An audit team may ask for to proof that CA PAM is not vulnerable. Here is some information that will help to satisfy the auditors.
Release: Component: CAPAMX
The PAM online documentation, e.g. at https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/default-ports-for-credential-manager, contains information about the various ports used by PAM. Below are 3 options for checking PAM:
1. You can run a vulnerability analysis tool, like qualys. 2. You can use an SSL checker, like Symantec. 3. You can run a web application tool like webinspect.
A 3rd party tool would probably be preferred by the audit team. The results are more likely to be believed if they come from an independent party.