PTaaS Pricing in INR: Continuous vs Annual Pentest TCO

Rajan Kumbhani
By Rajan KumbhaniFeb 20, 202614 Min Read

In 2026, the median Indian B2B SaaS pushes 60 to 200 production deployments a month, and CERT-In's April 2022 Directions under Section 70B still expect regulated entities to maintain logs, report incidents inside six hours, and know their security posture between audits. The annual pentest contract your CFO signed in April was built for a once-a-year ISO 27001 cycle. By June, half the code it reviewed no longer exists, the auditor's evidence is valid but your runtime posture is not, and the next enterprise buyer is asking for SOC 2 Type II period-of-time evidence you cannot produce. So which model actually costs less once retest fees, stale findings, and audit gaps are on the same spreadsheet? This post puts credit-pack PTaaS, flat subscriptions, hybrid PTaaS, and a traditional annual engagement side by side in INR, with two worked TCO examples from real 2025 engagements, and tells you exactly when each one wins.

Why the annual pentest math is broken for weekly-release teams

The traditional Indian VAPT contract was built for an annual ISO 27001 audit cycle, not for a SaaS or fintech that pushes 40 to 200 production deployments a month. CERT-In's April 2022 Directions under Section 70B require regulated entities and their service providers to maintain logs and report incidents within six hours, which assumes the security posture between audits is actually known. It rarely is.

The math is simple. A typical annual external plus web application pentest from a CERT-In empanelled firm costs INR 3.5 to 9 lakh for a single web app and one set of APIs, plus INR 75,000 to 1.8 lakh per retest after remediation. If your team merges 60 PRs a month, the report you signed in April reflects code that no longer exists by June. The auditor's evidence is valid; your runtime posture is not. The RBI's Cyber Security Framework for UCBs and Master Direction on IT Governance require periodic VAPT and "continuous monitoring of risks," wording that an internal auditor will increasingly read as "you cannot defend a 12-month gap." SEBI's CSCRF for regulated entities is even more explicit on cadence for critical systems. The 2023 attack on AIIMS Delhi, the BigBasket credential leak, and the repeat ransomware hits on Indian co-operative banks all share a pattern: a pentest existed on paper, but the attack surface that got breached was deployed after it. The argument for moving to continuous penetration testing services is not philosophical. It is that the unit economics of one-shot annual VAPT no longer match the release cadence of any serious Indian SaaS or BFSI engineering org.

One annual pentest leaves 11 months of post-audit code unverified for SaaS teams pushing 60 to 200 deployments a month.
One annual pentest leaves 11 months of post-audit code unverified for SaaS teams pushing 60 to 200 deployments a month.

The three PTaaS pricing models you will see in Indian quotes

Most Indian PTaaS vendors price one of three ways. Understanding the structure matters because the same scope can vary by 40 to 60 percent depending on the model.

Credit-pack PTaaS sells blocks of testing hours or "credits" that you draw down against scopes as you launch features. A single credit typically buys 4 to 8 hours of OSCP-led offensive engineering. Credit packs in India usually start at INR 4.5 to 6 lakh for 80 credits and scale to INR 22 to 30 lakh for 400 credits, with unused credits rolling for 12 months. This model fits teams whose release cadence is bursty: heavy in Q2 and Q4, quiet in Q1. Flat-subscription PTaaS charges an annual or quarterly fee per asset, regardless of how often you test. Indian pricing typically lands at INR 90,000 to 1.6 lakh per asset per year, where an asset is a web app, mobile app, external network range, or microservice cluster up to a defined size. A 12-asset SaaS estate runs INR 11 to 19 lakh annually. This model fits teams that want a predictable line item and unlimited retests inside scope. Hybrid PTaaS combines a baseline subscription (attack-surface monitoring, retest workflow, dashboard) with credits for deep manual engagements. This is what most Certbar BFSI clients buy because RBI and IRDAI examiners want named "annual comprehensive VAPT" plus continuous coverage, and hybrid maps cleanly to both line items. Pricing typically lands at INR 14 to 26 lakh per year for a regulated mid-market estate.

