- Malwarebytes completed its first third-party no-log audit
- The deep-dive assessment found zero evidence of user data logging
- Identified vulnerabilities, including one critical, have been addressed
Malwarebytes has announced the completion of the first-ever independent, third-party security audit of its VPN infrastructure. Following its 2024 acquisition of AzireVPN, Malwarebytes handed over the keys to its custom privacy architecture to the renowned security audit provider X41 D-Sec.
Why does this matter to you? A no-logs policy is a promise that a VPN provider isn’t tracking, storing, or sharing your IP address, browsing history, or DNS queries. But without an external audit, there’s no way to verify that your data isn’t being quietly collected on the backend. By opening up its core source code and server configurations, Malwarebytes follows the lead of the best VPNs on the market to deliver concrete proof that your internet traffic remains entirely invisible.
Unlike a surface-level scan, X41 D-Sec conducted a grueling two-month “white-box” penetration test. This methodology gave the auditors full access to the Malwarebytes Privacy VPN apps across Windows, macOS, iOS, and Android, as well as a deep dive into its global network of RAM-only, diskless servers.
Moving beyond “trust us”
For a VPN to be truly secure, the infrastructure running the service needs to be bulletproof. In the final report, auditors confirmed that the provider’s technical architecture is consistent with its privacy policy, finding no evidence of logging user activity.
“During our assessment, we did not observe evidence of user activity logging, and access to systems is tightly controlled, with no unnecessary remote, local, or SSH access exposed,” X41 D-Sec noted in the official audit report.
Trust is everything in VPNs—and now it’s verified.Our first-ever independent audit of Malwarebytes Privacy VPN highlights our commitment to transparency and privacy for our users.See what the audit found and how we’re raising the bar for VPN privacy. https://t.co/QKetM5wA9GApril 2, 2026
In an industry where transparency is becoming a mandatory requirement to compete with heavyweights like NordVPN and ExpressVPN, this move positions Malwarebytes as a verified privacy defender.
According to Marcin Kleczynski, Founder and CEO of Malwarebytes, the days of blind faith in cybersecurity are over.
“Trust shouldn’t be a leap of faith; it should be an informed choice based on evidence,” Kleczynski explained. “If a VPN provider can’t offer that level of transparency through an independent audit, it’s worth questioning whether it should be trusted at all.”
Patching the gaps
The true value of an independent audit isn’t just proving a company is doing things right; it’s finding the flaws before malicious actors do.
The X41 D-Sec report concluded that Malwarebytes’ systems are at a “good security level” compared to systems of similar size and complexity. Crucially, the auditors did uncover vulnerabilities during their deep dive, including one critical issue. Rather than hiding these flaws, Malwarebytes collaborated with the auditors to patch them.
According to X41, “While vulnerabilities were identified, most have already been addressed, including one critical issue, with remaining items in the process of being resolved.”
By combining a software audit with hardware penetration testing, Malwarebytes is setting a high bar for its future privacy features. As Jérôme Boursier, Principal Research Engineer at Malwarebytes, noted: “This thorough security audit provides the level of transparency any VPN provider and privacy company should aim for.”
