// faq

Common Questions.Straight Answers.

Everything you need to know before starting an engagement. Still have questions? Reach out and we'll respond within 4 hours.

Before the Engagement

Scope, timing, certifications, and the contracts that protect you.

VAPT (Vulnerability Assessment and Penetration Testing) proactively identifies and exploits weaknesses in your systems before real attackers do. Any business handling user data, running a web or mobile application, or operating in a regulated industry should undergo regular VAPT to protect assets and maintain compliance.
Yes. VAPT.PK serves clients in 10+ countries. All engagements are fully remote, come with a signed authorization letter, NDA upon request, and a full report delivered within the agreed timeframe.
Hassan holds an ISO/IEC 27001 Information Security Associate certification (Skillfront, Aug 2022) and is an AppSec Practitioner. He has active rankings on Bugcrowd (#465, 89.3% accuracy, 1,189 points), YesWeHack (#406), Bug Bounty Switzerland (#33), and HackenProof (#308), with Hall of Fame entries at Samsung, Binance, cPanel, F5, and 90+ programs in total.
Timelines depend on scope. A focused web application test typically takes 3–5 business days. Mobile or API engagements range from 4–7 days. Full-scope cloud or network assessments may take 1–2 weeks. A clear timeline is confirmed during the scoping call before any work begins.
Every report includes an executive summary, full technical findings with CVSS scores, reproducible proof-of-concept steps, screenshot evidence, and prioritized remediation guidance — aligned with OWASP and ISO 27001. A re-test is included to verify fixes after remediation.
Yes. An NDA can be signed before any work begins. All testing is conducted within the explicitly agreed scope and authorization. No data is retained after the engagement is closed.
Yes. On request, we issue a formal attestation that an independent VAPT was performed, which can be shared with auditors, customers, and partners for SOC 2, ISO 27001, and security questionnaire responses.
For international clients we typically engage via Upwork (100% Job Success Score, ID Verified). Direct contracts with bank transfer or escrow are also supported. Payment terms are agreed in writing before the engagement begins.
Yes — that's the core use case we design reports around. Findings are mapped to OWASP Top 10, OWASP ASVS, and ISO/IEC 27001 Annex A controls; severity follows CVSS v3.1; and we provide a signed letter of attestation you can attach to a client questionnaire or share with their security review team. Reports are routinely accepted as third-party VAPT evidence by SOC 2, ISO 27001, and customer-due-diligence reviewers.
Yes to both. We invoice in PKR for local clients (or USD via Upwork/escrow when your end-customer prefers a Western billing trail). For projects that benefit from in-person scoping, threat-modelling workshops, or developer-side debrief sessions, we travel to your office in Karachi, Lahore or Islamabad. Most engagements run fully remote.

Talk to us directly.

A free 30-minute call. Bring your scope, timeline, and concerns.