Contact Us 1-800-596-4880

Run Vulnerability Assessment and Penetration Tests

If your company security policies require that you perform vulnerability and penetration testing against Anypoint Platform, you may commence testing without notifying Salesforce beforehand.

All assessments must be performed in accordance with the Security Assessment Agreement.

Run Penetration and Vulnerability Tests

Because penetration testing could interfere with other tenants, MuleSoft allows penetration testing on your workers but not on other Anypoint Platform services.

Salesforce does not address any vulnerabilities found with custom development. You must validate and fix any findings with your custom development.


Before initiating penetration testing:

  • Enable static IPs for the app.

    By default, CloudHub workers do not use static IP addresses, so you can’t test them because their IP addresses might change. For information about how to enable static IPs, see Static IPs Tab Settings.

  • Assign a security resource at your company to review and validate findings from the tests.


  1. Run the penetration tests.

    The Security Assessment Agreement includes restrictions and requirements for testing.

  2. Have your security resource use the following documents to identify common false positives or security issues related to settings:

  3. If your assessment generates vulnerability findings, please complete validation for any automated findings. Send any outstanding validated security vulnerability findings to

    Include the following information in your email:

    • Confirmation number for your Security Assessment approved by Salesforce

    • Summary of all findings and associated severity level of each finding

    • Detailed assessment report noting each finding

    • Steps to reproduce the vulnerability

    • All applicable HTTP requests and responses

    • Explanation of why the example is considered a finding

Reporting Security Vulnerabilities

To report security vulnerability findings, follow the Security Vulnerability Finding Submittal Guide. Security vulnerability reports that do not follow the required steps will be rejected.

Salesforce does not address any security vulnerabilities in the following categories:

  • Scan output from automated vulnerability scanning tools without any valid proof of concept

  • Security bugs without valid proof of concept

  • Vulnerabilities identified in old or deprecated versions of Mule runtime engine

  • Vulnerabilities introduced via code customization made by your company

  • Known security issues that do not pose any risk