VAPT Execution SOP
Standard Operating Procedure for Vulnerability Assessment and Penetration Testing
| Field | Value |
|---|---|
| Document ID | SOP-007 |
| Classification | Internal |
| Owner | SRE + External Auditor |
| Effective Date | April 2026 |
| Review Cycle | Semi-Annual |
Owner: CTO / DevOps | Review: Annual | Effective: April 2026
Purpose
Process for planning, executing, and reporting VAPT across Wealthy’s infrastructure and applications.
Scope
- Web applications (wealthy.in, partner portals, backoffice tools)
- Mobile apps (Hive, Hail — Android/iOS)
- Public and partner-facing APIs
- Infrastructure (GKE, Cloud SQL, Redis, VPN)
- Cloud configuration (GCP/AWS IAM, VPC, firewall rules)
VAPT Schedule
- Annual VAPT — Conducted once every year
- Ad-hoc VAPT — Performed based on audit requirements, security incidents, major changes, or business needs
Vendor Requirements
- CERT-In empaneled
- Certified testers
- NDA signed
Pre-Assessment Setup
DevOps prepares:
- Target list (URLs, APIs, IP ranges, app packages)
- Dedicated test accounts
- Temporary IP whitelisting for testers
- VPN access (if needed)
- Enhanced logging during testing
Rules of engagement:
- No DoS/DDoS
- No production data changes
- Immediate notification for critical findings
- All test artifacts removed after testing
Testing Methodology
- Recon — Enumeration, fingerprinting, port scanning
- Vulnerability Assessment — Automated scanning, config review
- Penetration Testing — Auth, privilege escalation, injection, business logic, API, mobile
- Post-Exploitation (if authorized) — Lateral movement, impact validation
Vulnerability Classification
| Severity | Examples |
|---|---|
| Critical | RCE, SQL injection, auth bypass |
| High | Privilege escalation, stored XSS, SSRF |
| Medium | Reflected XSS, CSRF, info disclosure |
| Low | Missing headers, verbose errors |
Report Requirements
Vendor report must include:
- Executive summary with key findings
- Detailed findings with severity, steps to reproduce, and fix recommendations
- Vulnerability summary by severity
- Remediation roadmap
Delivery: Draft within 1 week → Review meeting → Final report within 1 week
Handling: Confidential — shared only with CTO and remediation team.
Post-Testing Cleanup
Within 24 hours:
- Revoke tester accounts and VPN access
- Remove IP whitelisting
- Verify no test artifacts remain
Re-Testing
| Severity | Fix Deadline | Re-Test |
|---|---|---|
| Critical | 15 days | 1 week after fix |
| High | 30 days | 2 weeks after fix |
| Medium | 60 days | Next VAPT cycle |
| Low | 90 days | Next VAPT cycle |
Failed re-tests go back to remediation.
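As an added illustration, not part of this SOP, the following Python tracker applies the fix-deadline and re-test rules above to individual findings and flags the ones that are overdue. Finding identifiers and dates are constructed, and it assumes that a finding sent back to remediation after a failed re-test keeps its original fix deadline (the SOP does not say otherwise).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Fix deadlines (days from final report) per the Re-Testing table.
FIX_DEADLINE_DAYS = {"Critical": 15, "High": 30, "Medium": 60, "Low": 90}
# Re-test windows (days after fix); Medium/Low wait for the next VAPT cycle.
RETEST_AFTER_FIX_DAYS = {"Critical": 7, "High": 14}


@dataclass
class Finding:
    ident: str                 # constructed id, e.g. "VAPT-001"
    severity: str              # Critical / High / Medium / Low
    reported: date             # date the final vendor report was delivered
    fixed: Optional[date] = None
    state: str = "open"        # open -> fixed -> verified, or back to open
    retest_failures: int = 0

    def fix_deadline(self) -> date:
        return self.reported + timedelta(days=FIX_DEADLINE_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        # Only unfixed findings can be overdue; the deadline does not reset.
        return self.state == "open" and today > self.fix_deadline()

    def mark_fixed(self, on: date) -> None:
        self.fixed = on
        self.state = "fixed"

    def retest_due(self) -> Optional[date]:
        """Date the re-test is due; None means 'next VAPT cycle'."""
        if self.state != "fixed" or self.severity not in RETEST_AFTER_FIX_DAYS:
            return None
        return self.fixed + timedelta(days=RETEST_AFTER_FIX_DAYS[self.severity])

    def record_retest(self, passed: bool) -> str:
        if self.state != "fixed":
            raise ValueError("re-test only applies to findings marked fixed")
        if passed:
            self.state = "verified"
        else:
            # Failed re-tests go back to remediation.
            self.retest_failures += 1
            self.fixed = None
            self.state = "open"
        return self.state


def overdue_findings(findings: Iterable[Finding], today: date) -> List[str]:
    """Identifiers of findings past their fix deadline, sorted."""
    return sorted(f.ident for f in findings if f.is_overdue(today))
```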
Roles
| Role | Responsibility |
|---|---|
| CTO | Strategy, vendor approval, report sign-off |
| DevOps | Scoping, coordination, access, testing support, cleanup |
| Engineering | Application support, remediation |
| VAPT Vendor | Testing, reports, re-tests |
Contact: security@wealthy.in