
Acceptable Use Policy.

AttackEdge is an offensive-adjacent tool. It scans live systems. We ship it with guard-rails, and this page is those guard-rails written out. Use the service within these rules and you have no reason to worry.

Last updated: 2026-04-21

1. You must own or be authorised to scan every target

This is the non-negotiable rule. Every domain, subdomain, IP address, host, or service you submit to AttackEdge must be one of the following:

  • Owned by you or by an organisation on whose behalf you are using the service, and you have authority to instruct a security scan.
  • Owned by a third party who has given you express, documented written authorisation to commission a scan.

If neither applies, you do not have authority to scan the target. Submitting it is a serious breach of these rules and may be a criminal offence under the Australian Cybercrime Act 2001 (Part 10.7 of the Criminal Code Act 1995), the United States Computer Fraud and Abuse Act, the United Kingdom Computer Misuse Act 1990, and equivalent statutes elsewhere.

2. Ownership verification

We verify ownership before scanning. The three standard methods are the same ones Google and Microsoft use: a DNS TXT record, a verification file placed on your webserver, or an email challenge to a standard administrative mailbox. Full instructions are at attackedge.io/how-to-verify.

Where the standard methods do not fit your situation (IP addresses without a web service, consultant engagements, shared hosting, or complex cloud setups), complete the Scan Authorisation Form. It is a short written authorisation you sign electronically. We review it manually, typically within one business day.

Scans do not run until verification passes. We may at our discretion require additional verification for ambiguous ownership situations. Keep your verification records in place: if a verification record is removed, the target loses authorised status and subsequent scans will fail.

3. Prohibited uses

You agree not to use AttackEdge to:

  • Scan any target you do not own or have express authorisation to scan.
  • Scan critical infrastructure, government systems, or systems you know or ought reasonably to know are sensitive, without express written authorisation from the operator.
  • Attempt to exploit vulnerabilities found by the scan on a target you do not own.
  • Use scan findings for unauthorised access, extortion, harassment, or other unlawful purposes.
  • Reverse engineer, disassemble, or copy the service with intent to create a competing product.
  • Resell, sublicense, or redistribute our reports as your own product without our written consent.
  • Share your account credentials with third parties, or allow multiple users to share one paid account.
  • Overload, probe, or attempt to circumvent the rate limits or security controls of the service itself.
  • Extract bulk data from the service or scrape our website beyond normal human use.

4. Service provider and consultant use

If you are a consultant, MSP, or other service provider using AttackEdge on behalf of your clients, you are responsible for ensuring your client has authorised the scan and provided the ownership verification required. The authorisation must be written. We may ask you to evidence it in the event of a dispute.

Reselling AttackEdge reports as-is to your clients is permitted on a one-off, per-engagement basis. Rebranding our reports without attribution, or offering an "AttackEdge-powered" product as your own, requires a separate agreement with us.

5. What we will do if you break these rules

We take this seriously. If we have reason to believe you are breaching this policy we may, at our discretion and without notice:

  • Pause or terminate scans in progress.
  • Suspend or close your account.
  • Withhold or reverse refund eligibility.
  • Retain logs and evidence for law enforcement or for our own legal defence.
  • Notify the affected third party, if we can identify them.
  • Cooperate with law-enforcement requests in line with our Privacy Policy and applicable law.

We also reserve the right to pursue costs, damages, or other remedies under our Terms of Service.

6. Responsible disclosure for the service itself

If you find a security issue in AttackEdge (our website, our app, or the infrastructure that runs scans), please tell us at security@attackedge.io before disclosing it publicly. We will respond within one business day, work in good faith to fix the issue, and credit you for the finding if you want.

We will not take legal action against researchers acting in good faith under standard responsible-disclosure practice: no exploitation beyond what is needed to demonstrate the issue, no access to other customers' data, no denial-of-service, no social engineering of our staff or contractors, and a reasonable time for us to remediate before public disclosure.

7. Changes

We may update this policy when our service or the threat landscape changes. Material changes are notified by email or through the product before they take effect. The current version is always on this page.

8. Contact

Questions about this policy: legal@attackedge.io. Security issues in AttackEdge itself: security@attackedge.io.

© 2026 ArmoniaLabs · Australian registered business name · Made in Australia