An audit team may ask for to proof that CA PAM is not vulnerable. Here is some information that will help to satisfy the auditors.
The PAM online documentation, e.g. at https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/default-ports-for-credential-manager, contains information about the various ports used by PAM. Below are 3 options for checking PAM:
1. You can run a vulnerability analysis tool, like qualys.
2. You can use an SSL checker, like Symantec.
3. You can run a web application tool like webinspect.
A 3rd party tool would probably be preferred by the audit team. The results are more likely to be believed if they come from an independent party.