Safe scanning rules

Acceptable Use Policy

Rules for using ShakerScan without abusing third-party services, scanning unauthorized systems, or causing unsafe target behavior.

Last updated: 2026-04-27

Authorized targets only

Customers may only scan assets they own, operate, or are explicitly authorized to test. Public or third-party targets require documented authorization.

Domain verification, target ownership checks, scan caps, request budgets, and production-mode controls exist to reduce abuse risk.

Verification and scan intensity

Passive, public, and light checks may be available before domain verification depending on plan and deployment settings. Active, invasive, authenticated, scheduled, production, broad discovery, browser, RAG, tool-use, and AI Gate scans can require stronger product confirmations or ownership verification.

TXT domain verification proves control of DNS at a point in time. It does not expand the allowed scope beyond systems the customer is authorized to test.

Prohibited activity

Do not use ShakerScan for denial of service, credential theft, unauthorized access, malware delivery, evasion, harassment, data exfiltration, or testing targets outside the approved scope.

Do not submit secrets, private keys, customer data, regulated data, or third-party confidential data unless the workspace and legal terms are approved for that use.

Prohibited targets and techniques

Do not test government, military, healthcare, financial, critical infrastructure, education, telecom, marketplace, platform, cloud-provider, or other third-party systems without written authority and explicit scope. Authorized testing of a customer-owned regulated application may require enterprise or private-control-plane terms.

Do not run destructive testing, denial-of-service testing, credential stuffing, phishing, social engineering, spam, malware, persistence, lateral movement, data modification, or bulk exfiltration through ShakerScan.

Sanctions, export, and regulated data

Customers may not use ShakerScan where prohibited by sanctions, export-control restrictions, applicable law, or third-party authorization limits. Customers are responsible for ensuring their users, targets, destinations, and end uses are permitted.

Self-serve use is not intended for PHI, cardholder data, government-classified data, or other regulated production data unless a separate written agreement authorizes that use.

Enforcement

ShakerScan may limit, suspend, or block scans, targets, API keys, accounts, or workspaces that appear unsafe, abusive, illegal, or outside authorized scope.

Enforcement can include scan throttling, target disablement, API-key revocation, workspace suspension, and account termination where appropriate.

Questions

For legal, privacy, security, or authorization questions, contact security@shakerscan.com.