Acceptable Use Policy
Last updated: February 2026
This Acceptable Use Policy ("AUP") governs your use of the Find The Breach platform and all associated vulnerability scanning, penetration testing, and security assessment services (collectively, the "Service"). By accessing or using the Service, you agree to comply with this AUP. Any violation of this policy may result in the immediate suspension or termination of your account and may expose you to civil and criminal liability.
1 Authorized Scanning Requirements
You may only scan targets for which you have explicit, documented authorization. Before initiating any scan through the Service, you must satisfy all of the following conditions:
- You own the target domain, IP address, or network infrastructure, or you have obtained written permission from the owner to conduct security testing against it.
- Written authorization must be current, signed by an individual with legal authority to grant such permission, and must specify the scope of testing permitted.
- You must retain all authorization documentation for the duration of your use of the Service and for a minimum of twelve (12) months following the completion of any scan.
- You must be prepared to provide proof of authorization to Find The Breach upon request within forty-eight (48) hours.
- Authorization must cover the specific types of tests you intend to conduct, including but not limited to port scanning, vulnerability assessment, web application testing, and network enumeration.
- You must comply with the UK Computer Misuse Act 1990 (as amended by the Serious Crime Act 2015) and the equivalent laws of any jurisdiction from which you access the Service, in addition to applicable US federal and state laws.
Find The Breach reserves the right to verify your authorization at any time. Failure to provide satisfactory proof of authorization may result in the immediate suspension of your account and referral to applicable law enforcement authorities.
Target Verification Methods
FindTheBreach employs the following methods to verify your authorization to scan a target:
- DNS TXT Record: Add a unique verification code provided by FindTheBreach as a DNS TXT record for your domain (e.g., ftb-verify=abc123).
- File Upload: Place a verification file with a unique token at a specified path on your web server (e.g., /.well-known/ftb-verify.txt).
- WHOIS Verification: Confirm domain ownership via the registrant email address listed in WHOIS records.
- Manual Review: For IP ranges, internal networks, or cloud-hosted infrastructure, FindTheBreach may request written authorization on company letterhead, a signed authorization form, or verification through your cloud provider's API (e.g., AWS, Azure, GCP resource tagging).
All targets must be verified before scanning begins. FindTheBreach reserves the right to re-verify authorization periodically for ongoing scan schedules and continuous monitoring configurations.
2 Permitted Uses
The Service is designed to be used for lawful security testing and assessment purposes only. Permitted uses include:
- Scanning your own websites, domains, and network infrastructure for vulnerabilities
- Conducting authorized security assessments on behalf of clients who have provided written consent
- Performing compliance-related vulnerability assessments as required by industry standards such as PCI DSS, HIPAA, SOC 2, or ISO 27001
- Educational and research purposes conducted against systems you own or operate in a controlled environment
- Internal security audits conducted by your organization's security team against your organization's own assets
3 Prohibited Activities
The following activities are strictly prohibited and constitute a material breach of this AUP:
Unauthorized Scanning
Scanning any system, network, or application for which you do not have explicit written authorization. This includes scanning targets belonging to third parties without their documented consent.
Prohibited Targets
Scanning the following categories of targets without express prior authorization from both the target owner and Find The Breach:
- Government systems, military networks, or law enforcement infrastructure
- Critical infrastructure including power grids, water treatment facilities, healthcare systems, financial exchanges, and transportation networks
- Emergency services systems including 911 dispatch and hospital emergency networks
- Systems belonging to educational institutions serving minors
- Any system located in a jurisdiction where such scanning is prohibited by law
- Operational Technology (OT), Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, Programmable Logic Controllers (PLCs), or any systems that control physical processes, manufacturing equipment, utility infrastructure, medical devices, or safety-critical systems
- Systems operating within environments classified as Safety Integrity Level (SIL) 1-4 under IEC 61508 or equivalent safety standards
Cloud Infrastructure Scanning Requirements
If your Target systems are hosted on third-party cloud infrastructure, you must comply with the cloud provider's security testing policies in addition to these Terms:
- Amazon Web Services (AWS): AWS allows most security assessments without prior approval for 8 listed services. Prohibited tests include DNS zone walking, DoS/DDoS, and port flooding. See AWS Customer Support Policy for Penetration Testing.
- Microsoft Azure: Penetration testing is permitted under Microsoft's Rules of Engagement. Notification is no longer required but DoS testing is prohibited. See Microsoft Penetration Testing Rules of Engagement.
