Club Benefits
ExpressVPN has completed its 27th independent security audit, the most out of any of the best VPNs.
Cybersecurity firm Cure53 carried out the latest round of reviews, assessing two of the company's newest privacy tools: ExpressMailGuard, an email alias service, and Identity Defender, a US-only protection app.
The audits were comprehensive in scope. Cure53 – known for rigorous white-box penetration testing – examined ExpressMailGuard's secure relay layer, and stress-tested the backend infrastructure behind Identity Defender. It validated that sensitive personally identifiable information remains isolated and protected against unauthorised access.
The milestone marks another step in ExpressVPN's broader ambition to bring independently verified privacy tools under one subscription. Since publishing its first audit in 2018, the company has subjected every major component of its infrastructure to independent scrutiny – from its VPN protocols and no-logs policy to its private AI assistant, and now its email and identity protection products.
What did Cure53 test?
ExpressMailGuard allows users to generate unlimited anonymous email aliases, shielding their real inbox from the services they sign up to. Cure53's audit focused on the secure relay layer, verifying that the system strips identifying metadata, routes messages through aliases, and deletes delivered messages from ExpressVPN's servers – ensuring the relay cannot be used to build user profiles or retain communication archives.
Identity Defender is available as a standalone app for US users. It monitors public records, home and auto titles, court records, financial records, and Dark Web data for early signs of identity theft. It also includes an automated data-removal tool that continuously scrubs personal information from data broker sites.
Cure53 stress-tested the backend infrastructure powering these monitoring services, confirming that sensitive PII remains isolated against unauthorised access.
Full audit reports are published on ExpressVPN's Trust page.
A compounding investment in accountability
Reaching 27 audits reflects a deliberate and long-running commitment that stretches back to 2018, when ExpressVPN published its first independent security review. Since then, the company has submitted every major component of its infrastructure to outside scrutiny – a standard it says goes well beyond industry norms.
"Security audits are not a checkbox exercise for us," said Aaron Engel, CSO at ExpressVPN. "Every product we build that touches user data gets handed to independent researchers whose job is to break it. Twenty-seven audits later, we remain committed to the same standard: trust must be earned, not assumed."
Other leading VPNs do conduct independent security and privacy audits – NordVPN has completed six no-logs reviews and Surfshark two – but neither matches ExpressVPN's volume, or the breadth of products covered.
What sets ExpressVPN apart is that its audits now span its entire product stack – not just the VPN itself. Its password manager, email relay, AI assistant, and identity protection tools are all covered.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
