Scanning authorization

The short version: we cannot scan anything you haven't proven you own, everything we run is non-destructive and logged, and anything more intrusive requires a separately signed authorization. These are properties of the platform, not promises in a policy document.

1. Ownership verification is a hard gate

Before the first scan of any asset, you must prove control of it using one of:

The scanning engine will not accept a target that has not passed verification. There is no manual override, no "trust us" path, and no exception for sales. IP addresses and cloud accounts verify through the domain or account that owns them.

2. Non-destructive, defined

Standard subscription scanning is read-only observation of what your infrastructure already exposes:

We never attempt to exploit a finding, guess credentials, exfiltrate data, or degrade service as part of subscription scanning. Scan traffic originates from published addresses so your team (or your IT provider) can always identify us.

3. Intrusive testing requires a signed scope

Authenticated testing, exploitation-based validation, and penetration testing are available only under a separately signed authorization scope: named systems, named techniques, a time window, emergency contacts, and sign-off by someone with authority over the systems. Arranged through our sales team, never self-serve.

4. Everything is logged, and you can see it

Every scan — its targets, time, and probes — is recorded and visible in your dashboard. If you ever wonder what we did and when, the answer is a click away, not a support ticket away.

5. Reporting concerns

If you believe our scanner touched an asset you did not authorize, or you're seeing unexpected traffic from our ranges, contact abuse@instantciso.com. Reports are investigated as priority incidents.

Why we're strict about this: unauthorized scanning is illegal in both of our markets (the Computer Fraud and Abuse Act in the US; s. 342.1 of the Criminal Code in Canada) — and more importantly, an executive service you trust with your infrastructure should be engineered so that misuse is impossible, not merely forbidden.