- Google Cloud Platform (GCP): GCP does not require notification for penetration testing that complies with their Terms of Service and AUP. Load testing requires prior approval.
FindTheBreach is not responsible for any actions taken by cloud providers against your account as a result of scanning activities initiated through our Service. You are solely responsible for understanding and complying with your cloud provider's security testing policies before initiating any scan.
Malicious Activities
- Using the Service to exploit discovered vulnerabilities for unauthorized access, data theft, or system compromise
- Launching denial-of-service attacks or intentionally disrupting the availability of target systems
- Using the Service to distribute malware, ransomware, or any other malicious software
- Intercepting or attempting to intercept data belonging to third parties
- Using the Service to conduct social engineering attacks without explicit authorization
Platform Abuse
- Attempting to reverse engineer, decompile, or disassemble the Service
- Circumventing or attempting to circumvent rate limits, usage quotas, or other technical restrictions
- Sharing account credentials with unauthorized parties or operating multiple accounts to circumvent limitations
- Reselling, sublicensing, or redistributing the Service without written authorization from Find The Breach
- Interfering with the Service's infrastructure, including attempting to access other users' data or scan results
4 Rate Limiting and Fair Use
To ensure equitable access and optimal performance for all users, the Service enforces the following fair use guidelines:
- Each subscription tier includes defined scan quotas, concurrent scan limits, and API rate limits as specified in your service agreement.
- Automated or scripted interactions with the Service must comply with published API rate limits and must include appropriate delays between requests.
- Scans must be configured with reasonable intensity settings that do not overwhelm target systems or degrade the performance of the Service for other users.
- Bulk scanning operations must be scheduled during off-peak hours whenever possible, and users must coordinate with Find The Breach support for large-scale engagements exceeding their tier limits.
- Find The Breach reserves the right to throttle, queue, or temporarily suspend scans that adversely affect platform performance or other users' experience.
Default Rate Limits
| Resource | Free Trial | Starter | Professional | Enterprise |
|---|---|---|---|---|
| API requests/min | 30 | 60 | 120 | Custom |
| Concurrent scans | 1 | 2 | 5 | Custom |
| Scans/day | 3 | 10 | 50 | Unlimited |
| Targets | 3 | 10 | 50 | Unlimited |
Rate limits are enforced via HTTP 429 responses. Enterprise customers may request custom rate limits by contacting support@findthebreach.com. Current tier limits and usage are available in the portal under Account Settings > API Keys.
5 Monitoring and Enforcement
Find The Breach actively monitors the use of the Service to ensure compliance with this AUP. Our monitoring activities may include:
- Automated analysis of scan targets and patterns to detect unauthorized or suspicious activity
- Review of abuse complaints received from third parties regarding scans originating from the Service
- Periodic audits of user accounts and scanning activity
- Collaboration with internet service providers, hosting providers, and law enforcement agencies as necessary
6 Consequences of Violation
Violations of this AUP may result in any or all of the following actions, at Find The Breach's sole discretion:
- Warning: A written notice identifying the violation and requiring immediate corrective action.
- Suspension: Temporary suspension of your account and access to the Service pending investigation.
- Termination: Permanent termination of your account without refund of any prepaid fees.
- Legal Action: Referral to appropriate law enforcement authorities and pursuit of civil remedies, including claims for damages and injunctive relief.
- Reporting: Notification to affected third parties, internet service providers, and relevant regulatory authorities.
Find The Breach may take immediate action without prior notice in cases involving imminent harm, illegal activity, or threats to the security or integrity of the Service or third-party systems.
7 Reporting Abuse
If you believe that any user of the Service is violating this AUP, or if you have received unwanted scans originating from the Find The Breach platform, please report the activity immediately:
Find The Breach — Abuse Reports
Email: security@findthebreach.com
Please include the following information in your report:
- Your contact information
- IP addresses or domains involved
- Date and time of the incident
- Description of the activity and any supporting evidence (logs, screenshots)
We investigate all abuse reports promptly and will respond within forty-eight (48) business hours.
8 Changes to This Policy
Find The Breach reserves the right to modify this AUP at any time. Material changes will be communicated via email to registered account holders and posted on our website at least thirty (30) days before taking effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised AUP.
9 Contact Information
If you have questions about this Acceptable Use Policy, please contact us: