Can I run scans without permission?
Question
How is Hexiosec ASM able to legally run passive scans without a company's permission? How does Hexiosec ASM avoid legal issues and comply with the UK's Computer Misuse Act (CMA)?
Answer
You do not need an organisation's permission for Hexiosec ASM to examine their domains and IPs, because the platform only collects information that is already publicly available.
In building Hexiosec ASM, and drawing on Hexiosec's experience in cyber security, we continuously review the platform's capability to ensure that it does not undertake any activity that would be an offence under the Computer Misuse Act 1990. Hexiosec ASM gathers information from public data sources and uses headless web browser sessions to check a website's security. We only gather information that is publicly available.

We do not undertake any active scanning of an organisation's assets, and we do nothing more than a normal web browser (such as Chrome or Edge) would do when visiting a site. Hexiosec ASM does not perform active port scanning to look for services that may or may not be present. The platform also does not use or require any credentials; it looks only at what is publicly available to everyone. Unlike active scanning tools, Hexiosec ASM does not attempt test attacks of any kind against assets, benign or otherwise.