Run Vulnerability Assessment and Penetration Tests


If your company's security policies require that you perform vulnerability and penetration testing against Anypoint Platform, request a Security Assessment before proceeding.

Request a Security Assessment

To request a Security Assessment:

  1. Contact your MuleSoft Customer Success Manager to request the Security Assessment Request form and Security Assessment Agreement.

  2. Complete the request form and accept the agreement.

    For information required to complete the request form, see the knowledge article Complete the Security Assessment submission form.

  3. Send your completed Security Assessment Request form to

    The automated system contacts you when your Security Assessment request is approved.

    Check your Spam folder for the automated reply before contacting Salesforce.

Run Penetration and Vulnerability Tests

Because penetration testing could interfere with other tenants, MuleSoft allows penetration testing on your workers but not on other Anypoint Platform services.

Salesforce does not address any vulnerabilities found in custom development. You must validate and fix any findings in your custom development.


Before initiating penetration testing:

  • Enable static IPs for the app.

    By default, CloudHub workers do not use static IP addresses. Because their IP addresses might change, you can’t test them until static IPs are enabled. For information about how to enable static IPs, see Static IPs Tab Settings.

  • Assign a security resource at your company to review and validate findings from the tests.


After your Security Assessment request is approved, follow these steps:

  1. Run the penetration tests.

    The Security Assessment Agreement includes restrictions and requirements for testing.

  2. Have your security resource use the following documents to identify common false positives or security issues related to settings:

    You must complete this step before following up with Salesforce.

  3. Send any outstanding security vulnerability findings to

    Include the following information in your email:

    • Confirmation number for your Security Assessment approved by Salesforce

    • Summary of all findings and associated severity level of each finding

    • Detailed assessment report noting each finding

    • Steps to reproduce the vulnerability

    • All applicable HTTP requests and responses

    • Explanation of why the example is considered a finding

Reporting Security Vulnerabilities

To report security vulnerability findings, follow the Security Vulnerability Finding Submittal Guide. Security vulnerability reports that do not follow the required steps will be rejected.

Salesforce does not address any security vulnerabilities in the following categories:

  • Scan output from automated vulnerability scanning tools without any valid proof of concept

  • Security bugs without valid proof of concept

  • Vulnerabilities identified in old or deprecated versions of Mule runtime engine

  • Vulnerabilities introduced via code customization made by your company

  • Known security issues that do not pose any risk
