PTaaS Pricing in INR: Continuous vs Annual Pentest TCO

By Nirav Goti, Jun 16, 2026, 11 min read

If your team ships every week or fortnight, an annual pentest priced at INR 4 to 12 lakh per engagement is paying for a snapshot that goes stale in 14 days. Credit-pack PTaaS, billed in INR against asset count and release cadence, typically lands at INR 8 to 28 lakh per year for a mid-size SaaS or NBFC but covers 12 to 24 retest cycles, continuous attack surface review and audit evidence aligned to CERT-In, DPDPA and the RBI Cyber Security Framework. This post puts both models on the same spreadsheet and shows where each one wins.

The Annual Pentest Math Is Broken for Weekly-Release Teams

The traditional Indian VAPT contract was built for an annual ISO 27001 audit cycle, not for a SaaS or fintech that pushes 40 to 200 production deployments a month. CERT-In's April 2022 Directions under Section 70B require regulated entities and their service providers to maintain logs and report incidents within six hours, which assumes the security posture between audits is actually known. It rarely is.

The math is simple. A typical annual external + web application pentest from a CERT-In empanelled firm costs INR 3.5 to 9 lakh for a single web app and one set of APIs, plus INR 75,000 to 1.8 lakh per retest after remediation. If your team merges 60 PRs a month, the report you signed in April reflects code that no longer exists by June. The auditor's evidence is valid; your runtime posture is not.

The RBI's Cyber Security Framework for UCBs and Master Direction on IT Governance require periodic VAPT and "continuous monitoring of risks," wording that an internal auditor will increasingly read as "you cannot defend a 12-month gap." SEBI's CSCRF for regulated entities is even more explicit on cadence for critical systems. The 2023 attack on AIIMS Delhi, the BigBasket credential leak, and the repeat ransomware hits on Indian co-operative banks all share a pattern: a pentest existed on paper, but the attack surface that got breached was deployed after it.

The argument for moving to continuous penetration testing services is not philosophical. It is that the unit economics of one-shot annual VAPT no longer match the release cadence of any serious Indian SaaS or BFSI engineering org.

PTaaS Pricing Models: Credit Pack, Flat Subscription, Hybrid

Most Indian PTaaS vendors price one of three ways. Understanding the structure matters because the same scope can vary by 40 to 60 percent depending on the model.

Credit-pack PTaaS sells blocks of testing hours or "credits" that you draw down against scopes as you launch features. A single credit typically buys 4 to 8 hours of OSCP-led offensive engineering. Credit packs in India usually start at INR 4.5 to 6 lakh for 80 credits and scale to INR 22 to 30 lakh for 400 credits, with unused credits rolling for 12 months. This model fits teams whose release cadence is bursty: heavy in Q2 and Q4, quiet in Q1.

Flat-subscription PTaaS charges an annual or quarterly fee per asset, regardless of how often you test. Indian pricing typically lands at INR 90,000 to 1.6 lakh per asset per year, where an asset is a web app, mobile app, external network range, or microservice cluster up to a defined size. A 12-asset SaaS estate runs INR 11 to 19 lakh annually. This model fits teams that want a predictable line item and unlimited retests inside scope.

Hybrid PTaaS combines a baseline subscription (covering attack-surface monitoring, retest workflow, and the dashboard) with credits for deep manual engagements. This is what most Certbar BFSI clients buy because RBI and IRDAI examiners want named "annual comprehensive VAPT" plus continuous coverage, and hybrid maps cleanly to both line items. Pricing typically lands at INR 14 to 26 lakh per year for a regulated mid-market estate.

Model             | Starting INR (annual) | Best fit
Credit pack       | INR 4.5 - 30 lakh     | Bursty SaaS release cadence
Flat subscription | INR 11 - 19 lakh      | Steady multi-app SaaS
Hybrid            | INR 14 - 26 lakh      | BFSI under RBI / IRDAI / SEBI

Inputs That Drive Your INR Quote: Assets, Cadence, Compliance Regime

Three variables explain roughly 85 percent of the variance in PTaaS quotes we see across 1,200+ Certbar engagements. Anchor your buying conversation on these and the "request a demo" pricing fog clears fast.

