What is the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment (VA) scans your systems for known vulnerabilities and produces a list of findings — typically using automated scanning tools to identify software versions with known CVEs, misconfigurations, and missing patches. It tells you what weaknesses exist. A penetration test (PT) goes further: a human tester actively attempts to exploit those vulnerabilities to demonstrate real business impact. It tells you which weaknesses are actually exploitable and what damage a real attacker could cause. VAPT combines both: automated scanning for comprehensive coverage, followed by manual exploitation for the highest-risk findings.

How often should we conduct penetration testing?

Best practice and most security frameworks (PCI-DSS, ISO 27001, Cyber Essentials Plus) require at minimum annual penetration testing. However, we recommend testing after any significant change to your environment — a major application release, infrastructure migration, or architectural change can introduce new vulnerabilities that your last test did not cover. High-risk environments (financial services, healthcare, critical infrastructure) benefit from bi-annual testing as their attack surface and threat landscape evolve faster than annual testing can keep pace with.

What does the VAPT report look like and who can read it?

Our VAPT report is structured in two sections: an executive summary written for non-technical leadership (business impact, overall risk rating, top three findings, recommended immediate actions) and a technical findings section written for IT and development teams (CVSS score, finding description, evidence screenshots, step-by-step reproduction instructions, and remediation guidance). Each finding is rated Critical, High, Medium, Low, or Informational based on CVSS v3.1 scoring combined with our assessment of real-world exploitability in your specific environment.

Do you conduct testing in a way that could disrupt our live systems?

Safety of production systems is a priority. Before testing begins, we agree a scope of work that defines exactly which systems are in scope, testing hours (typically non-business hours for network testing), activities that require prior approval (DoS testing, social engineering involving senior leadership), and emergency stop procedures if testing causes unexpected disruption. We use careful, calibrated exploitation techniques designed to confirm vulnerabilities without causing outages. For particularly sensitive production systems, we can test on a staging environment first.

What is included in the free re-test?

After receiving our VAPT report, your team will work through the findings and implement remediations. The free re-test covers all Critical and High severity findings from the original test — we re-test specifically those vulnerabilities that you have addressed to confirm the remediations are effective and the attack paths are genuinely closed. Re-tests are conducted within 90 days of the original report delivery date. Medium, Low, and Informational findings can be included in a follow-up engagement if required.

Do we need VAPT for compliance with PCI-DSS or ISO 27001?

Yes. PCI-DSS Requirement 11.3 explicitly mandates annual external and internal penetration testing and penetration testing after any significant infrastructure or application upgrade. ISO 27001 Annex A control A.12.6.1 requires assessment and management of technical vulnerabilities, which most auditors expect to be satisfied through regular penetration testing. For businesses pursuing Cyber Essentials Plus certification, a vulnerability scan is mandatory. Our VAPT reports are structured to provide the evidence documentation required for all of these frameworks.

VAPT & Penetration Testing

VAPT & Penetration Testing — Find Weaknesses Before Attackers Do.

The only way to know how much damage a real attacker could do to your organisation is to let a trusted team try. Infraspine's VAPT service uses the same tools, techniques, and mindset as real attackers — operating under a strict scope agreement and within legal boundaries — to find the weaknesses in your network, applications, and people before a criminal does. CVSS-scored findings, free re-test, and report delivery within 48 hours of engagement completion.

CVSS

Scored Findings

Free

Re-test Included

OWASP

Methodology

48hr

Report Delivery

Book a VAPT Assessment Request Sample Report

The Business Case

Attackers Test Your Defences Whether You Do or Not

Automated scanning tools probe every internet-connected IP address on the planet continuously. The moment you deploy a new server or application, it is being scanned for vulnerabilities within minutes. Attackers are testing your defences whether you invite them to or not — the difference between a penetration test and a real attack is intent, scope, and what happens with the findings.

The distinction between vulnerability assessment and penetration testing matters. A vulnerability scan tells you what software versions are running and which CVEs theoretically apply. A penetration test tells you which vulnerabilities are actually exploitable in your specific environment configuration, how far an attacker can get once they have initial access, and what the real business impact would be. It is the difference between knowing a door might be unlocked and watching someone walk through it and access your data.

Compliance requirements create additional urgency. PCI-DSS mandates annual penetration testing for any organisation that handles card data. ISO 27001 expects regular technical vulnerability assessment. Cyber Essentials Plus requires a hands-on vulnerability scan. And increasingly, enterprise customers and insurers are asking for penetration test evidence before signing contracts or issuing cyber insurance policies. A VAPT report from a credible provider is no longer optional for organisations operating in regulated sectors.

