The single most common reason VAPT engagements fail is poor scoping. This page documents exactly how Digital Defense scopes, executes, reports and re-tests a VAPT — for buyers who want full transparency before signing the SOW.
Security buyers comparing VAPT vendors
CISOs preparing an internal VAPT RFP
Procurement teams checking depth-of-testing claims
Auditors and consultants validating VAPT scope before signing-off
Engineering leaders running a first VAPT and wanting to scope correctly
Vendors quoting cheaper because they only run an authenticated scanner
Reports that don't differentiate between scanner-found issues and human-validated exploits
Scope that misses key flows (admin panels, integration partners, internal services)
Inadequate proof-of-exploit, making fix prioritization a guessing game
No re-test or closure letter — leaving compliance evidence incomplete
Asset inventory, scoping interview, threat-model brief, rules of engagement, NDA, data-handling agreement.
STRIDE-based threat model per critical flow; data-flow diagrams; trust boundaries.
Passive + active fingerprinting, attack-surface mapping, tech-stack identification.
OWASP Top 10, ASVS L2/L3, MASVS, API Top 10, NIST SP 800-115, PTES — manual validation of every finding.
Proof-of-exploit chains; lateral movement and impact analysis; data-exfil simulation where in-scope.
Executive summary + technical report + CVSS scores + fix guidance + auditor sign-off.
30-day re-test window, closure letter, optional quarterly retainer for high-velocity teams.
Scoping document with explicit in-scope / out-of-scope list
Threat-model output: data-flow diagram + STRIDE table
VAPT report (executive + technical) with CVSS + fix guidance
Proof-of-exploit walkthroughs + recorded videos for critical findings
CERT-In Empanelled auditor sign-off + closure letter
A scan finds known signatures. Our VAPT manually validates each finding, chains exploits, and proves business impact. ~60% of our reportable findings are NOT detectable by scanners alone.
We default to grey-box (authenticated, no source code) — best ROI for buyers. We do black-box for external-only scoping, and white-box (with source) for high-assurance engagements like fintechs and banks.
OWASP Top 10, ASVS, MASVS, API Top 10, NIST SP 800-115, PTES, MITRE ATT&CK, and CERT-In Information Security Audit Guidelines.
CVSS v3.1 base score + exploitability + business impact. We provide a fix order recommendation, not just a list of CVEs.
Yes — one free re-test within 30 days of report delivery, plus a closure letter you can share with auditors.
Talk to Digital Defense — India's CERT-In Empanelled cybersecurity team.