Three Indian PTaaS pricing structures with their annual INR ranges, mapped to the buyer profile each one fits.
Three Indian PTaaS pricing structures with their annual INR ranges, mapped to the buyer profile each one fits.

The three inputs that drive your INR quote

Three variables explain roughly 85 percent of the variance in PTaaS quotes we see across 1,200+ Certbar engagements. Anchor your buying conversation on these and the "request a demo" pricing fog clears fast.

Asset count and complexity. A "microservice" billed at 1 credit and a "microservice" with its own auth, payment integration, and admin console billed at 4 credits are very different things. Ask the vendor for a written asset classification rubric. At Certbar we classify by OWASP ASVS Level (1, 2, or 3), authenticated role count, and data sensitivity under DPDPA Section 2(t) "personal data" definitions. A 40-microservice estate where 8 services touch payment data and 32 are internal CRUD will price closer to a 15-asset estate, not a 40-asset one. Release cadence. Weekly releases need named, on-demand retests within 5 business days; fortnightly cadence can tolerate a 10-day SLA; monthly cadence works fine on a 15-day SLA. Faster SLAs add 15 to 25 percent to the base. This is where annual pentest math truly breaks. You cannot retest 24 times a year at INR 1.2 lakh per retest without exceeding any PTaaS subscription. Compliance regime. A CERT-In empanelled report (we are listed on the official CERT-In empanelled auditors list) for a SaaS export deal is a different artefact from an RBI Cyber Security Framework attestation for a Payment Aggregator or an SEBI CSCRF report for a stock broker. Mapping to OWASP ASVS, MITRE ATT&CK, ISO 27001:2022 Annex A.8.29, and the client's framework adds 8 to 15 percent in reporting time but is non-negotiable for regulated buyers. DPDPA-aligned data-flow review for personal data processors became table stakes after the Act's enforcement rules.

A clean INR quote tells you, line by line: assets in scope (with classification), credits or retests included, SLA for retest, frameworks the report maps to, and the rate card for out-of-scope work. If a vendor cannot put that in writing, the "saving" you are negotiating is imaginary.

Asset complexity, release cadence, and compliance regime explain roughly 85 percent of the variance in any Indian PTaaS
Asset complexity, release cadence, and compliance regime explain roughly 85 percent of the variance in any Indian PTaaS quote.

Worked example: a 40-microservice Indian SaaS on fortnightly releases

Consider a Bengaluru-headquartered B2B SaaS, ARR around INR 60 crore, that runs 40 microservices behind a single tenant API gateway. They release fortnightly. Their buyer in Germany wants a SOC 2 Type II report; their Indian enterprise buyers want CERT-In empanelled VAPT for DPDPA evidence. They had been paying for one annual web plus API pentest and ad-hoc retests.

Annual model TCO (real numbers from a 2025 engagement): Comprehensive web plus API pentest: INR 7.5 lakh External network plus cloud config review: INR 2.2 lakh Mobile (iOS plus Android) pentest: INR 3.4 lakh Retests across the year (8 cycles at INR 1.1 lakh each): INR 8.8 lakh Two emergency out-of-cycle tests (Black Friday plus post-incident): INR 4.6 lakh Total: INR 26.5 lakh with stale findings between cycles and audit gaps in Q3. PTaaS hybrid model TCO for the same scope: Baseline subscription (attack surface monitoring, dashboard, unlimited retests, CERT-In plus SOC 2 plus DPDPA mapping): INR 14 lakh Credit pack of 160 credits for deep manual engagements: INR 8.5 lakh Overage cushion: INR 1.5 lakh Total: INR 24 lakh with 26 retest cycles, continuous coverage, and quarterly board-ready briefs. The headline saving is only 9 percent. The real value is that the team retired five P1 vulnerabilities in 11 days that would otherwise have lived for 90 to 180 days under the annual model. Certbar's web application penetration testing workflow on the same client cut median time-to-fix from 41 days to 9.

