Security at Vasion: The Commitment Behind the Certifications


Justin Scott
June 1, 2026
5 min
Security isn't something you achieve once and move on from. It's a discipline built through investment, tested by adversity, and proven through action. At Vasion, we've always approached security this way. When a security researcher published a disclosure covering vulnerabilities in our product, we did what we believe every responsible software company should do: we acknowledged it, we remediated it, and we came out stronger.
We're writing this post because our customers and prospects deserve a direct, honest account of what happened, what we did about it, and why Vasion is more secure today than it has ever been.
What Happened
In April 2025, security researcher Pierre Kim published a disclosure identifying 83 vulnerabilities in PrinterLogic. The findings spanned research conducted between 2021 and 2024 and covered the Virtual Appliance, SaaS platform, and client software. The vulnerabilities ranged in severity and included issues related to cross-site scripting, encryption practices, configuration weaknesses, and other areas.
We take every vulnerability report seriously, and we took this one especially so.
What We Did About It
Every single validated vulnerability has been remediated. Our security bulletin, which has been publicly available on our documentation site since 2025, documents each CVE, its description, investigation details, remediation steps, and current status. We credited the researcher for every finding, because responsible disclosure makes the entire industry stronger.
Equally important: there have been zero known exploitations of any of these vulnerabilities in the wild. No customer data was compromised. No incidents were reported. Our security monitoring, which operates continuously across our environments, confirmed this throughout the disclosure and remediation process.
For our SaaS customers, remediations were deployed automatically through our continuous delivery pipeline with no customer action required. For Virtual Appliance customers, patched versions were released with clear upgrade guidance.
Why Vulnerability Disclosures Don't Mean "Insecure"
The existence of vulnerability disclosures is not evidence of a weak security posture. Rather, it's evidence of a product that security researchers are actively examining and a company that engages with those researchers transparently.
Every major software platform in the world has vulnerabilities discovered and disclosed. What separates responsible companies from the rest is what happens next. Do they remediate? Do they communicate openly? Do they invest in preventing similar issues in the future?
At Vasion, the answer to all of those questions is yes.
The Security Investments We've Made
The Pierre Kim disclosure simply accelerated an application security transformation that was already underway. Here's what Vasion has invested to ensure our platform meets the highest security standards in the industry:
Security Integrated Into Every Code Delivery
We run Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) on every delivery through our CI/CD pipelines. At Vasion, security scanning is a gate that every code change must pass through before it reaches production.
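As an added illustration of what such a gate does (example code written for this post, not Vasion's pipeline code), the block below merges SARIF-like output from SAST, SCA and DAST jobs, fails the delivery when any finding meets a severity threshold, treats findings that arrive with no severity as critical so the gate fails closed, and honours an explicit, reviewable suppression list rather than silent exclusions. The scanner names, rule ids, file paths and URLs are constructed placeholders.

```python
"""CI severity gate over scanner output (SAST, SCA, DAST).

Added example, not Vasion's pipeline code. Scanner names, rule ids, paths and
URLs below are constructed placeholders.
"""
import sys
from dataclasses import dataclass

# Constructed sample reports in a simplified SARIF shape, one per scanner.
SAMPLE_REPORTS = {
    "sast": {"runs": [{"results": [
        {"ruleId": "xss-reflected", "properties": {"severity": "high"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/render.py"}}}]},
        {"ruleId": "debug-logging", "properties": {"severity": "low"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app.py"}}}]},
    ]}]},
    "sca": {"runs": [{"results": [
        {"ruleId": "vulnerable-dependency", "properties": {"severity": "critical"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}]},
    ]}]},
    "dast": {"runs": [{"results": [
        {"ruleId": "missing-hsts", "properties": {"severity": "medium"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://staging.example/"}}}]},
        # A result with no severity at all: the gate must not silently let it through.
        {"ruleId": "open-redirect",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://staging.example/login"}}}]},
    ]}]},
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    scanner: str
    rule_id: str
    severity: str
    location: str


def parse_sarif(scanner: str, report: dict) -> list[Finding]:
    """Flatten a SARIF-like report into Findings; severity falls back to 'unknown'."""
    findings = []
    for run in report.get("runs", []):
        for result in run.get("results", []):
            severity = str(result.get("properties", {}).get("severity", "unknown")).lower()
            locations = result.get("locations") or [{}]
            uri = (locations[0].get("physicalLocation", {})
                   .get("artifactLocation", {}).get("uri", "<unknown>"))
            findings.append(Finding(scanner, result["ruleId"], severity, uri))
    return findings


def collect_findings(reports: dict) -> list[Finding]:
    """Merge the output of every scanner that ran in the pipeline."""
    return [f for name, report in reports.items() for f in parse_sarif(name, report)]


def evaluate_gate(findings, threshold="high", suppressions=frozenset()):
    """Block when any finding at or above `threshold` is not explicitly suppressed.

    `suppressions` holds (scanner, rule_id, location) triples taken from a
    reviewed risk-acceptance file. Unknown severities rank as critical, so a
    scanner that omits the field cannot accidentally pass the gate.
    """
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for finding in findings:
        rank = SEVERITY_RANK.get(finding.severity, SEVERITY_RANK["critical"])
        if rank < min_rank:
            continue  # still reported to the team, but does not stop the delivery
        if (finding.scanner, finding.rule_id, finding.location) in suppressions:
            suppressed.append(finding)
        else:
            blocking.append(finding)
    return {"passed": not blocking, "blocking": blocking, "suppressed": suppressed}


if __name__ == "__main__":
    verdict = evaluate_gate(collect_findings(SAMPLE_REPORTS), threshold="high")
    for f in verdict["blocking"]:
        print(f"BLOCK {f.scanner}: {f.rule_id} [{f.severity}] at {f.location}")
    sys.exit(0 if verdict["passed"] else 1)  # a non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit is what makes scanning a gate rather than a report; keeping suppressions as explicit (scanner, rule, location) triples means each accepted risk is visible in review and expires with the code it refers to.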
Security-First Architecture
Our architectural requirements make security a standard, non-negotiable design principle. Our security team authors Architecture Decision Records (ADRs) and architecture design principles directly.
FIPS Validated Encryption
Vasion now utilizes FIPS 140-2 validated cryptographic modules exclusively across the platform. All data in transit is protected with TLS 1.2 using FIPS validated encryption. All data at rest is protected with AES-256 encryption. This is the same encryption standard required by the U.S. federal government for protecting sensitive information.
Dual Pen Testing Program
We conduct two independent penetration tests per year: one by Coalfire for our federal environments and one by a separate external firm supporting our commercial SOC 2 Type 2, ISO 27001, and ISO 42001 audits. This dual approach ensures that both our federal and commercial environments are rigorously tested by independent third parties on a consistent cadence.
Third-Party Continuous Monitoring (FedRAMP®)
Our FedRAMP environment operates under continuous security monitoring managed by Stack Armor, a specialized Managed Security Services Provider (MSSP). This includes a full security operations center with centralized log aggregation and analysis, AI-driven threat detection, findings aggregation, vulnerability scanning, host-based intrusion detection, and web application scanning. This is 24/7 monitoring with defined response SLAs.
AI Security Platform
As Vasion advances its AI-powered capabilities, we're deploying a comprehensive AI security tooling stack, including runtime guardrails, prompt injection defense, AI red teaming in our CI/CD pipelines, and governance enforcement for AI coding agents. We hold ISO 42001 certification for AI management systems, and we're operationalizing that governance with real tooling, not just documentation.
The Certifications That Validate Our Commitment
Certifications aren't just badges. They represent thousands of hours of documentation, independent assessment, continuous monitoring, and organizational commitment. Vasion holds:
FedRAMP High Authorization to Operate (ATO) — Achieved in January 2026 with DISA sponsorship, this is the most rigorous cloud security authorization issued by the U.S. federal government. FedRAMP High is based on NIST SP 800-53 and requires implementation of over 400 security controls, independent third-party assessment, and ongoing continuous monitoring. Fewer than 600 cloud service offerings currently hold FedRAMP authorization. The process took years and represents the gold standard for cloud security compliance.
DoD IL-4 Authorization (In Progress) — Vasion is actively pursuing authorization to handle Controlled Unclassified Information (CUI) for Department of Defense workloads under the DoD Cloud Computing Security Requirements Guide at Impact Level 4. Our FedRAMP High authorization provides the foundation for this effort, and the process is well underway.
ISO 27001:2022 — The globally recognized standard for Information Security Management Systems (ISMS), requiring systematic risk management and continuous security improvement.
ISO 42001:2023 — The international standard for AI Management Systems, demonstrating governance, risk management, and responsible use of AI technologies.
SOC 2 Type 2 — Independent auditor verification that Vasion's security controls are not only designed effectively but are operating effectively over time.
These frameworks reinforce each other, and together they create a security posture that is independently validated from multiple angles.
Our Cloud-Native Architecture Advantage
It's worth noting that Vasion's platform was rebuilt from the ground up starting in 2016 as a cloud-native, multi-tenant architecture. This wasn't a legacy application lifted into the cloud. This architectural decision means:
- Immutable infrastructure: Our environments are deployed from code, not configured manually. This eliminates configuration drift and ensures consistency across all regions.
- Automatic patching: SaaS customers receive security updates automatically through our continuous delivery pipeline. No manual patching, no delayed updates, no customer action required.
- Isolation by design: Multi-tenant architecture with strong isolation controls ensures that customer environments are segregated.
- Global scale with consistent security: We operate production environments across multiple regions worldwide, all governed by the same security controls and monitoring.
What This Means for Our Customers
If you're an existing Vasion customer: your platform is secure, your data is protected, and vulnerabilities responsibly disclosed and validated by the Vasion security team have been remediated. If you're running Vasion SaaS, those remediations were delivered automatically. If you're running a Virtual Appliance, please ensure you're on the latest version—our security bulletin provides specific version guidance.
Security disclosures are a normal part of the software industry. What matters is what a company does when they happen. At Vasion, we remediated every finding, invested in structural improvements to prevent future issues, and earned the most rigorous security certifications in the industry. That's the standard we hold ourselves to.