What VAPT means
VAPT — Vulnerability Assessment and Penetration Testing — is a procurement term widely used in Malaysian RFPs, ministry tenders and BNM-regulated environments. It bundles two distinct service categories under a single line item. Understanding the difference matters: it determines what you actually get, what the report shows, and whether your regulator will accept the output as evidence.
Vulnerability assessment (VA)
A vulnerability assessment is a broad, automated-led discovery of known weaknesses across the target environment. The methodology is heavy on scanning (Nessus, Qualys, Nexpose, Burp), light on manual exploitation. The output is a triaged inventory of CVEs, misconfigurations and known weaknesses, ranked by severity (typically CVSS), with remediation guidance.
VA is wide and shallow. It is cheap per host, fast, and ideal for inventory-style assurance — "what known weaknesses exist across these 800 servers right now?" It does not prove exploitability. Two findings rated CVSS 9.8 may behave very differently in your environment: one may be unreachable, the other may be the path into a privileged account. VA does not tell you which is which. See our VA service.
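An added example, not code from the original page or from any scanner vendor, of the point above: two findings with the same CVSS 9.8 base score are re-ranked with environmental context, so the ones that need manual exploitation by the PT component are separated from those that can go straight to patching or be deferred. The hosts, CVE ids, tier weights and thresholds are constructed placeholders, not real scan data.

```python
from dataclasses import dataclass

# Constructed VA scanner output (hypothetical hosts, CVE ids and scores):
# the same CVSS base score can carry very different real risk depending on
# where the host sits, whether the service is reachable and what protects it.
@dataclass
class Finding:
    host: str
    cve: str
    cvss_base: float
    internet_facing: bool    # reachable from outside the perimeter?
    asset_tier: str          # "critical", "standard" or "low"
    reachable_service: bool  # is the vulnerable service actually reachable?
    public_exploit: bool     # is a working exploit publicly available?

# Assumed weighting policy; tune to the organisation's own risk appetite.
TIER_WEIGHT = {"critical": 1.0, "standard": 0.8, "low": 0.6}

def contextual_score(f: Finding) -> float:
    """CVSS base score adjusted for context: an unreachable service is deferred
    (0.0); otherwise scale by asset criticality, nudge up for internet exposure
    and public exploit availability, cap at 10.0."""
    if not f.reachable_service:
        return 0.0
    score = f.cvss_base * TIER_WEIGHT.get(f.asset_tier, 0.8)
    if f.internet_facing:
        score += 1.0
    if f.public_exploit:
        score += 0.5
    return round(min(score, 10.0), 1)

def triage(findings):
    """Split findings into (manual validation, patch queue, deferred)."""
    manual, patch, deferred = [], [], []
    for f in findings:
        s = contextual_score(f)
        if s == 0.0:
            deferred.append(f)
        elif s >= 8.0 and (f.internet_facing or f.asset_tier == "critical"):
            manual.append(f)   # hand to the PT component: prove the attack path
        else:
            patch.append(f)
    return manual, patch, deferred

SAMPLE = [  # two CVSS 9.8 findings with very different real-world priority
    Finding("web-01", "CVE-0000-0001", 9.8, True, "critical", True, True),
    Finding("db-07", "CVE-0000-0002", 9.8, False, "standard", False, False),
    Finding("file-03", "CVE-0000-0003", 7.5, False, "low", True, False),
]
```

Only the internet-facing critical host lands in the manual-validation queue; the other 9.8 is deferred because its vulnerable service is not reachable, which is exactly the distinction a scanner-only VA cannot make.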
Penetration testing (PT)
A penetration test is a focused, manual-led exercise that combines automated discovery with skilled human exploitation. The methodology follows CREST, OWASP and PTES patterns: reconnaissance, mapping, vulnerability discovery, exploitation, post-exploitation, reporting. The deliverable is a narrative — "here is the attack path, here is the evidence, here is what an attacker would actually achieve".
PT is narrow and deep. It is more expensive per target, slower, and ideal for assurance-style questions — "does this system, in this environment, with these defenders, actually resist a competent attacker?" Subtypes include web application, mobile, API, network, cloud, wireless, social engineering, IoT, OT/ICS, red team and intelligence-led tests. See our penetration testing service.
Why VAPT became umbrella terminology
In Malaysian procurement, VAPT became shorthand because most engagements need both. A pure VA misses what an attacker actually does. A pure PT may miss the wide inventory questions a CISO has to answer for the board. Bundling them in a single scope makes commercial sense — but only if the RFP clearly specifies the depth and breadth expected of each component.
The risk of unclear VAPT scoping is well known to Malaysian buyers: providers can deliver a heavy VA with light manual validation, call it VAPT, and meet the letter of the procurement document while missing the assurance objective. The fix is to specify CREST methodology, lead-tester credentials and a minimum proportion of effort spent on manual exploitation in the contract.
BNM RMiT and PDPA expectations
Bank Negara Malaysia's RMiT Policy Document sets expectations for security testing across the technology risk lifecycle. The relevant chapters require regular vulnerability assessments and penetration tests, with frequency calibrated to risk, criticality and change. Examiners look for evidence of:
- Annual external-facing penetration tests at minimum
- Independent providers with recognised credentials (CREST or equivalent)
- Findings tracked to remediation with executive oversight
- Re-test or validation of high-severity findings
- Intelligence-led testing for critical systems under paragraph 10.49 — separate from baseline VAPT
The PDPA 2024 amendments raise the bar on data-protection accountability. While the Act does not prescribe a VAPT cadence, it expects organisations holding personal data to implement appropriate security measures — VAPT is the most defensible evidence that this obligation is being tested, especially in the context of a breach notification investigation.
Frequency cadence
- VA — monthly to quarterly on external attack surface; quarterly on internal critical estate; on-demand after major change.
- PT — at least annually on internet-facing systems and customer-facing applications; after major architectural change; after a significant deployment of new functionality.
- PCI DSS — Requirement 11.4 sets specific frequency expectations for cardholder data environments.
- Intelligence-led test — every 18-24 months for BNM-supervised entities, scope proportionate to threat profile.
What a good VAPT report looks like
A defensible VAPT report has — at minimum — the following structure:
- Executive summary (board-ready)
- Scope, methodology and tooling, with date and lead-tester credentials
- Findings with CVSS, business-impact rating, evidence (screenshots, requests, payloads), recommendation, retest status
- Attack narrative — chained finding sequences showing the path an attacker would take
- Remediation roadmap with priorities and time-bands
- Appendices: target inventory, tooling, false-positive log, regulator-mapped findings
Procurement tips
When you write a Malaysian VAPT tender, specify: CREST member firm requirement, lead-tester certifications (OSCP/CREST CRT minimum, CREST CCT for complex scope), report methodology, evidence of prior similar engagements (sector and regulatory environment), retest inclusion, indemnification limits, and the regulatory framework the report must support (RMiT, PCI DSS, ISO 27001, NIST). Avoid pure-price selection — the gap between a CREST pentest and a glorified scan is enormous, but it does not show until something fails. See our companion piece on VAPT service scoping.