Side by side, the hybrid PTaaS saves 9 percent in headline TCO while cutting median time-to-fix from 41 days to 9.
Side by side, the hybrid PTaaS saves 9 percent in headline TCO while cutting median time-to-fix from 41 days to 9.

Worked example: a mid-size NBFC under RBI plus CERT-In scope

A Mumbai-headquartered NBFC with a digital lending product, asset book around INR 1,200 crore, falls under the RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (November 2023). They process Aadhaar-linked KYC data, so DPDPA exposure is significant. Their internal auditor requires named annual comprehensive VAPT plus evidence of continuous testing on the lending APIs.

Annual-only model: Annual comprehensive VAPT (web, mobile, network, cloud): INR 11.5 lakh Quarterly external plus DAST sweeps (4 x INR 1.8 lakh): INR 7.2 lakh Retests (6 cycles): INR 6.6 lakh Pre-RBI inspection focused test: INR 3.5 lakh Source code review for one critical service: INR 4 lakh Total: INR 32.8 lakh PTaaS hybrid for the same scope: BFSI baseline subscription with RBI Cyber Security Framework plus DPDPA plus ISO 27001:2022 Annex A.8.29 mapping: INR 18 lakh Annual comprehensive VAPT named line item (still required for examiner): INR 6.5 lakh inside contract Credit pack for source code review and red-team adversarial test: INR 5 lakh Total: INR 24.5 lakh The NBFC saved 25 percent and, more importantly, walked into its 2026 RBI IT examination with a 12-month continuous testing log instead of one report and four DAST PDFs. Inspectors who have read the December 2024 RBI guidance on operational resilience now expect that log. Pair the testing log with 24/7 SOC monitoring evidence and the examiner conversation gets shorter still.

Stacked TCO bars for a Mumbai NBFC show a 25 percent saving plus a 12-month continuous testing log for RBI examiners.
Stacked TCO bars for a Mumbai NBFC show a 25 percent saving plus a 12-month continuous testing log for RBI examiners.

The hidden costs that hide inside every annual proposal

Three cost lines never appear in the annual proposal but always appear in the final invoice. Buyers who only compare headline numbers consistently underestimate annual TCO by 30 to 45 percent.

Retest fees. Most Indian boutique vendors price retests at 15 to 25 percent of the original engagement value. Fix a P1 SQL injection in 48 hours, raise a retest ticket, and you pay INR 1 to 2 lakh to confirm the fix. PTaaS subscriptions bundle this. Over a year, retests alone can hit INR 8 to 12 lakh on a mid-size estate. Stale findings. A finding discovered in March and "closed" in the April report may have been re-introduced by a refactor in July. Without continuous retesting, that finding is unknown until the next annual cycle. The IBM Cost of a Data Breach Report consistently puts the average global cost of a breach above USD 4 million, with India-specific figures rising year on year and a known correlation between time-to-detect and total cost. Every month a known-fixed-then-regressed vulnerability lives in production is uninsured exposure. Audit gaps. SOC 2 CC7.1, ISO 27001:2022 Annex A.8.29, and the RBI framework all require evidence of testing across the audit period, not just at a point in time. Buyers regularly fail SOC 2 Type II observations because they ran one pentest in month 1 of a 12-month window. The remediation is either an unplanned mid-year pentest (INR 4 to 8 lakh) or a qualified opinion that costs the next enterprise deal. PTaaS subscriptions produce period-of-time evidence by default.

A defensible annual TCO calculation includes retest fees, regression risk, and audit-window evidence. Once you add all three, the headline saving over PTaaS usually disappears or inverts. The buyer error is not choosing the wrong model. It is comparing the wrong line items.

Retest fees, stale findings, and audit gaps add 30 to 45 percent to the headline annual proposal once the final invoice
Retest fees, stale findings, and audit gaps add 30 to 45 percent to the headline annual proposal once the final invoice arrives.

When the annual model still wins (the honest anti-PTaaS scenarios)

PTaaS is not the answer for every Indian buyer, and saying otherwise is the marketing fluff this blog explicitly rejects. There are at least four scenarios where a one-shot annual engagement is the right call.

