Jukka Knuutinen | September 5, 2025 | 5 min read

How we verified Allsolve’s security with third-party testing


Key takeaways

  • In July 2025, Quanscient commissioned Silverskin to conduct a grey-box penetration test of Quanscient Allsolve.

  • The scope included API and interface testing, injection attempts, tenant isolation checks, and privilege escalation attempts.

  • No critical or exploitable weaknesses were found during the time of the assessment.

  • We run automated vulnerability scans for every major release and monthly, with additional manual tests after significant system changes.

  • Security is built into our culture, supported by ongoing training and independent verification.

 

Security as a foundation for Quanscient Allsolve

When choosing a simulation tool, security is one of the first questions that comes up — and with good reason. Customers trust us with data that can include their most valuable designs, research, and trade secrets. That trust has to be earned and maintained.

Cloud-based simulation offers clear advantages in flexibility, scalability, and collaboration, but it also means that sensitive data is stored and processed in environments outside the customer’s own infrastructure. 

This makes it essential to ensure that access controls, isolation between customers, and overall system resilience are not just well-designed, but proven to hold up under real-world attack scenarios.

At Quanscient, we believe the only credible way to show that we take security seriously is through independent verification. 

This is why we bring in external experts to test our systems. Not just to meet compliance requirements, but to challenge our own assumptions and confirm that our safeguards work in practice.

Why we brought in Silverskin

In July 2025, we commissioned an external penetration test of Quanscient Allsolve by Silverskin, a Finnish cybersecurity company with a strong track record in application and infrastructure testing. 

Our reasons were clear.

First, we wanted to verify the maturity and robustness of Allsolve from an independent perspective. 

Even though our development team is highly experienced and we run automated vulnerability scans ourselves, there is always the possibility of “human overlook”, something a fresh set of expert eyes might catch. 

We wanted to simulate the mindset of a skilled attacker approaching our system for the first time.

Second, the test supports our ISO 27001 and SOC 2 Type II compliance. Both standards expect organizations to assess their security controls through independent means, and penetration testing is a practical way to meet that requirement.

Finding the right partner was important. 

We were looking for more than just automated scanning tools or AI-based analysis. The goal was to work with professionals who understand the technologies we use, can think creatively about potential attack paths, and know how to adapt their approach to our specific environment. 

After reviewing several candidates, we selected Silverskin as the most robust option.

How the testing worked

The penetration test followed a grey-box approach. Silverskin’s team was briefed on Allsolve’s architecture, components, and technologies in use, allowing them to focus on the areas most relevant to real-world risks instead of spending time reverse-engineering the system from scratch.

The scope included typical areas evaluated in SaaS security testing:

  • APIs and interfaces — reviewing how they handle inputs and whether any weaknesses could be exploited.
  • Injection attempts — trying to feed the system data that could cause unintended or harmful behavior.
  • Tenant isolation — testing whether it was possible to access projects or organizational environments without the right permissions.
  • Privilege escalation — attempting to expand access rights beyond what a user should have.

The results

The outcome was clear: no major security flaws or weaknesses were found during the time of the assessment.

Silverskin

During the penetration testing conducted on 01.07.2025, several strengths were identified in the application’s security posture:

  • While misconfigured HTTP headers or weak TLS/SSL implementations are common issues in many web applications, the Allsolve web application demonstrated a well-configured setup in these areas.

  • The simulation environment was fully isolated and automatically destroyed after each execution, reducing the risk of persistency or lateral movement.

  • The application enforces strict input validation in critical areas through the use of well-defined schemas, mitigating the risk of common injection vulnerabilities.

  • Authorization mechanisms were effectively implemented, ensuring proper access control.

  • Only minimal and low-risk findings were identified during the security testing. None of these posed a significant threat at the time of the assessment.

As in any serious penetration test, the team identified some observations and minor points worth noting. 

The observations were low or minimal in severity, consistent with areas already on our radar and tied to functionality, not exploitable weaknesses.

In fact, these observations showed us how thorough Silverskin was in looking for possible gaps.

Our ongoing approach to security

Penetration testing is not a one-time activity for us but a part of an ongoing process. We maintain a regular schedule of automated vulnerability scans that run with every major production release and on a monthly basis. These scans help us detect known vulnerabilities early and keep our baseline security posture strong.

When we make significant changes to Allsolve’s architecture or access control model, we plan to commission new manual penetration tests. This ensures that any adjustments to the system are reviewed with the same level of scrutiny as the original build.

We also invest in our team’s skills. Later this year, our developers will take part in a web application vulnerability training program delivered by Silverskin. This complements external testing by ensuring that security awareness and best practices are embedded directly in our development process.

Final thoughts

Protecting customer data is a responsibility we take seriously. The projects and simulations run in Quanscient Allsolve often contain sensitive and highly valuable intellectual property. Ensuring that this information remains secure is not optional; it is fundamental to what we do.

Bringing in experienced third parties like Silverskin to test our systems is one way we turn that responsibility into action. Combined with our ongoing scanning, training, and review processes, it’s part of a culture where security is treated as an essential part of product development, not an afterthought.

For more on our security practices, visit our security page or reach out to us directly with questions.

Jukka Knuutinen
Head of Marketing