In 2023 and 2024 Object First engaged NCC Group to perform a security assessment on Object First Appliance (formally known as Ootbi). In late 2025, Object First re-engaged NCC Group to perform a second round of testing on release 1.7 Object First Appliance.
NCC Group's latest evaluation included the management console user interface, management web API, appliance server, front-facing API used by Veeam and other systems to create buckets and store objects, Honeypot feature, and a code review.
NCC Group observed the Object First Appliance demonstrates notable security improvements since the 2024 test. The latest assessment uncovered a set of common application flaws, all of which were rated low or informational severity.