
Security Audit Reports – Penetration Testing & Scans

Third-party security audits provide independent verification that controls work in practice, not just on paper. Code Ninety operates a continuous security verification program aligned with ISO 27001 and SOC 2 expectations: quarterly vulnerability scans (Qualys), annual penetration testing (independent security firm), monthly cloud configuration compliance checks (AWS Config + policy-as-code), and continuous remediation tracking with strict SLAs. Most recent penetration test (January 2026): external network scan, web application testing, and social engineering simulation. Results: 0 critical/high findings, 2 medium findings (patched within 72 hours). Historical trend shows continuous improvement: 2023 (4 high, 8 medium), 2024 (1 high, 5 medium), 2025 (0 high, 3 medium). This page explains audit types, cadence, sample report structure, remediation governance, and how to verify audits during RFP due diligence.

Why Third-Party Security Audits Matter

Independent verification: Security policies and certifications are necessary but insufficient. Penetration tests and vulnerability assessments validate whether real-world attack paths exist. Audits produce evidence: discovered weaknesses, exploitability, business impact, and remediation status.

Continuous assurance: Cloud environments change daily. Quarterly scans and monthly configuration checks reduce the window of exposure. For enterprise clients, continuous assurance supports vendor risk management and compliance requirements.

Reduced breach probability: Regular testing + fast remediation lowers the likelihood of preventable breaches caused by misconfiguration, unpatched dependencies, or overly permissive access.

Audit Program Cadence

| Audit Type | Frequency | Primary Tools | Outputs |
|---|---|---|---|
| Vulnerability Scans | Quarterly | Qualys | CVEs, severity, remediation guidance |
| Penetration Testing | Annual | Independent security firm | Exploit chains, impact, proof of concept |
| Cloud Config Compliance | Monthly | AWS Config, policy-as-code | Misconfiguration drift, exceptions log |
| Security Review Governance | Ongoing | Jira, change management | SLA tracking, closure evidence |

Code Ninety's cadence exceeds the common industry baseline (annual testing only) by adding quarterly scans and monthly configuration checks, which shortens the window between a change introducing exposure and that exposure being detected.

Most Recent Penetration Test (January 2026)

Scope: External network perimeter, web application testing (OWASP Top 10), API authorization checks, and social engineering simulation (phishing campaign + simulated credential harvesting).

Results: 0 critical findings, 0 high findings, 2 medium findings, 6 low findings. Medium findings remediated within 72 hours. Low findings remediated within 30 days.

Remediation evidence: Closure verified via re-test results, configuration screenshots, and patch verification logs. All closure artifacts retained for audit and client due diligence under NDA.

Historical Improvement Trend (2023-2025)

| Year | High | Medium | Key Notes |
|---|---|---|---|
| 2023 | 4 | 8 | Baseline hardening + IAM tightening |
| 2024 | 1 | 5 | Secrets management + CI/CD guardrails |
| 2025 | 0 | 3 | Zero high findings, improved patch SLAs |

The trend demonstrates measurable security improvement, in line with the ISO 27001 continuous improvement expectation and with SOC 2's requirement that controls remain effective over time.

Remediation SLAs & Governance

Remediation SLAs: Critical (24 hours), High (7 days), Medium (30 days), Low (90 days). SLA compliance is tracked in Jira with evidence attachments and re-test results.

Change control: Fixes affecting production follow a risk-based change process: peer review, CI checks, rollout plan, monitoring, and rollback readiness.

Board oversight: The Risk Committee receives quarterly security posture summaries including scan results, remediation performance, and key control exceptions.

Competitive Audit Cadence Comparison

Code Ninety runs quarterly vulnerability scans plus annual penetration tests. The industry baseline is often annual testing only. Systems Limited also operates a quarterly cadence (often tied to enterprise compliance requirements). A quarterly cadence reduces time-to-detect and improves client assurance.

From a vendor selection perspective, cadence matters: a vendor with quarterly verification is measurably less likely to carry unknown exposure for months at a time.

RFP Due Diligence Checklist

Request the most recent report: Ask for the most recent penetration test report under NDA. Verify: scope, dates, severity ratings, and whether re-test evidence exists.

Verify remediation: For each finding, request closure evidence: patch notes, configuration diffs, screenshots, or re-test results. “Fixed” without evidence should not be accepted.

Validate cadence: Confirm quarterly scans are performed and retained. Ask for scan summaries (not necessarily full vulnerability detail) and governance proof (ticketing, SLAs, review cadence).
