
Vulnerability Assessment and Penetration Testing (VAPT)

A combined engagement that pairs breadth-first vulnerability scanning with depth-first penetration testing to produce a catalog and a proof set.

Explainer

What it is#

VAPT describes a single engagement that runs two techniques back-to-back. Vulnerability assessment sweeps the estate for known defects using signature and heuristic checks; penetration testing then targets the highest-impact findings and chains them into business-level impact. The pairing is common in regulated industries, where auditors expect both a populated finding register and at least one demonstrated exploit path per release.

Why it matters#

Scanners surface a lot of noise, and testers alone cannot scale across large attack surfaces. VAPT closes the gap by using breadth to prioritise depth: the scanner narrows the field, the tester proves what matters. Done well, it produces a shortlist of findings that ship with replayable proof-of-concept evidence rather than a CVSS score alone.

Mitigation direction#

Treat VAPT as a continuous motion, not an annual event. Wire scan output into a triage queue, gate release trains on proof-verified findings rather than raw scanner severity, and keep sample-safe (non-destructive, replayable) PoCs alongside the fixes so regression tests catch reintroductions.
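The pipeline the two sections above describe, as an added worked example (not Pentrova's code): a constructed scanner export is deduplicated into a finding register, the top findings by scanner severity form the tester's queue, sample-safe PoCs decide which findings are verified, the release gate blocks only on verified findings, and the same PoCs are replayed against a later build as regression checks. The target application, the scanner row schema, the plugin names and the two PoCs are all constructed stand-ins so the script runs offline; the two defects it models are the CSRF and race-condition patterns listed as related terms.

```python
"""VAPT as a pipeline: scanner breadth -> triage queue -> tester PoCs ->
proof-gated release -> PoCs kept as regression tests. Added illustration;
the target app, scanner rows and PoCs are constructed stand-ins."""
import hashlib
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed scanner export. Field names are an assumption, not a real tool's schema.
SCAN_EXPORT = [
    {"plugin": "csrf-missing-token", "target": "https://app.example/transfer", "cvss": 6.5},
    {"plugin": "csrf-missing-token", "target": "https://app.example/transfer", "cvss": 6.5},  # dup
    {"plugin": "race-single-use-code", "target": "https://app.example/redeem", "cvss": 5.3},
    {"plugin": "outdated-js-library", "target": "https://app.example/static/lib.js", "cvss": 4.3},
    {"plugin": "weak-tls-cipher", "target": "https://app.example:443", "cvss": 3.7},
]


@dataclass
class Finding:
    fingerprint: str
    plugin: str
    target: str
    cvss: float
    verified: bool = False          # flipped only when a PoC reproduces the defect
    poc: Optional[Callable] = None  # kept with the finding for regression replay


class FakeApp:
    """Offline stand-in for the target (constructed). Two switchable defects: a
    state-changing endpoint with no CSRF check, and a non-atomic check-then-act
    on single-use codes."""

    def __init__(self, csrf_protected: bool, atomic_redeem: bool):
        self.csrf_protected, self.atomic_redeem = csrf_protected, atomic_redeem
        self.codes = {"SAVE10"}
        self.lock = threading.Lock()

    def transfer(self, cookie: str, origin: str, token: Optional[str]) -> int:
        # 'origin' is deliberately ignored: the app relies on the cookie alone.
        if self.csrf_protected and token != "tok-" + cookie:
            return 403
        return 200 if cookie else 401

    def redeem(self, code: str) -> bool:
        if self.atomic_redeem:
            with self.lock:                 # check and act under one lock
                return bool(self.codes and self.codes.discard(code) is None and code not in self.codes) if code in self.codes else False
        seen = code in self.codes           # check ...
        time.sleep(0.05)                    # ... window in which a second request checks too ...
        if seen:
            self.codes.discard(code)        # ... then act: both requests report success
        return seen


# Sample-safe PoCs: return True only if the defect reproduces; no destructive payloads.
def poc_csrf(app: FakeApp) -> bool:
    """A cross-origin request carrying only the session cookie is accepted."""
    return app.transfer(cookie="session=abc", origin="https://evil.example", token=None) == 200


def poc_race(app: FakeApp) -> bool:
    """Two parallel redemptions of one single-use code both succeed."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        return list(pool.map(lambda _: app.redeem("SAVE10"), range(2))).count(True) > 1


POCS = {"csrf-missing-token": poc_csrf, "race-single-use-code": poc_race}


def ingest(export) -> dict:
    """Deduplicate scanner rows into a finding register keyed by fingerprint."""
    register = {}
    for row in export:
        fp = hashlib.sha256(f"{row['plugin']}|{row['target']}".encode()).hexdigest()[:12]
        register.setdefault(fp, Finding(fp, row["plugin"], row["target"], row["cvss"]))
    return register


def triage_queue(register: dict, top: int = 3) -> list:
    """Breadth narrows depth: the tester works only the top-N by scanner severity."""
    return sorted(register.values(), key=lambda f: f.cvss, reverse=True)[:top]


def verify(queue: list, app: FakeApp) -> list:
    """Tester depth: attach and run a PoC where one exists; record the verdict."""
    for f in queue:
        if f.plugin in POCS:
            f.poc = POCS[f.plugin]
            f.verified = f.poc(app)
    return queue


def release_gate(queue: list, threshold: float = 5.0):
    """Block only on proof-verified findings at or above the threshold."""
    blocking = sorted(f.plugin for f in queue if f.verified and f.cvss >= threshold)
    return (not blocking, blocking)


def regression(queue: list, app: FakeApp) -> list:
    """Replay kept PoCs against a later build; any that fire are reintroductions."""
    return sorted(f.plugin for f in queue if f.poc and f.poc(app))


if __name__ == "__main__":
    queue = verify(triage_queue(ingest(SCAN_EXPORT)), FakeApp(False, False))
    print("gate:", release_gate(queue))                       # (False, [both verified plugins])
    print("after fix:", regression(queue, FakeApp(True, True)))  # []
```

The gate deliberately ignores `outdated-js-library` even though it is in the queue: no PoC reproduced it, so it stays in the register as a finding but does not block the train. The race PoC depends on a real timing window, which is why it is kept as a replayable function rather than a screenshot.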

Related terms#

  • Cross-Site Request Forgery (CSRF)

    A defect where a cross-origin page tricks the browser into sending an authenticated request to a target site, relying on automatic cookie inclusion.

  • Race Condition

    A defect where correctness depends on the timing of concurrent operations, exploited by rapid parallel requests that bypass a business-logic check.
