Security testing

Penetration testing

Claresia commissions an annual external black-box and grey-box penetration test of the entire production surface. The first engagement lands Q2 2026 with results published shortly after.

Cadence

Annual at minimum. Additional targeted engagements when material architectural changes ship (new deployment mode, new sub-processor, new connector framework).

Vendor

Engagement RFP open with Trail of Bits, Bishop Fox, and NCC Group. Contract signature targeted for Q1 2026. Annual rotation policy keeps adversarial perspective fresh.

Scope

All public Claresia Cloud surfaces, Onboarding Portal, Hub APIs, Distribution Plane endpoints, browser extension, and Teams/Slack apps. Authenticated tenant testing included.

Latest engagement

Scheduled Q2 2026.

Methodology

OWASP Web Security Testing Guide 4.2 plus a custom AI-vendor test plan covering prompt injection, output handling, model-side data exfiltration, and sensitive-data detection bypass.

Test types

Black-box (unauthenticated), grey-box (authenticated tenant), and source-assisted code review of the Distribution Plane.

Timeline

8 calendar weeks from kickoff to final report. Critical findings are reported within 24 hours of discovery; remediation is tracked to closure and confirmed by re-test.

Disclosure

Public executive summary on this page. Full report available under NDA. A post-fix advisory is published for any critical finding that affects customers.

Pen-test executive summary

Available after the first engagement closes in Q2 2026.

The exec summary will be a 4-6 page PDF covering: scope, methodology, finding summary by severity (critical / high / medium / low / informational), remediation status per finding, and Claresia engineering response. Full reports including individual finding writeups remain under NDA.

Status: scheduled Q2 2026. Pre-register your interest below to receive the exec summary on publication.
