Contact Us 1-800-596-4880

Run Vulnerability Assessment and Penetration Tests

If your company security policies require that you perform vulnerability and penetration testing against Anypoint Platform, you can commence testing without notifying Salesforce beforehand.

All assessments must be performed in accordance with the Security Assessment Agreement.

Run Penetration and Vulnerability Tests

Because penetration testing can interfere with other tenants, MuleSoft allows penetration testing on your workers but not on other Anypoint Platform services.

Salesforce does not address vulnerabilities found with custom development. You must validate and fix any findings with your custom development.


Before initiating penetration testing:

  • Enable static IPs for the app.

    By default, CloudHub workers don’t use static IP addresses, so you can’t test them because their IP addresses might change. For information about how to enable static IPs, see Static IPs Tab Settings.

  • Assign a security resource at your company to review and validate findings from the tests.


  1. Run the penetration tests.

    The Security Assessment Agreement includes restrictions and requirements for testing.

  2. Have your security resource use the following documents to identify common false positives and security issues related to settings:

  3. If your assessment generates vulnerability findings, complete validation for any automated finding. Send all outstanding validated security vulnerability findings to

    Include the following information in your email:

    • Confirmation number for your Security Assessment approved by Salesforce

    • Summary of all findings and the associated severity level of each finding

    • Detailed assessment report that notes each finding

    • Steps to reproduce the vulnerability

    • All applicable HTTP requests and responses

    • Explanation of why the example is considered a finding

Reporting Security Vulnerabilities

To report security vulnerability findings, follow the Security Vulnerability Finding Submittal Guide. Security vulnerability reports that do not follow the required steps are rejected.

Salesforce does not address any security vulnerabilities in the following categories:

  • Scan output from automated vulnerability scanning tools without a valid proof of concept

  • Security bugs without valid proof of concept

  • Vulnerabilities identified in old or deprecated versions of Mule runtime engine

  • Vulnerabilities introduced via code customization made by your company

  • Known security issues that don’t pose any risk