ExpressVPN today announced it has completed 27 independent security audits – more than any other VPN provider – as independent cybersecurity firm Cure53 validated two of its newest privacy tools: ExpressMailGuard and Identity Defender.

This milestone ExpressVPN’s long-standing belief that privacy cannot simply be promised – it must be enforced by architecture and verified by independent experts. Cure53, renowned in the cybersecurity community for its rigorous white-box penetration testing, conducted comprehensive source-code reviews and infrastructure assessments of both products. 

A record of verified trust

Since publishing its first audit in 2018, ExpressVPN has subjected every major component of its infrastructure to independent scrutiny – from its VPN protocols and no-logs policy to its private AI assistant and now its email relay and identity protection tools. Reaching 27 audits reflects a compounding investment in accountability that goes well beyond industry norms.

“Security audits are not a checkbox exercise for us,” said Aaron Engel, CSO at ExpressVPN. “Every product we build that touches user data gets handed to independent researchers whose job is to break it. Twenty-seven audits later, we remain committed to the same standard: trust must be earned, not assumed.” 

What Cure53 assessed

ExpressMailGuard allows users to generate unlimited anonymous email aliases, breaking the link between their real inbox and the services they sign up for. Cure53’s audit focused on the secure relay layer: verifying that the system strips identifying metadata, routes messages through aliases, and deletes delivered messages from ExpressVPN’s servers, ensuring the relay cannot be used to build user profiles or retain communication archives.

Identity Defender, available as a standalone app for U.S. users, actively monitors public records, home and auto titles, court records, changes to financial records that may indicate fraud, and dark web data for early signs of identity theft. It also includes an automated data-removal tool that continuously scrubs personal information from data-broker sites. Cure53 stress-tested the backend infrastructure powering these monitoring services, validating that sensitive personally identifiable information (PII) remains isolated and protected against unauthorised access.

Privacy across the entire stack

The audits mark another step in ExpressVPN’s mission to bring independently verified privacy tools under one subscription, covering everything from secure networking and AI to email protection and real-world identity defence.

Full Cure53 audit reports, ISO certifications, and the company’s complete history of independent security assessments are available on the ExpressVPN Trust page.