Automated VAPT vs Manual Pentest — Cost & Speed
Indian VAPT firms (Astra, CyberNX, SecureLayer7, Kratikal — see the vendor table above) use enterprise-bracket per-engagement fees and take 4-6 weeks from kickoff to report. Bachao.AI's automated VAPT tool for India is pay-per-use — it runs an AI-orchestrated scan in under 2 hours, validates each finding with a second AI pass to drop false positives, and ships a CERT-In aligned report immediately. The result: same coverage depth, materially lower total cost, and quarterly or monthly cycles instead of annual ones.
CERT-In Empanelled Auditor Requirements (2026)
CERT-In's directions require Indian organisations to retain audit logs, report incidents within 6 hours of detection, and maintain a documented vulnerability assessment programme. Empanelment is required to issue certificates for compliance submissions for some categories — for most SaaS, fintech, and SMB engagements the CERT-In alignment of the methodology is what auditors and customers ask for. Bachao.AI's reports follow the CERT-In methodology, OWASP Top 10, and PTES — accepted by procurement teams, ISO 27001 auditors, and DPDP Act compliance reviewers.
VAPT Pricing for Indian SaaS Startups
Indian SaaS startups don't fit a flat-rate VAPT catalog. We scope each engagement around your data surface — number of web apps, APIs, cloud accounts, retesting cycles, and compliance frameworks to map. A typical seed-stage SaaS gets materially lower TCO than the manual market rate quoted above. We share the scope and engagement details on a 30-minute call. No per-seat fees, no annual lock-in.
Sample VAPT Report (OWASP + CERT-In Format)
Our sample VAPT report shows the structure your engineering team and compliance reviewer will actually see: executive summary, methodology (OWASP Top 10 / PTES), scope, CVSS v3.1 scored findings with reproduction steps, remediation written for your specific stack, and CERT-In alignment statement. Download or preview from the Sample Reports page.
How Long Does an Automated VAPT Take?
Wall-clock time for a typical web app + API target is under 2 hours from scan start to executive summary in your inbox. Full report (validated findings + remediation + compliance mapping) is delivered immediately after scan completion. Manual retesting after fixes — when scoped — completes within 7 business days, keeping the total engagement under two weeks.
CERT-In Aligned Methodology (OWASP ASVS + PTES)
Bachao.AI's scan methodology combines OWASP ASVS (Application Security Verification Standard) levels 1 and 2 with PTES (Penetration Testing Execution Standard) phases. OWASP ASVS drives the test-case library — 441 checks covering authentication, session management, access control, cryptography, and API security. PTES drives the engagement structure: intelligence gathering, threat modelling, exploitation, and reporting. CERT-In's directions on information security audit require a documented methodology — ours is stated explicitly in every report and verifiable against the published OWASP and PTES standards, so your auditor has a traceable basis, not just tool output.
DPDP Act 2023 Compliance Mapping
Every finding is cross-mapped to the DPDP Act 2023 Schedule I obligations it violates. Schedule I Obligation 1 — reasonable security safeguards — is the most directly relevant: any Critical or High vulnerability is automatically flagged as a Schedule I gap in the report. The compliance matrix shows which obligations are satisfied, which are at risk, and which require policy action (consent framework, breach response plan) rather than technical remediation. Your DPO or legal counsel gets a structured input they can work with — not a raw technical dump.
Sample VAPT Report (Redacted PDF)
A redacted sample report shows the exact structure your engineering team and compliance reviewer will receive: executive summary with risk score and finding counts by severity; methodology statement (OWASP ASVS + PTES + CERT-In alignment); scope; numbered findings with CVSS v3.1 vector string and score; reproduction steps; stack-specific remediation guidance; and a compliance mapping matrix covering DPDP Schedule I, RBI IT Framework, and OWASP Top 10. Download from the Sample Reports page or request a copy at ceo@bachao.ai before booking a scan.
Retest & Fix-Verification SLA
After your engineering team ships fixes, a targeted retest confirms closure. Retests run within 7 business days of your fix notification on paid engagements — scoped only to the previously open findings, not a full re-scan. The output is a closure certificate that names each resolved finding, the fix applied, and the retest result. This is the document auditors and enterprise customers ask for when they want proof that reported vulnerabilities were fixed, not just acknowledged. Retest is included in scoped engagements — discuss on your scope call.
Pricing by Asset Type & Scope
VAPT engagement cost depends on what you are scanning, how deep, and which compliance frameworks the report needs to cover. A single web app with OWASP Top 10 coverage and a CERT-In aligned summary is scoped differently from a 12-asset SaaS with authenticated deep scan, REST and GraphQL APIs, cloud configuration, and DPDP Act compliance mapping. We size the engagement on a 30-minute scope call before any work begins — no per-seat fees, no annual lock-in, no additional charge for retests within scope. Start with the free scan to understand your risk surface, then book a scope call to confirm the full engagement.