
Penetration Testing

Learn how Access Volcanic handles platform security testing and what reports you can request.

Written by Grace
Updated over 2 weeks ago

Overview

This article helps you understand how penetration testing and vulnerability scanning work for the Access Volcanic platform. Access Volcanic runs regular security testing to identify and fix vulnerabilities before they become real threats. This testing is carried out at platform level because Access Volcanic is a shared, multi-tenant environment.


Key benefits

  • Identify security vulnerabilities before attackers can exploit them.

  • Support secure development and operational practices across the platform.

  • Prioritise remediation work based on severity and impact.

  • Provide transparency through redacted reports available on request.

  • Maintain platform security through weekly automated scanning and annual expert testing.


Before you start

Before reviewing this article, you should understand:

  • Access Volcanic is a shared, multi-tenant platform hosting multiple customers.

  • Security testing is performed at platform level by Access Volcanic and The Access Group.

  • Individual customer testing is not permitted due to the shared environment.

  • Redacted penetration test reports are available on request through Access Volcanic Support.


How Access Volcanic performs security testing

Access Volcanic runs regular penetration and security testing on the platform. This identifies vulnerabilities and addresses them early. Testing includes weekly automated vulnerability scanning and annual external penetration testing.

These activities form part of The Access Group's information security (InfoSec) process. They help reduce risk by finding issues early. They also support secure development practices and prioritise fixes based on severity and impact.


Weekly automated vulnerability scanning

Access Volcanic runs weekly automated vulnerability scans using Detectify, a web security scanning tool.

What weekly scanning does

Weekly automated scanning provides feedback on security issues that may have been introduced by platform changes. It helps guard against regressions where previously fixed issues reappear. It also identifies newly reported vulnerabilities that may impact the platform.

Detectify alerts are reviewed regularly. They are often reviewed again after recent platform changes to catch any issues quickly.

Limitations of automated scanning

Automated scanning is useful, but it has limitations. It cannot replicate complex, multistep attacks. It also cannot match the depth of a skilled human-led penetration test.


Annual external penetration testing

Each year, the Access Volcanic platform undergoes an external penetration test. This is performed by a third-party security consultancy as part of The Access Group's information security (InfoSec) process.

What makes annual testing different

Annual external penetration testing is more thorough than automated scanning. This is because it involves real people attempting to compromise the platform. Testing typically includes deeper investigation of attack paths. It also includes more complex multistep attack techniques and approaches that automated tools cannot perform reliably.

How annual test results are handled

Penetration test reports can contain sensitive details that could increase risk if disclosed. Because of this, full penetration test reports are not shared outside the Engineering team. Any findings are handled according to InfoSec procedures for incident management.

The Engineering team reviews the results. They determine remediation actions. They work towards resolving issues based on priority and impact.


Customer-led vulnerability testing

You are not permitted to run your own penetration tests against the Access Volcanic platform.

⚠️ Important: Running your own penetration tests against Access Volcanic could disrupt service for all customers and trigger security incident responses.

The platform is a shared, multi-tenant environment. Uncontrolled testing could impact platform stability or availability. It could inadvertently affect other customers. It could also generate security monitoring and incident responses that disrupt service.

What you can request

On request, Access Volcanic can provide you with a redacted version of penetration test results.


Reporting and discussing vulnerabilities

If you'd like to request a redacted penetration test report, please raise a support case with Access Volcanic Support. If you'd like to discuss a vulnerability you believe you've discovered, please do the same. We'll review your request or report and handle it through the appropriate security and incident management process.

📌 Note: Redacted penetration test reports are available on request and provide security information with sensitive technical details removed.


Best practices

  • Request redacted penetration test reports when preparing for audits or compliance reviews.

  • Report potential vulnerabilities through the support case system rather than attempting your own tests.

  • Review the InfoSec process with your Account Manager if you have specific security requirements.

  • Contact Access Volcanic Support if you need clarification on security testing schedules or results.


FAQs

Q1: Can I run my own penetration test on the Access Volcanic platform?

  • Answer: No, you are not permitted to run your own penetration tests because Access Volcanic is a shared, multi-tenant environment. Uncontrolled testing could impact platform stability, affect other customers, or trigger security incident responses.

Q2: Can I get a copy of the latest penetration test report?

  • Answer: You cannot receive the full penetration test report. However, you can request a redacted version by raising a support case with Access Volcanic Support.

Q3: How often is the Access Volcanic platform tested?

  • Answer: The platform is covered by weekly automated vulnerability scanning using Detectify. Annual external penetration testing is performed by a third-party security consultancy. This forms part of The Access Group's InfoSec process.

Q4: What is the difference between automated scanning and penetration testing?

  • Answer: Automated scanning runs weekly and identifies known vulnerabilities and regressions quickly, but it cannot perform complex, multi-step attacks. Annual penetration testing involves skilled security professionals who investigate deeper attack paths. They use techniques that automated tools cannot replicate.

Q5: How do I report a vulnerability I've discovered?

  • Answer: To report a vulnerability you believe you've discovered, raise a support case with Access Volcanic Support. We'll review your report and handle it through the appropriate security and incident management process.

Q6: Why can't I see the full penetration test report?

  • Answer: Full penetration test reports contain sensitive technical details that could increase security risk if disclosed. These reports are restricted to the Engineering team, but you can request a redacted version that removes sensitive information.
