How long does a SaaS pentest take in India?

Typical durations: single web app 1–2 weeks; web + API 2–3 weeks; full stack including mobile and cloud 4–6 weeks. Pricing scales accordingly — ₹1.5L for the simplest scope, ₹6L–₹12L for full-stack engagements.

Black-box, grey-box, or white-box — which is right for SaaS?

Grey-box is the sweet spot for most B2B SaaS — the tester has credentials for typical user roles and tests authenticated flows + privilege escalation. Add white-box (with source access) for critical modules like authentication and billing. Pure black-box misses too many business-logic issues to be cost-effective.

How often should we get pentested?

Minimum annually for production SaaS. After every major release. Before SOC 2 or ISO 27001 audits. Continuous (monthly) for SaaS handling payment data, PHI, or financial data — or shipping weekly. The right cadence depends on attack surface and risk tolerance.

Is a vulnerability scan the same as a pentest?

No. A scan is automated and finds known patterns. A pentest is a human assessing business logic, multi-tenant isolation, privilege escalation, and chained exploits that scanners miss. Both are useful — scans for continuous monitoring, pentests for deep assessments.

Do pentest reports satisfy SOC 2 / ISO 27001 requirements?

Yes, when done by a qualified firm with documented methodology, findings, remediation plans, and re-test verification. Auditors want to see active vulnerability management — not just one report sitting in a folder.

Penetration Testing Checklist for Indian SaaS Companies (2026)

Most Indian SaaS founders treat penetration testing as a compliance check-box — something to do once before the enterprise sales cycle demands an attestation. That's a missed opportunity. A good pentest finds real exploitable issues that would have cost you the customer, the data, and the reputation. A bad pentest finds 47 informational-severity items, none of them exploitable, and gives you a 200-page PDF nobody acts on.

Here's a checklist for getting the good kind. Use it to scope your next engagement, evaluate vendors, and know what to demand.

Before scoping: get the basics right

Pre-pentest hygiene that vendors will quietly thank you for and that materially improves what they find:

Patch your dependencies. Run npm audit / pip-audit / bundle audit. Fix anything high or critical before the test starts. Otherwise the report wastes half its space on known CVEs.
Run an SCA scan (Snyk, Dependabot, GitHub Security). Fix obvious misconfigurations.
Check your own basics: HTTPS everywhere, secure cookies, CSP headers, HSTS, no debug pages in production, no `.git` exposed, no `.env` in the build.
Audit your secrets. git secrets or trufflehog on your repos. Fix any leaks before handing the codebase to anyone.

This costs you nothing and dramatically raises the signal-to-noise ratio of the findings.

Scoping — the most important conversation

Bad pentests start with bad scoping. Get these right:

1. Define the target precisely

Not "our SaaS product." Specifically: which URLs, which API endpoints, which mobile apps, which infrastructure (cloud account, Kubernetes cluster, VPC). Provide a written inventory. The narrower the scope, the deeper the test goes.

2. Pick the depth model

Black-box: tester knows nothing, simulates external attacker. Tests perimeter and obvious flaws. Misses business-logic issues.
Grey-box: tester has credentials for typical user roles. Tests authenticated flows and privilege escalation. Sweet spot for most SaaS.
White-box: tester has source code access and architecture diagrams. Deepest test. Best ROI for complex business logic.

For most B2B SaaS: grey-box with multiple user roles. Add white-box on critical modules (auth, billing, data access).

3. Define what's in scope and what's not

In scope: web app, API, mobile apps, cloud infra. Out of scope: physical security, social engineering (unless explicitly asked), third-party services you don't control.

Get this in writing. Saves arguments later.

4. Decide on disclosure approach

Standard: tester reports findings at end of engagement. You fix in your own time.
Real-time disclosure: tester flags critical findings immediately. You can patch during the test. Better for production systems.
Continuous: ongoing engagement with monthly reports. Right for SaaS that ships weekly.

