ExpressVPN blows away the competition on security audits - but what do they mean?

Blizine Admin

Ever wonder what a VPN audit is or why they're always announced to the public? Here's why.

Written by Charlie Osborne, Contributing Writer
May 29, 2026 at 7:22 a.m. PT
ZDNET's key takeaways

- ExpressVPN says it has passed 27 independent security audits.
- Cure53 audited ExpressMailGuard and Identity Defender.
- Here's how ExpressVPN's audit record compares with rivals.

ExpressVPN has announced the completion of 27 independent security audits, with two new products, ExpressMailGuard and Identity Defender, passing inspection.

The virtual private network service said Thursday that the latest audit, conducted by penetration testing firm Cure53, examined the source code of each product for security flaws, vulnerabilities, or hidden surprises that could cast doubt on ExpressVPN's security posture and no-logs policy.

Cure53 assessed ExpressMailGuard, an email masking service that allows users to generate unlimited anonymous email aliases, together with Identity Defender, a monitoring service for US users that scans public records, leaked online data dumps, and the dark web for indicators of identity theft.

This brings ExpressVPN's overall audit count to 27. A full list can be found on ExpressVPN's website, with audits performed by Cure53 and KPMG.

"This milestone reflects ExpressVPN's long-standing belief that privacy cannot simply be promised - it must be enforced by architecture and verified by independent experts," the company says.

What is a VPN security audit?

Security audits can take many forms. In the VPN industry, the following areas may be assessed:

- Infrastructure: A VPN provider's infrastructure is often one of the first things examined in a security audit, provided it is in scope.
Security experts may look at a wide range of factors, including server security, data storage and management, encryption, authentication controls, and network configuration.
- Source code: Sometimes, VPN providers will allow auditors to assess the source code of their software for inherent or hard-coded vulnerabilities, weaknesses, the use of default credentials, or programming errors.
- VPN apps: An assessment may also explore desktop, mobile, and browser extensions for coding issues, vulnerabilities, poor encryption, exposed credentials or user data, and whether their features perform safely and as advertised.
- No-logs policies: Audits must consider VPN providers' no-logs policies and user data handling practices. They should include what -- if any -- user data is logged or stored, how long the VPN provider retains records, whether user activity is monitored, and whether any user data is shared or sold.
- Encryption protocols: A security audit may examine which encryption standards are upheld and how encryption protocols are implemented, as errors could affect their effectiveness.
- DNS: DNS leaks may expose your information or browser activity to an ISP. If this happens, your VPN isn't properly masking your online activities, so any DNS leaks must be flagged.
- New product lines and changes: The above areas may be assessed when a VPN provider launches a new product or makes a significant update to its VPN software. As software changes, new security issues or weaknesses may inadvertently risk user privacy.

Why do audits matter to ExpressVPN?

Speaking to ZDNET, Shay Peretz, COO of ExpressVPN, commented: "Independent audits matter to consumers because they are one of the strongest ways to build real trust. A VPN can say anything publicly, but an audit opens up its systems, processes, and assumptions to external scrutiny and proves those claims hold up under real-world testing. It's not just the VPN protocol that needs to be looked at, either.
The apps users download, the infrastructure the service runs on, and all the supporting systems a modern VPN relies on should all be subject to independent review."

VPN audit records, compared

So, you've seen some VPN providers say they have completed 27 independent audits, and others have published only two or three. What's the difference?

VPN-related audits don't just assess VPN software. Instead, testing can be performed across the entire security stack, so audits may focus on specific areas or services. For example, ExpressVPN's latest audit relates to ExpressMailGuard and Identity Defender, rather than the firm's VPN service. Keep this in mind when comparing VPNs and their audit trails.

It's also important to note that some audits focus on no-logs policies but also extend to servers, configuration, and access, as these are all connected to safe user data management. Some audits focus on specific products, which, while valuable, can bring up overall counts. Due to this, the overall number of audits might not be the most important factor; rather, frequency, transparent reporting, and items in scope are key.

Here is how the top VPN providers of 2026 compare.
VPN audits, compared

| VPN provider | Audit number | Confirmed by ZDNET | Example audit scopes | Where to find reports | First audit date |
|---|---|---|---|---|---|
| ExpressVPN | 27 | Yes | No-logs policy, user data management, server infrastructure, configurations, deployment, new services | ExpressVPN Trust Center | 2018 |
| NordVPN | Six (working on the seventh) | Yes | No-logs policy, user data management, server infrastructure, configurations, deployment | Nord Accounts | 2018 |
| Surfshark | Seven (more planned this year) | Yes | No-logs policy, infrastructure, network, apps, servers, new protocol (Dausos) | Surfshark Trust Center, accounts | 2018 |
| IPVanish | Two (working on the third, annual audits planned) | Yes | No-logs policies, user data management, systems, configurations, teams | IPVanish account portal | 2022 |
| Private Internet Access | Three | Yes | Configuration, server management, IP handling, no-logs policy (ISAE 3000 (Revised) standard) | Blog posts: 2025/2026 | 2022 |

Do VPN security audits matter?

VPN providers, like any other software company, can promise you the sky -- but without independent audits and assessments, there's no way to back up or verify their claims. Without a published audit, you have no way of knowing whether privacy and security claims are just marketing ploys.

A security audit is not a guarantee of safety, but it is a strong indicator of how a VPN organization approaches user safety and data management.

It's also important for published audits to be thorough. They should clearly define the scope of the audit; what was tested, when, and how; any results -- either positive or negative; and how the client responded to feedback.

No security solution is perfect, and there will always be ways to improve. So, if you're exploring a VPN service audit, you should take note of how the company responded, how quickly, and how transparent it is, as this often tells you more than anything else in an audit.
When choosing a new VPN provider, go beyond security audits; look for vulnerability disclosure reports, a no-logs policy, and whether it has achieved security certifications, such as ISO 27001.

You should always steer clear of VPNs without any transparent security reports, policies, or published audits. There are countless 'free' VPN services online, many of which promise the earth but do not back up their claims with independent research or security assessments, meaning they could be involved in shady practices or storing and sharing your data.

The key is independence

VPN audits must be independent; otherwise, they are worthless.

When user privacy and security are at stake, it's not enough for a security solutions provider to say that internal assessments are en

📰Originally published at zdnet.com
