Scanning authorization
The short version: we cannot scan anything you haven't proven you own, everything we run is non-destructive and logged, and anything more intrusive requires a separately signed authorization. These are properties of the platform, not promises in a policy document.
1. Ownership verification is a hard gate
Before the first scan of any asset, you must prove control of it using one of:
- DNS TXT record — a unique token published under your domain;
- Hosted file — the same token served from
/.well-known/on your site; - Registrant email — confirmation sent to the domain's administrative contact.
The scanning engine will not accept a target that has not passed verification. There is no manual override, no "trust us" path, and no exception for sales. IP addresses and cloud accounts verify through the domain or account that owns them.
2. Non-destructive, defined
Standard subscription scanning is read-only observation of what your infrastructure already exposes:
- Service and version discovery on internet-facing addresses;
- TLS/certificate inspection, DNS and mail-security records (SPF, DKIM, DMARC);
- Known-vulnerability matching against observed software versions;
- Configuration checks that involve no exploitation, no payloads, no authentication attempts, no load generation.
We never attempt to exploit a finding, guess credentials, exfiltrate data, or degrade service as part of subscription scanning. Scan traffic originates from published addresses so your team (or your IT provider) can always identify us.
3. Intrusive testing requires a signed scope
Authenticated testing, exploitation-based validation, and penetration testing are available only under a separately signed authorization scope: named systems, named techniques, a time window, emergency contacts, and sign-off by someone with authority over the systems. Arranged through our sales team, never self-serve.
4. Everything is logged, and you can see it
Every scan — its targets, time, and probes — is recorded and visible in your dashboard. If you ever wonder what we did and when, the answer is a click away, not a support ticket away.
5. Reporting concerns
If you believe our scanner touched an asset you did not authorize, or you're seeing unexpected traffic from our ranges, contact abuse@instantciso.com. Reports are investigated as priority incidents.
Why we're strict about this: unauthorized scanning is illegal in both of our markets (the Computer Fraud and Abuse Act in the US; s. 342.1 of the Criminal Code in Canada) — and more importantly, an executive service you trust with your infrastructure should be engineered so that misuse is impossible, not merely forbidden.