Asset count and complexity. A "microservice" billed at 1 credit and a "microservice" with its own auth, payment integration and admin console billed at 4 credits are very different things. Ask the vendor for a written asset classification rubric. At Certbar we classify by OWASP ASVS Level (1, 2, or 3), authenticated role count, and data sensitivity under DPDPA Section 2(t) "personal data" definitions. A 40-microservice estate where 8 services touch payment data and 32 are internal CRUD will price closer to a 15-asset estate, not a 40-asset one.

Release cadence. Weekly releases need named, on-demand retests within 5 business days; fortnightly cadence can tolerate a 10-day SLA; monthly cadence works fine on a 15-day SLA. Faster SLAs add 15 to 25 percent to the base. This is where annual pentest math truly breaks — you cannot retest 24 times a year at INR 1.2 lakh per retest without exceeding any PTaaS subscription.

Compliance regime. A CERT-In empanelled report (we are listed on the official CERT-In empanelled auditors list) for a SaaS export deal is a different artefact from an RBI Cyber Security Framework attestation for a Payment Aggregator or an SEBI CSCRF report for a stock broker. Mapping to OWASP ASVS, MITRE ATT&CK, ISO 27001:2022 Annex A.8.29 and the client's framework adds 8 to 15 percent in reporting time but is non-negotiable for regulated buyers. DPDPA-aligned data-flow review for personal data processors became table stakes after the Act's enforcement rules.

A clean INR quote tells you, line by line: assets in scope (with classification), credits or retests included, SLA for retest, frameworks the report maps to, and the rate card for out-of-scope work. If a vendor cannot put that in writing, the "saving" you are negotiating is imaginary.

Worked Example: A 40-Microservice Indian SaaS on Fortnightly Releases

Consider a Bengaluru-headquartered B2B SaaS, ARR around INR 60 crore, that runs 40 microservices behind a single-tenant API gateway. They release fortnightly. Their buyer in Germany wants a SOC 2 Type II report; their Indian enterprise buyers want CERT-In empanelled VAPT for DPDPA evidence. They had been paying for one annual web + API pentest and ad-hoc retests.

Annual model TCO (real numbers from a 2025 engagement):

  • Comprehensive web + API pentest: INR 7.5 lakh
  • External network + cloud config review: INR 2.2 lakh
  • Mobile (iOS + Android) pentest: INR 3.4 lakh
  • Retests across the year (8 cycles at INR 1.1 lakh each): INR 8.8 lakh
  • Two emergency out-of-cycle tests (Black Friday + post-incident): INR 4.6 lakh
  • Total: INR 26.5 lakh with stale findings between cycles and audit gaps in Q3.

PTaaS hybrid model TCO for the same scope:

  • Baseline subscription (attack surface monitoring, dashboard, unlimited retests, CERT-In + SOC 2 + DPDPA mapping): INR 14 lakh
  • Credit pack of 160 credits for deep manual engagements: INR 8.5 lakh
  • Overage cushion: INR 1.5 lakh
  • Total: INR 24 lakh with 26 retest cycles, continuous coverage and quarterly board-ready briefs.

The headline saving is only 9 percent. The real value is that the team retired five P1 vulnerabilities in 11 days that would otherwise have lived for 90 to 180 days under the annual model. Certbar's web application penetration testing workflow on the same client cut median time-to-fix from 41 days to 9.

Worked Example: A Mid-size NBFC Under RBI + CERT-In Scope

A Mumbai-headquartered NBFC with a digital lending product, asset book around INR 1,200 crore, falls under the RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (November 2023). They process Aadhaar-linked KYC data, so DPDPA exposure is significant. Their internal auditor requires named annual comprehensive VAPT plus evidence of continuous testing on the lending APIs.

Annual-only model:

  • Annual comprehensive VAPT (web, mobile, network, cloud): INR 11.5 lakh
  • Quarterly external + DAST sweeps (4 x INR 1.8 lakh): INR 7.2 lakh
  • Retests (6 cycles): INR 6.6 lakh
  • Pre-RBI inspection focused test: INR 3.5 lakh
  • Source code review for one critical service: INR 4 lakh
  • Total: INR 32.8 lakh

PTaaS hybrid for the same scope:

  • BFSI baseline subscription with RBI Cyber Security Framework + DPDPA + ISO 27001:2022 Annex A.8.29 mapping: INR 18 lakh
  • Annual comprehensive VAPT named line item (still required for examiner): INR 6.5 lakh inside contract
  • Credit pack for source code review and red-team adversarial test: INR 5 lakh
  • Total: INR 24.5 lakh

The NBFC saved 25 percent and, more importantly, walked into its 2026 RBI IT examination with a 12-month continuous testing log instead of one report and four DAST PDFs. Inspectors who have read the December 2024 RBI guidance on operational resilience now expect that log.

