Customer-Performed Penetration Testing

Files.com supports customers who want to perform their own penetration testing against the platform, subject to the coordination and eligibility rules on this page. Testing must not harm Files.com infrastructure or affect other customers, and the value of a test depends heavily on the quality of the vendor running it.

High-Quality vs. Low-Quality Testing

There is a sharp difference between the two kinds of testing Files.com sees from customers:

  • High-quality penetration testing performed by trusted enterprise-grade vendors, often as part of a well-scoped internal security program.
  • Low-quality, automated scanning performed by cheap or careless vendors that generates high noise and little actionable signal.

Files.com supports the former. The latter is actively discouraged, and controls are in place to limit it.

Common Penetration Test Findings

The Files.com platform includes several flexible file transfer protocols, including legacy FTP and SFTP, to support a wide range of customer systems.

Penetration testing routinely surfaces expected findings such as:

  • Use of insecure FTP services, when enabled
  • Presence of open ports, such as port 22 for SFTP
  • Use of insecure ciphers, if you have explicitly enabled them

These services are customer-facing only and do not access the Files.com internal environment. They exist by design to serve customers with legacy systems or specialized interoperability needs.

Coordination Is Required

You must coordinate with Files.com in advance before conducting any penetration testing against the service.

Files.com evaluates the proposed testing vendor and methodology before authorizing the test. Low-quality vendors typically:

  • Generate large volumes of false positives, such as flagging standard FTP services or passive FTP ports
  • Provide no actionable insights
  • Place undue load on the platform through unsupervised scanning

Early involvement avoids these outcomes.

Requirements to Test

To be eligible to conduct penetration testing on Files.com, you must:

  • Be an Enterprise plan customer
  • Sign the Files.com penetration testing agreement
  • Agree to share the full results of your testing with Files.com

Once these requirements are met, Files.com will coordinate timing with you.

Unauthorized Testing Will Be Blocked

If you attempt to run a penetration test without prior approval and coordination, Files.com will almost certainly detect the activity and block your IP addresses automatically. This is part of how the platform protects service availability for every customer.

IP Whitelisting

Files.com does not provide behind-the-firewall access or any form of IP whitelisting to bypass security protections during a penetration test.

The production security systems are designed to detect and block malicious behavior, including the automated, high-volume scanning that often makes up a penetration test. When your testing tools are blocked, that is exactly the behavior you expect from real-world defenses.

The most useful test of the platform is one where your testers experience the same protections that a real attacker would. Whitelisting dilutes that and produces a less realistic assessment.

Exception Process for IP Whitelisting

In rare cases, Files.com supports a temporary exception to this policy, under specific conditions.

To be eligible, you must:

  • Be a current Enterprise customer, or engaged in an active, late-stage Enterprise opportunity with the Files.com sales team
  • Agree to fully indemnify Files.com for any damage or disruption caused by your testing
  • Provide a $100,000 refundable cash deposit in advance of testing

The deposit is held as a financial guarantee against any indemnified risk. It is returned upon completion of testing if no indemnification is required.

If you cannot meet these conditions, Files.com will work with you in other ways to help you assess the platform's security posture:

  • A review of independent third-party penetration test results
  • Security questionnaires and whitepapers
  • Architectural deep dives with the Files.com team

If you are planning a test or have questions about the process, reach out through your account representative or the support team.