerability Database at nvd.nist.gov where you can look up CVSS scores for known CVEs if your report references them.

The Findings Section

Each finding in a professional report contains:

Finding ID — a reference number for tracking.
Title — a short description (e.g., "SQL Injection on Login Endpoint").
Severity — Critical / High / Medium / Low / Informational.
CVSS Score — the numeric score with the vector string.
Description — what the vulnerability is.
Impact — what an attacker can do if they exploit it.
Evidence — screenshots, payloads, or request/response logs showing the issue is real.
Remediation — specific steps to fix it.
References — links to CVE entries, OWASP categories, or vendor advisories.

The evidence section is important. It distinguishes a penetration test (where the tester actually demonstrated the exploit) from a pure automated scan (where the tool flagged a potential issue). Ask your vendor whether each Critical or High finding was manually verified with a proof-of-concept.

Remediation and Retest

The remediation section is where the report becomes actionable. Each finding should have:

Fix guidance — specific code or configuration changes, not generic advice like "update your software."
Effort estimate — optional but useful for prioritization.
Retest confirmation — after your team applies fixes, a responsible vendor will retest to confirm closure.

A report without a retest provision is incomplete for governance purposes. CERT-In guidelines and board audit requirements typically expect evidence that vulnerabilities were actually remediated, not just acknowledged.

How to Interpret Severity for Business Decisions

The severity bands tell you urgency, not just technical impact. Here is how to translate them into business action:

graph TD
    A[Finding Identified in VAPT Report] --> B{What is the Severity?}
    B --> C[Critical or High]
    B --> D[Medium]
    B --> E[Low or Informational]
    C --> F{Is it internet-facing or affects customer data?}
    F --> G[YES - Fix within 24 to 72 hours]:::danger
    F --> H[NO - Fix within 1 week and monitor]:::danger
    D --> I{Does it chain with a Critical or High finding?}
    I --> J[YES - Escalate priority]:::danger
    I --> K[NO - Schedule in next sprint]:::normal
    E --> L[Add to maintenance backlog]:::normal
    G --> M[Retest and close ticket]:::success
    H --> M
    J --> M
    K --> M
    L --> M

    classDef danger fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    classDef normal fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    classDef success fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

🚨

DANGER

A Critical finding on an internet-facing endpoint — your login page, payment API, or file upload — means your customer data is exposed right now. Do not wait for a sprint cycle. Escalate to your CTO and ask for an emergency patch or temporary WAF rule within 24 hours.

⚠️

WARNING

Medium findings are the most commonly under-prioritized. In isolation they look manageable, but an attacker who chains three Medium findings — one information disclosure, one weak session token, one predictable password reset link — can build a full account takeover. Ask your security team to map chains explicitly.

Typical Finding Distribution

Real-world VAPT reports on Indian web applications tend to cluster findings in a characteristic pattern. The chart below reflects typical distributions seen across assessments of SME and startup applications:

pie title Typical VAPT Finding Distribution by Severity
    "Low" : 45
    "Medium" : 30
    "High" : 18
    "Critical" : 7

Growing shareof Indian organizations reported a significant cyberattack in the last two years (DSCI Cyber Security Landscape Report 2023)

68%of data breaches involved the human element including phishing and credential abuse (Verizon DBIR 2024)

277average days to identify and contain a data breach globally (IBM Cost of a Data Breach Report 2023)

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Questions to Ask Your Security Team

When your CTO or security lead presents the VAPT report to you, here are specific questions that reveal whether the situation is under control:

On scope:

Was the test black-box (no credentials), grey-box (limited credentials), or white-box (full access)? Grey-box tests of authenticated APIs reveal more business-logic bugs than unauthenticated scans.
Were all production systems in scope, or only a subset? What was excluded and why?

On Critical and High findings:

Has each Critical or High been manually verified with a working exploit, or is it from an automated scan?
What is the earliest a patch can be deployed for the top three findings?
Is there a temporary compensating control (WAF rule, IP allowlist, rate limit) that can reduce exposure while the fix is developed?

On evidence:

Can you show me the actual HTTP request and response that demonstrates this vulnerability?

On remediation:

Is the fix a one-line config change or a code rewrite?
Who owns each finding — frontend, backend, DevOps, or a third-party vendor?

On retest:

When is retest scheduled, and who signs off on closure?

What "False Positive" and "Accepted Risk" Mean

False Positive

A false positive is a finding that the scanner flagged but that does not actually exist in your system. Automated tools generate false positives regularly — a scanner might flag a login endpoint as vulnerable to SQL injection because the response time varied, when in reality your application uses parameterized queries throughout.

💡

TIP

When your team marks a finding as a false positive, ask them to document the evidence that proves it is false — not just their assertion. A code reference, a WAF log, or a manual test result showing the issue is not reproducible is the correct standard.

False positives inflate your finding count and can make a clean system look risky. A professional penetration tester manually eliminates false positives before delivering the report. If your vendor's report has more than 20% of findings marked as informational or false positive without evidence, push back.