Hidden Costs of Annual Pentests: Retest Fees, Stale Findings, Audit Gaps

Three cost lines never appear in the annual proposal but always appear in the final invoice. Buyers who only compare headline numbers consistently underestimate annual TCO by 30 to 45 percent.

Retest fees. Most Indian boutique vendors price retests at 15 to 25 percent of the original engagement value. Fix a P1 SQL injection in 48 hours, raise a retest ticket, and you pay INR 1 to 2 lakh to confirm the fix. PTaaS subscriptions bundle this. Over a year, retests alone can hit INR 8 to 12 lakh on a mid-size estate.

Stale findings. A finding discovered in March and "closed" in the April report may have been re-introduced by a refactor in July. Without continuous retesting, that finding is unknown until the next annual cycle. The IBM Cost of a Data Breach Report consistently puts the average global cost of a breach above USD 4 million, with India-specific figures rising year on year and a known correlation between time-to-detect and total cost. Every month a known-fixed-then-regressed vulnerability lives in production is uninsured exposure.

Audit gaps. SOC 2 CC7.1, ISO 27001:2022 Annex A.8.29 and the RBI framework all require evidence of testing across the audit period, not just at a point in time. Buyers regularly fail SOC 2 Type II observations because they ran one pentest in month 1 of a 12-month window. The remediation is either an unplanned mid-year pentest (INR 4 to 8 lakh) or a qualified opinion that costs the next enterprise deal. PTaaS subscriptions produce period-of-time evidence by default.

A defensible annual TCO calculation includes all three. Once you add them, the headline saving over PTaaS usually disappears or inverts.

When Annual Still Wins: Honest Anti-PTaaS Scenarios

PTaaS is not the answer for every Indian buyer, and saying otherwise is the marketing fluff this blog explicitly rejects. There are at least four scenarios where a one-shot annual engagement is the right call.

Single product, quarterly or slower releases. A traditional enterprise software product on a 90 to 180 day release cycle does not need 24 retests. One thorough annual pentest plus one pre-release test covers the actual risk surface. PTaaS overhead is wasted spend.

Pre-investment due diligence. Acquirers and PE diligence teams want a single, time-stamped, named-partner report. A focused 6 to 10 day engagement with a board-ready brief and a technical appendix is the right artefact. We deliver this as a fixed-scope penetration testing services engagement, not a subscription.

Single regulated checkbox. If your only driver is the once-a-year line item on an ISO 27001 surveillance audit or a one-off PCI DSS 4.0 11.4.3 external pentest for a low-transaction merchant, the annual engagement maps cleanly to the requirement. Buying a subscription would over-engineer the compliance need.

Greenfield product before launch. Pre-production code with no live traffic does not need continuous testing. It needs one comprehensive pre-launch test and a threat model, mapped to OWASP Top 10 and the relevant data protection regime. Move to PTaaS once you have production users and a release cadence faster than quarterly.

The decision rule we give clients is simple: if you release faster than once a quarter, or you are in BFSI under RBI / SEBI / IRDAI continuous-testing language, or you sell into enterprise buyers who want period-of-time SOC 2 evidence, PTaaS economics win. Otherwise, a well-scoped annual engagement is the right buy. Honest scoping beats a clever subscription.

Certbar publishes its INR rate card to qualified buyers under NDA on the first call, mapped to your asset count, release cadence and compliance regime. There is no "request a demo" pricing fog. If you want a worked TCO comparison for your specific estate, including a named CERT-In empanelled report and mapping to your audit framework, talk to our team via Certbar's penetration testing services hub. We will tell you on the first call whether PTaaS or an annual engagement is the right buy — even when the answer means a smaller contract.


Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.


Frequently Asked Questions

For a mid-size Indian SaaS with 10 to 40 assets and fortnightly releases, expect INR 14 to 26 lakh per year for a hybrid PTaaS subscription with unlimited retests, CERT-In empanelled reporting and mapping to SOC 2 plus DPDPA. Pure credit-pack models start lower at INR 4.5 lakh but scale with consumption.