- Malwarebytes completed its first third-party no-log audit
- The deep-dive assessment found no evidence of user data logging
- Identified vulnerabilities, including a critical one, have been fixed
Malwarebytes has announced the completion of the first-ever independent third-party security audit of its VPN infrastructure. Following the acquisition of AzireVPN in 2024, Malwarebytes handed over the keys to its custom privacy architecture to renowned security auditing provider X41 D-Sec.
Why does it matter to you? A no-logs policy is a promise that a VPN provider won’t track, store, or share your IP address, browsing history, or DNS queries. But without an external audit, there is no way to verify that your data is not quietly being collected on the backend. By opening its core source code and server configurations, Malwarebytes follows the lead of the best VPNs on the market to provide concrete proof that your internet traffic remains completely invisible.
Unlike a surface-level scan, X41 D-Sec performed a grueling two-month “white-box” penetration test. This method gave the auditors full access to Malwarebytes Privacy VPN apps across Windows, macOS, iOS, and Android, as well as a deep dive into its global network of RAM-only diskless servers.
Moving beyond “trust us”
For a VPN to be truly secure, the infrastructure running the service must be bulletproof. In the final report, auditors confirmed that the provider’s technical architecture complies with its privacy policy and found no evidence of user activity logging.
“During our assessment, we did not observe evidence of logging of user activity, and access to systems is tightly controlled, with no unnecessary remote, local or SSH access detected,” noted X41 D-Sec in the official audit report.
Trust is everything in VPNs – and now it’s verified. Our first independent review of Malwarebytes Privacy VPN highlights our commitment to transparency and privacy for our users. See what the audit found and how we’re raising the bar for VPN privacy. https://t.co/QKetM5wA9G (April 2, 2026)
In an industry where transparency is becoming a mandatory requirement to compete with heavyweights like NordVPN and ExpressVPN, this move positions Malwarebytes as a provider of verified privacy protection.
According to Marcin Kleczynski, founder and CEO of Malwarebytes, the days of blind faith in cybersecurity are over.
“Trust should not be a leap of faith; it should be an informed choice based on evidence,” explained Kleczynski. “If a VPN provider can’t offer that level of transparency through an independent audit, it’s worth questioning whether to trust it at all.”
Patching the holes
The true value of an independent audit is not just to prove that a company is doing things right; it’s to find the bugs before malicious actors do.
The X41 D-Sec report concluded that Malwarebytes’ systems are at a “good level of security” compared to systems of similar size and complexity. Crucially, the auditors uncovered vulnerabilities during their deep dive, including one critical issue. Instead of hiding these bugs, Malwarebytes worked with the auditors to fix them.
According to X41, “While vulnerabilities were identified, most have already been fixed, including one critical issue, with remaining items in the process of being fixed.”
By combining a software audit with hardware penetration testing, Malwarebytes sets a high bar for its future privacy features. As Jérôme Boursier, Principal Research Engineer at Malwarebytes, noted, “This thorough security audit provides the level of transparency every VPN provider and privacy company should aim for.”



