intuitem · News
CISO Assistant Q2 2026 penetration test report is now available
Staying true to our commitment to transparency and security, we're publishing the latest CISO Assistant penetration test report, conducted by Synacktiv. All findings were reviewed and remediated within hours.
To stay consistent with our commitment to transparency and security, we’re pleased to publish the latest CISO Assistant penetration testing report, conducted by Synacktiv.
Many thanks to their team for the quality of their work, their professionalism, and the excellent collaboration throughout the engagement (hi Renaud and team 👋).
All findings were reviewed and remediated within hours of being reported. To make the report easier to consume, we’ve added a summary page highlighting the key information and results.
Acknowledgment
We would like to thank Synacktiv for conducting this penetration test with exceptional rigor and professionalism. Their comprehensive analysis, clear reporting, and valuable recommendations have strengthened the platform’s security posture.
Tested scope
The application was tested in a PRO SaaS deployment, with the testers having access to the source code (CISO Assistant is open source) — a white-box engagement, which gives far more thorough coverage than black-box testing.
Key findings
| Ref | Finding | Severity | Status | Notes |
|---|---|---|---|---|
| V-01 | Template injection in audit templates | High | ✅ Patched in v3.16.7 | Added an extra sandboxing mode. Templates are managed only by admins, who control their quality and security. Defense-in-depth in the infrastructure (rootless containers, network policies) prevented lateral movement and kept the tenant admin within their scope. |
| V-02 | Error messages information leak | Low | ✅ Dismissed | The surfaced information is not sensitive and is intentionally exposed to help with debugging. All sensitive settings (e.g., secrets) follow a write-only pattern. |
| V-03 | Subdomain enumeration through certificate transparency | Remark | ✅ Deprecated | A legacy TLS-management design choice that was deprecated more than a year ago by moving to a wildcard certificate. |
The single High-severity finding (V-01) was patched in v3.16.7, with sandboxing reinforced as a defense-in-depth measure on top of the existing admin-only template controls and infrastructure isolation. The remaining items were either intentional behavior (V-02) or already addressed by an earlier design change (V-03).
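The write-only pattern mentioned under V-02 is a small but useful discipline: secrets can be submitted through the settings API, but they are never read back, and any diagnostic payload is built from a view that carries only non-sensitive values. The snippet below is an added illustration of that pattern and is not code from CISO Assistant; the setting names, the `Settings` class and the helper functions are constructed for the example. It places a naive error builder, which dumps the raw settings and therefore leaks, beside the write-only version.

```python
"""Write-only handling of sensitive settings (added example, not CISO Assistant code).

Secrets may be written but are never returned; presence is reported as a flag.
Error payloads are built from the public view only. All names are constructed.
"""
from dataclasses import dataclass, field

# Constructed list of keys treated as secrets in this example.
SECRET_KEYS = frozenset({"smtp_password", "oidc_client_secret"})


@dataclass
class Settings:
    values: dict = field(default_factory=dict)

    def update(self, changes: dict) -> None:
        """Accept writes to any key, secrets included.

        A blank value means "keep what is stored": the UI never receives the
        current secret, so it cannot resubmit it, and must not wipe it either.
        """
        for key, value in changes.items():
            if value is None or value == "":
                continue
            self.values[key] = value

    def public_view(self) -> dict:
        """Return settings safe to expose: secrets appear only as a presence flag."""
        view = {}
        for key, value in self.values.items():
            if key in SECRET_KEYS:
                view[key] = {"configured": True}
            else:
                view[key] = value
        return view


def naive_error_context(settings: Settings, message: str) -> dict:
    """Weak form: helpful for debugging, but echoes raw settings, secrets included."""
    return {"error": message, "settings": dict(settings.values)}


def error_context(settings: Settings, message: str) -> dict:
    """Corrected form: same debugging detail, sourced from the public view only."""
    return {"error": message, "settings": settings.public_view()}


def leaks_secret(payload, secret_values) -> bool:
    """Check helper: True if any secret value appears anywhere in the payload."""
    text = repr(payload)
    return any(secret in text for secret in secret_values)


if __name__ == "__main__":
    s = Settings()
    s.update({"smtp_host": "mail.example.test", "smtp_password": "hunter2"})
    print(naive_error_context(s, "SMTP connection failed"))  # leaks hunter2
    print(error_context(s, "SMTP connection failed"))        # presence flag only
```

The `leaks_secret` helper is the kind of assertion worth keeping in a test suite: build every error and settings response the API can emit, then check that no configured secret value appears in the serialized output.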
Why we publish this
Security is not a checkbox — it’s an ongoing practice. Publishing our pentest results, including the findings and how we handled them, is part of how we hold ourselves accountable to the community and to our customers. We believe an open GRC platform should be transparent about its own security posture.
As always, we welcome your feedback and any security findings through our usual channels.