VAPT Sample Report — CERT-In Aligned

What a Bachao.AI VAPT Report Actually Looks Like

CVSS v3.1 ratings, proof-of-concept evidence, AI-generated fix code, compliance mapping, and a retest closure certificate. Not a checkbox exercise — an actionable security document.

Download Full Sample Report See a sample finding

What the report contains

Six sections. Every section has a job. None of it is filler.

Executive Summary

One-page board-ready risk overview. Overall risk rating (Critical / High / Medium / Low), total findings count, most critical asset exposure, and recommended remediation priority.

Scope & Methodology

Exact scope — URLs, APIs, IP ranges tested. Methodology attestation: OWASP Testing Guide v4.2, CERT-In aligned, Nuclei + ZAP + Nmap. Test window, tester IDs, and scan environment.

Findings — CVSS v3.1 Rated

Each vulnerability gets: CVE reference, CVSS v3.1 base score, attack vector, proof-of-concept evidence, affected endpoint, and business impact statement.

Remediation Guidance

Fix instructions in plain English + AI-generated fix code for your exact tech stack (Node.js, Python, Java, Go, PHP). Not generic advice — code you can deploy.

Compliance Mapping

Every finding mapped to: DPDP Act 2023 Schedule I, OWASP Top 10, CERT-In advisory controls, and RBI IT Framework / SEBI CSCRF where applicable.

Retest & Closure Certificate

After you remediate, we retest each fixed finding. Confirmed fixes earn a closure certificate — a single signed document accepted by auditors, investors, and regulators.

Sample finding — redacted

This is a realistic but fabricated example showing the exact format of a Bachao.AI finding. Full report available after booking a scan.

BACH-2026-0047CriticalCVSS 9.8CWE-89

SQL Injection in /api/users/login

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Endpoint

POST /api/users/login

Vulnerable Parameter

Description

The login endpoint accepts unsanitised user input in the email field. An unauthenticated attacker can inject SQL syntax to bypass authentication, extract the full users table, or drop database objects.

Evidence

[REDACTED — Full report includes screenshot + HTTP request/response transcript]

Business Impact

Complete authentication bypass. Exfiltration of all user PII including hashed passwords, email addresses, and phone numbers. DPDP Act Schedule I Clause 8(3) violation.

Remediation — AI-Generated Fix (Node.js)

Use parameterised queries or prepared statements. Example (Node.js + pg):

  const result = await db.query(
    'SELECT * FROM users WHERE email = $1',
    [req.body.email]   // $1 bound separately — never interpolated
  );

Do not use string concatenation or template literals to build SQL queries.

DPDP Act Mapping

Schedule I — Technical Safeguard 3: Protection against SQL injection

CERT-In Reference

CERT-In Advisory CA-2023-004

This is a sample finding with fabricated data for illustration. Full reports contain real evidence from your actual application.

Why auditors accept this report

✓CERT-In aligned methodology and report format

✓CVSS v3.1 industry standard scoring

✓Accepted by RBI and SEBI auditors for compliance submissions

✓Retest closure certificate signed by Bachao.AI

✓DPDP Act Schedule I compliance mapping included

✓AI-validated findings — under 3% false positive rate

VAPT report sample — what to look for

What makes a VAPT report useful vs decorative

Many VAPT reports are PDF documents that look impressive and say nothing actionable. A report that lists 'SQL Injection found' with no reproduction steps, no code-level fix, and no compliance mapping is decoration. A useful report tells your developer exactly what to change in which file on which line, tells your compliance team which regulation was violated, and tells your CEO what the business impact is if this finding is exploited. That is what Bachao.AI produces.

CVSS v3.1: what the score actually means

CVSS v3.1 (Common Vulnerability Scoring System) is the industry standard for rating vulnerability severity on a 0-10 scale. A score of 9.8 (as in the sample finding above) means: network-reachable, no special privileges needed, no user interaction required, high impact on confidentiality, integrity, and availability. The score is not arbitrary — it is derived from a defined formula using attack vector, complexity, privileges required, user interaction, scope, and CIA impact. Bachao.AI calculates CVSS v3.1 for every finding and includes the full vector string so you can verify the calculation independently.

Why auditors accept Bachao.AI reports

RBI IT examination teams and SEBI inspection units have standard expectations for VAPT evidence: scope documentation, methodology attestation, CVSS-rated findings with evidence, remediation records, and a retest certificate. Bachao.AI reports include all six components in a single package. The report format follows CERT-In advisory guidelines on vulnerability assessment documentation. Banking and financial sector auditors have accepted Bachao.AI reports as compliance evidence in recent examination cycles.

