Scanning Authorization Policy

Last updated: 2026

Vulnerability scanning and exposure reviews are performed only after written authorization is received from the asset owner or authorized representative.

Why this matters

Unauthorized scanning, even with good intentions, is illegal under the Computer Fraud and Abuse Act (CFAA) and equivalent laws in other jurisdictions. It can also disrupt services, trigger security alerts, and create liability for both parties.

Genesis Signals Cyber operates under a strict written authorization requirement for all vulnerability scanning, exposure assessment, and web application testing services. This is not negotiable and is not waived under any circumstance.

Authorization requirements

  • Authorization must be provided in writing before any scanning begins.
  • The authorizing party must be the asset owner or an individual with documented authority to authorize testing on behalf of the organization.
  • The scope, including specific domains, IP addresses, web applications, and cloud assets, must be confirmed and agreed upon before scanning proceeds.
  • Assets outside the confirmed scope are not scanned under any circumstances.
  • Authorization records are retained for the duration of the engagement and a reasonable period thereafter.
  • Authorization may be revoked in writing at any time, which will halt any in-progress or scheduled scanning.

What is not covered by your authorization

Even with a signed authorization, the following are outside scope unless explicitly agreed upon in a separate, specific authorization:

  • Assets owned by third parties, even if accessible from your network or systems.
  • Shared hosting environments where scanning would affect other tenants.
  • Cloud provider infrastructure not directly owned or leased by the authorizing organization.
  • Any system or domain not explicitly listed in the confirmed scope.

How authorization works in practice

When you engage Genesis Signals Cyber for a vulnerability assessment or monthly monitoring service, the engagement process includes:

  1. A scope confirmation document listing all approved domains, IP addresses, and assets.
  2. Written acknowledgment from an authorized representative confirming ownership or authorization authority.
  3. Retention of that authorization for the duration of the engagement.
  4. A confirmation exchange before each scanning cycle for monthly engagements if scope has changed.