Our first third-party audit is here (and yes, we learned a lot!)
Transparency has always been a big part of how we do things at AzireVPN.
If you’ve been around for a while, you’ve probably seen it firsthand – we don’t just say we’re private, we show it. Transparency reports? Check. Monthly warrant canary? Always. Photos of our actual servers? Of course. Even YouTube videos where we bring you inside our facilities and data centers around the world.
If there’s a way to be open about what we do – we’re doing it. But until now, one important piece was missing: a full, independent third-party audit.
Not because we didn’t want one – but because audits like these are a lot. Time, resources, and yes – money. As a small team, we’ve always prioritized putting those resources into building and running the best VPN we possibly can.
Still, it mattered. And we knew we’d get there. And now – we have! 🚀
A sneak peek into the hardware penetration test
Why this matters
When it comes to VPNs, a third-party audit is one of the best ways to prove you’re actually doing what you say. It’s independent validation that our infrastructure, setup, and practices really deliver the level of privacy we promise.
It’s one thing for us to say it. It’s another to have external experts try to break it.
“This is a major milestone for us as a VPN company. It has been 13 years since the launch of our first server right here in Stockholm. We’ve always been all about transparency and have had nothing to hide – but the audit by X41 D-Sec gives us that extra layer of assurance that what we’ve built over the years really is as private as we believed. It’s a great feeling, and it puts us on par with the biggest VPN names out there.” – Tobias Windh, Co-founder of AzireVPN
And just as importantly – this wasn’t just validation. It was learning.
Having another set of (very experienced) eyes on our systems helps us spot things we might have missed and make AzireVPN even more bulletproof.
The audit process
The process started off in early 2025, shortly after AzireVPN became part of Malwarebytes. That step made it possible for us to finally run a full-scale audit of our infrastructure. Since AzireVPN now shares infrastructure and server-side software with Malwarebytes Privacy VPN, the audit covered both services at the same time.
After careful consideration, we partnered with X41 D-Sec – an independent German security firm known for high-quality security research, source code audits, and deep technical testing.
The audit ran between December 1, 2025 and January 9, 2026, and included a software audit and a hardware audit where we physically shipped our servers to Germany so the researchers could perform hands-on hardware penetration testing.
Results
You can read the full audit report here:
According to X41:
"Overall, the systems demonstrate a strong security level and are well positioned to support user privacy, appearing to be on a good security level compared to systems of similar size and complexity.
During our assessment, we did not observe evidence of user activity logging, and access to systems is tightly controlled, with no unnecessary remote, local, or SSH access exposed.
While vulnerabilities were identified, most have already been addressed, including one critical issue, with remaining items in the process of being resolved."
We didn’t expect a perfectly clean report. Not because we don’t trust our systems – but because security is complex, and another set of eyes always finds things. And that’s exactly what happened.
Our team has already addressed the majority of the findings and we are actively working on the remaining ones. Here’s where we are today:
- 1 Critical vulnerability – fixed ✅
- 1 Critical vulnerability – in progress 🔧
- 2 Medium vulnerabilities – fixed ✅
- 5 Medium vulnerabilities – fixed on all new servers ✅
- 1 Medium vulnerability – in progress 🔧
- 1 Low vulnerability – fixed ✅
- 2 Low vulnerabilities – fixed on all new servers ✅
- 1 Low vulnerability – in progress 🔧
Issues found
Here's a few more details on the critical issues found:
1.Unverified Debian Image (fixed)
The researchers discovered that, while the Debian image was downloaded from a secure URL, a small piece of verified data – called the checksum – did not have its signature validated using the Debian CD signing key.
We’ve fixed this already. ✅
2. Unverified Boot Chain (in progress)
Our servers use PXE booting, which means they boot from files delivered over the network instead of local storage. The issue: this process didn’t include cryptographic signature verification.
In theory, this could allow a highly sophisticated attacker to perform a “man-in-the-middle” attack during boot and inject malicious code. In practice, this would require a very high level of access – such as gaining entry to the data center, reaching our secured racks, and interfering with the network during the boot process. (If you're curious what that environment actually looks like, you can check out our London server video here: Inside a high security data center 🏢 | Behind the scenes AzireVPN)
This is not a quick fix, as it involves deeper architectural changes. But it is important, so we will be working on implementing a more secure, cryptographically verified boot process over time.
You can see the full list of issues found in the audit report.
What this means going forward
Security isn’t just a checkbox for us – it’s a continuous process.
This audit is a big milestone for us, but it’s also exactly what we expected it to be: validation and a way to get better. We’re fixing what needs fixing, improving what can be improved, and continuing to build a VPN that’s as private and secure as we claim it is.
A huge thank you to X41 D-Sec and the researchers involved – Djamal Touazi, JM, Markus Vervier, Robert Femmer and Eric Sesterhenn – for all their work and collaboration.
Same AzireVPN – now independently verified
We’ve always believed in showing, not telling.
This audit helps validate what we’ve built so far – and highlights where we can do better. We’re continuing to improve, and we’ll keep sharing that journey with you!
Privacy first, no exceptions.
AzireVPN was created in Stockholm, Sweden in 2012 with a mission of becoming a market-leading VPN service that helps people avoid censorship and interception on the internet. With WireGuard, Blind Operator and zero logs policy, today AzireVPN is one of the leading privacy-oriented VPN services with owned and dedicated servers worldwide.
AzireVPN is part of Malwarebytes, a global leader in real-time cyber protection.
Try AzireVPN today – 7 day money back guarantee.