Trust

How ExposureGrid scans safely, and what we promise about your data

Security tools earn trust by being honest about what they do and don't do. Here's how ExposureGrid is built and what to expect when you submit a target.

Trust, safety, and data principles for ExposureGrid scans.

Operating principles

Six commitments we hold ourselves to

External & non-invasive

ExposureGrid uses lightweight, externally observable checks: TLS handshakes, response headers, DNS queries, and CSP / CORS probes. No payloads, no fuzzing, no credential testing, no destructive probes.

Authorization required

You may only submit targets you own or that you have explicit, legally sufficient authorization to assess. Public reachability is not consent. Misrepresenting authorization violates our Terms of Service.

Coverage transparency

Every report tells you exactly which checks ran, which were skipped, and why. ExposureGrid never silently degrades a scan into a fake clean result.

Minimal data collection

We collect what we need to scan, score, and explain findings. We don't traffic in customer browsing data, and we treat scan history as workspace-scoped data.

Tokenized public reports

Public scan reports are addressable only via a long, unguessable URL token. Account workspaces keep all data scoped to authenticated users.

Honest about scope

ExposureGrid is an external posture scanner. It complements penetration testing, code review, runtime monitoring, and formal compliance. It does not replace any of them.

What an ExposureGrid scan does, and doesn't do

A clear contract with the targets we scan

A scan does

  • Resolve and connect to public-facing hosts.
  • Complete TLS handshakes and inspect certificate metadata.
  • Issue a small number of HTTP requests to read response headers.
  • Query public DNS records (SPF, DKIM, DMARC, MX, etc.).
  • Probe representative endpoints for CSP / CORS posture.

A scan does not

  • Send exploit payloads or fuzzing inputs.
  • Test credentials, brute-force logins, or attempt auth bypass.
  • Modify, delete, or write any data on the target.
  • Run high-volume traffic floods or anything DoS-shaped.
  • Pull customer-private content from authenticated areas.

Authorization & acceptable use

You must be authorized to scan the target

ExposureGrid's public scanner accepts a target URL without account verification, but our Terms of Service require that you only submit domains you own or that you have explicit, legally sufficient authorization to assess. Public reachability is not consent.

We may rate-limit or block scans for abuse prevention. We may also block public scans for domains that are managed inside ExposureGrid with current, valid ownership verification, so account holders stay in control of how their assets are publicly assessed.

If you believe a scan was run against your property without authorization, contact [email protected].

Operated by EventHorizon Forge

The company behind ExposureGrid

ExposureGrid is built and operated by EventHorizon Forge, a security company that delivers infrastructure, identity, and managed services. The same principles you see here (evidence first, honest scope, safe defaults) apply across everything EHFC builds and runs.