Know exactly what damage a real attacker could cause before they try

OWASP methodology ensuring systematic, complete coverage

Free re-test confirms your remediations actually closed the gaps

PCI-DSS, ISO 27001, and Cyber Essentials Plus compliance evidence

Finding Severity Scale (CVSS v3.1)

CriticalCVSS 9.0–10.0

Immediate exploitation possible, full compromise likely

HighCVSS 7.0–8.9

Significant impact, remediation within 72 hours recommended

MediumCVSS 4.0–6.9

Moderate risk, remediate within 30 days

LowCVSS 0.1–3.9

Limited impact, schedule into next maintenance cycle

InformationalCVSS 0.0

Best practice gap, no direct exploitability

Testing Capabilities

Six VAPT Service Areas

Covering every layer of your attack surface from network perimeter to source code.

External Network Penetration Testing

External penetration testing simulates an attacker who has no prior access to your organisation — exactly how real-world attackers approach their targets. Our testers enumerate your internet-facing attack surface (IP ranges, domains, subdomains, exposed services), identify vulnerabilities in web servers, VPN gateways, mail servers, and publicly accessible applications, and attempt exploitation to demonstrate real business impact. The result is a clear picture of exactly how much of your perimeter can be compromised by a motivated external attacker.

Internet-facing asset enumeration and attack surface mapping
Vulnerability identification and exploitation (web, VPN, mail)
Service version fingerprinting and CVE-based exploitation
Clear business impact demonstration for each confirmed finding

Internal Network Penetration Testing

Internal penetration testing answers a critical question: if an attacker gets inside your network — through phishing, a compromised vendor, or a malicious employee — how far can they go? Starting from an assumed-breach position (simulating a standard employee laptop on your internal network), our testers attempt to escalate privileges, move laterally across network segments, compromise domain controllers, and access sensitive data. Internal testing consistently reveals misconfigurations invisible from the outside, including Active Directory weaknesses and flat network architectures.

Assumed-breach testing from internal network position
Active Directory and domain controller attack scenarios
Lateral movement and privilege escalation testing
Network segmentation effectiveness validation

Web Application Testing (OWASP Top 10)

Web applications are the most common breach point for organisations with an online presence. Our web application testing methodology follows the OWASP Testing Guide and covers all OWASP Top 10 vulnerability categories: injection flaws, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfigurations, cross-site scripting, insecure deserialisation, components with known vulnerabilities, and insufficient logging. Testing is conducted both in authenticated and unauthenticated states to mirror real attacker capabilities.

Full OWASP Top 10 vulnerability coverage
Authenticated and unauthenticated testing perspectives
Business logic flaw identification beyond automated scanning
API security testing for REST and GraphQL endpoints

Mobile Application Security Testing

Mobile applications handle sensitive user data, authentication tokens, and business transactions — and they run on devices outside your network perimeter that you cannot fully control. Our mobile application testing follows the OWASP Mobile Application Security Verification Standard (MASVS) and covers both iOS and Android platforms. We perform static analysis of the application binary, dynamic analysis during runtime, and network traffic interception to identify issues in data storage, authentication, session management, and API communication.

iOS and Android application testing to OWASP MASVS standard
Static binary analysis and dynamic runtime testing
Sensitive data storage and leakage identification
Network traffic interception and API security review

Social Engineering Assessment

Technology controls only protect against technical attacks. Social engineering assessments test the human element of your security — the most unpredictable and often weakest link. We conduct controlled phishing simulations targeting your staff, measure click rates, credential submission rates, and reporting rates, and provide detailed analysis of which departments and roles are most susceptible. Vishing (voice phishing) assessments can also be conducted to test whether phone-based social engineering can extract sensitive information from staff.

Controlled phishing simulation campaigns targeting all staff
Click rate, credential submission, and malware download rate measurement
Department and role-based susceptibility analysis
Post-assessment security awareness training recommendations

Source Code Review

Penetration testing finds vulnerabilities from the outside looking in. Source code review finds them from the inside out — examining the actual code for security flaws before they can be exploited. Our secure code review covers common vulnerability patterns including SQL injection, command injection, insecure cryptography, hardcoded credentials, path traversal, XML injection, and authentication weaknesses. Review findings include the exact file and line number of each vulnerability alongside a recommended remediation with code examples.

SAST (static analysis) tool-assisted review with manual verification
OWASP-aligned vulnerability pattern coverage
Exact file/line number and severity for every finding
Remediation code examples provided for each vulnerability

Security Testing Tools We Use

Burp Suite ProMetasploit FrameworkNessus ProNmapOWASP ZAPKali LinuxQualys VMDRRapid7 InsightVMBloodHoundMimikatzNiktoSQLmap

FAQs

VAPT Questions Answered

Common questions from organisations planning their first penetration test.

Let's Work Together

Book Your VAPT Assessment Today

Find your vulnerabilities before attackers do. Get CVSS-scored findings, a free re-test, and a report your board and auditors will accept.

Book an Assessment Call Us Now

No obligation consultation

Response within 2 hours

10+ years enterprise experience