Most Indian companies treat VAPT as a checkbox — something to do once before a compliance audit and forget about for two years. That approach leaves critical vulnerabilities undetected for months, and in 2026, with DPDP Act enforcement and RBI cybersecurity directives tightening, it’s increasingly a liability. This guide gives you a practical VAPT frequency framework based on your industry, compliance requirements, and actual risk profile.
The Short Answer: It Depends on Three Things
VAPT frequency is determined by: (1) your regulatory requirements, (2) how fast your infrastructure changes, and (3) your risk exposure. Here’s a quick framework:
| Company Type | Minimum Frequency | Recommended Frequency | Regulatory Driver |
|---|---|---|---|
| Banks / NBFCs / Payment Companies | Annually | Half-yearly | RBI IT Framework, SEBI Cybersecurity Framework |
| SaaS / Product Companies | Annually | Quarterly (web app) | SOC 2 Type II, ISO 27001, enterprise customer SLAs |
| E-commerce / D2C | Annually | Half-yearly + before peak sales periods | PCI DSS (if processing cards), DPDP Act |
| Healthcare / Healthtech | Annually | Half-yearly | DPDP Act (health data is sensitive personal data), HIPAA if US clients |
| IT Services / Outsourcing | Annually | Annually + on major releases | ISO 27001, client contracts |
| Enterprise (non-regulated) | Annually | Annually + network VAPT | ISO 27001:2022 A.8.8 (A.12.6 in the 2013 edition), cyber insurance requirements |
What Compliance Frameworks Actually Require
| Framework | VAPT Requirement | Specifics |
|---|---|---|
| ISO 27001:2022 | Implied under A.8.8 (vulnerability management) | No explicit frequency; auditors expect documented evidence of periodic testing |
| SOC 2 Type II | Expected under CC7.1 (identifying and managing vulnerabilities) | No mandated frequency; annual testing is the practical minimum, and quarterly testing gives auditors continuous evidence across the Type II observation period |
| PCI DSS v4.0 | Mandatory: Requirement 11.3 (vulnerability scanning) and 11.4 (penetration testing) | Internal and external vulnerability scans at least quarterly (external scans by an Approved Scanning Vendor); internal and external penetration tests at least annually and after significant infrastructure or application changes |
| RBI IT Framework (Banks) | Mandatory periodic testing | Half-yearly for internet-facing systems; testing by a CERT-In empanelled firm required |
| DPDP Act 2023 | Implied under “reasonable security safeguards” (Section 8(5)) | No specific frequency; documented testing is evidence that safeguards were in place when a breach is investigated |
| HIPAA (for US healthcare clients) | Expected under the Security Rule evaluation standard, §164.308(a)(8) | Periodic technical and non-technical evaluation; no fixed interval is mandated, annual is common practice, and the VAPT report serves as evidence of the technical evaluation |
The “Change-Triggered” Rule: When to Test Outside Your Schedule
Regular scheduled VAPT is the baseline. But vulnerability windows often open between scheduled tests. You should trigger an unscheduled VAPT after:
- 🚀 Major Product Launch: new features, APIs, or user-facing modules often introduce attack surface not covered by previous tests.
- ☁️ Cloud Migration: moving to AWS/Azure/GCP or a new data centre changes your network topology and security controls entirely.
- 🔗 New Integration / API Partner: third-party integrations extend your attack surface to the partner's security posture. Test the connection points.
- ⚠️ Security Incident or Near-Miss: after containing an incident, a VAPT shows whether the root cause or related vulnerabilities persist elsewhere.
- 👥 Key Security Personnel Change: a departing engineer may have left orphaned credentials, access keys, or misconfigurations behind. Test after significant IT team turnover.
- 📋 Pre-Compliance Audit: run a VAPT 4–8 weeks before your ISO 27001, SOC 2, or PCI DSS audit so you find and fix issues before the auditors do.
What Type of VAPT Should You Run Each Time?
Not every VAPT cycle needs to cover everything. Scope it based on what changed and what the compliance requirement covers:
| VAPT Type | Run When | Typical Cost |
|---|---|---|
| Web Application VAPT | After every major release; quarterly for SaaS | ₹75K–₹2L |
| Network/Infrastructure VAPT | Annually; after cloud migration | ₹1L–₹3L |
| Mobile App VAPT | After major app updates; annually minimum | ₹75K–₹2.5L |
| API Security Testing | After new API versions; pre-partner onboarding | ₹50K–₹1.5L |
| Cloud Configuration Review | After cloud migration; annually | ₹75K–₹2L |
The Cost of Not Testing: Real Breach Impact
Compare the cost of a VAPT against the cost of a breach it might have prevented:
- Average cost of a data breach in India (2024): ₹19.5 crore (IBM Cost of a Data Breach Report)
- DPDP Act maximum penalty for a single violation: ₹250 crore
- Average time to detect a breach without active testing: 207 days
- Annual cost of a VAPT programme covering web app + network: ₹2–5L
The math isn’t complicated. The question is whether a vulnerability exists today — not whether you expect one.
📘 In-Depth Guide
VAPT Services in India — Types, Pricing & Compliance Coverage
Full breakdown of what’s included in a VAPT engagement, how to evaluate a provider, and what your compliance frameworks actually require.
Ready to schedule your VAPT?
Get a scoped proposal from our team within 24 hours. We cover web, mobile, network, API, and cloud, with CERT-In empanelled partners for regulated sectors.