# Penetration Testing

ilert engages independent external security firms to conduct regular penetration tests of its platform, infrastructure, and applications. External assessments are complemented by internal security reviews with full source access, and by continuous automated testing on every change that reaches the codebase.

## Testing Cadence

* **Annual external penetration tests** by independent third-party security firms
* **Internal white-box reviews** with full source access, complementing the external assessments between annual cycles
* **Continuous automated testing** on every pull request — static analysis, secrets scanning, dependency vulnerability scanning, and infrastructure-as-code policy checks
* **Quarterly vulnerability scans** on production systems using automated tools
* **Responsible-disclosure intake** open year-round via <security@ilert.com> — see [Vulnerability Disclosure](/trust-center/security/vulnerability-disclosure.md)

## Engagement History

ilert has maintained an independent penetration-testing programme since 2023. External assessments are performed by [cure53](https://cure53.de), a specialist German security firm.

| Date          | Type               | Tester              | Focus areas                                                                                       |
| ------------- | ------------------ | ------------------- | ------------------------------------------------------------------------------------------------- |
| June 2023     | External grey-box  | cure53              | Web frontend, REST APIs, OAuth2 identity provider, SSO flows                                      |
| February 2024 | External grey-box  | cure53              | Mobile applications (iOS + Android), Slack and Microsoft Teams bots, cryptographic state handling |
| May 2025      | External grey-box  | cure53              | Web frontend, REST APIs, API gateway, WebSocket gateway                                           |
| April 2026    | Internal white-box | ilert security team | Full platform source review, AI agent stack, mobile applications, infrastructure-as-code          |

Scope rotates deliberately so that, over a multi-year window, every significant area of the platform is reviewed at least once.

## Scope

Penetration tests cover:

* Web applications (ilert platform)
* Mobile applications (iOS and Android)
* REST APIs, API gateway, and integration endpoints
* WebSocket gateway and real-time messaging
* AI agent stack and tool integrations
* Infrastructure and network components
* Identity, authentication, and SSO/SAML flows
* Multi-tenant isolation across customer-owned entities
* Cryptographic controls (encryption at rest, in transit, key management)
* Third-party integration surfaces (webhook signatures, OAuth callbacks, stored-credential handling)

## Methodology

External testers follow industry-standard methodologies, including:

* OWASP Web Security Testing Guide (WSTG)
* OWASP Mobile Security Testing Guide (MSTG) for the iOS and Android clients
* Penetration Testing Execution Standard (PTES)

Each engagement combines automated scanning with manual exploitation. Tests produce a written report; findings are classified by severity using CVSS 3.1 and remediated according to defined timelines.

## Coverage Frameworks

ilert's testing programme systematically covers:

* **OWASP Top 10 (2021)** — web application risks
* **OWASP Application Security Verification Standard (ASVS) Level 2** — with Level 3 gaps tracked and prioritised
* **OWASP Mobile Application Security Verification Standard (MASVS)** — applied to the iOS and Android clients
* **OWASP API Security Top 10** — API-specific risks, including broken object-level authorisation (BOLA / IDOR)
* **CWE / SANS Top 25** — common weakness enumeration

## Remediation Process

1. **Triage** — each finding is assigned a severity (CVSS 3.1), an owner, and a target remediation window. Critical and High findings are addressed immediately; Medium and Low findings are scheduled into the engineering backlog.
2. **Fix** — engineering implements the remediation, peer-reviewed by at least one other engineer with input from ilert's security team.
3. **Re-test** — the fix is verified against a reproducible test case before the finding is closed. Regressions are tracked between engagements.
4. **Disclosure** — where a finding could affect customer deployments, customers are notified through ilert's customer-advisory channels. Platform-level fixes that require no customer action are rolled out transparently through the normal release cycle.

## Requesting the Penetration Test Report

The latest penetration test executive summary is available to customers and prospects under NDA.

**Email:** [sales@ilert.com](mailto:sales@ilert.com?subject=ilert%20pentest%20report)

Please include your company name and the context of your request (e.g., vendor security review, procurement process).

## Customer-Initiated Testing

ilert cooperates with customer-initiated security assessments, including threat-led penetration tests (TLPT) and cyber table-top exercises, at no additional cost. This is documented in ilert's [DORA Addendum](/trust-center/legal/dora-addendum.md) (Clause 6.4) for financial-sector customers.

***

*Last updated: April 2026*

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.ilert.com/trust-center/security/penetration-testing.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
