VAPT SERVICE

VAPT is a standalone technical service — independent vulnerability assessment and penetration testing producing a Technical Findings Report. Certification (Guardian SecureApp™) is an ISO/IEC 17065-accredited service producing an issued certificate, public directory listing, ongoing surveillance, and Mark Usage License. Both share the same evaluators, OWASP standards, and severity classification scheme. The difference is the procedural infrastructure that turns technical evaluation into procurement-grade attestation. VAPT serves technical-validation needs; certification serves procurement-grade-evidence needs.

No. Guardian Assessment Pvt. Ltd. holds UAF accreditation under ISO/IEC 17065:2012 (52605385601, valid until 05 May 2030) for the Guardian SecureApp™ product certification scheme. This accreditation does NOT extend to VAPT — VAPT is a non-accredited commercial service. Buyers comparing Guardian VAPT to other VAPT providers should evaluate on technical capability, evaluator quality, and methodology — accreditation does not differentiate VAPT engagements.

Not within 12 months. Per ISO/IEC 17065 Clause 4.2 (impartiality requirement), Guardian cannot accept an application for Guardian SecureApp™ certification of a product within 12 months of completing a VAPT engagement on the same product. The 12 months runs from the Technical Findings Report date (or final re-verification confirmation, whichever is later) to the certification application date. Most applicants who want pre-certification testing engage non-Guardian VAPT providers, then apply to Guardian for certification.

When your need is for technical security validation rather than procurement-grade attestation. Specific scenarios: pre-release product testing (no certification possible until release); internal security validation (third-party perspective without external attestation requirement); supplementary testing alongside non-Guardian certifications; one-off procurement requirements that accept VAPT reports rather than accredited certificates; routine periodic technical testing. If procurement requires accredited certification, regulatory frameworks reference 17065-accredited evidence, or you need public verifiability and ongoing surveillance, certification is the right path.

Substantively the same at the technical evaluation level — same evaluators, same OWASP standards (ASVS, Top 10, API Top 10), same severity classification scheme (Critical / High / Medium / Low / Informational), same finding-handling discipline. The differences are procedural: VAPT has lighter documentation review, no formal application review stage, no independent Decision Authority (because no certification decision is being made), and no certificate issuance. The technical depth at the matched depth tier (Focused / Standard / Comprehensive VAPT corresponding roughly to certification Levels 1 / 2 / 3) is comparable.

The cooling-off requirement exists to manage impartiality threats per ISO/IEC 17065 Clause 4.2. Even where the consultancy-adjacent service (VAPT) was conducted with rigorous separation — Guardian VAPT does not provide remediation guidance and does not advise beyond findings reporting — the structural relationship between provider and product creates an impartiality concern that procedural separation alone cannot fully resolve. The 12-month period allows the relationship between Guardian and the product to reset before certification can proceed without compromising the certification’s procurement-grade integrity.

The 12-month cooling-off rule precludes this for the same product. Where this scenario applies, you have several options: (1) skip Guardian VAPT and proceed directly to Guardian certification — certification’s Stage 4 Technical Evaluation provides substantively the same testing depth as VAPT; (2) engage non-Guardian VAPT for the pre-certification phase, then come to Guardian for certification; (3) defer the certification application to after the cooling-off period expires. The right option depends on your timeline and procurement-driver constraints.

Executive Summary; Engagement Overview (scope, methodology, timeline, evaluators); Findings Summary (severity-classified count, distribution across OWASP categories); Detailed Findings (the principal section, with per-finding ID, severity, affected component, description, reproduction steps, evidence, standards mapping including OWASP / CWE / MITRE references, and status); Methodology Appendix (testing tools, manual approach, OWASP standards versions); Limitations Appendix (out-of-scope items, time-constrained limitations, environment-specific factors). The report is delivered as a structured PDF document.

Bespoke per engagement. Indicative durations by depth tier: Focused VAPT typically 1–3 weeks; Standard VAPT typically 3–6 weeks; Comprehensive VAPT typically 6–12 weeks. End-to-end including initial enquiry, scoping, agreement, kickoff and delivery typically adds 3–4 weeks to testing duration. Combined-surface engagements (web app + API) and multi-product engagements run longer. Specific timing is confirmed in the Engagement Plan provided after scoping.

Scope-quoted only — there are no published starting figures for Guardian VAPT pricing. Tailored pricing for your specific engagement is provided in writing during scoping conversation. Scoping conversation is no-charge and no-commitment. Pricing reflects the bespoke scope, agreed depth tier, technology stack, and any specific applicant priorities. Initiate scoping at /quote with VAPT context flagged.

Re-verification is OPTIONAL in VAPT engagements (unlike certification, where one round is included as standard). Where applicants engage Guardian for re-verification, this is scoped and quoted as additional engagement effort. Many VAPT clients self-verify their own remediation rather than engaging Guardian for re-verification — the choice depends on internal capacity and external-validation requirements. If you want Guardian re-verification, request it in scoping conversation.

Yes — pre-release products are one of the principal scenarios where VAPT is appropriate. Certification is not available for pre-release products (Guardian SecureApp™ certifies released products at specific versions); VAPT is available for products at any state, including in development. Note the cooling-off implication: pre-release VAPT for a product that will subsequently be certified by Guardian creates the 12-month bar to that subsequent certification of the same product.

Yes. Guardian’s evaluators are protocol-experienced; OWASP API Security Top 10 (the principal API normative) is API-protocol-agnostic. Specific API protocols (REST, GraphQL, gRPC, SOAP, WebSocket) are scoped during scoping conversation, with the testing methodology adapted to each protocol’s specific risk patterns (GraphQL introspection and query complexity, gRPC schema and authentication, etc.).

No. Guardian VAPT is technical findings reporting; we do not provide remediation guidance as part of VAPT, just as we do not provide remediation guidance as part of certification. The boundary is the same: identify and document; do not advise. Where applicants need remediation guidance, that is appropriately engaged with independent security consultants or relies on internal engineering capability. The boundary protects the integrity of any subsequent certification engagement (after cooling-off) and reflects our consistent impartiality discipline across services.

Yes. The Technical Findings Report is delivered to the applicant as the engagement deliverable. The applicant owns the report and may share it with customers, auditors, regulators, or other parties at the applicant’s discretion under the Engagement Agreement’s confidentiality terms. Buyers and auditors reading a shared VAPT report should evaluate it on technical merit — VAPT does not carry procurement-grade attestation weight beyond what readers independently determine.

Initiate at /quote with VAPT selected as the service type, or contact Guardian via /contact with VAPT in the message subject. Initial Enquiry to scoping conversation typically runs 3–5 business days. The scoping conversation is no-charge and no-commitment; tailored pricing and engagement-specific details are provided after scoping.