Client FAQ
Answers to common client questions about VAPT timelines, remote testing, production safety, access, NDA, reports, retesting, and compliance support.
Answers to common questions organizations ask before starting a PentestHint security assessment.

How long does VAPT take?
Timelines depend on scope. Small web/API scopes may take days, while broader enterprise scopes can take multiple weeks.

Is testing remote or onsite?
Most application, API, cloud, and external infrastructure testing can be done remotely. Onsite activity can be discussed where applicable.

Will production systems be impacted?
Testing is planned using rules of engagement, safe payloads, and agreed windows to reduce operational risk.

Do you provide retesting?
Yes. Retesting can confirm remediation and document closure or residual risk.

What access is required?
Access depends on scope and may include test accounts, API collections, VPN, cloud read-only access, or documentation.

Do you sign an NDA?
Yes. An NDA can be signed before sensitive details are shared.

What does the final report include?
Reports include an executive summary, findings, evidence, severity, business impact, remediation guidance, and retest status where applicable.

Do you support compliance requirements?
Yes. Reports can support customer assurance, audits, SOC 2, ISO 27001, PCI DSS, and related security review needs.

Talk to PentestHint before your next assessment.