Independent audit confirms Surfshark's infrastructure 'aligns with the highest security standards'
Surfshark's design, configuration, and maintenance put security first
Surfshark has announced the completion of an independent security audit of its network infrastructure.
Class-leading security is one of the reasons Surfshark features on our best VPN list, and the audit confirmed the VPN meets "the highest security standards."
External cybersecurity firm SecuRing conducted the audit, and no critical vulnerabilities were found. Security was determined to be a "top priority" across the design, configuration, and maintenance of Surfshark's infrastructure.
We'll run through the audit's highlights, but Surfshark has also published the report in full.
Verifying Surfshark's network infrastructure
In a blog post, Surfshark shared its goals for the security audit. The VPN said it wanted to verify its network infrastructure "was protected against unauthorized access and business disruption, resilient against real-world attacks, and aligned with the highest security standards."
SecuRing carried out its audit between December 1 and 10, 2025. It performed penetration testing and simulated real-world attacks. The objective was to breach Surfshark in the same way a malicious hacker would. SecuRing was looking for any vulnerabilities that could cause financial losses to Surfshark or its users.
SecuRing wanted to confirm that:
- Unauthorized users cannot access Surfshark's infrastructure
- User data is protected
- Services wouldn't be interrupted for users
- No security misconfigurations are present
- Potential weaknesses are detected before they can be abused
Demonstrating the highest security standards
SecuRing's audit found "no vulnerabilities with critical risk impact." One medium-risk vulnerability was found, but it was promptly resolved. No "key threats" manifested as a result of the identified vulnerabilities.
User security was not found to be at risk and there were strong protections against real-world attacks.
"The testing mirrored real-world attack scenarios to simulate external attackers compromising the network, and it was performed without any privileged credentials, inside information, or special access," said Tomas Stamulis, Chief Security Officer at Surfshark.
"With this, we wanted to ensure that unauthorized users cannot access our infrastructure, client data always remains protected, servers can't be interrupted for our clients, security misconfigurations can’t occur, and potential weaknesses are noted immediately before they can be abused."
The medium-risk vulnerability identified was related to an SSL/TLS configuration. One server, on a specific occasion, was utilising "both strong, modern security and some older security methods."
Surfshark said most connections use the modern methods, but "the older option could have been misused in rare situations." Although the vulnerability would have been hard for a hacker to exploit, Surfshark fixed it immediately. SecuRing also provided Surfshark with no-risk, best-practice recommendations.
Stamulis commented on the findings, saying "digital security is constantly under the bad actors' radar and an independent audit examining our security systems is a crucial part of building trust and ensuring transparency, allowing us to identify and implement minor improvements, such as these SSL/TLS configurations.
"The successful completion of this infrastructure audit highlights, once again, that our systems align with the highest security standards, providing tangible proof to our users that services they use are protected."
Surfshark has recently introduced significant upgrades to its network infrastructure, including FastTrack, Everlink, and 100 Gbps servers. This audit confirms that all these features are operating with high security standards and users are safe using Surfshark.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights and censorship, and its interplay with politics. Outside of work, George is passionate about music, Star Wars, and Karate.