The closure certificate: what it is and why it matters

A closure certificate is a signed document confirming that each critical and high finding in the original VAPT report has been retested and confirmed remediated. It is the last step of a VAPT engagement. Investors doing due diligence, enterprise procurement teams, and regulatory auditors specifically ask for the closure certificate — not the findings report. The findings report shows what was wrong. The closure certificate proves it was fixed. Bachao.AI issues closure certificates for every remediated finding, with the retest date, tester ID, and confirmation of fix effectiveness.

AI-generated remediation code: what this means in practice

When Bachao.AI identifies a SQL injection in a Node.js + PostgreSQL application, the remediation section does not say 'use parameterised queries'. It shows the exact code change needed — including the import, the query pattern, and the before/after diff. When it finds an insecure deserialization in a Java Spring Boot application, it shows the Jackson ObjectMapper configuration change. This is AI-generated fix code reviewed by the analyst before inclusion in the report. It compresses remediation time from days to hours for most findings.

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

API Security Testing

OWASP API Top 10 coverage for REST and GraphQL endpoints.

Learn more →

Cloud Security Audit

AWS, Azure & GCP misconfiguration detection with DPDP mapping.

Learn more →

Dark Web Monitoring

Credential leak detection, brand impersonation & Telegram scanning.

Learn more →

Get your own VAPT report in under 2 hours

Book a free scan. See your risk in hours. Full report with CVSS ratings, fix code, and closure certificate available on request.

Download Full Sample Report Book a call

What the report contains

Six sections. Every section has a job. None of it is filler.

Executive Summary

One-page board-ready risk overview. Overall risk rating (Critical / High / Medium / Low), total findings count, most critical asset exposure, and recommended remediation priority.

Scope & Methodology

Exact scope — URLs, APIs, IP ranges tested. Methodology attestation: OWASP Testing Guide v4.2, CERT-In aligned, Nuclei + ZAP + Nmap. Test window, tester IDs, and scan environment.

Findings — CVSS v3.1 Rated

Each vulnerability gets: CVE reference, CVSS v3.1 base score, attack vector, proof-of-concept evidence, affected endpoint, and business impact statement.

Remediation Guidance

Fix instructions in plain English + AI-generated fix code for your exact tech stack (Node.js, Python, Java, Go, PHP). Not generic advice — code you can deploy.

Compliance Mapping

Every finding mapped to: DPDP Act 2023 Schedule I, OWASP Top 10, CERT-In advisory controls, and RBI IT Framework / SEBI CSCRF where applicable.

Retest & Closure Certificate

After you remediate, we retest each fixed finding. Confirmed fixes earn a closure certificate — a single signed document accepted by auditors, investors, and regulators.

Sample finding — redacted

This is a realistic but fabricated example showing the exact format of a Bachao.AI finding. Full report available after booking a scan.

BACH-2026-0047CriticalCVSS 9.8CWE-89

SQL Injection in /api/users/login

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Endpoint

POST /api/users/login

Vulnerable Parameter

Description

Evidence

[REDACTED — Full report includes screenshot + HTTP request/response transcript]

Business Impact

Complete authentication bypass. Exfiltration of all user PII including hashed passwords, email addresses, and phone numbers. DPDP Act Schedule I Clause 8(3) violation.

Remediation — AI-Generated Fix (Node.js)

Use parameterised queries or prepared statements. Example (Node.js + pg):

  const result = await db.query(
    'SELECT * FROM users WHERE email = $1',
    [req.body.email]   // $1 bound separately — never interpolated
  );

Do not use string concatenation or template literals to build SQL queries.

DPDP Act Mapping

Schedule I — Technical Safeguard 3: Protection against SQL injection

CERT-In Reference

CERT-In Advisory CA-2023-004

This is a sample finding with fabricated data for illustration. Full reports contain real evidence from your actual application.

Why auditors accept this report

✓CERT-In aligned methodology and report format

✓CVSS v3.1 industry standard scoring

✓Accepted by RBI and SEBI auditors for compliance submissions

✓Retest closure certificate signed by Bachao.AI

✓DPDP Act Schedule I compliance mapping included

✓AI-validated findings — under 3% false positive rate

What makes a VAPT report useful vs decorative

CVSS v3.1: what the score actually means

Why auditors accept Bachao.AI reports

The closure certificate: what it is and why it matters

AI-generated remediation code: what this means in practice