What is out of scope?
Question
FractalScan Surface has a concept of assets being in and out of scope. What does this mean and how is it determined what's in and what's out?
Answer
FractalScan Surface uses 'in scope' and 'out of scope' to control how much of an attack surface to scan. Since everything on the internet is connected, we need to ensure the scope of a FractalScan Surface scan is appropriately focussed.
![Example of in scope node on the explore page of a scan.](https://images.archbee.com/ADIhj5CoSURbyJI1tP0pN/7P_H5dA5l9-3ni9DxxiIt_screenshot-2023-08-02-at-112054.png?format=webp)
'In scope' nodes, be they Domains, IP addresses, Components, etc., are connected back to one of the seed nodes via a valid path. A subdomain (or child) of a seed domain will be in scope. However, the domain of a 3rd-party script used on the seed domain's website will be 'out of scope'.
Simply put, if it is 'in scope', then FractalScan Surface has determined that the risks associated with the asset are your responsibility. If it is out of scope, then FractalScan Surface can't be sure it is yours, and you will need to add it as a seed to get FractalScan Surface to inspect it further.
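The sketch below illustrates the idea of scope as reachability from a seed. It is an added example, not FractalScan Surface's own code: the edge kinds, the rule for which of them carry scope, and the sample hosts are all assumptions constructed for illustration.

```python
from collections import deque

# Assumption: the page does not say which relationships make a path "valid".
# Here only these hypothetical edge kinds carry scope from one node to the next.
SCOPE_EDGES = {"subdomain", "resolves_to"}

# Constructed sample graph: (source, relationship, target)
SEEDS = {"example.com"}
EDGES = [
    ("example.com", "subdomain", "shop.example.com"),
    ("shop.example.com", "resolves_to", "203.0.113.10"),
    ("shop.example.com", "loads_script", "cdn.thirdparty.example"),
    ("cdn.thirdparty.example", "subdomain", "assets.cdn.thirdparty.example"),
    ("example.com", "subdomain", "notexample.com"),  # mislabelled lookalike
]

def is_subdomain(child, parent):
    """Match on a DNS label boundary so 'notexample.com' is not a child of 'example.com'."""
    child, parent = child.lower().rstrip("."), parent.lower().rstrip(".")
    return child.endswith("." + parent)

def classify(seeds, edges):
    """Return (in_scope, out_of_scope): nodes reachable from a seed over scope edges, and the rest."""
    nodes = set(seeds)
    for src, _, dst in edges:
        nodes.update((src, dst))
    in_scope, queue = set(seeds), deque(seeds)
    while queue:
        current = queue.popleft()
        for src, kind, dst in edges:
            if src != current or dst in in_scope or kind not in SCOPE_EDGES:
                continue
            if kind == "subdomain" and not is_subdomain(dst, src):
                continue  # a claimed child that is not under the parent's name
            in_scope.add(dst)
            queue.append(dst)
    return in_scope, nodes - in_scope

if __name__ == "__main__":
    inside, outside = classify(SEEDS, EDGES)
    print("in scope:    ", sorted(inside))
    print("out of scope:", sorted(outside))
    # Adding an out-of-scope node as a seed pulls in its own children too.
    inside, outside = classify(SEEDS | {"cdn.thirdparty.example"}, EDGES)
    print("after adding seed:", sorted(inside))
```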
To view the 'out of scope' nodes, go to the 'Out of Scope' page on a scan. From there you can add nodes to scope as seeds. Note that this depends on permissions.
![Add out of scope nodes to scope as seed using the out of scope page on a scan](https://images.archbee.com/ADIhj5CoSURbyJI1tP0pN/1Q8JaZPoZdLhdo0pNla8k_screenshot-2023-08-02-at-111739.png?format=webp)