ExpressVPN racks up 27 audits—Cure53 checks new tools

ExpressVPN says it has completed 27 independent security audits, with two newer products—ExpressMailGuard and Identity Defender—passing inspection by Cure53. The company’s audit record and how it compares with rivals is now being put under the spotlight for co

For ExpressVPN, the security pitch now comes with a growing paper trail—and this time it’s tied to the company’s newest products.

The virtual private network service said Thursday it has completed 27 independent security audits. Two of those audits cover ExpressMailGuard and Identity Defender, both of which have passed inspection.

The latest review was conducted by penetration testing firm Cure53. According to ExpressVPN, the audit examined the source code of each product for security flaws, vulnerabilities, or hidden surprises that could cast doubt on the service’s security posture and its no-logs policy.

ExpressMailGuard is described as an email masking service that allows users to generate unlimited anonymous email aliases. Identity Defender is framed as a monitoring service for US users that scans public records, leaked online data dumps, and the dark web for indicators of identity theft.

Cure53 assessed both products in the audit. That brings ExpressVPN’s overall audit count to 27, and the company says a full list is available on its website. ExpressVPN also points to audits performed by Cure53 and KPMG.

The company is tying this milestone to a belief that privacy can’t be treated like a promise—it has to be verified. “This milestone reflects ExpressVPN’s long-standing belief that privacy cannot simply be promised - it must be enforced by architecture and verified by independent experts,” the company says.

That message lands in a market where “security audits” can mean very different things depending on what’s actually tested.

A security audit can take multiple forms. In VPN-related audits, infrastructure may be examined when it’s in scope—covering server security, data storage and management, encryption, authentication controls, and network configuration. Audits may also assess source code for inherent or hard-coded vulnerabilities, weaknesses, the use of default credentials, or programming errors.

VPN apps can come under scrutiny too. That can include checking desktop and mobile apps and browser extensions for coding issues, vulnerabilities, poor encryption, and exposed credentials or user data—plus whether features perform safely and as advertised.

No-logs policies are another common focus. Audits should consider what, if any, user data is logged or stored, how long records are retained, whether user activity is monitored, and whether any user data is shared or sold.

Encryption protocols may be checked as well, because errors in how encryption standards are upheld—or implemented—can undermine the very protection users think they’re buying. DNS is part of that risk picture too: DNS leaks can expose information or browsing activity to an ISP, meaning a VPN isn’t properly masking online actions, and DNS leaks should be flagged.

Some audits expand when new products are launched or when significant updates are made to VPN software, since changes can introduce new security issues or weaknesses that weren’t there before.

For ExpressVPN, this latest push is also about explaining why audits matter for ordinary people trying to trust a tool they can’t personally verify. Speaking to ZDNET, Shay Peretz, COO of ExpressVPN, commented: “Independent audits matter to consumers because they are one of the strongest ways to build real trust. A VPN can say anything publicly, but an audit opens up its systems, processes, and assumptions to external scrutiny and proves those claims hold up under real-world testing. It’s not just the VPN protocol that needs to be looked at, either. The apps users download, the infrastructure the service runs on, and all the supporting systems a modern VPN relies on should all be subject to independent review.”

What looks simple at first—“number of audits”—gets messy fast when you zoom out.

VPN-related audits don’t always test the VPN service itself. Testing can be performed across an entire security stack, and audits may focus on specific areas or services. In this case, ExpressVPN’s latest audit relates to ExpressMailGuard and Identity Defender, rather than the firm’s VPN service. That’s a key detail when comparing audit counts between companies.

Even then, audits aren’t always apples-to-apples in what they cover. Some focus tightly on no-logs policy but also extend to servers, configuration, and access because those pieces are connected to user data management. Other audits target specific products, which can inflate a company’s overall count even if the VPN core isn’t the only thing being examined.

ExpressVPN’s own audit comparison list (as presented in the source) shows how audit tallies differ across providers. ExpressVPN is listed at 27 audits, confirmed by ZDNET, with example audit scopes including no-logs policy, user data management, server infrastructure, configurations, deployment, and new services. ExpressVPN Trust Center lists the first audit date as 2018.

NordVPN is shown with six audits (working on the seventh), confirmed by ZDNET. Its example audit scopes include no-logs policy, user data management, server infrastructure, configurations, and deployment. Nord Accounts is listed with a first audit date of 2018.

Surfshark is shown with seven audits (more planned this year), confirmed by ZDNET. Example scopes include no-logs policy, infrastructure, network, apps, servers, and a new protocol (Dausos). Surfshark Trust Center and accounts are listed, with a first audit date of 2018.

IPVanish is shown with two audits (working on the third, annual audits planned), confirmed by ZDNET. Example scopes include no-logs policies, user data management, systems, configurations, and teams. IPVanish account portal is listed with a first audit date of 2022.

Private Internet Access is shown with three audits, confirmed by ZDNET. Example scopes include configuration, server management, IP handling, and no-logs policy, with an audit standard listed as ISAE 3000 (Revised). Blog posts are listed for 2025/2026, and a first audit date of 2022.

The takeaway isn’t that an audit number alone proves safety. It’s that published, independent testing can give consumers more to rely on than marketing claims.

A security audit is not described as a guarantee of safety, but it is presented as a strong indicator of how a VPN organization approaches user safety and data management. For audits to be meaningful, the scope should be clearly defined: what was tested, when, and how; any results; and how the company responded to feedback—positive or negative.

The source also emphasizes that when a company answers findings, or how quickly it adjusts, can matter as much as the audit itself. No security solution is perfect, and improvement is expected. Still, users are urged to look at transparency: what’s in scope, how the results are published, and whether the company reacts to what auditors find.

There’s also a wider shopping checklist beyond audits: vulnerability disclosure reports, a no-logs policy, and security certifications such as ISO 27001 are mentioned as additional signals. Users are warned to avoid VPNs without transparent security reports, policies, or published audits.

ExpressVPN’s own latest milestone is positioned inside that reality: a world where “free” VPN services can promise a lot but don’t always back it up with independent research or security assessments, and where companies that stand out may do so by running frequent, independent audits.

In that context, ExpressVPN’s 27-audit claim—and the fact that the newest items, ExpressMailGuard and Identity Defender, were brought under Cure53’s review—reads like more than a vanity metric. It’s a bet that consumers will want verification, not just assurances.

4 Comments

  1. So they’re checking their code for “no-logs” and stuff… but doesn’t that still mean they can log at any time if they want? Like audits don’t really stop anything, ya know?

  2. I don’t get it, Identity Defender is for “dark web” monitoring but I thought the VPN already blocks that? Also “unlimited email aliases” sounds like a scam sometimes, like unlimited means they’re sloppy.

  3. Cure53 checking their new tools is great I guess, but I’m still side-eyeing the whole company. Like why is the audit “passed” news instead of just… proof? Feels like they’re trying to catch up to rivals or something. Also the article says US users only? so what about the rest of us, just SOL?
