Verify an attestation

How verification works

Every attestation has a unique verification ID, printed on the PDF and encoded in the QR code on the same document.

Looking up an ID returns the original scan record: customer, target hostnames, scan date, scope, and methodology version. The record cannot be edited after issuance.

The verification page is always public. Customers cannot suppress it. This is intentional: an attestation is only trustworthy if anyone can confirm it.

What you'll see

You'll see scan details — when it ran, what was tested, with what tools. You will NOT see the customer's actual findings — those remain confidential to the customer.

If the ID is invalid, expired, or revoked, you'll see a clear notice. We never silently fail.

See a sample attestation page for an example.

→ For prospects & procurement teams

A vendor sent you an attestation. Now what?

Three things worth checking before accepting any vendor's security testing artifact:

Verify it. A real attestation is checkable on the issuer's verification page. If you can't verify it independently, it's worth less.
Read the scope. Does it cover the product you're buying? Authenticated flows or just the public surface? When was it issued?
Ask whether it was a pen test or an automated scan. Both are useful — they aren't the same thing. The artifact should be clear about which it is. For high-stakes vendors, ask if they've also commissioned a manual penetration test in the last 12 months.

Questions about how to evaluate vendor security artifacts? Email hello@thecybergrid.com and we'll happily walk through it.