· intuitem · News  · 2 min read

CISO Assistant Q2 2026 penetration test report is now available

Staying true to our commitment to transparency and security, we're publishing the latest CISO Assistant penetration test report, conducted by Synacktiv. All findings were reviewed and remediated within hours.

Staying true to our commitment to transparency and security, we're publishing the latest CISO Assistant penetration test report, conducted by Synacktiv. All findings were reviewed and remediated within hours.

To stay consistent with our commitment to transparency and security, we’re pleased to publish the latest CISO Assistant penetration testing report, conducted by Synacktiv.

Many thanks to their team for the quality of their work, their professionalism, and the excellent collaboration throughout the engagement (hi Renaud and team 👋).

All findings were reviewed and remediated within hours of being reported. To make the report easier to consume, we’ve added a summary page highlighting the key information and results.

Acknowledgment

We would like to thank Synacktiv for conducting this penetration test with exceptional rigor and professionalism. Their comprehensive analysis, clear reporting, and valuable recommendations have strengthened the platform’s security posture.

Tested scope

The application was tested in a PRO SaaS deployment while the testers had access to the source code (CISO Assistant is open source) — a white-box engagement that gives the most thorough coverage possible.

Key findings

RefFindingSeverityStatusNotes
V-01Template injection in audit templatesHigh✅ Patched in v3.16.7Added an extra sandboxing mode. Templates are managed only by admins, who control their quality and security. Defense-in-depth in the infrastructure (rootless containers, network policies) prevented lateral movement and kept the tenant admin within their scope.
V-02Error messages information leakLow✅ DismissedThe surfaced information is not sensitive and is intentionally exposed to help with debugging. All sensitive settings (e.g., secrets) follow a write-only pattern.
V-03Subdomain enumeration through certificate transparencyRemark✅ DeprecatedA legacy TLS-management design choice that was deprecated more than a year ago by moving to a wildcard certificate.

The single High-severity finding (V-01) was patched in v3.16.7, with sandboxing reinforced as a defense-in-depth measure on top of the existing admin-only template controls and infrastructure isolation. The remaining items were either intentional behavior (V-02) or already addressed by an earlier design change (V-03).

Why we publish this

Security is not a checkbox — it’s an ongoing practice. Publishing our pentest results, including the findings and how we handled them, is part of how we hold ourselves accountable to the community and to our customers. We believe an open GRC platform should be transparent about its own security posture.

As always, we welcome your feedback and any security findings through our usual channels.

Back to Blog

Related Posts

View All Posts »