What a real pentest must cover

The OWASP Top 10 (still relevant in 2026)

Broken Access Control — IDOR, privilege escalation, horizontal access between tenants. Critical for multi-tenant SaaS.
Cryptographic Failures — weak password hashing, secrets in URLs, unencrypted PII at rest.
Injection — SQLi, NoSQLi, command injection, LDAP injection. Less common in 2026 but still happens.
Insecure Design — the category for architecture-level issues that no scanner finds.
Security Misconfiguration — exposed admin panels, default credentials, verbose errors, missing headers.
Vulnerable and Outdated Components — libraries with known CVEs.
Identification and Authentication Failures — weak password policies, broken session management, missing MFA on admin.
Software and Data Integrity Failures — unsigned updates, untrusted CI/CD plugins, deserialization issues.
Security Logging and Monitoring Failures — events not logged, no audit trail, no detection of incidents.
Server-Side Request Forgery (SSRF) — particularly nasty in cloud environments.

SaaS-specific tests beyond OWASP

Multi-tenant isolation. Can user A from tenant 1 access tenant 2's data via any path? Test IDOR exhaustively.
API authentication and rate limiting. Can someone brute-force endpoints? Are there public endpoints that shouldn't be?
Billing and pricing bypass. Can users access features they didn't pay for? Manipulate quotas?
File upload and processing. Path traversal, server-side rendering exploits, XXE in document parsing.
Webhook security. Are incoming webhooks verified? Outgoing webhooks rate-limited?
OAuth and SSO implementations. Common source of subtle vulnerabilities.

Cloud and infra-specific

IAM permissions audit (overly broad roles, unused privileges, shared keys)
S3 / blob storage permissions (public buckets, unintended access)
Network segmentation (services exposed beyond intended scope)
Secrets in environment variables, CI/CD pipelines, code
Container security (base images, runtime privileges)
Kubernetes RBAC and network policies (if applicable)

What to demand in the report

A useful pentest report has these sections. Reject ones that don't.

Executive summary — written for non-technical readers, 1 page
Scope and methodology — exactly what was tested, what wasn't, and how
Findings — each with: title, severity, CVSS score, business impact (not just technical), reproduction steps, affected components, recommended remediation
Proof-of-concept evidence — screenshots, request/response examples, video where relevant
Risk-prioritised remediation plan — what to fix first, what can wait, what's defensible to accept
Re-test offer — confirming fixes works. Often bundled.

What to push back on: reports padded with informational-severity items that aren't exploitable. Reports that conflate "lack of security header X" with "exploitable vulnerability." Reports without business-context impact. Reports that don't tell you how to fix things.

Pricing reality for Indian SaaS pentests

Realistic 2026 ranges from competent India-based security firms:

Scope	Typical price	Duration
Single web app, grey-box	₹1.5L–₹3.5L	1–2 weeks
Web + API, grey-box, multiple roles	₹2.5L–₹5L	2–3 weeks
Web + API + 2 mobile apps	₹4L–₹7L	3 weeks
Cloud infrastructure audit (AWS/Azure/GCP)	₹2L–₹6L	1–2 weeks
Full stack: web + API + mobile + cloud	₹6L–₹12L	4–6 weeks
Continuous (monthly retainer)	₹80K–₹2L/mo	Ongoing

Below ₹1L for a real web app pentest is usually a junior with a vulnerability scanner — fine for the first round of cheap-checking, useless for serious findings.

How often should you pentest?

Before launch. Always.
Annually. Minimum for production SaaS handling any sensitive data.
After major release. New features = new attack surface.
Before SOC 2 / ISO 27001 audit. Auditors expect a recent pentest report.
Continuous for any SaaS that ships weekly or handles payment/PHI/financial data.

Acting on findings

A pentest report has zero value if nothing happens after. The post-test workflow that works:

Within 24 hours: read the executive summary and review critical findings
Within a week: assign owners and target dates for critical and high findings
Within 30 days: fix all critical findings, most high findings
Within 90 days: re-test to confirm fixes
Ongoing: include security regression checks in CI/CD for the issues found

If your team can't commit to this, you don't need a pentest yet — you need a security plan. Pentests are for organisations ready to fix what they find.

For more on our security services, see the cybersecurity overview.