Accepted Risk

An accepted risk is a real vulnerability that your organization has decided not to fix — typically because the cost or disruption of fixing it outweighs the likelihood and impact of exploitation. This is a legitimate business decision, but it must be documented formally.

Accepted risk documentation should include:

The finding ID and severity.
The business reason for accepting it.
The owner (name and role) who approved the decision.
A review date (typically 6 or 12 months).
Any compensating controls in place.

For DPDP Act compliance and board governance, undocumented accepted risks are a liability. If a breach later occurs through an accepted-risk finding, the absence of formal documentation signals negligence. Your DPDP compliance posture depends in part on demonstrating that risk decisions were made deliberately and reviewed periodically.

How VAPT Reports Support Governance

DPDP Act 2023 Compliance

India's Digital Personal Data Protection Act 2023 (governed by MeitY) places obligations on Data Fiduciaries to implement reasonable security safeguards to protect personal data. While the Act does not prescribe specific technical controls, regulators interpreting "reasonable security" will look for documented evidence of security testing and remediation. A dated VAPT report with a retest confirmation is exactly that evidence.

ℹ️

INFO

The DPDP Act 2023 penalties are significant and tiered by violation type (see MeitY guidance for the current penalty schedule). A VAPT report that shows you identified and fixed vulnerabilities before a breach is your strongest defense against a claim of negligence. Learn more about managing DPDP obligations on our DPDP compliance page.

CERT-In Compliance

CERT-In (the Indian Computer Emergency Response Team under MeitY) mandates that organizations in certain sectors report cyber incidents within six hours and maintain security audit records. For organizations seeking formal CERT-In empanelled VAPT, the audit must be conducted by a CERT-In empanelled security auditor. If your current vendor is not empanelled, ask them to deliver the assessment with a CERT-In empanelled partner to ensure the report meets regulatory requirements.

Board Reporting

A VAPT report presented to a board should surface three things:

Current risk posture — how many Critical and High findings were open at the time of the report.
Trend — are findings increasing or decreasing since the last assessment?
Remediation velocity — what percentage of findings from prior assessments were closed before this one?

Boards do not need to read every finding. They need the executive summary, the trend, and a signed confirmation from the CISO or CTO that Critical and High findings have a remediation plan with dates. That confirmation, filed in board minutes, is meaningful governance evidence.

🎯Key Takeaway

A VAPT report is not a technical document you hand to your CTO and forget. It is a risk register that requires your sign-off on priorities, your approval of accepted risks, and your evidence of remediation for regulators and investors. The two numbers that matter most are: how many Critical and High findings exist today, and when will they be fixed.

Running Your First VAPT

If your organization has not yet conducted a formal VAPT assessment, the first step is a baseline scan to understand your current exposure. Bachao.AI, built by Dhisattva AI Pvt Ltd, provides a free VAPT scan that gives you an initial risk score and findings summary — useful as a starting point before commissioning a full assessment with a CERT-In empanelled partner.

Browse the Bachao.AI blog for more guidance on security testing, DPDP compliance, and incident response for Indian businesses.

Frequently Asked Questions

How often should an Indian startup get a VAPT done?

At minimum, annually — and after any major infrastructure change, new product launch, or significant code release. If you handle financial data, healthcare records, or personal data at scale, quarterly or semi-annual testing is prudent and increasingly expected by enterprise customers and regulators.

What is the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment is a systematic scan that identifies known weaknesses. A penetration test goes further — a tester manually attempts to exploit those weaknesses to demonstrate real impact. A full VAPT combines both: automated scanning for breadth, manual exploitation for depth. Reports that only contain automated scan output are less reliable for board governance.

Our developer says all VAPT findings are false positives. Is that normal?

Some false positives are normal in automated scans, but if your developer is marking every finding as a false positive without evidence, that is a red flag. Ask for specific technical justification for each dismissal — a code reference or a manual test result showing the issue is not reproducible. A professional penetration tester should have already eliminated obvious false positives before delivering the report.

Does a VAPT report help with DPDP Act compliance?

Yes. While the DPDP Act 2023 does not mandate VAPT specifically, it requires Data Fiduciaries to implement reasonable security safeguards. A dated VAPT report with documented remediation is strong evidence of due diligence. It is particularly important if a breach investigation later scrutinizes whether you took security seriously.

What should a board resolution say about VAPT findings?

The resolution should record: (1) the date and scope of the assessment, (2) the number of Critical and High findings at the time of the report, (3) the board's directive to remediate Critical and High findings by a specific date, and (4) the name and role of the accountable executive. This creates a governance paper trail that demonstrates the board exercised oversight.

What is a retest and why does it matter?

A retest is a follow-up check by the same security vendor to confirm that fixes your team applied actually close the reported vulnerabilities. Without a retest, you have only your developer's word that an issue is resolved. For CERT-In compliance and investor due diligence, a retest confirmation letter from the vendor is the standard of proof that a finding is closed.