TECHNOLOGY AND PROJECT
IBM i Security Assessment
Find what an attacker already knows about your AS/400 — before they act.
Every exposed IBM i has attack vectors that generic scanners miss entirely. Our service was built exclusively for IBM i architecture: we audit objects, user profiles, exit points, adopted authority, system values and network access — from the real perspective of an intruder targeting your platform.
Why your IBM i demands specialized assessment
IBM i has a unique security architecture — QSECURITY, QAUDJRN, object authority, special profiles like QSECOFR — that generic vulnerability tools simply do not understand. A standard network scanner sees open ports. We see what actually matters:
Users holding *ALLOBJ or *SECADM without documented business justification
Programs using adopted authority to silently escalate privileges
Unregistered exit points leaving FTP, ODBC, DDM, DRDA, TELNET open to the network
User profiles whose passwords never expire, or QPWDEXPITV set to *NOMAX on production systems
QSECURITY below level 40 on production partitions
*PUBLIC *CHANGE authority on business-critical libraries
Unaudited SQL execution: STRSQL, RUNSQLSTM, direct DB2 queries with no journal trail
Your compliance auditor will ask for this. Know it first.
What the service covers
Profile and Authority Analysis
Full review of all active user profiles: special authorities, group memberships, default or never-expired passwords, dormant profiles with live access, and adopted authority usage in critical programs and service programs.
Exit Points and Network Access Audit
We verify which network services are exposed without registered exit programs — FTP, ODBC, DDM/DRDA, NetServer, TELNET, REXEC. We identify which users can extract data from your system without leaving any trace in QAUDJRN.
System Values Review
We evaluate the ~50 security-related system values against hardening benchmarks: QSECURITY, QAUDLVL, QPWDEXPITV, QMAXSIGN, QINACTITV, QRMTSIGN, QALWUSRDMN, and others — mapped directly to PCI-DSS v4.0, ISO 27001:2022 and CIS IBM i controls.
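As an added illustration (not ExSystem's or IBM's tooling), the Python below checks a snapshot of the system values named above against a hardening baseline and ranks each deviation on the Critical/High/Medium/Low scale used in the report. The snapshot is constructed; apart from QSECURITY 40 and QPWDEXPITV *NOMAX, which this page states, the thresholds are assumptions marked in the comments.

```python
"""Checks a snapshot of IBM i security system values against a hardening
baseline and classifies each deviation with the report's severity scale."""
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    system_value: str
    current: str
    severity: str
    reason: str


def _number_or_none(value):
    """Numeric system values arrive as strings; special values such as
    *NOMAX or *NONE have no numeric meaning and map to None."""
    return int(value) if value.lstrip("-").isdigit() else None


def check_system_values(sysvals):
    """sysvals maps system value name -> current value as a string, the
    way DSPSYSVAL or QSYS2.SYSTEM_VALUE_INFO report it."""
    findings = []

    def flag(name, severity, reason):
        findings.append(Finding(name, sysvals.get(name, "<unset>"), severity, reason))

    level = _number_or_none(sysvals.get("QSECURITY", "0"))
    if level is None or level < 40:  # page's baseline: production runs at 40 or above
        flag("QSECURITY", "Critical", "below level 40, OS integrity protection is off")
    expiry = sysvals.get("QPWDEXPITV", "*NOMAX")
    if expiry == "*NOMAX" or (_number_or_none(expiry) or 0) > 90:  # 90 days is assumed
        flag("QPWDEXPITV", "High", "passwords never expire or exceed assumed 90-day max")
    if sysvals.get("QAUDLVL", "*NONE") == "*NONE":
        flag("QAUDLVL", "High", "no security auditing, QAUDJRN carries no trail")
    signs = sysvals.get("QMAXSIGN", "*NOMAX")
    if signs == "*NOMAX" or (_number_or_none(signs) or 0) > 5:  # 5 attempts is assumed
        flag("QMAXSIGN", "Medium", "unlimited or lax failed sign-on limit")
    idle = sysvals.get("QINACTITV", "*NONE")
    if idle == "*NONE" or (_number_or_none(idle) or 0) > 30:  # 30 minutes is assumed
        flag("QINACTITV", "Medium", "inactive interactive jobs are never ended")
    if sysvals.get("QRMTSIGN", "*FRCSIGNON") not in ("*FRCSIGNON", "*REJECT"):
        flag("QRMTSIGN", "Medium", "remote sign-on may bypass the sign-on display")
    if sysvals.get("QALWUSRDMN", "*ALL") == "*ALL":
        flag("QALWUSRDMN", "Medium", "user-domain objects allowed in every library")
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# Constructed snapshot of a weak production partition, not from a real system.
WEAK_PARTITION = {
    "QSECURITY": "30", "QPWDEXPITV": "*NOMAX", "QAUDLVL": "*AUTFAIL *SECURITY",
    "QMAXSIGN": "3", "QINACTITV": "*NONE", "QRMTSIGN": "*FRCSIGNON", "QALWUSRDMN": "*ALL",
}

if __name__ == "__main__":
    for f in check_system_values(WEAK_PARTITION):
        print(f"{f.severity:<8} {f.system_value:<11} {f.current:<8} {f.reason}")
```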
Audit Journal Analysis
Where QAUDJRN is active, we extract and analyze critical journal entry types: failed signon attempts (PW), authority changes (CA), privileged command execution (CD), object ownership transfers (OW), and network connection events (SK, CV).
Object and Data Security
We identify libraries, files and programs with excessive or unintended authorities. We surface improper *PUBLIC access and sensitive objects without adequate protection across QSYS, QGPL and application libraries.
IBM i Ethical Hacking
We simulate an attacker operating with internal network access or standard user credentials — attempting privilege escalation, restricted data access and exit point bypass — documenting every confirmed vector with reproducible, step-by-step evidence.
What you receive
Every engagement delivers a full executive and technical report:
Risk-prioritized findings classified as Critical, High, Medium or Low
Reproducible technical evidence — CL commands and SQL statements that demonstrate each vulnerability in your specific environment
Business impact statement for each finding — what data or critical process is at real risk
IBM i-specific remediation steps — not generic advice, but the exact commands and configuration changes required
Compliance mapping — every finding cross-referenced to PCI-DSS, SOX, HIPAA or ISO 27001 control requirements
Executive summary ready to present to management or external auditors
Service frequency
Mode | Frequency | Best for
Initial Assessment | One-time | Establishing your current security baseline
Continuous Monitoring | Monthly | Active PCI-DSS or SOX regulated environments
Periodic Audit | Quarterly or Semi-annual | Ongoing compliance maintenance programs
Pre-Audit Review | On demand | Before an external compliance or regulatory review
Each engagement begins with scope confirmation: libraries, user profiles, subsystems and network ranges within the IBM i environment to be assessed.
Compliance frameworks covered
PCI-DSS v4.0 · SOX · HIPAA · ISO 27001:2022 · NIST SP 800-53 · CIS IBM i Benchmark
Why ExSystem
- IBM i security specialists — not a generic security firm that occasionally handles AS/400
- IBM Premier Business Partner with direct access to IBM technical resources
- Manufacturers of IPSecurity, the most complete IBM i security suite on the market
- Over 10 years auditing IBM i environments across the United States, Latin America and Europe
- Assessment performed without permanent agents — zero impact on your production workload