VAPT (Vulnerability Assessment and Penetration Testing) in India costs roughly $1,200–$4,500 for a single web application, scoped by endpoint count and test depth. That is the number a CISO can take into a budget meeting. Most “pentest cost in India” pages answer with “it depends” and stop. This post gives the per-scope bands, then the line items that move the price.
Here is the opinion this post defends. The cheapest quote is rarely the right buy — what matters is whether the test is manual and standards-based, or an automated scanner re-skinned as a “pentest.” The full service breakdown sits on the AB7 cybersecurity service page. The math below is what you take into procurement.
The four common VAPT scopes and their 2026 India bands
Price tracks scope and test depth, not vendor size. Four bands AB7 sees most often.
A web application pentest runs about $1,200–$4,500 for one app, depending on authenticated-user roles, API surface, and whether it is a re-test or first pass. A 3-role SaaS app with a REST API sits near the top of that band.
A mobile app pentest (one platform, iOS or Android) runs about $1,500–$5,000, because the tester reverses the binary, checks local storage, and tests the API the app talks to.
A network/infrastructure pentest is priced per live IP: roughly $150–$400 per IP for an external test, with the per-host rate falling as the host count rises. A 30-host external range therefore lands around $4,500–$8,000 once that volume discount applies, not the $12,000 a flat $400 per IP would imply.
A cloud security assessment (AWS, Azure, or GCP config review plus IAM) runs about $3,000–$9,000, scoped by account count and service spread.
What actually moves the price
Three line items decide whether you pay the low or the high end of each band.
Test depth is the biggest lever. A black-box automated scan with Nessus or OWASP ZAP, lightly reviewed, is cheap and shallow. A manual test by an OSCP-certified engineer using Burp Suite Pro and Metasploit, mapped to the OWASP Top 10 and PTES, costs more and finds the logic flaws scanners miss.
Re-test policy matters next. A first-pass test plus one free re-test after you fix the findings is worth more than a single report that gives you no way to confirm the fixes actually closed the holes. Ask whether the re-test is included or billed again.
Compliance framing is the third. A test that produces an ISO 27001 or SOC 2 evidence package, or a CERT-In-aligned report, costs more than a raw finding list, because the report is written to satisfy an auditor.
Why India is cheaper — and where it is not
The honest answer: India runs 50–70% below US or UK rates for the same manual test, because engineer salaries are lower, not because the work is thinner. A web app pentest that costs $12,000 from a London firm runs $3,000–$4,000 from a Mohali-based team using the same Burp Suite Pro workflow and OWASP mapping.
Where India is not automatically cheaper is the bottom of the market. A $400 “VAPT” is almost always an unattended scanner export. That is not a penetration test: no human tried to chain two medium findings into a breach, and no one exercised the business logic a scanner cannot see. For a Canary Wharf CISO signing off a SOC 2 audit, that report fails the auditor, so the budget is spent twice, once on the scan and again on the real test that has to replace it.
The dedicated-pod alternative to one-off tests
For a company that ships every two weeks, a single annual pentest leaves ten months of un-tested releases. AB7’s model for that buyer is a dedicated security specialist from $1,500/month, or a small AppSec pod from $4,500/month, who tests each release instead of one big-bang audit a year.
That security specialist works your timezone: a Mohali engineer on a 06:00–14:00 GMT shift covers most of a London working day and the start of a US-East one. The pod runs Splunk Cloud and CrowdStrike Falcon telemetry alongside the testing, so findings tie back to what the SOC actually sees. AB7 is a reseller for 26 security vendors, so tooling is sourced at partner rates, not marked up per seat.
The hidden costs to screen for
Ask four questions before you sign a VAPT statement of work. One: is the test manual or scanner-only — and who holds the certification (OSCP, CEH, OSWE)? Two: is one re-test included after remediation? Three: does the report map to a named framework (OWASP, ISO 27001, SOC 2, CERT-In), or is it a raw finding dump? Four: who signs the report, and will they brief your auditor? Get all four in writing. The pricing page shows AB7’s published per-specialist and pod tiers.
The short version
A real web app pentest in India runs $1,200–$4,500; mobile $1,500–$5,000; network $150–$400 per IP; cloud $3,000–$9,000. Anything far below those bands is a scanner, not a pentest. For continuous coverage, a dedicated specialist from $1,500/month beats a once-a-year audit on both risk and cost.
Talk to a team that scopes a fixed number
If you want a fixed VAPT figure scoped to your real app and API surface — not a “$400, depends” — AB7 will scope it and put the re-test and framework terms in writing. See the AB7 cybersecurity service page, then call +1 (321) 341-7733, email director@ab7solutions.com, or book a 30-minute call with Ashok.