
How Quillio handles penetration testing

Quick answer

Quillio runs annual third-party penetration tests covering the application layer, cloud infrastructure, and tenant isolation boundaries. Critical and high findings are remediated before the test report is finalised. Summary reports (not the full findings, for confidentiality reasons) are available to enterprise firms under NDA.

Scope

Tests cover the web application, API surface, cloud infrastructure (networking, storage, IAM), and specifically the tenant isolation boundaries between firms. Social engineering and physical security testing are out of scope for our SaaS model.

Testers

We use an external Australian cybersecurity firm with CREST-accredited testers. The same firm is used year-on-year for consistency of methodology, and a second firm is engaged every 3 years for a fresh perspective.

Remediation

Critical and high findings are remediated before the test report is finalised. Medium and low findings are remediated on a prioritised backlog, with timelines in the test report summary. All findings are tracked in our security ticket system.

Common issues
  • Full pen test reports are not shared — summary reports available under NDA
  • Frequency increases for major releases — additional tests for architectural changes
  • Bug bounty supplements pen testing — details on our security page
