What is VAPT?
VAPT is a combined security strategy that identifies and then attempts to exploit weaknesses.
VAPT cycle:
Vulnerability Assessment (VA): The “Scanning” phase. This is the process of identifying, ranking, and reporting known security gaps in an environment. It tells the client what is broken.
Penetration Testing (PT): The “Attack” phase. This is a simulated, authorized attack where you (the consultant) attempt to exploit those gaps to gain access. It tells the client how much damage can be done.
What is a CVE?
CVE (Common Vulnerabilities and Exposures) is a standardized list of publicly disclosed cybersecurity vulnerabilities.
Each CVE has a unique ID, a description, and at least one public reference. It is a universal language used by security tools to communicate.
VAPT Lifecycle: The 6-Stage Security Framework
1. Preparation and Planning (Scoping)
Asset Inventory: Catalog hardware, software, and cloud assets.
Define Scope & Rules of Engagement (ROE): Define what is “Off-Limits” (e.g., legacy medical equipment that might crash during a scan) and the testing window.
Threat Modeling: Identify likely attackers and their entry points.
2. Discovery and Reconnaissance
Attack Surface Mapping: Map exposed ports, hidden subdomains, and APIs.
Vulnerability Scanning: Execute authenticated and unauthenticated scans to find CVEs and missing patches.
Information Gathering: Use OSINT (Open Source Intelligence) to find leaked credentials or employee data.
3. Analysis & Exploitation
False Positive Filtering: Manually verify scanner results.
Exploitation: Attempt to exploit the identified vulnerabilities (using frameworks like Metasploit or manual scripts).
Privilege Escalation: If you gain low-level access, can you become a Domain Admin?
Lateral Movement: Once inside one server, can you move to the database or other systems?
4. Post-Exploitation & Impact Assessment
Evidence Collection: Take screenshots of successful exploits (without touching sensitive patient data) as proof.
Risk Contextualization: Use the CVSS score but adjust it for the business context (e.g., a “Medium” vulnerability on a core dialysis controller is more dangerous than a “Critical” on an isolated guest Wi-Fi).
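The risk contextualization step above, as an added example that is not part of the original page: a small Python prioritizer that scales each scanner finding's CVSS base score by constructed asset-criticality and exposure weights (an assumption for illustration, not a CVSS standard) and re-ranks constructed sample findings so that the page's Medium-on-dialysis-controller case outranks the Critical-on-isolated-guest-Wi-Fi case.

```python
from dataclasses import dataclass

# Constructed weights (an assumption for this example, not part of the CVSS
# standard): how strongly asset criticality and exposure scale the base score.
CRITICALITY = {"safety-critical": 1.6, "business-critical": 1.3, "standard": 1.0, "isolated": 0.5}
EXPOSURE = {"internet": 1.3, "internal": 1.0, "segmented": 0.7}
MITIGATION_FACTOR = 0.6  # applied when a compensating control (WAF rule, VLAN isolation) exists

@dataclass
class Finding:
    cve: str            # placeholder ID in the samples below, not a real CVE
    asset: str
    cvss_base: float    # CVSS v3 base score reported by the scanner, 0.0-10.0
    criticality: str    # key of CRITICALITY
    exposure: str       # key of EXPOSURE
    mitigated: bool = False

def severity_label(score: float) -> str:
    """Map a 0-10 score onto the CVSS v3 qualitative bands."""
    bands = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")]
    for upper, label in bands:
        if score <= upper:
            return label
    return "Critical"

def contextual_score(f: Finding) -> float:
    """Scale the scanner's base score by business context, capped at 10.0."""
    score = f.cvss_base * CRITICALITY[f.criticality] * EXPOSURE[f.exposure]
    if f.mitigated:
        score *= MITIGATION_FACTOR
    return round(min(score, 10.0), 1)

def prioritize(findings):
    """Return (asset, scanner label, contextual label, contextual score), highest risk first."""
    rows = [(f.asset, severity_label(f.cvss_base), severity_label(contextual_score(f)),
             contextual_score(f)) for f in findings]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample findings mirroring the text's dialysis-vs-guest-Wi-Fi example.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-GUEST", "guest Wi-Fi controller", 9.8, "isolated", "segmented"),
    Finding("CVE-XXXX-DIAL", "dialysis controller", 5.5, "safety-critical", "internal"),
    Finding("CVE-XXXX-WEB", "patient portal", 7.5, "business-critical", "internet", True),
]

for row in prioritize(SAMPLE_FINDINGS):
    print(row)
```

The scanner's "Critical" guest Wi-Fi finding drops to Low once isolation is accounted for, while the "Medium" dialysis finding rises to High and tops the remediation queue.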
5. Remediation and Mitigation
Priority Patching: Apply fixes for the most exploitable paths found in the Analysis phase.
Compensating Controls: Use Web Application Firewall (WAF) rules or VLAN isolation for systems that cannot be patched.
Validation Testing: Re-run the exploit to prove the hole is actually closed.
6. Reporting and Continuous Security
Executive Summary: A high-level view for management.
Technical Breakdown: Detailed evidence for the IT team.
Continuous Monitoring: An approach where security is integrated into daily IT system and network operations.
VAPT Service Engagement Framework
| Service Tier | Focus & Methodology | Primary Deliverables | Pricing Guidance |
|---|---|---|---|
| Foundation (VA) | Automated vulnerability scanning + Manual false-positive validation. | Vulnerability Report & Remediation Roadmap. | Entry Level (Fixed-Scope) |
| Comprehensive (VAPT) | Full identification + Active Exploitation + Lateral Movement simulation. | Proof of Concept (PoC) & Attack Chain Analysis. | Market Rate (Asset-Based) |
| Strategic (Expert) | Hybrid-Cloud + AI Governance + Infrastructure Audit. | Executive Strategy & Compliance Attestation. | Consultative (Scope-Based) |
Engagement Scoping Variables
To provide an accurate estimate, final engagement fees are based on the following:
- Infrastructure Density: Total count of unique IP addresses, subdomains, and live endpoints.
- Architectural Complexity: Presence of containerized environments or specialized legacy hardware.
- Operational Risk: Requirements for testing within specific maintenance windows or on live production systems.
- Compliance Frameworks: Reporting tailored for specific regulatory standards (e.g., HIPAA, PIPEDA, PCI-DSS).