Legal

Acceptable Use Policy

Read this in 60 seconds. Sign once.

You only scan what you own or are authorized to test.

Unauthorized scanning may violate the Computer Fraud and Abuse Act (US, 18 U.S.C. § 1030), the Computer Misuse Act (UK 1990), and similar laws worldwide.

Domain verification is required for every DAST target.

Two methods: DNS TXT record or a file under /.well-known/. Verification expires after 90 days.

Rate limits exist for a reason.

Default 10 req/s per target. Hard ceiling 50 req/s. Daily cap 50k requests on Free plans.

Don't scan blocked categories.

*.gov, *.mil, financial infrastructure, hospital systems, election infrastructure. Operators may allowlist with documented authorization.

Don't scan internal networks.

Private IP ranges (RFC 1918, loopback, link-local) and cloud metadata endpoints are blocked at the scanner layer.

Be a good citizen.

Use the responsible-disclosure channel before publishing findings against third parties.

Violations.

We pause accounts on first material breach and terminate on repeat. We may notify law enforcement when warranted.