ExpressMailGuard and Identity Defender pass Cure53 security audits
Independent researchers spent the past several weeks examining our standalone identity protection app and email relay service. Here’s what they looked at.
A privacy policy is a promise on a screen. We prefer privacy enforced by architecture and verified by people whose job is to break things. That's why we hand the source code for our products to independent researchers and publish what they find.
For ExpressMailGuard and Identity Defender, that work fell to Cure53—a Berlin-based cybersecurity firm known for white-box penetration testing that pulls no punches. They've audited our VPN protocol, our browser extensions, our router, our mobile apps, and our server infrastructure over the years. This time, we asked them to do the same for two products that handle some of the most sensitive information we touch: who you correspond with, and who you are.
Why we keep auditing
Independent third-party audits have been a core part of how we build and ship products for years. The products that handle user data (VPN protocols, a password vault, a server platform) get reviewed by external researchers, and the findings get published in full.
To date, ExpressVPN has commissioned and published more independent audits than any other VPN provider, covering everything from our Lightway protocol to TrustedServer to our no-logs policy. The two new Cure53 reports bring our published audit count to 27.
What ExpressMailGuard does, and what was tested
ExpressMailGuard gives you email aliases to hand out instead of your real address. When a service emails the alias, we relay the message to your real inbox. The service never sees your actual email; you receive the message either way.
The product is built on two promises: that mail isn’t retained on our servers after it’s relayed, and that the relay layer can't be used to build a profile of who you correspond with. Cure53 examined the web app, the routing logic, and the infrastructure that connects an alias to an inbox, looking specifically for ways those promises could break.

After eighteen days of testing, Cure53 concluded that ExpressMailGuard "demonstrated a relatively strong and mature security posture, with no Critical or High severity vulnerabilities identified." They found the architecture sound and the codebase resistant to the kinds of attacks that typically compromise web applications. Cure53 raised two vulnerabilities and eleven miscellaneous issues—weaknesses without a clear exploitation path. Our team worked through them in the weeks that followed, and Cure53 has formally retested and verified the fixes that have shipped.
What Identity Defender does, and what was tested
Identity Defender, available as a standalone app for U.S. users, watches for the signals that often appear before someone realizes their identity has been misused—new credit inquiries opened in their name, address changes they didn't request, personal information showing up in data-broker databases or breach lists. It also submits removal requests to data brokers on the user's behalf, automatically.
Because the app handles deeply personal information, Cure53 paid particular attention to how users authenticate, how the app handles personally identifiable information, and how it stores anything sensitive on the device.

Their conclusion, after fourteen days of testing across the iOS and Android apps, was that “the absence of any High or Critical severity findings reflects a solid overall security posture.” Cure53 raised seven vulnerabilities and four miscellaneous issues. Our team worked through them in the weeks that followed, and Cure53 has formally retested and verified the fixes that have shipped.
Where to read the reports
The full Cure53 reports, along with the rest of our audit history and ISO certifications, are published on the ExpressVPN Trust page.
You can also download each report directly:
- Download the ExpressMailGuard Cure53 Report
- Download the Identity Defender Cure53 Report
Privacy across the whole stack
Securing your digital life used to mean installing a firewall and moving on. It's a much wider job now: managing identities, credentials, the trail of data each app leaves behind, and increasingly the AI systems that touch all of it.
The Cure53 reviews of ExpressMailGuard and Identity Defender are part of how we're approaching that bigger job. An ExpressVPN subscription used to be a VPN. Today it's a set of five products built to work together: ExpressVPN for the connection itself, ExpressKeys for password management, ExpressAI for private AI, ExpressMailGuard for email aliasing, and Identity Defender for identity monitoring and data removal.
Each one gets the same independent scrutiny the VPN has had for years.