- Malwarebytes completed its first third-party no-logging audit.
- The in-depth assessment found no evidence of user data being recorded.
- Identified vulnerabilities, including one critical, have been fixed.
Malwarebytes announced the completion of the first-ever independent, third-party security audit of its VPN infrastructure. Following the acquisition of AzireVPN in 2024, Malwarebytes has handed over the keys to its custom privacy architecture to popular security auditing provider X41 D-Sec.
Why is this important to you? A no-logging policy is a promise that a VPN provider does not track, store, or share your IP address, browsing history, or DNS queries. But without an external audit, there’s no way to verify that your data isn’t being collected quietly on the backend. By opening its core source code and server configurations, Malwarebytes follows the lead of the best VPNs on the market to provide concrete proof that your internet traffic remains entirely invisible.
Unlike a surface-level analysis, X41 D-Sec completed a grueling two-month “white box” penetration test. This methodology gave auditors full access to Malwarebytes Privacy VPN apps on Windows, macOS, iOS, and Android, plus a deep dive into its global network of diskless, RAM-only servers.
Go beyond “trust us”
For a VPN to be truly secure, the infrastructure that runs the service must be foolproof. In the final report, auditors confirmed that the provider’s technical architecture complies with its privacy policy, finding no evidence of recorded user activity.
“During our assessment, we observed no evidence of user activity logging, and access to systems is tightly controlled, with no unnecessary remote, local, or SSH access exposed,” X41 D-Sec noted in the official audit report.
Trust is everything in VPNs, and it’s now verified. Our first-ever independent audit of Malwarebytes Privacy VPN highlights our commitment to transparency and user privacy. Learn the audit results and how we’re raising the bar on VPN privacy. https://t.co/QKetM5wA9G (April 2, 2026)
In an industry where transparency is becoming a mandatory requirement to compete with heavyweights like NordVPN and ExpressVPN, this move positions Malwarebytes as a verified privacy advocate.
According to Marcin Kleczynski, founder and CEO of Malwarebytes, the days of blind trust in cybersecurity are over.
“Trust should not be a leap of faith; it should be an informed choice based on evidence,” Kleczynski explained. “If a VPN provider cannot provide this level of transparency through independent auditing, it is worth asking whether they should be trusted.”
Filling the Gaps
The true value of an independent audit isn’t just about proving that a company is doing things right; it’s about finding vulnerabilities before bad actors do.
The X41 D-Sec report concludes that Malwarebytes’ systems have a “good level of security” compared to systems of similar size and complexity. Importantly, auditors discovered vulnerabilities during their in-depth analysis, including one critical issue. Rather than hiding these flaws, Malwarebytes worked with the auditors to fix them.
According to X41, “although vulnerabilities have been identified, most have already been fixed, including one critical issue, with the remaining items being resolved.”
By combining software auditing with hardware penetration testing, Malwarebytes sets the bar high for its future privacy features. As Jérôme Boursier, Senior Research Engineer at Malwarebytes, noted: “This in-depth security audit provides the level of transparency that every VPN provider and privacy company should aim for.”