Single product, quarterly or slower releases. A traditional enterprise software product on a 90 to 180 day release cycle does not need 24 retests. One thorough annual pentest plus one pre-release test covers the actual risk surface. PTaaS overhead is wasted spend. Pre-investment due diligence. Acquirers and PE diligence teams want a single, time-stamped, named-partner report. A focused 6 to 10 day engagement with a board-ready brief and a technical appendix is the right artefact. We deliver this as a fixed-scope penetration testing services engagement, not a subscription. Single regulated checkbox. If your only driver is the once-a-year line item on an ISO 27001 surveillance audit or a one-off PCI DSS 4.0 11.4.3 external pentest for a low-transaction merchant, the annual engagement maps cleanly to the requirement. Buying a subscription would over-engineer the compliance need. Greenfield product before launch. Pre-production code with no live traffic does not need continuous testing. It needs one comprehensive pre-launch test and a threat model, mapped to OWASP Top 10 and the relevant data protection regime. Move to PTaaS once you have production users and a release cadence faster than quarterly.

The decision rule we give clients is simple: if you release faster than once a quarter, or you are in BFSI under RBI, SEBI, or IRDAI continuous-testing language, or you sell into enterprise buyers who want period-of-time SOC 2 evidence, PTaaS economics win. Otherwise, a well-scoped annual engagement is the right buy. Honest scoping beats a clever subscription.

Four buyer profiles where the annual model still wins, paired against four PTaaS-winning scenarios from the same blog.
Four buyer profiles where the annual model still wins, paired against four PTaaS-winning scenarios from the same blog.

How to read an INR rate card without falling for "request a demo" fog

A defensible PTaaS rate card answers six questions on the first call, in writing, without an NDA dance that delays your buying timeline.

Assets in scope, with classification. OWASP ASVS Level, authenticated role count, and DPDPA Section 2(t) data sensitivity for each. No flat "per asset" pricing without a rubric. Credits or retests included. A number, not a vague "unlimited within reason." If credits, the conversion rate to testing hours and the rollover policy. Retest SLA in business days. 5, 10, or 15. Anything faster is a premium line item. Frameworks the report maps to. CERT-In, SOC 2 CC7.1, ISO 27001:2022 Annex A.8.29, RBI Cyber Security Framework, SEBI CSCRF, DPDPA, PCI DSS 4.0. Mapping is reporting work; it should be costed, not free. Rate card for out-of-scope work. Red-team adversarial test, source code review, AI risk assessment , mobile, cloud config review. INR per credit or per day. Examiner-ready artefacts. The named "annual comprehensive VAPT" PDF that an RBI or IRDAI inspector will accept, separate from the continuous dashboard.

If a vendor refuses to put any of those six in writing on the first call, the cheapest line item in their proposal is the most expensive part of the contract. Certbar publishes its INR rate card to qualified buyers under NDA on the first call, mapped to your asset count, release cadence, and compliance regime. There is no "request a demo" pricing fog. If you want a worked TCO comparison for your specific estate, including a named CERT-In empanelled report and mapping to your audit framework, talk to our team via Certbar's penetration testing services hub. We will tell you on the first call whether PTaaS or an annual engagement is the right buy, even when the answer means a smaller contract.

Rajan Kumbhani
Rajan KumbhaniProfessional Service Manager
linkedin

Rajan Kumbhani, distinguished cybersecurity professional excelling in web app penetration testing and IoT. Project Manager at Certbar Security, passionate about community initiatives in Seaside Goa.

Share

Share to Microsoft Teams

Related security services

FAQs

Frequently Asked Questions

For a mid-size Indian SaaS with 10 to 40 assets and fortnightly releases, expect INR 14 to 26 lakh per year for a hybrid PTaaS subscription with unlimited retests, CERT-In empanelled reporting and mapping to SOC 2 plus DPDPA. Pure credit-pack models start lower at INR 4.5 lakh but scale with consumption.