Customer-Performed Penetration Testing
At Files.com, we applaud customers who take security seriously and want to perform additional testing against our platform. However, customer-performed penetration testing is a complex topic—one that requires careful consideration to ensure it aligns with our standards and does not harm our infrastructure or interfere with other customers.
A Key Distinction: Quality Matters
We make an important distinction between:
- High-quality penetration testing performed by trusted enterprise-grade vendors, often as part of a well-scoped internal security program, and
- Low-quality, automated scanning performed by cheap or careless vendors that generate high noise and little to no actionable signal.
We are proud to support the former. We actively discourage the latter and have put controls in place to limit it.
Common PenTest Findings
The Files.com platform includes several flexible file transfer protocols—including legacy FTP and SFTP—to support a wide range of customer systems.
As a result, penetration testing may surface expected findings such as:
- Use of insecure FTP services (when enabled)
- Presence of open ports, such as port 22 for SFTP
- Use of insecure ciphers, if customers have explicitly enabled them
These services are customer-facing only and do not access our internal environment. They exist by design to serve customers with legacy systems or specialized interoperability needs.
Coordination Is Required
You must coordinate with us in advance before conducting any penetration testing against the Files.com service.
We will evaluate your proposed testing vendor and methodology before authorizing the test. In our experience, low-quality vendors often:
- Generate large volumes of false positives (e.g., flagging standard FTP services or passive FTP ports)
- Provide zero actionable insights
- Place undue load on our systems through unsupervised scanning
To help avoid these outcomes, we request early involvement.
Requirements to Test
To be eligible to conduct penetration testing on Files.com, the following requirements must be met:
- You must be a Premier or Enterprise plan customer
- You must sign our penetration testing agreement
- You must agree to share the full results of your testing with Files.com
Once these requirements are met, we will coordinate timing.
Unauthorized Testing Will Be Blocked
Please be aware that if you attempt to run a penetration test without prior approval and coordination, we will almost certainly detect and block your IP addresses automatically.
This is part of our ongoing commitment to service protection, uptime, and responsible platform stewardship.
IP Whitelisting
Our standard position is that we do not provide behind-the-firewall access or offer any form of IP whitelisting to bypass our security protections when conducting a penetration test.
Our production security systems are designed to detect and block malicious behavior—including the kinds of automated, high-volume scanning that are often used in penetration testing. If your testing tools are blocked, that’s not an error—it’s exactly the behavior you expect and want from our defenses.
We believe the most honest and useful test of our platform is one where your testers experience the same protections that real-world attackers would. Any dilution of that security—such as through whitelisting—creates a less realistic assessment.
Exception Process for IP Whitelisting
In rare cases, we are willing to support a temporary exception to this policy, but only under very specific conditions.
To be eligible, you must:
- Be a current Enterprise customer or engaged in an active, late-stage Enterprise opportunity with our sales team
- Agree to fully indemnify Files.com for any damage or disruption caused by your testing
- Provide a $100,000 refundable cash deposit in advance of testing
This deposit is held as a financial guarantee against any indemnified risk. It will be returned upon completion of testing if no indemnification is required.
If you are not able to meet these conditions, we will gladly work with you in other ways to help you assess our security posture—whether through:
- A review of our independent third-party penetration test results
- Security questionnaires and whitepapers
- Architectural deep dives with our team
Our Commitment
We want our customers to have confidence in our platform’s security posture and to feel supported in conducting meaningful evaluations. At the same time, we must ensure that any testing is done safely, effectively, and without risk to the Files.com service or other customers.
By working together, we can support your security goals without compromising stability or trust.
If you’re planning a test or have questions about the process, please reach out to us through your account representative or the support team. We're happy to guide you through the next steps.