























Follow ZDNET: Add us as a preferred source on Google.
ExpressVPN has announced the completion of 27 independent security audits, with two new products, ExpressMailGuard and Identity Defender, passing inspection.
Also: NordVPN isn't just a VPN anymore, but a full security suite - here's what you get now
The virtual private network service said Thursday that the latest audit, conducted by penetration testing firm Cure53, examined the source code of each product for security flaws, vulnerabilities, or hidden surprises that could cast doubt on ExpressVPN's security posture and no-logs policy.
Cure53 assessed ExpressMailGuard, an email masking service that allows users to generate unlimited anonymous email aliases, together with Identity Defender, a monitoring service for US users that scans public records, leaked online data dumps, and the dark web for indicators of identity theft.
This brings ExpressVPN's overall audit count to 27. A full list can be found on ExpressVPN's website, with audits performed by Cure53 and KPMG.
Also: Best VPN services 2026: Expert tested and recommended
"This milestone reflects ExpressVPN's long-standing belief that privacy cannot simply be promised-it must be enforced by architecture and verified by independent experts," the company says.
Security audits can take many forms. In the VPN industry, the following areas may be assessed:
Speaking to ZDNET, Shay Peretz, COO of ExpressVPN, commented:
"Independent audits matter to consumers because they are one of the strongest ways to build real trust. A VPN can say anything publicly, but an audit opens up its systems, processes, and assumptions to external scrutiny and proves those claims hold up under real-world testing.
It's not just the VPN protocol that needs to be looked at, either. The apps users download, the infrastructure the service runs on, and all the supporting systems a modern VPN relies on should all be subject to independent review."
So, you've seen some VPN providers say they have completed 27 independent audits, and others have published only two or three.
What's the difference?
Also: The best free VPNs of 2026: Expert tested and reviewed
VPN-related audits don't just assess VPN software. Instead, testing can be performed across the entire security stack, so audits may focus on specific areas or services. For example, ExpressVPN's latest audit relates to ExpressMailGuard and Identity Defender, rather than the firm's VPN service.
Keep this in mind when comparing VPNs and their audit trails. It's also important to note that some audits focus on no-logs policies but also extend to servers, configuration, and access, as these are all connected to safe user data management. Some audits focus on specific products, which, while valuable, can bring up overall counts.
Due to this, the overall number of audits might not be the most important factor; rather, frequency, transparent reporting, and items in scope are key. Here is how the top VPN providers of 2026 compare.
VPN provider | Audit number | Confirmed by ZDNET | Example audit scopes | Where to find reports | First audit date |
ExpressVPN | 27 | Yes | No-logs policy, user data management, server infrastructure, configurations, deployment, new services | 2018 | |
NordVPN | Six (working on the seventh) | Yes | No-logs policy, user data management, server infrastructure, configurations, deployment | 2018 | |
Surfshark | Seven (more planned this year) | Yes | No-logs policy, infrastructure, network, apps, servers, new protocol (Dausos) | 2018 | |
IPVanish | Two (working on the third, annual audits planned) | Yes | No-logs policies, user data management, systems, configurations, teams | 2022 | |
Private Internet Access | Three | Yes | Configuration, server management, IP handling, no-logs policy (ISAE 3000 (Revised) standard) | Blog posts: 2025/2026 | 2022 |
Show more
VPN providers, like any other software company, can promise you the sky -- but without independent audits and assessments, there's no way to back up or verify their claims. Without a published audit, you have no way of knowing whether privacy and security claims are just marketing ploys.
A security audit is not a guarantee of safety, but it is a strong indicator of how a VPN organization approaches user safety and data management.
It's also important for published audits to be thorough. They should clearly define the scope of the audit; what was tested, when, and how; any results -- either positive or negative; and how the client responded to feedback.
Also: We tested the most popular VPNs in New York, London, and Tokyo - this one is the best for traveling
No security solution is perfect, and there will always be ways to improve. So, if you're exploring a VPN service audit, you should take note of how the company responded, how quickly, and how transparent it is, as this often tells you more than anything else in an audit.
When choosing a new VPN provider, go beyond security audits; look for vulnerability disclosure reports, a no-logs policy, and whether it has achieved security certifications, such as ISO 27001.
You should always steer clear of VPNs without any transparent security reports, policies, or published audits. There are countless 'free' VPN services online, many of which promise the earth but do not back up their claims with independent research or security assessments, meaning they could be involved in shady practices or storing and sharing your data.
VPN audits must be independent; otherwise, they are worthless.
Also: ExpressVPN review: One of the fastest VPNs we've tested
When user privacy and security are at stake, it's not enough for a security solutions provider to say that internal assessments are enough evidence of the right approach to modern threats. With so many snake oil 'VPN' providers around, frequent, independent audits are one of the best ways for reputable companies to stand out from the crowd.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。