Penetration testing is an authorised, simulated cyberattack against a computer system, network, or application — performed to evaluate security and surface exploitable vulnerabilities before a real attacker does. It differs from a vulnerability scan: a scan identifies potential issues automatically; a pentest validates them through exploitation, in the context of business impact and chained attack paths. The combined methodology — scan + validate + chain + report — is what CERT-In and most Indian audit frameworks call VAPT (Vulnerability Assessment and Penetration Testing).
A proper pentest covers the full attack surface: web applications (OWASP Top 10), APIs (OWASP API Top 10), infrastructure (CVE-based scanning, exposed services, misconfigurations), SSL/TLS, DNS, subdomain enumeration, and business logic. Modern pentesting platforms (Bachao.AI included) use AI agents to orchestrate scanning + validation + triage, dropping false positives below 3% and shortening total wall-clock time from weeks to hours.
The seven-phase pentesting methodology
Industry-standard pentesting follows seven phases: scoping, reconnaissance, scanning, exploit validation, triage with CVSS scoring and compliance mapping, reporting, and re-test. Each phase has specific deliverables and feeds the next: scoping fixes what may be touched and how, reconnaissance and scanning produce candidate issues, validation proves which ones are exploitable, triage ranks them, and the re-test confirms the fixes closed them. Bachao.AI's AI agent runs all seven autonomously, with human-in-the-loop checkpoints at scoping and report sign-off.
OWASP Top 10 — the canonical web security taxonomy
The OWASP Top 10 (2021 edition) is the most-cited web application security taxonomy globally. Every pentest report should map findings to the relevant OWASP Top 10 category. The 2021 list:
A01 Broken Access Control — the most prevalent class; typical findings are IDOR, role escalation and missing function-level access checks
A02 Cryptographic Failures — weak, missing or misused encryption of data in transit or at rest
A03 Injection — SQL, NoSQL, OS command and LDAP injection; cross-site scripting is folded into this category in the 2021 edition
A04 Insecure Design — flaws in the design itself that no implementation fix can close
A05 Security Misconfiguration — default credentials, verbose error pages, open cloud storage, unnecessary features left enabled
A06 Vulnerable and Outdated Components — unpatched libraries, frameworks and runtimes
A07 Identification and Authentication Failures — credential stuffing, weak passwords, broken session management
A08 Software and Data Integrity Failures — unsigned updates, insecure deserialisation, untrusted CI/CD pipelines
A09 Security Logging and Monitoring Failures — breaches that go undetected because the telemetry is missing
A10 Server-Side Request Forgery (SSRF) — the server makes requests on the attacker's behalf
OWASP API Top 10 — for SaaS and API-first products
If your product surface is API-first (most modern SaaS), the OWASP API Top 10 is more relevant than the web Top 10. The 2023 list covers: API1 Broken Object Level Authorization (BOLA / IDOR), API2 Broken Authentication, API3 Broken Object Property Level Authorization, API4 Unrestricted Resource Consumption (rate-limit + cost-based DoS), API5 Broken Function Level Authorization, API6 Unrestricted Access to Sensitive Business Flows, API7 Server-Side Request Forgery, API8 Security Misconfiguration, API9 Improper Inventory Management (zombie APIs, undocumented endpoints), API10 Unsafe Consumption of APIs. Bachao.AI's VAPT covers both lists in a single engagement.
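API1 (BOLA) is the item on that list that a scanner cannot find by signature, because the endpoint behaves identically for the owner and for an attacker; it has to be probed with two identities. The following is an added example, not Bachao.AI's code and not the page's: a tiny in-memory invoice store with one handler that trusts the object id in the request and one that enforces ownership, plus the probe a tester would run against both. All names (`Invoice`, `get_invoice_vulnerable`, `bola_probe`) and the sample data are hypothetical.

```python
"""Added example (not Bachao.AI code): OWASP API1 Broken Object Level
Authorization (BOLA / IDOR), shown as a vulnerable handler, a fixed
handler, and the two-identity probe that distinguishes them."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two tenants (owner 7 and owner 8), one invoice each.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=1200.0),
    1002: Invoice(1002, owner_id=8, amount=98000.0),
}


def get_invoice_vulnerable(caller_id: int, invoice_id: int):
    """BOLA: the caller is authenticated (we know caller_id) but ownership is
    never checked, so any user can read any invoice by guessing the id."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_fixed(caller_id: int, invoice_id: int):
    """Object-level authorization enforced server-side on every access.
    Foreign objects return 404 rather than 403 so the id space does not
    leak which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller_id:
        return 404, None
    return 200, inv


def bola_probe(handler, caller_id: int, ids):
    """Pentest-style probe: walk a range of ids as one authenticated user and
    collect every object that came back but belongs to someone else.
    A non-empty list is an API1 finding against `handler`."""
    leaked = []
    for invoice_id in ids:
        status, inv = handler(caller_id, invoice_id)
        if status == 200 and inv.owner_id != caller_id:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    # As user 7, enumerate ids 1000-1009 against both handlers.
    print("vulnerable handler leaks:", bola_probe(get_invoice_vulnerable, 7, range(1000, 1010)))
    print("fixed handler leaks:", bola_probe(get_invoice_fixed, 7, range(1000, 1010)))
```

The probe is the reusable part: run it with two real accounts against every object-bearing endpoint in scope, and treat any cross-tenant 200 as a validated finding rather than a scanner guess.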
CVSS v3.1 — how findings are scored
Every pentest finding should carry a CVSS v3.1 base score. CVSS produces a 0.0-10.0 score from exploitability metrics (attack vector, attack complexity, privileges required, user interaction), a scope metric (whether the exploit crosses a security boundary), and impact metrics (confidentiality, integrity, availability). Severity bands: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical. CVSS is the industry standard, used by NVD, MITRE, and every major vulnerability database; v4.0 was published in November 2023, but v3.1 is still what most scanners, NVD entries and audit frameworks reference. Bachao.AI scores every validated finding and shows the full CVSS vector string for transparency, so a reviewer can recompute the number rather than take it on trust.
2026 CVE landscape — what changed
More than 40,000 CVEs were published in 2024, up from about 29,000 in 2023, and 2025 set another record. The trend is driven by faster automated disclosure pipelines, broader scope (cloud-native components, AI/ML libraries, MCP servers, RAG infrastructure), and continued growth in supply-chain vulnerability disclosure. For engineering teams this means that a long scan-to-remediation lag hurts more in 2026 than ever. Continuous scanning plus scheduled VAPT cycles is the modern baseline.
Notable 2025-2026 trends: AI/ML supply-chain CVEs increasing fast (model artifact poisoning, ML pipeline compromise), MCP server vulnerabilities emerging as a new category, and indirect prompt injection treated as a CVE-class issue for agentic systems. Bachao.AI's scan library is updated weekly to track the new disclosure cadence.
Automated vs manual pentesting — when to use each
Automated AI-orchestrated pentesting covers 80-90% of typical engagements: web apps, APIs, infrastructure, OWASP Top 10 / API Top 10, business-logic checks, SSL/TLS, DNS, subdomain enumeration. False positive rate under 3% with proper validation. Wall-clock time: under 2 hours for the first-pass scan, 5-10 days for a full engagement including remediation guidance and re-test.
Manual human-led pentesting is still required for: adversary-emulation engagements (Red Team, breach-and-attack simulation, persistent multi-stage attacks), high-stakes financial-system reviews requiring deep manual reasoning, hardware / IoT / OT engagements requiring physical access, and bespoke threat-modelling exercises. Most Indian SMBs and SaaS startups need automated testing for routine VAPT cycles plus manual engagements for specific high-stakes work (for example pre-Series B diligence or post-incident forensics).
Compliance frameworks that require pentesting
Pentesting is an explicit or implicit requirement across most regulatory and audit frameworks Indian SaaS and fintech encounter:
DPDP Act 2023 Section 8(5) — the data fiduciary's duty to apply reasonable security safeguards; no frequency is stated, and an annual VAPT is the commonly assumed minimum
RBI IT Framework — annual VAPT for NBFCs, banks, payment aggregators
SEBI CSCRF — cyber capability assessment for market intermediaries
SOC 2 CC7 — penetration testing as the vulnerability identification control
ISO 27001:2022 Annex A.8.8 (A.12.6.1 in the 2013 edition) — management of technical vulnerabilities, with a testing cadence set by the risk assessment
PCI DSS v4.0 Requirement 11.4 — annual external and internal penetration testing of the cardholder data environment, and after any significant change (11.3 covers the quarterly vulnerability scans)
Top CVEs and Vulnerability Trends India 2026
Five high-impact CVEs from 2024-2025 that continue to affect Indian SMBs in 2026 — and how Bachao.AI's VAPT detects each one.
**CVE-2024-6387 — OpenSSH regreSSHion (CVSS 8.1 / High)**
A race condition in OpenSSH's SIGALRM signal handler, a regression of the 2006 bug CVE-2006-5051, allows unauthenticated remote code execution on glibc-based Linux servers. Upstream, versions 8.5p1 up to but not including 9.8p1 are affected, as are releases older than 4.4p1 that never received the 2006 fix; 4.4p1 through 8.4p1 are not. Indian SMBs running unpatched Ubuntu, Debian, or RHEL servers with SSH exposed to the internet are directly in scope, which describes a large share of cloud-hosted Indian SaaS infrastructure. Bachao.AI's network VAPT scans the SSH version banner, probes for the affected signal-handler path, and flags in-range instances as High (CVSS 8.1). One caveat any banner-based check must carry: distributions backport the fix without changing the upstream version in the banner, so a 9.6p1 banner on a patched Ubuntu host is a false positive until the package version is checked.
**CVE-2024-3400 — Palo Alto PAN-OS Command Injection (CVSS 10.0 / Critical)**
Unauthenticated command injection in the GlobalProtect feature of PAN-OS (10.2, 11.0 and 11.1 with a GlobalProtect gateway or portal configured), reachable by a crafted request to the GlobalProtect interface itself rather than the management plane, giving root-level remote code execution on the firewall. It was exploited in the wild before a patch was available, a true zero-day window. India has one of the larger installed bases of PAN-OS firewalls among mid-market enterprises. Bachao.AI's external scan fingerprints PAN-OS version strings on internet-facing interfaces (the GlobalProtect portal or gateway is the one that matters here) and checks for the specific URI path that triggers the vulnerability.
**CVE-2024-21887 — Ivanti Connect Secure Command Injection (CVSS 9.1 / Critical)**
Chained with CVE-2023-46805 (an authentication bypass in the web component, CVSS 8.2), this command injection in Ivanti Connect Secure and Policy Secure gave full unauthenticated RCE on the appliance. Indian IT services companies and BPOs using Ivanti VPN concentrators were targeted in coordinated campaigns. Bachao.AI's VAPT tests both the auth bypass and the downstream injection endpoint and reports them as one chained critical finding rather than two isolated issues, which matches how attackers actually exploit it.
**CVE-2025-21298 — Windows OLE Remote Code Execution (CVSS 9.8 / Critical)**
A zero-click vulnerability in Windows Object Linking and Embedding (OLE), fixed in the January 2025 Patch Tuesday release. A malicious .rtf file delivered by email can trigger it when Outlook renders the message in the Preview Pane, so the victim does not need to open an attachment. Indian enterprises with large Windows desktop estates and unpatched Outlook deployments are high-risk. Bachao.AI's internal network scan checks patch levels across discovered Windows hosts and flags any whose cumulative update predates the January 2025 release (KB5050009 on Windows 11 24H2; the KB number differs per Windows build and later cumulative updates supersede it, so the check is by OS build number rather than by a single KB), cross-referenced with domain-joined machines in scope.
**CVE-2024-4577 — PHP CGI Argument Injection (CVSS 9.8 / Critical)**
Argument injection in PHP running in CGI mode on Windows allows unauthenticated remote code execution. It works because, on Windows locales whose code page applies Best-Fit mapping (Chinese and Japanese locales by default), a soft hyphen (0xAD) in the query string is converted to a regular hyphen before it reaches php-cgi, turning URL parameters into command-line options. Fixed in PHP 8.3.8, 8.2.20 and 8.1.29; branches before 8.1 were end-of-life and received no fix. Indian shared hosting providers and legacy PHP applications running in CGI mode on Windows servers are directly affected. Bachao.AI's web VAPT probes PHP version endpoints, checks the CGI invocation mode via the PHP info disclosure tests, and validates whether the Best-Fit character-encoding path that enables the exploit is reachable.
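Both the OpenSSH and the PHP CVEs above are version-range issues, and both carry the same trap: a banner that is "in range" is a lead, not a finding, because distributions backport fixes without changing the version string. The block below is an added example, not Bachao.AI's scanner and not the page's code: it parses an OpenSSH identification banner and a PHP version string, compares them against the upstream affected ranges from the vendor advisories, and returns a verdict that keeps the backport caveat explicit. The function names and the sample banners are constructed for the example.

```python
"""Added example (not Bachao.AI code): banner-based version triage for
CVE-2024-6387 (OpenSSH regreSSHion) and CVE-2024-4577 (PHP CGI on Windows).
Verdicts distinguish 'upstream range says vulnerable' from 'confirmed'."""
import re

# CVE-2024-6387 upstream ranges (Qualys advisory): 8.5p1 <= v < 9.8p1 is
# affected; v < 4.4p1 is affected unless CVE-2006-5051 was backported;
# 4.4p1 <= v < 8.5p1 is NOT affected.
SSH_OLD_SAFE = (4, 4)
SSH_REGRESSED = (8, 5)
SSH_FIXED = (9, 8)

# CVE-2024-4577: fixed releases per branch. Branches below 8.1 were EOL and
# received no fix; 8.4 was released after the fix and is not affected.
PHP_FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}


def parse_openssh_banner(banner: str):
    """'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3' -> ((9, 6), 'Ubuntu-3ubuntu13.3')
    Returns None for non-OpenSSH banners (e.g. dropbear)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(\S.*))?", banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), (m.group(3) or "")


def check_regresshion(banner: str) -> str:
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "not-openssh"
    version, vendor_suffix = parsed
    if SSH_OLD_SAFE <= version < SSH_REGRESSED or version >= SSH_FIXED:
        return "not-affected"
    if vendor_suffix:
        # A distro-tagged banner: the upstream version does not move when the
        # fix is backported, so this needs the package version, not the banner.
        return "in-range:verify-distro-patch"
    return "in-range:likely-vulnerable"


def check_php_cgi(version: str, windows_cgi: bool) -> str:
    """`windows_cgi` is what the CGI-mode and OS fingerprinting established;
    the bug does not apply to Linux or to php-fpm/mod_php deployments."""
    if not windows_cgi:
        return "not-applicable"
    try:
        v = tuple(int(x) for x in version.split("."))
    except ValueError:
        return "unparsed"
    if len(v) != 3:
        return "unparsed"
    if v[:2] < (8, 1):
        return "vulnerable:eol-branch-no-fix"
    if v[:2] > (8, 3):
        return "not-affected"
    return "not-affected" if v >= PHP_FIXED[v[:2]] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for b in ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
              "SSH-2.0-OpenSSH_9.7p1", "SSH-2.0-OpenSSH_8.4p1",
              "SSH-2.0-OpenSSH_9.8p1", "SSH-2.0-dropbear_2022.83"]:
        print(f"{b!r:50} -> {check_regresshion(b)}")
    for ver in ["8.3.7", "8.3.8", "8.1.28", "8.0.30"]:
        print(f"PHP {ver} (Windows CGI) -> {check_php_cgi(ver, True)}")
```

The "verify-distro-patch" verdict is where the false-positive rate is decided: resolving it means reading the package version (`dpkg -l openssh-server`, `rpm -q openssh-server`) and comparing against the distribution's security advisory, which the banner alone can never tell you.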
Scan your web app for these vulnerabilities — free: bachao.ai/vapt
Why VAPT Cadence Matters in 2026
Running a single VAPT cycle is no longer sufficient. The current CVE disclosure rate (over 40,000 per year and rising) means your attack surface changes faster than an annual pentest cycle can track. Compliance frameworks have different minimum cadence requirements, and many Indian SMBs are unaware that some mandate quarterly testing.
Compliance cadence by framework:
**DPDP Act 2023 (India):** No explicit frequency is mandated; the 'reasonable security safeguards' duty in Section 8(5) is commonly read, in line with MeitY and CERT-In guidance, as requiring at least quarterly automated scanning plus an annual full VAPT. Data fiduciaries holding significant volumes of personal data should default to quarterly.
**RBI NBFC IT Framework:** Annually as a minimum for NBFCs, banks, and payment aggregators. RBI's IT Examination explicitly asks for the date of the last external penetration test and expects a finding-to-remediation cycle. Quarterly for high-risk systems handling payment data.
**ISO 27001:2022:** VAPT frequency is determined per risk assessment cycle — typically annual for standard environments. Annex A.8.8 (management of technical vulnerabilities) requires timely identification and remediation; for most implementations this translates to quarterly automated scanning.
**PCI DSS v4.0:** Quarterly external vulnerability scans by an Approved Scanning Vendor are mandatory for all merchants and service providers (Requirement 11.3.2), and quarterly internal scans are required for SAQ A-EP and higher (11.3.1). Penetration testing must follow a defined methodology (11.4.1) and run at least annually, internal (11.4.2) and external (11.4.3), and after any significant change. High-risk findings from scans must be remediated and re-scanned until a passing result is obtained, not left to age into the next quarter.
**SEBI CSCRF (Cybersecurity and Cyber Resilience Framework):** Annual cyber capability assessment for all SEBI-regulated market intermediaries — brokers, AMCs, depositories, registrars. The CSCRF specifically calls for vulnerability assessment and penetration testing as part of the annual security audit. High-frequency trading platforms and depositories should run additional quarterly assessments given their systemic risk designation.
The practical recommendation for most Indian SaaS, fintech, and e-commerce companies: continuous automated scanning (Bachao.AI's ASM + RASP runs this 24/7) plus a full VAPT at least quarterly. Annual VAPT alone can leave a new CVE like OpenSSH regreSSHion undetected on your perimeter for the better part of a year.
Get started with a real pentest
Click Book a free pentest, paste your target URL, and Bachao.AI's AI agent will scope the engagement within minutes. You receive the executive summary by email as soon as the scan completes — typically within 2 hours. From there, decide whether to upgrade to the full VAPT report with remediation guidance and CERT-In aligned compliance mapping. No subscription, no lock-in, no enterprise gating on baseline features.
Run a real pentest today
AI-orchestrated VAPT, under 2 hours to executive summary, CERT-In aligned full report when you are ready. Free first scan.