Active Scanning Disclosure

Scanner Policy

If you found this page from a User-Agent in your firewall logs, you’re in the right place. This is what Shadow Span scans, what we don’t do, how we identify ourselves, and how to ask us to stop.

What We Scan

Shadow Span is a unified security platform. We operate three categories of outbound active scanning, and we’re explicit about all of them:

  • EASM — customer-registered domains. Subdomain enumeration, port and service discovery, TLS and HTTP fingerprinting, and CVE correlation against assets a customer has explicitly registered as their own attack surface.
  • Supply chain — vendor risk. Banner-grade probes of third-party vendor surfaces that customers monitor as part of their vendor risk program. This is the same model that Censys, Shodan, BitSight, and SecurityScorecard operate under: public-observable signal only.
  • Intelligence feeds. Read-only HTTP fetches of public CVE, threat-actor, IOC, and certificate transparency sources. No probing.

What We Don’t Do

Shadow Span's scanning is non-intrusive: it observes only what a host already serves to any client. We do not, and will not:

  • Send exploit payloads of any kind
  • Attempt credential brute-force or password spraying
  • Issue requests that match common WAF exploit signatures
  • Run at rates that could cause denial of service
  • Use deceptive or browser-impersonating User-Agents
  • Probe systems or address space we have been asked to exclude
  • Attempt to access data that is not publicly served
  • Collect personal data from the surfaces we observe

How We Identify Ourselves

Every outbound HTTP request from a Shadow Span scanner carries the same canonical User-Agent. The format follows the Censys and Shodan convention of Product/Version (+policy-url), so a receiving operator can identify the scan, follow the URL back to this page, and reach us at abuse@shadowspan.com.

ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)

We also set an RFC 7231 (section 5.5.1) From: header of abuse@shadowspan.com on every request, so you don't have to follow the URL to find us:

From: abuse@shadowspan.com

Source IP Ranges

Current source IPs are published at /scanning/sources. If you’re building an allowlist or an attribution rule, that’s the authoritative list.

All scanning runs from Google Cloud in the us-central1 region. Our vendor-risk scanner uses a dedicated static egress IP so receiving NOCs can pin attribution from a single address:

Static egress — vendor scans
34.68.195.114

EASM scans share Cloud Run's shared egress pool, so they will appear from various Google-owned IPs in us-central1. The User-Agent above will always identify them as ours. Because any client can send that User-Agent string, an attribution or allowlist rule should match the source address against /scanning/sources as well, not the User-Agent alone.

Frequency & Rate

We rate-limit at the scanner tier, not at the network tier. Per-host caps:

Per-host rate cap
5 req/min. Hard ceiling across every Shadow Span scanner.

EASM cadence
Daily. Customer-registered surfaces are refreshed once per day.

Vendor risk cadence
Weekly. Vendor surfaces are sampled weekly unless a customer triggers an on-demand run.

Customer-triggered on-demand scans honour the same per-host cap. We do not offer a “fast mode” that bypasses it.
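
If you want to turn the identification section and the rate figures above into a log check, the following is an added example (not Shadow Span's own code) that reads Combined Log Format lines, tags each request as a genuine Shadow Span scan (canonical User-Agent from a published source address), a User-Agent impersonation (canonical User-Agent from an address not on the source list), or unrelated traffic, and flags any address that exceeds the stated 5 requests per minute per host. The static egress 34.68.195.114 and the User-Agent string come from this page; the 198.51.100.0/24 network is a constructed stand-in for the EASM pool you would load from /scanning/sources, and all log lines are constructed sample data (RFC 5737 documentation addresses).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Canonical User-Agent published on this page.
SHADOWSPAN_UA = "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
# Per-host cap published on this page: 5 requests per minute.
RATE_CAP_PER_MINUTE = 5

# Source addresses. 34.68.195.114 is the published static egress for vendor
# scans. 198.51.100.0/24 is a CONSTRUCTED placeholder (RFC 5737 documentation
# space) standing in for the EASM pool; load the real list from /scanning/sources.
SHADOWSPAN_SOURCES = [
    ipaddress.ip_network("34.68.195.114/32"),
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, not a real range
]

# Combined Log Format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log. 203.0.113.9 sends the canonical User-Agent from an
# unlisted address and bursts six requests in 25 seconds.
SAMPLE_LOG = """\
34.68.195.114 - - [12/Mar/2024:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
34.68.195.114 - - [12/Mar/2024:09:00:20 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
198.51.100.7 - - [12/Mar/2024:09:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
203.0.113.9 - - [12/Mar/2024:09:02:00 +0000] "GET /admin HTTP/1.1" 404 0 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
203.0.113.9 - - [12/Mar/2024:09:02:05 +0000] "GET /admin HTTP/1.1" 404 0 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
203.0.113.9 - - [12/Mar/2024:09:02:10 +0000] "GET /admin HTTP/1.1" 404 0 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
203.0.113.9 - - [12/Mar/2024:09:02:15 +0000] "GET /admin HTTP/1.1" 404 0 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
203.0.113.9 - - [12/Mar/2024:09:02:20 +0000] "GET /admin HTTP/1.1" 404 0 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
203.0.113.9 - - [12/Mar/2024:09:02:25 +0000] "GET /admin HTTP/1.1" 404 0 "-" "ShadowSpan-Scanner/1.0 (+https://shadowspan.com/scanning)"
192.0.2.5 - - [12/Mar/2024:09:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one Combined Log Format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "ua": m["ua"],
        "request": m["req"],
    }


def is_shadowspan_source(ip):
    """True if ip falls inside any published (or placeholder) source network."""
    return any(ip in net for net in SHADOWSPAN_SOURCES)


def classify(entry):
    """shadowspan: canonical UA from a listed source; spoofed-ua: canonical UA
    from an unlisted address; other: everything else."""
    ua_matches = entry["ua"] == SHADOWSPAN_UA
    if ua_matches and is_shadowspan_source(entry["ip"]):
        return "shadowspan"
    if ua_matches:
        return "spoofed-ua"
    return "other"


def rate_violations(entries, cap=RATE_CAP_PER_MINUTE, window=timedelta(minutes=1)):
    """Return the set of IPs with more than `cap` requests in any sliding window."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop timestamps outside the window
                start += 1
            if end - start + 1 > cap:
                offenders.add(ip)
                break
    return offenders


def triage(log_text):
    """Summarise a log: one verdict per IP (worst seen) plus rate offenders, as strings."""
    severity = {"other": 0, "shadowspan": 1, "spoofed-ua": 2}
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    verdicts = {}
    for e in entries:
        ip = str(e["ip"])
        v = classify(e)
        if severity[v] > severity.get(verdicts.get(ip, "other"), 0) or ip not in verdicts:
            verdicts[ip] = v
    return {
        "verdicts": verdicts,
        "rate_violations": sorted(str(ip) for ip in rate_violations(entries)),
    }


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG)["verdicts"].items():
        print(f"{ip:16} {verdict}")
    print("rate violations:", triage(SAMPLE_LOG)["rate_violations"])
```

Only traffic that carries the canonical User-Agent from an address on the published source list is treated as Shadow Span; a "spoofed-ua" verdict means someone else is sending that User-Agent and the traffic should be handled as unattributed. If your proxy also logs the From: header, add it as a second identification check in classify; standard Combined Log Format does not record it.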

Opt-Out & Exclusion

Any IP-range owner can request exclusion. Email abuse@shadowspan.com with the IP range or domain you control and a way for us to verify ownership (WHOIS record, RIR contact, or a DNS TXT record we can check). We confirm exclusion within one business day and propagate it to every Shadow Span scanner.

Exclusion is permanent and free. We don’t require a reason. If a customer later registers an excluded surface as their own, we’ll verify ownership with both parties before re-enabling.

Legal Posture

Shadow Span operates under the same legal model as Censys, Shodan, and BitSight. Customer-authorized scanning for EASM is performed under explicit written consent from the surface owner. Vendor-risk scanning is limited to public-observable signal that any internet user could collect — banner grabs, TLS handshakes, HTTP headers, DNS lookups. We never run exploit tests against any system without explicit, written consent from its owner.

We comply with the U.S. Computer Fraud and Abuse Act (no unauthorized access), the Canadian Criminal Code section 342.1 and PIPEDA (no unauthorized use of a computer; no collection of personal information from observed surfaces), and EU GDPR (we do not collect personal data from external scanning).

Contact

Our coordinated-disclosure policy is published at /.well-known/security.txt.