Verification

How we verify you're authorised to scan.

Every scan starts with a simple verification step. We only run scans on targets you own or have express written authorisation to commission. Here is how it works, what you will need, and what to do if the standard methods do not fit your setup.

Last updated: 2026-04-21

Why we verify

Scanning live systems without authorisation is a criminal offence under the Australian Cybercrimes Act 2001, the United States Computer Fraud and Abuse Act, the United Kingdom Computer Misuse Act 1990, and equivalent statutes elsewhere. Verification is how we prove authorisation before any scan runs. It protects you, it protects us, and it aligns with standard practice across the security industry.

Pick one method

You only need to complete one of the three methods below. DNS is the most reliable, file upload is the fastest, email is the fallback.

1. DNS TXT record (most reliable)

In your DNS provider, add a TXT record:

  • Name: _attackedge-verify
  • Type: TXT
  • Value: attackedge-verification-<your token> (we generate the token for you at scan submission)

Use this when you have access to your DNS provider (for example, Cloudflare, Route 53, GoDaddy, CrazyDomains, VentraIP). DNS propagation typically takes 5 to 60 minutes. We check every minute until it appears.

2. File at a well-known path (fastest)

Upload a file to your webserver:

  • Path: https://example.com/.well-known/attackedge-verify.txt
  • Contents: <your token> (one line, no other content)

Use this when you have FTP, SSH, cPanel, or CMS access that lets you drop a file at the site root. Verification is near-instant once the file is in place.

3. Email challenge (fallback)

We send a verification link to one of the standard administrative mailboxes on the target domain:

  • abuse@example.com
  • admin@example.com
  • hostmaster@example.com
  • postmaster@example.com
  • webmaster@example.com

You pick which one at scan submission. Click the link inside the email to verify. Use this only if neither DNS nor file methods are available to you.

Verifying an IP address

If you submitted an IP instead of a domain, the file-upload method still works as long as the IP responds on port 80 or 443. Upload the verification file to the root of the web service running on that IP.

If there is no web service on the IP (for example, a bare VPS without a webserver, or a mail-only host), use the Scan Authorisation Form instead.

When the standard methods will not work

Some situations do not fit the three methods above:

  • Shared hosting where you cannot write to the site root.
  • Cloud IP addresses with no web service exposed.
  • IP ranges (/29 or larger) where you cannot place a file on every host.
  • Consultant or MSP engagements, where you are scanning on behalf of a client who manages their own DNS and hosting.
  • Internal DNS you control privately but which does not resolve from the public internet.

For any of these, complete the Scan Authorisation Form. It is a short written authorisation you sign electronically. We review it manually, typically within one business day, and confirm your scan authorisation by email.

What happens after verification

As soon as verification passes, your scan is queued immediately. You receive an email confirming the scan has started. Reports are delivered within 24 hours. You can track scan status in the app.

Questions

If any of this is unclear or your situation is unusual, email hello@attackedge.io before paying. We would rather help you through verification up-front than refund a scan that could not run.