ZDNET Highlights
- ExpressVPN says it has passed 27 independent security audits.
- Cure53 audited ExpressMailGuard and Identity Defender.
- Here’s how ExpressVPN’s audit record compares to rivals.
ExpressVPN has announced the completion of 27 independent security audits, with two new products, ExpressMailGuard and Identity Defender, passing the inspection.
The latest audit conducted by penetration testing firm Cure53 examined each product’s source code for security flaws, vulnerabilities or hidden surprises that could cast doubt on ExpressVPN’s security posture and no-logs policy, the virtual private network service said Thursday.
Cure53 evaluated ExpressMailGuard, an email masking service that allows users to generate unlimited anonymous email aliases, as well as Identity Defender, a monitoring service for US users that scans public records, leaked online data dumps, and the dark web for indicators of identity theft.
This brings the total number of audits for ExpressVPN to 27. The full list can be found on ExpressVPN's website, with audits conducted by Cure53 and KPMG.
The company says, “This milestone reflects ExpressVPN’s long-standing belief that privacy cannot be promised – it must be enforced by architecture and verified by independent experts.”
What is a VPN security audit?
Security audits can take many forms. In the VPN industry, the following areas can be evaluated:
- Infrastructure: A VPN provider’s infrastructure is often one of the first things examined in a security audit, provided it is in scope. Security experts can look at a wide range of factors, including server security, data storage and management, encryption, authentication controls, and network configuration.
- Source code: Sometimes, VPN providers will allow auditors to assess the source code of their software for built-in or hard-coded vulnerabilities, use of default credentials, or programming errors.
- VPN apps: An assessment can also examine desktop and mobile apps and browser extensions for coding issues, vulnerabilities, poor encryption, exposed credentials or user data, and whether their features function securely and as advertised.
- No-log policies: Audits should consider VPN providers’ no-log policies and user data management practices. They should cover what user data, if any, is logged or stored, how long the VPN provider keeps records, whether user activity is monitored, and whether any user data is shared or sold.
- Encryption protocol: A security audit can examine which encryption standards are upheld and how encryption protocols are implemented, as errors can affect their effectiveness.
- DNS: DNS leaks can expose your information or browser activity to ISPs. If this happens, your VPN is not properly hiding your online activities, so any DNS leaks should be flagged.
- New product lines and changes: The above areas may be evaluated when a VPN provider launches a new product or makes a significant update to its VPN software. As software changes, new security issues or vulnerabilities may inadvertently jeopardize user privacy.
What does the audit mean for ExpressVPN?
Speaking to ZDNET, ExpressVPN COO Shay Peretz commented:
“Independent audits matter to consumers because they are one of the strongest ways to build real trust. A VPN can say anything publicly, but an audit opens its systems, processes, and assumptions to external scrutiny and proves that these claims hold up to real-world testing.
It’s not just the VPN protocol that needs attention, either. The apps users download, the infrastructure on which the service runs, and all the supporting systems on which a modern VPN depends should all be subject to independent review.”
VPN audit records compared
So, you may notice that some VPN providers say they’ve completed 27 independent audits, and others have only published two or three.
Why does it matter?
VPN-related audits don’t just evaluate VPN software. Instead, testing can be performed on the entire security stack, so audits can focus on specific areas or services. For example, ExpressVPN’s latest audit related to ExpressMailGuard and Identity Defender rather than the firm’s VPN service itself.
Keep this in mind when comparing VPNs and their audit trails. It is also important to note that some audits focus on no-log policies but also extend to servers, configuration, and access, as these are all tied to secure user data management. Other audits focus on specific products, which, while valuable, may inflate the overall count.
Because of this, the total number of audits may not be the most important factor; rather, frequency, transparent reporting, and scoping are key. Here’s how the top VPN providers of 2026 compare.
| VPN provider | Audit number | Confirmed by ZDNET | Example audit area | Where to get the report | First audit date |
|---|---|---|---|---|---|
| ExpressVPN | 27 | Yes | No-log policy, user data management, server infrastructure, configuration, deployment, new services | | 2018 |
| NordVPN | Six (working on the seventh) | Yes | No-logs policy, user data management, server infrastructure, configuration, deployment | | 2018 |
| Surfshark | Seven (more planned this year) | Yes | No-logs policy, infrastructure, network, apps, servers, new protocol (DOSOS) | | 2018 |
| IPVanish | Two (working on third, annual audit planned) | Yes | No-log policies, user data management, systems, configuration, teams | | 2022 |
| Private Internet Access | Three | Yes | Configuration, server management, IP handling, no-log policy (ISAE 3000 (Revised) standard) | Blog post: 2025/2026 | 2022 |
Do VPN security audits matter?
VPN providers, like any other software company, may make you a lot of promises – but without independent audits and evaluations, there is no way to support or verify their claims. Without published audits, you have no way of knowing whether privacy and security claims are merely marketing ploys.
A security audit is not a guarantee of security, but it is a strong indicator of how well a VPN organization approaches user security and data management.
It is also important for published audits to be complete. They should clearly define the scope of the audit; what was tested, when, and how; any results, whether positive or negative; and how the customer responded to the feedback.
No security solution is perfect, and there will always be room for improvement. So, if you’re looking at a VPN service’s audit, you should pay attention to how the company responded, how quickly, and how transparent it was, as this often tells you more than anything else in the audit.
When choosing a new VPN provider, start with a security audit, then look at things like vulnerability disclosure reports, its no-logs policy, and whether it has obtained security certifications such as ISO 27001.
You should always stay away from VPNs without any transparent security reports, policies, or published audits. There are countless ‘free’ VPN services online, many of which make grand promises but don’t back up their claims with independent research or security assessments, meaning they may be involved in questionable practices or storing and sharing your data.
Independence is key
VPN audits should be independent; otherwise, they are useless.
When user privacy and security are at stake, it is not enough for a security solution provider to say that an internal assessment is sufficient evidence of the right approach to modern threats. With so many snake oil ‘VPN’ providers out there, frequent, independent audits are one of the best ways for reputable companies to stand out from the crowd.
