Raxis Trust Center
Raxis holds itself to the same security standards we help clients test. This Trust Center summarizes our SOC 2 examination, insurance coverage, secure delivery practices, data handling commitments, supported compliance frameworks, and team credentials.
Last update: June 5, 2026
Reviewed by: Mark Puckett
Compliance & Attestations
Data Handling & Client Privacy
DURING ENGAGEMENTS
- All testing data is transmitted over encrypted channels using TLS 1.2+, VPN, or the Raxis Transporter
- Findings are delivered exclusively through the Raxis One portal, secured with role-based access controls and full audit logging
- Every engagement is scoped and bounded by signed Rules of Engagement before work begins
- Raxis testers operate under strict policies against damaging or destroying customer property
- Emergency escalation procedures are established for each engagement
AFTER ENGAGEMENTS
- Client data is retained in accordance with contract requirements and applicable retention schedules
- Data destruction is available upon request and is executed through a formal approval and tracking process
- Raxis does not sell client data or repurpose it for unrelated use, and does not disclose client identities or engagement details without authorization except as required by law.
CONFIDENTIALITY
- All engagements are covered by NDA, MSA confidentiality terms, or equivalent written confidentiality obligations before project kickoff.
- Raxis employees and contractors with access to sensitive data are subject to background checks at hire and periodically as required by role, client requirements, or internal policy.
- Client identities and engagement details are never disclosed without written consent
Operational Security
SECURE TESTING INFRASTRUCTURE
Raxis One Portal — Project communications, findings, evidence, and reports are delivered through Raxis One, which is included in the Raxis Pentesting Services System covered by our SOC 2 Type 2 examination. Raxis One supports role-based access controls, encrypted transmission, and audit logging.
Raxis Transporter — Our internally developed remote access solution provides secure, on-site-equivalent testing to any location in the world. No VPN credentials or persistent network access required.
INTERNAL SECURITY PRACTICES
- Penetration testing on our own infrastructure at least annually; vulnerability scans performed quarterly
- Endpoint protection deployed across all company devices
- Multi-factor authentication required for all internal systems
- Security awareness training completed by all employees and contractors upon hire and annually thereafter
RULES OF ENGAGEMENT
- Every engagement begins with a formally signed scope document and rules of engagement
- Testing windows and emergency contacts are confirmed before testing starts
- Testing can be paused immediately upon client request at any time
Compliance Frameworks We Support
Raxis delivers penetration testing and security assessments aligned with the following compliance frameworks and regulations:
| Framework | Description |
| --- | --- |
| PCI DSS v4.0.1 | Payment card industry security testing, including Requirement 11.4 internal and external penetration testing and segmentation validation where applicable. |
| HIPAA | Security testing supporting risk analysis, risk management, and evaluation activities under the HIPAA Security Rule. |
| SOC 2 | Penetration testing, vulnerability management, and remediation evidence supporting the Security Trust Services Criteria. |
| SOX | IT general controls and security testing evidence supporting financial reporting control environments. |
| GLBA / Safeguards Rule | Security testing and assessment support for financial institutions’ customer information protection programs. |
| NIST SP 800-171 / CMMC | Security assessment support for organizations protecting controlled unclassified information and defense contractor environments. |
| ISO 27001 | Technical security testing and remediation evidence supporting an information security management system. |
| GDPR | Security testing supporting Article 32 expectations for regularly testing, assessing, and evaluating technical and organizational security measures. |
| FERPA | Security testing support for educational institutions protecting student data and related systems. |
| NYDFS Cybersecurity Regulation | Penetration testing, vulnerability management, and security assessment support for covered financial services entities. |
| MITRE ATT&CK | Adversary tactics, techniques, and procedures mapping for red team and detection validation engagements. |
Team Certifications
Raxis penetration testers hold top industry certifications that validate deep technical skill and hands-on security expertise. Our certifications represent more than exams — they back the advanced techniques and adversary simulations we deliver every day. If you have a request for a particular certification, we will try to accommodate it; however, this list is intended to show our commitment to hiring the industry's best.
Recognition
- We’re recognized by major market research firms as a key player in our space, including Markets and Markets PTaaS, Penetration Testing, and US Penetration Testing.
- Raxis holds a perfect 5.0 rating on Clutch across verified client reviews. Each year, Raxis performs over 600 penetration tests and successfully retrieves protected data in over 85% of Red Team engagements.
- Raxis engineers frequently uncover new vulnerabilities and have numerous published CVEs.
- Raxis is listed as a Sample Vendor for Penetration Testing as a Service (PTaaS) in two Gartner® Hype Cycle™ reports for both 2023 and 2024: Hype Cycle for Security Operations and Hype Cycle for Application Security.
Raxis Vulnerability Research
Raxis engineers have discovered and responsibly disclosed vulnerabilities assigned CVE identifiers across enterprise platforms, including ManageEngine, PRTG Network Monitor, Eaton, and Rock RMS. Selected research writeups are available in our Raxis Discovered Vulnerabilities archive.
| CVE / NVD | Raxis Details | Description (Raxis Pentester) |
| --- | --- | --- |
| | | Stored XSS in Rock RMS that lets a standard user escalate to administrator when an admin views the malicious user’s profile page (Jason Taylor) |
| | | CSS injection in PRTG Network Monitor via a device’s icon/properties field rendered unescaped inside a style tag (Matt Mathur) |
| | ManageEngine Remote Access Plus — Guest IDOR (license details) | IDOR in ManageEngine Remote Access Plus — a Guest user can retrieve license details via the |
| | ManageEngine Remote Access Plus — Guest IDOR (domain details) | IDOR in ManageEngine Remote Access Plus — a Guest user can retrieve connected domain/controller details (Matt Dunn) |
| | | Stored XSS in ManageEngine Support Center Plus (Matt Dunn) |
| | | Information leakage in ManageEngine Asset Explorer (Matt Dunn) |
| | | Stored XSS in ManageEngine AD Self Service Plus (Matt Dunn) |
| | | Stored XSS in Nagios XI (Matt Dunn) |
| | ManageEngine Applications Manager stored XSS (AD-imported names) | Stored XSS in ManageEngine Applications Manager, via name fields imported from Active Directory (Matt Dunn) |
| | | Stored XSS in PRTG Network Monitor (Matt Dunn) |
| | ManageEngine Key Manager Plus stored XSS (AD-imported fields) | Stored XSS in ManageEngine Key Manager Plus, via user detail fields imported from Active Directory (Matt Dunn) |
| | ManageEngine ADSelfService Plus stored XSS (directory-search email field) | Stored XSS in ManageEngine AD Self Service Plus, in the email field of directory search results (Matt Dunn) |
Questions About Our Security Posture?
We believe in transparency. If you need additional documentation — including our SOC 2 report, proof of insurance, or details about our security practices — we’re happy to provide it. Just let us know what you’d like to see via our Contact Form.