I would like to cover some of the basics of VAPT, as we have received many queries on VAPT such as: what is VAPT, and what are VAPT tools? What is the difference between VA and PT? How can VAPT be done internally, externally and by a third party? What are black box, grey box and white box VAPT? Is VAPT mandatory in ISO 27001? How does VAPT support IT security requirements and IT compliance such as ISO 27001, SOC, GDPR, HIPAA, HITRUST, PCI-DSS, etc.? How do you get VAPT certification? You can always refer to our website, where we briefly explain the basics of VAPT and the methodology for it: https://certpro.in/vapt-certification/

VAPT – Evidence of Technical Security

What is VAPT? What is the difference between VA & PT?

VA – Vulnerability Assessment is a process whose goal is to find loopholes (weaknesses) in the IT infrastructure; they could be in your applications, software systems, network, etc. PT – Penetration Testing is the test conducted to investigate the real severity of the loopholes found by the VA by trying to exploit them the way an attacker would. A simple example: a VA identifies weak cryptography on a host. Penetration testing then determines what that actually means for the system, for instance whether the weak cipher can be broken and, possibly combined with a phishing attack, used to gain access to the database; if it can, that is a real threat rather than a scanner finding. In short, VA produces the list of loopholes, and PT establishes the severity of each one.

What are VAPT tools?

VAPT tools are tools that automatically identify vulnerabilities in a system and generate a report of the findings. Most are limited to specific tasks, and the penetration-testing part (confirming that a finding is exploitable and what it leads to) still largely needs a human tester; one popular vulnerability scanner is Nessus. For small startups these tools can stand in for an IT admin to identify threats in the organisation's IT infrastructure. There are a number of VAPT tools available; to get the best results, it is advisable to take a VAPT professional's opinion before opting for any tool in-house.
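To make the distinction between the VA list and the PT work concrete, here is an added example (it is not code from the original page or from any scanner vendor) that turns a vulnerability-assessment export into a penetration-testing backlog. It assumes a Nessus-style CSV export with the column names used in the sample; the sample rows, hosts and plugin IDs are constructed for this example. It merges the same weakness seen on several ports of one host into a single finding, drops informational rows, counts findings per host and severity (the VA picture) and orders the remaining findings for manual validation, highest CVSS first and then by how many hosts share the weakness.

```python
"""Triage a vulnerability-assessment export into a penetration-testing backlog.

Added example; not from certpro.in or any scanner vendor. The CSV column
names are assumed to follow a Nessus-style export; all sample data is constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export: three hosts, one weakness repeated across two
# ports of the same host, one informational row and one low-severity row.
SAMPLE_EXPORT = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Solution
900001,,7.5,High,10.0.0.5,tcp,443,Deprecated SSL/TLS protocol versions enabled,Disable SSLv3 and TLS 1.0/1.1
900001,,7.5,High,10.0.0.5,tcp,8443,Deprecated SSL/TLS protocol versions enabled,Disable SSLv3 and TLS 1.0/1.1
900001,,7.5,High,10.0.0.7,tcp,443,Deprecated SSL/TLS protocol versions enabled,Disable SSLv3 and TLS 1.0/1.1
900002,,5.3,Medium,10.0.0.5,tcp,443,Weak cipher suites supported,Restrict cipher suites to a modern list
900003,,9.8,Critical,10.0.0.9,tcp,3306,Database server accepts empty root password,Set a strong password and restrict network access
900004,,0.0,None,10.0.0.9,tcp,22,SSH service detected,n/a
900005,,3.1,Low,10.0.0.7,tcp,80,Server banner discloses software version,Suppress version information
"""


def severity_band(cvss: float) -> str:
    """Qualitative rating from the CVSS v3.x scale: None/Low/Medium/High/Critical."""
    if cvss <= 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    plugin_id: str
    name: str
    cvss: float
    host: str
    ports: list = field(default_factory=list)
    solution: str = ""

    @property
    def severity(self) -> str:
        return severity_band(self.cvss)


def parse_export(text: str) -> list:
    """Parse the export, merging rows for the same plugin on the same host
    (one weakness on several ports is one thing to fix) and dropping
    informational rows (CVSS 0), which are service discovery, not vulnerabilities."""
    merged = {}
    for row in csv.DictReader(io.StringIO(text)):
        cvss = float(row["CVSS"] or 0)
        if cvss <= 0.0:
            continue
        key = (row["Host"], row["Plugin ID"])
        finding = merged.get(key)
        if finding is None:
            finding = Finding(row["Plugin ID"], row["Name"], cvss, row["Host"], [], row["Solution"])
            merged[key] = finding
        port = f"{row['Protocol']}/{row['Port']}"
        if port not in finding.ports:
            finding.ports.append(port)
    return list(merged.values())


def host_summary(findings: list) -> dict:
    """Findings per host per severity band: the VA 'list of loopholes' at a glance."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f.host][f.severity] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def pt_backlog(findings: list, min_cvss: float = 4.0) -> list:
    """Order findings for manual penetration testing: highest CVSS first, then the
    weaknesses present on the most hosts (one exploit path, many targets).
    Findings below min_cvss are fixed straight from the VA report without manual testing."""
    hosts_per_plugin = defaultdict(set)
    for f in findings:
        hosts_per_plugin[f.plugin_id].add(f.host)
    candidates = [f for f in findings if f.cvss >= min_cvss]
    return sorted(candidates, key=lambda f: (-f.cvss, -len(hosts_per_plugin[f.plugin_id]), f.host))


if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    for host, counts in sorted(host_summary(findings).items()):
        print(host, counts)
    for f in pt_backlog(findings):
        print(f"{f.cvss:4.1f} {f.severity:8} {f.host:10} {','.join(f.ports):16} {f.name}")
```

The backlog is where the penetration tester starts: in the sample, the empty database password is validated first, then the deprecated TLS versions, which are worth testing once and fixing on every affected host from a single configuration baseline. The 4.0 cut-off is a choice for this example, not a rule; adjust it to your risk appetite.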

Some of the pros and cons of VAPT tools

Pros:

  • Easily available; open-source applications exist.
  • Time-saving: after adding the IP addresses, reports are auto-generated within minutes to hours.
  • Little manual expertise is needed to run them, as they run automatically and show the end results in the form of reports.
  • They help small companies understand their IT environment; even non-IT staff can operate these tools.

Cons:

  • Data security may be compromised, as you share your IP addresses and access with a tool (or its hosted service) that you have no agreement with and may not be able to trust.
  • Results from free applications may not be accurate; false positives and missed findings still need a skilled person to interpret.
  • Penetration testing can leave openings behind (test accounts, opened ports, uploaded files) that attackers could use; it is important to close all of these after testing, and some tools fail to do so.
  • Some tools are expensive to own and hard for beginners to use safely; a careless scan can disrupt production systems.

It is always advised to consult a third-party professional under a formal agreement, such as a non-disclosure agreement and a written authorisation that defines the scope of testing, which binds both parties in terms of service, time, resources and legal requirements. You can always reach us for any queries: https://certpro.in/contact-us/


What is internal vulnerability assessment, external vulnerability assessment and third-party assessment in VAPT?

Internal vulnerability assessment is the process of testing your IT security from inside the company: internal software, the network, employee competence, the work environment, internal IT security policy, etc.

External vulnerability assessment evaluates IT security from outside the company. It mainly looks for loopholes in your perimeter (the network firewall and internet-facing services) through which malicious outsiders could break in and attack your network and confidential business information.

Both can be done by a third party, and companies are always advised to use third-party experts for technical audits. External VAPT should be done regularly; an internal VAPT gives more accurate, manual results, including identifying human errors and working practices. These professionals know the right tools to use for the scope of work and your business. It is always advised to re-visit the loopholes once they are closed: professionals recommend industry best practices to close them and a re-assessment (re-test) to confirm that the fixes are effective.

What is Black box testing, Grey testing & White box testing in VAPT?

  • Black box testing: the tester has no prior knowledge of the internal networks and systems and works the way an outside attacker would, typically from the external network.
  • Grey box testing: the tester has partial knowledge (for example a user account, a network diagram or an architecture overview) and may test from the external or the internal network. Grey box testing is a combination of black box and white box.
  • White box testing: the tester has full knowledge of the internal network and systems (configuration, credentials and often source code) and typically tests from the internal network.

It is advised to discuss with the professionals and understand which would be the relevant mode of testing to your organization. 

Is VAPT mandatory in ISO 27001 or any IT related standards? What are the benefits of VAPT in ISO or any standard compliance?

VAPT can be evidence for many technical controls. In ISO 27001:2013, the information security management system (ISMS) statement of applicability (SoA) lists the Annex A controls, and A.12.6 deals specifically with technical vulnerability management. Control A.12.6.1, Management of technical vulnerabilities, requires that information about technical vulnerabilities in the systems in use is obtained in a timely fashion, that the organisation's exposure to them is evaluated and that appropriate measures are taken; a regular VAPT covering internal and external threats is the usual way to show this. Control A.12.6.2, Restrictions on software installation, requires rules governing the installation of software by users, so software should be verified before it is put to any use. The standard does not name VAPT, so it is not literally mandatory, but an auditor will expect evidence that vulnerabilities are identified and addressed, and a VAPT report is the clearest evidence of that. In ISO 27001:2022 the equivalent controls are A.8.8, Management of technical vulnerabilities, and A.8.29, Security testing in development and acceptance.

VAPT can be related to many other ISO 27001 controls, such as A.13.1 Network security management, A.14.2.3 Technical review of applications after operating platform changes, A.14.2.8 System security testing and A.14.2.9 System acceptance testing.

A single VAPT report can be evidence for many technical controls, not only in ISO 27001 but also in SOC, PCI-DSS, HITRUST, GDPR, HIPAA, etc. The frameworks differ in how explicit they are: PCI-DSS (Requirement 11) explicitly requires regular vulnerability scans and at least annual penetration testing, whereas ISO 27001, SOC, GDPR and HIPAA require that risks be identified and treated without prescribing VAPT by name.

What is the VAPT Report? How to get VAPT Certificate or VAPT Compliance? How frequently VAPT to be done?

The VAPT report addresses all the results of the vulnerability assessment and penetration testing: each finding with its severity, evidence, affected systems and recommended fix, and the re-test status once it is closed. The report also helps to build the confidence of your clients.

A VAPT certificate as such is not an established practice; as proof that VAPT was conducted, the third party that performed it issues an assessment certificate or letter of attestation. A certificate alone is worth nothing if the company genuinely needs to know the risks in its IT infrastructure. Always opt for a proper VAPT with a full report rather than a cheap certificate.

VAPT can be done on a daily, weekly, monthly or yearly basis depending on the nature of the work and the need for VAPT. We would suggest getting it done twice a year along with your internal audits and technical audits, and additionally after any significant change to the infrastructure or applications.
