
Penetration Testing

Status — what is true today

There is no completed third-party penetration test against Adjudon as of 2026-05-06. Procurement teams arriving on this page from a vendor security questionnaire (VSA) deserve a direct answer; here it is. The first external assessment is scheduled for Q3 2026, with vendor selection in progress.

This is uncomfortable to write on a security page, and it is exactly the kind of disclosure procurement most needs to read honestly. A "Pen-Test: Yes" badge that resolves to a year-old report, or a vague "regular assessments" claim, is worse than "we have not yet engaged a vendor."

What we are doing in the meantime

The absence of a third-party pen-test is not the absence of security work. The list below is what is in production today, verifiable from the codebase or from this documentation set:

  • Threat-modelling document maintained internally; reviewed on each major architectural change. The model covers the trace-ingestion path (Cardinal Rules 1-4), the audit-chain integrity (Cardinal Rule 5), the API-key surface (Cardinal Rule 7), and the multi-tenant isolation invariant (Cardinal Rule 1).
  • Secure-coding gates in CI: npm audit, dependency-pin policy on production manifests, eslint-plugin-security baseline, gitleaks pre-commit hook to catch secrets before they land in git history.
  • Continuous error-tracking via Sentry on the EU region (de.sentry.io) with sendDefaultPii: false and a beforeSend hook that strips request.data and user PII before transmission — documented at Sub-Processors.
  • Hash-chain self-verification on a daily cron; any chain break is a paging incident before a customer notices.
  • Internal red-team exercises by the engineering team against staging, focused on the OWASP API Security Top 10 (BOLA, broken auth, excessive data exposure, lack of resources / rate limiting, broken function-level authorisation). Findings are remediated and tracked in the internal incident log; the log itself is not published.
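The Sentry scrubbing described in the list above, as an added illustration that is not Adjudon's own code: a beforeSend hook that drops request bodies and user PII before an event leaves the process, alongside the sendDefaultPii: false setting. It assumes the Sentry JS SDK's beforeSend(event, hint) contract and its event field names (event.request.data, event.user.*); the DSN is a placeholder and the header/cookie stripping goes slightly beyond the page's text, as an assumption.

```javascript
// Added example (not Adjudon's code). Assumes the Sentry JS SDK event contract:
// beforeSend(event, hint) returns the event to send, or null to drop it.

// Fields the SDK may populate under event.user; only the opaque id survives.
const USER_PII_FIELDS = ['email', 'username', 'ip_address', 'geo'];

function scrubEvent(event) {
  if (!event || typeof event !== 'object') return event;
  if (event.request) {
    // Request bodies are where form posts, JSON payloads and trace content live.
    delete event.request.data;
    // Cookies and credential-bearing headers (assumption beyond the page's text).
    delete event.request.cookies;
    if (event.request.headers) {
      for (const name of Object.keys(event.request.headers)) {
        if (/^(cookie|authorization|x-api-key)$/i.test(name)) {
          delete event.request.headers[name];
        }
      }
    }
  }
  if (event.user) {
    for (const field of USER_PII_FIELDS) delete event.user[field];
  }
  return event;
}

// The hook as it would be registered; hint is unused here.
function beforeSend(event, _hint) {
  return scrubEvent(event);
}

// Options as they would be handed to Sentry.init(); DSN host is the EU ingest
// region. PUBLIC_KEY / ORG / PROJECT_ID are placeholders.
const sentryOptions = {
  dsn: 'https://PUBLIC_KEY@ORG.ingest.de.sentry.io/PROJECT_ID',
  sendDefaultPii: false,
  beforeSend,
};

// Constructed sample event for a stand-alone run.
const sampleEvent = {
  message: 'Unhandled rejection in trace handler',
  request: {
    url: 'https://api.adjudon.com/api/v1/traces',
    method: 'POST',
    headers: { 'content-type': 'application/json', authorization: 'Bearer PLACEHOLDER' },
    cookies: 'session=PLACEHOLDER',
    data: '{"trace":"constructed sample body"}',
  },
  user: { id: 'usr_constructed', email: 'alice@example.com', ip_address: '203.0.113.7' },
};
console.log(JSON.stringify(beforeSend(sampleEvent, {})));
```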

The three Cardinal Rules most often probed by external assessors — cross-tenant data leakage, audit-log tampering, secrets in error messages — are encoded as in-code invariants documented in CLAUDE.md § Cardinal Rules. Every PR that touches an authenticated route runs the codified review checklist before merge.

Scope of the planned Q3 2026 assessment

The scheduled assessment will cover:

  • External web-application surface (adjudon.com, app.adjudon.com, docs.adjudon.com, api.adjudon.com)
  • Authenticated REST API at /api/v1/* — the surface documented across the API Reference
  • SCIM 2.0 endpoints at /scim/v2/* — the IdP-facing provisioning surface
  • Stripe webhook at /api/stripe/webhook — signature verification, replay defence
  • OTel ingestion at /otel/v1/traces — the OTel-side auth + parsing path
  • Hash-chain integrity — demonstrated tamper attempts against the chain construction and verify endpoint

The assessment will not cover the customer side of any integration; that is the customer's own pen-test scope. Adjudon's own SDKs are out of scope for the platform assessment because they ship as customer-deployed code; vendor selection prefers firms that can scope a separate library audit on request.

Vendor profile we are evaluating

The vendor selection criteria are public; the shortlist is not yet final:

  • EU-based with German-language operational capability (DACH-customer-readable findings)
  • CREST-accredited or holding equivalent national certification
  • AI-system-aware — the team has run prior assessments against LLM-adjacent applications and understands prompt-injection, training-data leakage, and policy-bypass attack classes specific to the audit layer
  • Re-test commitment for high / critical findings included in the engagement scope

What we will publish on completion

When the engagement closes, this page will be updated with:

Field               | Status today              | Status post-engagement
--------------------|---------------------------|---------------------------------------------------------------
Vendor name         | TBD                       | Named with company URL
Engagement date     | scheduled Q3 2026         | Exact start & close dates
Methodology         | TBD                       | OWASP ASVS level + custom AI-specific test cases
Findings summary    | n/a                       | Total + severity distribution (Critical / High / Medium / Low)
Remediation status  | n/a                       | Per-finding; "remediated" or "accepted with mitigation"
Re-test result      | n/a                       | Confirmation of remediation closure
Full report         | NDA-gated when published  | Customer access via signed MSA + confidentiality undertaking

The full report will be made available to enterprise customers under NDA through a signed master services agreement and confidentiality undertaking. The summary above will live on this page publicly so a CISO doing initial vendor due diligence can see the evidence without a contract first.

Honest framing for procurement

If your VSA has a yes/no checkbox for "third-party pen-test completed in the last 12 months," the truthful answer for Adjudon today is No, scheduled Q3 2026. The truthful answer six months from now should be Yes, vendor X, dated YYYY-MM-DD; summary at this URL; full report under NDA. Anything else would be a marketing claim, not a security claim. We treat the distinction as load-bearing.

For procurement teams that cannot accept a vendor without a completed pen-test, two paths are open:

  1. Wait for the Q3 2026 engagement to complete and the published summary on this page.
  2. Engage Adjudon under a Custom plan with contractually negotiated penetration-testing rights for your own security team or contracted assessor; Adjudon's bug-bounty policy at Responsible Disclosure covers white-hat testing in good faith without a formal contract.
