How I Test

Preventive Privacy publishes two kinds of writing, and they're held to two different standards. Most pieces are hands-on reviews, where I actually install and live with a product instead of rewriting a vendor's feature list - that means I will always use the product and provide real, hands-on experience to you. The rest are explainers, deeper pieces that take apart how something works, like how a VPN routes your traffic under the hood or why a particular breach happened at the protocol level, not just the headline level. This is something that I am highly passionate about and I do sincerely hope that I can rely the earned knowledge to you. This page covers how both are done: the machines and test cases behind the reviews, the sourcing standard behind the explainers, what counts as a pass or a fail, and how money never decides a verdict. If anything I publish contradicts what's written here, the article is wrong and I want to know about it, feel free to reach out to me anytime!

I'm a software engineer by day, six-plus years as a Java backend developer building production systems in fintech, retail, and online gaming. That background is the reason this site exists and the reason the work goes deeper than "I clicked around for ten minutes." I can read a TLS handshake, a privacy policy, or a CVE writeup and tell you what it actually means. I bring that same habit to both jobs: with a product, I take it apart and find what works and what doesn't; with a topic, I dig until I understand it well enough to explain it plainly.

The short version

My test environment

I run everything across two physical machines and disposable VMs.

Windows machine. Windows 11 (I note the exact build in each review, since antivirus and security behavior changes between Windows feature updates). This is also a daily-use machine, which matters: it's where I notice the system-tray nagging, the boot-time slowdown, and the upsell popups that only show up after a week, not in a fresh ten-minute trial.

Linux machine. Ubuntu. Used for tools with Linux clients, for cross-platform sync testing, and for network-level checks where I want a clean, scriptable environment.

Disposable virtual machines. For anything I don't want touching a real machine, I use VirtualBox VMs with a clean snapshot taken before each test. I revert to the snapshot between runs so every test starts from a known-good state. I use these for:

The split is deliberate. The daily-driver machines capture the lived-in experience that a trial never shows you. The snapshot VMs capture the clean-slate behavior (first install, first scan, full uninstall) that you can't measure honestly once a machine is already cluttered.

What I actually check, by category

The specifics differ per product type. Here's the core checklist I work through for the main categories I cover.

Antivirus and security suites

Password managers

VPNs

Identity protection and breach tools

Verifying real-world complaints

Marketing tells you what a product wants you to believe. Angry users tell you where it actually breaks. Before and during a review I read through Reddit threads, vendor support forums, and app-store reviews to find the loudest recurring complaints about a product, then I try to reproduce them myself.

When I test a reported problem, I record whether I could reproduce it, on which OS and version, and under what conditions. Sometimes the complaint is real and current. Sometimes it was fixed two versions ago. Sometimes it only happens in a specific setup. I'll tell you which, instead of repeating a forum rumor as fact. If I can't reproduce something, that goes in the review too.

What counts as a pass or a fail

I grade against what the product promises to do, not against perfection. Three outcomes:

A few concrete examples of what tips something into a fail: a "no-logs" VPN whose kill switch leaks your real IP when the connection drops; a password manager you can't export your own data out of; an antivirus that leaves running services behind after you uninstall it. These aren't nitpicks. They're the difference between a tool protecting you and a tool you only think is protecting you.

How I research the explainers

Not everything here is a product review. A good chunk of the site is explainers: pieces where I pick something I want to understand properly, spend a few weekends on it, then write the version I wish someone had handed me. There's no product to install, so "firsthand testing" doesn't apply the same way. These pieces get held to a different standard instead.

When an explainer gets something wrong, I correct it in place and note what changed. These pieces are the ones I most want to get right, because they're the ones people learn from.

How money is kept out of the verdict

This is the part most review sites are vague about, so I'll be specific.

The simple rule: if removing every affiliate link from this site would change a single verdict, the site is broken. It won't, because the verdicts aren't for sale.

Versions, dates, and re-testing

Security software changes fast, and a review that doesn't tell you when it was written is half useless. So:

Found a problem with my testing?

If you've used a product I've reviewed and your experience doesn't match mine, I genuinely want to hear it. Reader reports are how I find the edge cases my own setup doesn't hit, and reproducing a reader's problem is one of the most useful tests I run. Send it over, tell me your OS and version, and I'll try to reproduce it.