Can I run scans without permission?
Question
How is FractalScan Surface able to legally run passive scans without a company's permission? How does FractalScan Surface avoid legal issues and comply with the UK's Computer Misuse Act (CMA)?
Answer
You do not need permission from an organisation to scan their domains and IPs.
In building FractalScan Surface, and drawing on Red Maple's experience of cyber security, we continuously review our capability to ensure that FractalScan Surface does not undertake any activity regarded as an offence under the CMA. FractalScan Surface gathers information from public data sources and will use headless web browser sessions to check a website's security. We are only gathering information which is publicly available.
We are not undertaking any active scanning of an organisation's assets or doing any more than a normal web browser (like Chrome or Edge) would do. FractalScan Surface does not do any active port scanning looking for services which may or may not be there. The application also does not use or require any credentials; it is looking at what is publicly available to everyone. Unlike active tools, FractalScan Surface will not attempt any test attacks on assets, benign or otherwise.