Security Testing

An Overview Of How We Test Our Security Processes

Expansive maintains a structured and independently verified security testing programme to ensure our platform, infrastructure, and processes remain resilient against emerging threats.
Testing is conducted through a combination of continuous internal validation, scheduled external penetration testing, and ongoing vulnerability management as part of our ISO/IEC 27001 Information Security Management System (ISMS).


Independent Penetration Testing

Expansive engages an independent, CREST-accredited security testing firm to perform quarterly penetration tests on our production platform and core infrastructure.

Scope

Each engagement includes:

  • External web applications and API endpoints

  • Authentication and session management (including MFA and token lifecycle)

  • Role-based access controls and tenant data segregation

  • Encryption implementation and secrets management

  • Cloud infrastructure configuration and network boundaries

  • Application dependencies, libraries, and patch levels

Remediation & Assurance

  • All findings are recorded and risk-assessed within our ISMS.

  • Critical and High-severity issues are remediated before deployment or continued operation.

  • Medium and Low-severity issues are addressed through normal release cycles.

  • Summary reports or attestation letters can be provided under NDA on request.

These activities support compliance with ISO/IEC 27001:2022 controls A.5.23 – Information security testing and A.8.8 – Management of technical vulnerabilities.


Continuous Security Validation

Between formal tests, Expansive performs continuous internal security validation as part of the secure development lifecycle (SDLC).
Automated tooling and peer review processes verify:

  • Dependency and library vulnerabilities (via SCA tools)

  • Static code analysis for injection and logic flaws

  • Container image scanning before release

  • Configuration and secret-management checks within deployment pipelines

Findings from internal validation feed into the same remediation workflow used for external test results, ensuring complete traceability and accountability.


Vulnerability Management

Expansive operates a proactive vulnerability management programme:

  • Vendor and NCSC advisories are continuously monitored.

  • Relevant CVEs are triaged and assessed within 24 hours of publication.

  • Emergency patching follows the process described in our Updates & Maintenance policy.

  • Routine patching occurs within the monthly release cycle, ensuring all customer instances remain within one major version of the latest platform release.

All vulnerability actions are logged in the ISMS for evidence and continuous improvement tracking.


Ongoing Assurance

The overall security testing programme is reviewed annually by the Information Security Lead and verified through:

  • Internal ISMS audits

  • Annual ISO 27001 surveillance audits

  • Periodic independent review of testing scope and effectiveness

This layered approach ensures Expansive maintains an independently verified, continually improving security posture.