Penetration testing is an authorised, simulated cyberattack against a computer system, network, or application — performed to evaluate security and surface exploitable vulnerabilities before a real attacker does. It differs from a vulnerability scan: a scan identifies potential issues automatically; a pentest validates them through exploitation, in the context of business impact and chained attack paths. The combined methodology — scan + validate + chain + report — is what CERT-In and most Indian audit frameworks call VAPT (Vulnerability Assessment and Penetration Testing).
A proper pentest covers the full attack surface: web applications (OWASP Top 10), APIs (OWASP API Top 10), infrastructure (CVE-based scanning, exposed services, misconfigurations), SSL/TLS, DNS, subdomain enumeration, and business logic. Modern pentesting platforms (Bachao.AI included) use AI agents to orchestrate scanning + validation + triage, dropping false positives below 3% and shortening total wall-clock time from weeks to hours.
The seven-phase pentesting methodology
Industry-standard pentesting follows seven phases: scoping, reconnaissance, scanning, exploit validation, triage with CVSS + compliance mapping, reporting, and re-test. Each phase has specific deliverables and feeds the next. The HowTo schema on this page documents the full flow for AEO citation. Bachao.AI's AI agent runs all seven autonomously, with human-in-the-loop checkpoints at scoping and report sign-off.
OWASP Top 10 — the canonical web security taxonomy
The OWASP Top 10 (2021 edition, still current) is the most-cited web application security taxonomy globally. Every pentest report should map findings to the relevant OWASP Top 10 category. The 2021 list:
A01 Broken Access Control — the most prevalent class; typical instances are IDOR, role escalation, and missing function-level access control
A10 Server-Side Request Forgery (SSRF) — server makes requests on attacker's behalf
OWASP API Top 10 — for SaaS and API-first products
If your product surface is API-first (most modern SaaS), the OWASP API Top 10 is more relevant than the web Top 10. The 2023 list covers: API1 Broken Object Level Authorization (BOLA / IDOR), API2 Broken Authentication, API3 Broken Object Property Level Authorization, API4 Unrestricted Resource Consumption (rate-limit + cost-based DoS), API5 Broken Function Level Authorization, API6 Unrestricted Access to Sensitive Business Flows, API7 Server-Side Request Forgery, API8 Security Misconfiguration, API9 Improper Inventory Management (zombie APIs, undocumented endpoints), API10 Unsafe Consumption of APIs. Bachao.AI's VAPT covers both lists in a single engagement.
CVSS v3.1 — how findings are scored
Every pentest finding should carry a CVSS v3.1 base score. CVSS produces a 0.0-10.0 score from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability). Severity bands: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical. CVSS is the industry standard, used by NVD, MITRE, and every major vulnerability database. Bachao.AI scores every validated finding and shows the full CVSS vector string for transparency.
2026 CVE landscape — what changed
Over 28,000 CVEs were published in 2025 — a record year, up from ~25,000 in 2024 and ~20,000 in 2023. The trend is driven by faster automated disclosure pipelines, broader scope (cloud-native components, AI/ML libraries, MCP servers, RAG infrastructure), and continued growth in supply-chain vulnerability disclosure. For engineering teams this means that long scan-to-remediation lag windows hurt more in 2026 than ever. Continuous scanning plus scheduled VAPT cycles are the modern baseline.
Notable 2025-2026 trends: AI/ML supply-chain CVEs increasing fast (model artifact poisoning, ML pipeline compromise), MCP server vulnerabilities emerging as a new category, and indirect prompt injection treated as a CVE-class issue for agentic systems. Bachao.AI's scan library is updated weekly to track the new disclosure cadence.
Automated vs manual pentesting — when to use each
Automated AI-orchestrated pentesting covers 80-90% of typical engagements: web apps, APIs, infrastructure, OWASP Top 10 / API Top 10, business-logic checks, SSL/TLS, DNS, subdomain enumeration. False positive rate under 3% with proper validation. Wall-clock time: under 2 hours for the first-pass scan, 5-10 days for a full engagement including remediation guidance and re-test.
Manual human-led pentesting is still required for: adversary-emulation engagements (Red Team / BAS / persistent multi-stage attacks), high-stakes financial-system reviews requiring deep manual reasoning, hardware / IoT / OT engagements requiring physical access, and bespoke threat-modelling exercises. Most Indian SMBs and SaaS startups need automated testing for routine VAPT cycles plus manual testing for specific high-stakes engagements (e.g., pre-Series B diligence, post-incident forensics).
Compliance frameworks that require pentesting
Pentesting is an explicit or implicit requirement across most regulatory and audit frameworks Indian SaaS and fintech encounter:
DPDP Act 2023 Schedule I — reasonable security safeguards (interpreted as annual VAPT minimum)
RBI IT Framework — annual VAPT for NBFCs, banks, payment aggregators
SEBI CSCRF — cyber capability assessment for market intermediaries
SOC 2 CC7 — penetration testing as the vulnerability identification control
ISO 27001 Annex A.12.6.1 — technical vulnerability management with testing cadence
PCI-DSS Requirement 11.3 — annual external + internal pentesting for cardholder data environments
Get started with a real pentest
Click Book a free pentest, paste your target URL, and Bachao.AI's AI agent will scope the engagement within minutes. You receive the executive summary by email as soon as the scan completes — typically within 2 hours. From there, decide whether to upgrade to the full VAPT report with remediation guidance and CERT-In aligned compliance mapping. No subscription, no lock-in, no enterprise gating on baseline features.
Run a real pentest today
AI-orchestrated VAPT, under 2 hours to executive summary, CERT-In aligned full report when you are ready. Free first scan.