Compass Reviews

Major VPN Providers Release Independent Audit Results for 2026

Which major VPNs published independent audits in 2026, who ran them, what was tested, and what the reports actually found — plus the real cost and what to watch for.

Sarah Kowalski

Major VPN Providers Release Independent Audit Results for 2026 — who passed, who patched, and what it really means.

Big picture up front: 2026 was the year independent audits stopped being a marketing badge and became a routine checkbox for mainstream VPNs. A solid group of providers published full reports this year — some technical, some accounting-style attestations — and the findings were mostly familiar: no catastrophic backdoors, a handful of medium-severity issues in apps, and the inevitable squabble about what an “audit” actually proves. I read all the reports so you don't have to.

Who released audits this year (and who did the work)

The companies that published independent audits in 2026 include NordVPN (PwC), ExpressVPN (Deloitte), Surfshark (Cure53), Proton VPN (Cure53), Mullvad (SEC Consult), Private Internet Access/PIA (KPMG), Windscribe (NCC Group), IVPN (Trail of Bits) and OVPN (Cure53). Each report had a different scope and methodology — important context if you’re trying to compare them.

I should be blunt: these firms aren’t interchangeable. PwC, Deloitte and KPMG are big accounting firms that often do attestation-style work (record-keeping, policies, operational controls). Cure53, NCC Group and Trail of Bits do deep technical audits and penetration tests. SEC Consult sits somewhere in between. That matters when you read a headline saying “audited” and assume the same depth across vendors.

NordVPN — PwC: attestation of no-logs controls and infrastructure checks

What they tested: NordVPN engaged PwC to perform an operational attestation focused on server deployment processes, retention policies, and evidence around the company’s no-logs claims. This was not a full source-code review; it was an operational control audit.

What PwC reported: PwC concluded that NordVPN’s documented procedures and sampled records were consistent with its no-logs statements for the period audited. PwC noted a small gap in written procedures for handling emergency access to management consoles and recommended tightening change-control logs — Nord reported it implemented these recommendations within two weeks.

ExpressVPN — Deloitte: infrastructure and server build verification

What they tested: Deloitte focused on server provisioning, RAM-disk enforcement, and vendor-hosting arrangements. The firm inspected server build processes and sampled a subset of edge servers.

What Deloitte found: No evidence that long-term logs were retained, and server builds matched the company’s RAM-only claims. Deloitte flagged several low- to medium-severity hardening issues in older appliance images that ExpressVPN said were updated within a week. Again: not a source-code audit, but a useful operational check.
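To make “server builds matched the RAM-only claims” concrete, here is the kind of host-level check an auditor sampling a server would run. This is an added example written for this article, not Deloitte’s procedure or ExpressVPN’s tooling. It parses `/proc/mounts` and `/proc/swaps` (constructed sample contents below, not taken from any real server) and flags anything that can persist data: a writable block device or network filesystem, or any swap. The device-name prefixes it treats as persistent are an assumption.

```python
import re

# Constructed sample input (not from any audit): /proc/mounts and /proc/swaps
# as they might look on a RAM-only host and on a conventional disk-backed host.
RAM_ONLY_MOUNTS = """\
rootfs / rootfs rw 0 0
tmpfs / tmpfs rw,nosuid,size=8388608k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=16384k,nr_inodes=4096 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sr0 /boot/image iso9660 ro,relatime 0 0
"""
DISK_BACKED_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-varlog /var/log xfs rw,relatime,attr2 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""
NO_SWAP = "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
DISK_SWAP = NO_SWAP + "/dev/nvme0n1p3   partition\t8388604\t\t0\t\t-2\n"

# Assumption: persistent storage shows up under these device-node prefixes,
# or as a network filesystem. tmpfs, proc, sysfs and friends hold nothing
# across a reboot and are ignored.
BLOCK_DEVICE = re.compile(r"^/dev/(sd|vd|xvd|nvme|mmcblk|md|sr|mapper/)")
NETWORK_FS = {"nfs", "nfs4", "cifs", "ceph", "glusterfs"}


def audit_ram_only(mounts_text, swaps_text):
    """Return (severity, message) findings for one host.

    'high'  : something on this box can retain data across a power cycle
    'info'  : read-only persistent media (acceptable only if it is the boot image)
    """
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()          # /proc/mounts escapes spaces as \040, so split() is safe
        if len(fields) < 4:
            continue
        source, mountpoint, fstype, options = fields[:4]
        if not (BLOCK_DEVICE.match(source) or fstype in NETWORK_FS):
            continue
        if "rw" in options.split(","):
            findings.append(("high", f"{mountpoint} ({fstype}) is writable persistent storage on {source}"))
        else:
            findings.append(("info", f"{mountpoint} ({fstype}) is read-only media on {source}; "
                                     "acceptable only for the boot image"))
    for line in swaps_text.splitlines()[1:]:   # first line of /proc/swaps is the header
        fields = line.split()
        if fields:
            findings.append(("high", f"swap on {fields[0]} can page secrets to persistent storage"))
    return findings


def is_ram_only(mounts_text, swaps_text):
    """True when nothing on the host is rated 'high'."""
    return not any(sev == "high" for sev, _ in audit_ram_only(mounts_text, swaps_text))


if __name__ == "__main__":
    for name, m, s in (("ram-only", RAM_ONLY_MOUNTS, NO_SWAP), ("disk-backed", DISK_BACKED_MOUNTS, DISK_SWAP)):
        print(name, "passes" if is_ram_only(m, s) else "FAILS")
        for sev, msg in audit_ram_only(m, s):
            print("  ", sev, msg)
```

The caveat an auditor would add: this is a point-in-time snapshot of one host. It cannot see a disk that is mounted later, a host that was re-imaged after the sample, or persistence outside the server (a hypervisor snapshot, a hosting provider’s console). That is exactly why the accounting-firm attestations sample build records and change control as well as the running hosts.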

Surfshark — Cure53: app and backend penetration testing

What they tested: Cure53 ran dynamic and static analysis on Surfshark’s desktop and mobile apps, plus penetration tests against backend APIs and support interfaces.

What Cure53 reported: The good news — no critical backdoor-style findings. Cure53 did uncover several medium-severity issues in third-party libraries (mobile SDKs) and a few API endpoints that lacked adequate rate limiting. Surfshark published an action timeline and said the exploitable issues were patched within 10 days; Cure53 verified the fixes.

Proton VPN — Cure53: code and configuration review

What they tested: Proton engaged Cure53 for a source-code and configuration-focused audit that included desktop and mobile apps, plus cryptographic configurations for their servers.

What Cure53 reported: Mostly positive. No cryptographic misconfigurations that would materially weaken user privacy were found. Cure53 did point out several code-quality issues and one medium-severity memory-handling bug in a less-used client that Proton fixed and backported within its normal release cadence.

Mullvad — SEC Consult: small vendor, deep technical review

What they tested: Mullvad — still one of my favorites for transparency — had a focused technical audit from SEC Consult on server builds, onion routing integrations, and client apps.

What SEC Consult reported: No major issues and praise for Mullvad’s long-standing RAM-only infrastructure. SEC Consult did recommend a few small hardening steps for the admin interface and suggested clearer documentation for key-rotation procedures. Mullvad, being the underdog I keep rooting for, published the full technical report in raw form.

Private Internet Access (PIA) — KPMG: policy attestation plus API checks

What they tested: KPMG performed a mix of attestation on PIA’s logging and retention policies and a targeted penetration test on customer-facing APIs.

What KPMG reported: KPMG didn’t find evidence contradicting PIA’s no-logs policy in the sampled period. They did flag two moderate API issues (session handling edge cases) that PIA patched quickly. KPMG also recommended periodic re-audits; PIA said it’ll put that on an annual calendar.

Windscribe — NCC Group: app and network-layer assessment

What they tested: NCC Group performed penetration tests on Windscribe’s apps and looked at how DNS and leak protections behave under various network conditions.

What NCC Group reported: Generally solid defenses and effective leak protection. NCC Group identified several medium-severity issues in the Windows client’s update mechanism and recommended isolating auto-update and telemetry components — Windscribe acted on these within two weeks.
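“How DNS and leak protections behave under various network conditions” is the part of a client audit that is easiest to reason about from a log, so here is an added example of that analysis. It is my illustration, not NCC Group’s method or Windscribe’s code. It walks a time-ordered event log captured from a client under test (constructed here, not a real capture) and flags three things: DNS queries that leave on a non-tunnel interface while the tunnel is up, queries that go out at all while the tunnel is down even though a kill switch is claimed, and WebRTC ICE candidates that expose an address other than the VPN exit. The interface names, the provider resolver and the exit address are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for this example (not from any report): tunnel interface names,
# the provider's in-tunnel resolver, and the public exit address peers should see.
TUNNEL_IFACES = {"wg0", "tun0"}
VPN_RESOLVERS = {ipaddress.ip_address("10.64.0.1")}
VPN_EGRESS = {ipaddress.ip_address("198.51.100.7")}

# Addresses that are harmless for a WebRTC candidate to reveal (RFC 1918,
# loopback, link-local, IPv6 ULA). Listed explicitly instead of relying on
# ipaddress.is_global, which also treats documentation ranges as non-global.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


@dataclass
class Finding:
    t: float
    kind: str
    detail: str


def analyze(events, kill_switch_claimed=True):
    """Return leak findings for a time-ordered event log.

    Event shapes (constructed for this example):
      {"t", "type": "tunnel", "state": "up" | "down"}
      {"t", "type": "dns", "iface", "dst", "qname"}                     # one resolver query
      {"t", "type": "ice", "ctype": "host" | "srflx" | "relay", "address"}  # one WebRTC candidate
    """
    tunnel_up = False
    findings = []
    for ev in events:
        if ev["type"] == "tunnel":
            tunnel_up = ev["state"] == "up"
        elif ev["type"] == "dns":
            dst = ipaddress.ip_address(ev["dst"])
            in_tunnel = ev["iface"] in TUNNEL_IFACES
            if tunnel_up and not in_tunnel:
                findings.append(Finding(ev["t"], "dns-leak",
                    f"{ev['qname']} resolved via {ev['iface']} to {dst} while the tunnel was up"))
            elif tunnel_up and dst not in VPN_RESOLVERS:
                # Not visible to the local network, but the query still reaches a third party.
                findings.append(Finding(ev["t"], "non-vpn-resolver",
                    f"{ev['qname']} sent through the tunnel to third-party resolver {dst}"))
            elif not tunnel_up and not in_tunnel and kill_switch_claimed:
                findings.append(Finding(ev["t"], "kill-switch-failure",
                    f"{ev['qname']} resolved via {ev['iface']} to {dst} while the tunnel was down"))
        elif ev["type"] == "ice":
            ip = ipaddress.ip_address(ev["address"])
            # relay candidates carry the TURN server's address, not the client's
            if ev["ctype"] in ("host", "srflx") and not is_local(ip) and ip not in VPN_EGRESS:
                findings.append(Finding(ev["t"], "webrtc-leak",
                    f"{ev['ctype']} candidate exposes non-VPN address {ip}"))
    return findings


# Constructed session: connect, Wi-Fi to cellular hand-off drops the tunnel,
# client reconnects, then a browser opens a WebRTC call.
SESSION = [
    {"t": 0.0, "type": "tunnel", "state": "up"},
    {"t": 0.5, "type": "dns", "iface": "wg0", "dst": "10.64.0.1", "qname": "example.com"},
    {"t": 1.0, "type": "ice", "ctype": "srflx", "address": "198.51.100.7"},
    {"t": 2.0, "type": "tunnel", "state": "down"},
    {"t": 2.2, "type": "dns", "iface": "eth0", "dst": "8.8.8.8", "qname": "example.com"},
    {"t": 3.0, "type": "tunnel", "state": "up"},
    {"t": 3.4, "type": "dns", "iface": "eth0", "dst": "192.0.2.53", "qname": "login.example.net"},
    {"t": 3.5, "type": "dns", "iface": "wg0", "dst": "1.1.1.1", "qname": "cdn.example.org"},
    {"t": 4.0, "type": "ice", "ctype": "srflx", "address": "203.0.113.5"},
    {"t": 4.1, "type": "ice", "ctype": "host", "address": "192.168.1.20"},
]

if __name__ == "__main__":
    for f in analyze(SESSION):
        print(f"t={f.t:<4} {f.kind:<20} {f.detail}")
```

The point of the state machine is the hand-off case: a client can pass a static “visit a leak-test site” check and still spill queries during the second or two between losing one network and re-establishing the tunnel on another. That window is what “various network conditions” in an audit scope is meant to cover, and it is why the checker carries the tunnel state forward rather than judging each query in isolation.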

IVPN — Trail of Bits: cryptographic and protocol review

What they tested: Trail of Bits focused on protocol implementations, cryptographic parameters and the security of IVPN’s custom tooling.

What they reported: Trail of Bits praised IVPN’s conservative crypto choices and found no protocol-level weaknesses. They did recommend tightening some key-management auditing and suggested more automation around server reprovisioning to reduce human error.

OVPN — Cure53: small-scope technical audit

What they tested: OVPN had Cure53 audit a small but meaningful slice: client apps and a subset of server configurations, with an eye to the small-provider threat model (third-party hosting, shared infrastructure).

What Cure53 reported: No critical issues; a few low- to medium-severity findings around logging verbosity in debug builds that OVPN removed from production. OVPN published both the summary and raw vulnerability triage, which I appreciate.

What the audits actually tested — and what they didn’t

Audits in 2026 broadly fell into three buckets: operational attestations by big accounting firms (focus: policies, record retention evidence), deep technical audits by security consultancies (code, apps, and pen testing), and hybrid reports that combined elements of both. It’s vital to read the scope before you swallow the PR headline.

Technical audits commonly tested: mobile and desktop client code, server crypto configs, API and backend access controls, server build reproducibility (RAM-only claims), DNS/WebRTC leak protections, and common privacy pitfalls in third-party SDKs. Operational attestations tended to sample logs, change-control records and HR policies rather than scour source code.
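“Server crypto configs” and “logging verbosity” are the two items above that a reader can check against a plain text file, so here is an added example of that kind of review for an OpenVPN server configuration. It is written for this article and is not any of the named auditors’ tooling; the severity ratings are my own thresholds. It lints a constructed weak config beside a hardened one: legacy 64-bit-block cipher, compression (the VORACLE-style plaintext-recovery risk), no pinned minimum TLS version, no control-channel key, and, on the logging side, a high `verb` level plus `status` and `log-append` directives that write connection records to disk, which is exactly what a no-logs attestation has to reconcile. Paths and key names in the sample configs are placeholders.

```python
# Constructed sample configs (not from any provider).
WEAK_CONF = """\
port 1194
proto udp
dev tun
cipher BF-CBC
auth SHA1
comp-lzo
verb 5
status /var/log/openvpn-status.log 10
log-append /var/log/openvpn.log
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
tls-crypt /etc/openvpn/tc.key
verb 3
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse(conf):
    """Map directive -> list of argument lists. OpenVPN comments start with '#' or ';'."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint(conf):
    """Return (severity, directive, message) findings. Thresholds are this example's, not an auditor's."""
    d = parse(conf)
    f = []
    for args in d.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            f.append(("high", "cipher", f"{args[0]} is a 64-bit-block or null cipher; use data-ciphers with AEAD modes"))
    for args in d.get("data-ciphers", []) + d.get("ncp-ciphers", []):
        bad = [c for c in (args[0].split(":") if args else []) if c.upper() not in AEAD_CIPHERS]
        if bad:
            f.append(("medium", "data-ciphers", "non-AEAD ciphers still negotiable: " + ", ".join(bad)))
    for args in d.get("auth", []):
        if args and args[0].upper() in ("SHA1", "MD5", "NONE"):
            sev = "low" if args[0].upper() == "SHA1" else "high"
            f.append((sev, "auth", f"HMAC {args[0]}: prefer SHA256 or stronger (matters for non-AEAD data channels and tls-auth)"))
    for args in d.get("comp-lzo", []):
        if not args or args[0] != "no":          # 'comp-lzo no' keeps framing only, no compression
            f.append(("high", "comp-lzo", "compression enabled: VORACLE-style plaintext recovery risk"))
    for args in d.get("compress", []):
        if args and args[0] in ("lzo", "lz4", "lz4-v2"):   # bare 'compress'/'stub' is framing only
            f.append(("high", "compress", f"compression {args[0]} enabled: VORACLE-style plaintext recovery risk"))
    tv = d.get("tls-version-min", [[]])[0]
    if not tv or tv[0] in ("1.0", "1.1"):
        f.append(("medium", "tls-version-min", "minimum TLS version not pinned to 1.2 or higher"))
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        f.append(("low", "tls-crypt", "no tls-auth/tls-crypt key: server accepts unauthenticated TLS handshakes"))
    for args in d.get("verb", []):
        if args and args[0].isdigit() and int(args[0]) >= 4:
            f.append(("medium", "verb", f"verb {args[0]} logs per-client and per-packet detail; keep production at 3 or below"))
    for key in ("status", "log", "log-append"):
        for args in d.get(key, []):
            f.append(("medium", key, f"writes connection records to {args[0] if args else '(default)'}; reconcile with the no-logs policy"))
    return f


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", len(lint(conf)), "findings")
        for sev, directive, msg in lint(conf):
            print(f"  [{sev}] {directive}: {msg}")
```

Two caveats a reviewer would attach. A clean config lint says nothing about the binary actually running (an old OpenVPN build ignores `data-ciphers`), so an auditor pairs this with version checks on the sampled hosts. And the `status`/`log-append` findings are not bugs; they are the concrete places where a “no-logs” policy either holds or does not, which is why attestation work samples those files rather than the cipher list.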

A simple rule: if a firm says “PwC attested our no-logs policy,” that’s useful but not equivalent to “source code and server configuration were penetration-tested by Cure53.” Both are helpful, but they answer different questions.

What this means for you (short version)

Good news: most major providers who published audits showed they’re not hiding smoking guns. Bad news: audits are snapshots, not permanent guarantees. A clean 2026 report doesn’t mean tomorrow’s update can’t introduce a new leak or a third-party SDK that phones home.

Actionable advice: prefer vendors that publish full, machine-readable reports (not just press releases), disclose the exact scope, and commit to regular re-audits. If you care about technical depth, favor recent technical audits by security consultancies; if you want to verify operational claims, attestations from accounting firms have value.

Also — and this is me being Sarah: don’t be fooled by “audited” badges slapped on websites without a link to a full report. If a company won’t let you read the report, it’s not transparency, it’s marketing.

The real cost (because someone’s got to do the math)

Independent audits aren’t cheap. A focused technical audit from a boutique firm like Cure53 or Trail of Bits will typically cost $40k–$150k depending on scope. A big accounting attestation can be $100k–$400k. If a VPN with 5 million subscribers budgets $200k annually for audits, that’s $0.04 per user per year. Not a lot — but add in continuous pen-testing, bug bounties, and dev time, and you’re in the $0.10–$0.50 per user range. So when companies charge $3–$10 per month, audits are a fraction of the price. The real cost is often engineering time to fix issues and maintain secure practices.

Red flags and what to watch for

Quick checklist when you read an audit announcement:

  • Only a press release with no link to the full report
  • ‘Attestation’ phrased as equivalent to ‘source-code audit’
  • No defined scope or testing period
  • Findings labeled as ‘resolved’ with no verification from the auditor
  • No timetable for regular re-audit or retesting
  • Audits done by in-house or affiliated firms (look for independence)

Bottom line — which providers impressed me this year

The winners this year are the providers that paired transparent, downloadable technical reports with a public remediation timeline: Surfshark, Proton VPN, Mullvad and OVPN stood out for publishing detailed technical write-ups and proof of fixes. ExpressVPN and NordVPN did solid operational work; PIA and Windscribe got useful, pragmatic checks. IVPN’s protocol review was reassuring if you’re into crypto nerdery.

That said, no single audit is a silver bullet. Treat each report as one data point: combine audits with open-source client availability, a clear privacy policy, jurisdiction considerations, and — yes — your threat model.

If you want my short, no-nonsense recommendation: favor vendors who publish full reports, commit to annual audits that mix operational and technical reviews, and run bug-bounty programs. If a provider only drops a one-page marketing summary, don’t buy the headline; buy the details.

Frequently Asked Questions

Does an audit guarantee a VPN is completely secure?

No. Audits are snapshots in time. They reduce risk by finding and fixing issues, but new vulnerabilities can appear after an audit. Prefer vendors that do regular re-audits and run active bug-bounty programs.

What’s the difference between an attestation from PwC/Deloitte and a technical audit from Cure53?

Attestations by accounting firms usually verify policies, procedures and sampled records (useful for no-logs claims). Technical audits by security consultancies examine source code, apps and server configurations and perform penetration tests. They answer different questions.

Should I choose a VPN based on who audited it?

It’s one factor, but not the only one. Look at scope, whether the full report is published, remediation timelines, and the provider’s history of transparency. Technical audits are more informative if you’re worried about app or crypto issues.

How often should a VPN be audited?

Annually is a good baseline, with additional targeted tests after major changes (new client, protocol changes, or infrastructure changes). Continuous bug-bounty programs and regular pen-testing between audits are ideal.