- Malwarebytes Completed Its First No-Logs Third-Party Audit
- Deep evaluation found no evidence of user data logging
- Identified vulnerabilities have been addressed, including one critical issue
Malwarebytes has announced the completion of the first independent, third-party security audit of its VPN infrastructure. Following the acquisition of AzireVPN in 2024, Malwarebytes handed over the keys to its custom privacy architecture to renowned security auditing provider X41 D-Sec.
Why should you care about this? A no-logs policy is a promise that a VPN provider will not track, store, or share your IP address, browsing history, or DNS queries. But without an external audit, there is no way to verify that your data is not being silently collected on the backend. By opening up its core source code and server configurations, Malwarebytes follows the lead of the best VPNs on the market to offer concrete proof that your Internet traffic remains completely invisible.
Unlike a surface-level scan, X41 D-Sec performed a grueling two-month “white box” penetration test. This methodology gave auditors full access to the Malwarebytes Privacy VPN apps on Windows, macOS, iOS, and Android, as well as a deep dive into its global network of diskless, RAM-only servers.
Beyond “trust us”
For a VPN to be truly secure, the infrastructure running the service must be bulletproof. In the final report, auditors confirmed that the provider’s technical architecture is consistent with its privacy policy, and found no evidence that user activity was recorded.
“During our evaluation, we observed no evidence of user activity logging, and access to the systems is tightly controlled, with no unnecessary remote, local, or SSH access exposed,” X41 D-Sec noted in the official audit report.
Trust is everything in VPNs, and now it’s verified. Our first independent audit of Malwarebytes Privacy VPN highlights our commitment to transparency and the privacy of our users. See what the audit found and how we’re raising the bar on VPN privacy. https://t.co/QKetM5wA9G (April 2, 2026)
In an industry where transparency is becoming a mandatory requirement to compete with heavyweights like NordVPN and ExpressVPN, this move positions Malwarebytes as a verified privacy advocate.
According to Marcin Kleczynski, founder and CEO of Malwarebytes, the days of blind faith in cybersecurity are over.
“Trust should not be a leap of faith; it should be an informed choice based on evidence,” Kleczynski explained. “If a VPN provider can’t offer that level of transparency through an independent audit, it’s worth asking whether they should be trusted.”
Patching the gaps
The true value of an independent audit is not only to demonstrate that a company is doing things right; it is to find the flaws before malicious actors do.
The X41 D-Sec report concluded that Malwarebytes systems are at a “good level of security” compared to systems of similar size and complexity. Crucially, the auditors discovered vulnerabilities during their deep scan, including one critical issue. Instead of hiding these flaws, Malwarebytes collaborated with auditors to fix them.
According to X41, “while vulnerabilities were identified, most have already been fixed, including one critical issue, and the remaining items are in the process of being resolved.”
By combining a software audit with hardware penetration testing, Malwarebytes is setting a high bar for its future privacy features. As Jérôme Boursier, Principal Research Engineer at Malwarebytes, noted: “This comprehensive security audit provides the level of transparency that any VPN provider and privacy company should aspire to.”




