What VAPT actually means
VAPT stands for Vulnerability Assessment and Penetration Testing, and it is the same service Western vendors sell as a penetration test. If you are comparing a “VAPT provider” in Colombo against a “pentest firm” in London or Austin, you are comparing the same engagement under two names.
The term dominates procurement language across South Asia. Tenders, vendor questionnaires, and audit checklists in Sri Lanka, India, and Bangladesh ask for VAPT; the equivalent US or UK document asks for penetration testing. Global cost guides, methodologies, and report standards apply to both because they are one market.
The name is actually useful, because it spells out the two halves of the work: the vulnerability assessment (VA) and the penetration test (PT). Understanding the difference between those halves is the single most important thing a buyer in this region can do, because the most common failure mode here is paying for both and receiving one.
The VA half, the PT half, and the regional trap
A vulnerability assessment finds potential weaknesses with automated tools; a penetration test proves which of them are actually exploitable. They are complementary, not interchangeable.
The VA half is breadth: scanners sweep your application for known weaknesses and misconfigurations and produce a list of candidates, false positives included. The PT half is depth: a human being attacks the application, tests authentication and business logic, chains low-severity findings into real intrusion paths, and writes reproduction steps for each confirmed issue. Scanners cannot do the PT half. No scanner will notice that user A can read user B's invoices by changing a number in a URL, or that your discount logic can be replayed.
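The invoice example above, worked as code. This is an added illustration, not code from the original page or from Ghost Protocol's tooling; the handlers, the `Session` type and the invoice data are constructed for the example. It shows why a single-session scanner cannot see the defect (both handlers answer 200 for the caller's own record) and what the human tester's two-account check looks like.

```python
# Added example (not part of the original page). Two in-memory invoice
# handlers: one with the "change a number in the URL" defect the text
# describes, one with an ownership check. A scanner holding one session
# sees identical responses from both; the cross-account check below is
# the manual test that tells them apart.
from dataclasses import dataclass

# Constructed sample data: two tenants, one invoice each.
INVOICES = {
    101: {"owner": "alice", "total": 1200},
    102: {"owner": "bob", "total": 850},
}


@dataclass
class Session:
    user: str


def get_invoice_vulnerable(session: Session, invoice_id: int):
    """Looks up by id only: any authenticated user can read any invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_hardened(session: Session, invoice_id: int):
    """Object-level authorization: the caller must own the record.
    Answers 404 rather than 403 so the id space is not confirmed to outsiders."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session.user:
        return 404, None
    return 200, inv


def single_session_probe(handler, session: Session, invoice_id: int):
    """What a one-account scanner sees: the status code for its own record.
    Both handlers return 200 here, so this view finds nothing."""
    status, _ = handler(session, invoice_id)
    return status


def cross_account_check(handler, owner: Session, other: Session, invoice_id: int):
    """Manual-test logic: read one user's record with another user's session.
    Returns True when the handler leaks the record (a confirmed finding)."""
    owner_status, _ = handler(owner, invoice_id)
    other_status, body = handler(other, invoice_id)
    return owner_status == 200 and other_status == 200 and body is not None


if __name__ == "__main__":
    alice, bob = Session("alice"), Session("bob")
    for name, h in (("vulnerable", get_invoice_vulnerable), ("hardened", get_invoice_hardened)):
        print(name, "scanner view:", single_session_probe(h, alice, 101),
              "cross-account leak:", cross_account_check(h, alice, bob, 101))
```

The same two-account check belongs in your own regression suite for every object type that has an owner; it is cheaper to run on each deploy than to rediscover in the next annual report.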
The regional trap: a meaningful share of “VAPT” sold in this market is a scanner export with a new cover page. That is the VA half sold at PT prices. You can detect it in the deliverable: no reproduction steps, no business-logic findings, no named methodology, and hundreds of informational items padding the page count.
We wrote a full comparison in penetration testing vs vulnerability scanning. The short version: if nobody with hands on a keyboard attacked your app, you did not buy a penetration test.
What VAPT should cost
Published 2026 cost guides from DeepStrike, Blaze Infosec, Intruder, and Astra put a typical web application pentest at roughly $5,000 to $35,000 and up; a quote dramatically below every published range is usually the VA half in disguise.
PUBLISHED MARKET RANGES (2026, ATTRIBUTED)
$5,000 to $35,000+ typical web-app pentest (DeepStrike, Blaze Infosec, Intruder, Astra guides)
$1,000 to $3,000/day consultancy day rates (Intruder)
~$5,000 / $15,000 to $30,000 compliance-grade vs quality engagements (Fractional CISO)
$1,999 to $5,999/yr per-target subscription tiers (Astra published pricing)
4 to 6 weeks typical end-to-end engagement, scoping to report
For reference, our own number sits below those ranges by design: a fixed $2,499 for a web and API engagement, retest included, detailed on the pentest page. The structure that makes it possible (one senior engineer plus heavy scanner automation, Colombo cost base, fixed scope) is covered in our full penetration testing cost guide.
Indicative LKR conversion (orientation only): $2,499 is roughly LKR 750,000 at about LKR 300 to the US dollar as of July 2026. We quote and bill in USD; the LKR figure moves with the exchange rate and is not a second price.
The PDPA angle, honestly
Sri Lanka's Personal Data Protection Act No. 9 of 2022 does not mandate penetration testing. It requires security safeguards and a Data Protection Management Programme; a pentest is how you evidence both, not a line-item legal obligation.
This matters because “PDPA-mandated VAPT” has become a sales line in this market, and it is not what the Act says. The PDPA obliges controllers and processors to implement appropriate security safeguards for personal data and to maintain a Data Protection Management Programme. It does not name penetration testing as a required control.
What a pentest gives you under the PDPA is evidence. If a regulator, a client, or your own board asks how you know your safeguards work, a dated report from an independent tester, with findings, fixes, and a retest, is a concrete answer. “We installed a firewall” is a claim; a pentest report is proof the claim was tested. Buy it for that reason, not because someone told you the law forces you to.
ISO 27001 is the real certification driver
In practice, the document that pushes most Sri Lankan companies into buying a pentest is not the PDPA. It is ISO 27001, because regional enterprise and outsourcing contracts increasingly require the certification.
ISO 27001:2022 control A.8.8 (management of technical vulnerabilities) lists periodic penetration testing among the accepted methods for identifying vulnerabilities, and A.8.29 covers security testing in development and change. Certification auditors routinely ask what your vulnerability-identification method is, and a periodic pentest with a signed report is the cleanest answer available.
If ISO 27001 is what is actually driving your purchase, read our dedicated ISO 27001 penetration testing page for the control-by-control mapping. Companies selling into the US market should note the parallel: SOC 2 also does not explicitly require a pentest, but auditors expect one as monitoring evidence, commonly mapped to CC4.1.
What Sri Lanka CERT|CC actually says
Sri Lanka CERT|CC recommends periodic security assessments, at least annually, and published Web Application Security Guidelines for government organizations in 2022.
Two practical takeaways. First, the at-least-annual cadence is a sensible default for any organization, not just government: an assessment older than a year describes an application that no longer exists. Second, if you sell software or services to Sri Lankan government organizations, the 2022 guidelines define the web application security baseline your buyers are told to hold you to, so testing against it before procurement asks is cheaper than scrambling after.
For the broader picture of what we do locally, see our Sri Lanka page.
10 questions to ask any VAPT provider
These ten questions separate a real VAPT from a scanner run in one phone call. We answer each one for ourselves below, so you can hold us to the same standard.
1. Who actually performs the testing?
Our answer: One senior engineer plus PhantomDragon, our scanner with 50 modules, a 17-phase pipeline, and 75+ scanners. Every finding is verified by a human before it enters the report.
2. Is there manual testing, or is this a scanner run?
Our answer: Both halves. The scanners provide breadth; the engineer does authentication, business logic, and attack chaining. A provider who cannot describe what the human does is selling you the VA half.
3. What methodology do you follow?
Our answer: OWASP and NIST. Ask for the standard by name; “industry best practices” is not an answer.
4. Exactly what is in scope, and what is not?
Our answer: We test web applications and APIs. We do not test mobile apps, internal networks, or physical security, and we do not run red-team exercises. We say this before you pay, not after.
5. Can I see a sample report before I commit?
Our answer: Yes. An anonymized sample is at /pentest/sample-report. Any provider who refuses to show one is hiding the deliverable you are buying.
6. Is a retest included, and what does it cost?
Our answer: One free retest after you fix, with an updated report. A pentest without a retest leaves you unable to prove remediation.
7. What does the deliverable contain?
Our answer: An executive PDF in 5 to 7 days with severity-ranked findings, reproduction steps for each confirmed issue, and a signed attestation letter you can hand to an auditor.
8. How is the price structured?
Our answer: Fixed: $2,499 for the web and API engagement, no hourly meter, no change orders. Expedited 72-hour delivery is available; the current price for it is on the pentest page.
9. Will the report satisfy my auditor or enterprise customer?
Our answer: The report and attestation letter map findings to OWASP, and serve as vulnerability-identification evidence under ISO 27001 A.8.8 and monitoring evidence for SOC 2 (commonly CC4.1). For PCI DSS we cover only the external application-layer slice of requirement 11.4 (11.4.3 plus the 11.4.4 retest loop), not internal or segmentation testing, and we say so plainly.
10. What happens if you find something critical mid-test?
Our answer: We pause, notify your point of contact within the hour, and confirm before continuing. Critical findings never sit waiting for the final report.
Red flags
Three patterns account for most bad VAPT purchases in this market: certification mills, scanner-dump reports, and quotes without a retest.
Certification mills: a wall of logos and acronyms you cannot verify. Skip the badge theater; judge the sample report and ask who, by name, will test your application.
Scanner-dump reports: raw tool output with a new cover page. Tells: no reproduction steps, no business-logic findings, no named methodology, hundreds of informational items inflating the page count.
No retest in the quote: without a retest you cannot prove your fixes worked, which defeats the point of buying evidence in the first place.
A price far below every published market range with no structural explanation (fixed scope, automation, cost base) for how it gets there. Cheap is fine; unexplained is not.
Refusal to put scope exclusions in writing. A provider who will not say what they do not test will also not tell you what they did not find.
Local vs global providers
A Colombo provider gives you working-hours access and local context; a global firm gives you reach. The practical question is whether you can get both without paying twice.
Ghost Protocol (Pvt) Ltd is registered in Colombo, founded in 2024, and delivers worldwide. For Sri Lankan buyers that means scoping calls in your working day and a counterparty under local law; for overseas buyers it means a Colombo cost base priced in USD. All delivery is in English: the report, the walkthrough call, and the 30-day Q&A. We do not offer Sinhala or Tamil deliverables, and we would rather say that here than let you discover it at delivery.
One scope note that matters when comparing local firms: our engagement covers web applications and APIs only. If you need on-site work (internal network testing, physical assessments), that requires a provider with people in your building, and you should scope it separately. Our full local service breakdown is on the penetration testing in Sri Lanka page.
Before you spend anything: run the free scan
The cheapest first step in any VAPT purchase is free: run the Ghost Scan on your own domain before you talk to any provider, including us.
It checks your public surface across 9 categories in minutes, with no card and no signup. It is not a penetration test and we will never call it one, but it answers the question every buyer should ask first: what does my application look like from the outside right now? If you want more depth without a full engagement, a one-time $499 deep scan runs 75+ scanner modules and delivers an executive PDF in about 48 hours.
When you do need the PT half (an ISO 27001 audit, an enterprise security questionnaire, a launch, a board asking for proof), the fixed-price penetration test is the next rung: one engineer, 75 scanner modules, 5 to 7 days, free retest.
Frequently asked questions
Do Sri Lankan clients pay in LKR or USD?
We quote and bill in USD. The pentest is $2,499 fixed. The single indicative LKR conversion in the cost section of this guide is for orientation only; exchange rates move, and the USD figure is the price.
How long does a VAPT engagement take?
Published 2026 cost guides put a typical market engagement at 4 to 6 weeks from scoping to report. Our fixed-scope web and API engagement runs 5 to 7 days from kickoff to executive PDF, with a free retest after you fix.
What language is the report in?
English. All delivery is in English: the report, the walkthrough call, and the 30-day Q&A. We do not offer Sinhala or Tamil deliverables.
Does the PDPA require a penetration test?
No. The Personal Data Protection Act No. 9 of 2022 requires security safeguards and a Data Protection Management Programme, but it does not explicitly mandate penetration testing. A pentest is dated, independent evidence that your safeguards exist and were tested.