
Authorization Policy

Gated tests live MCP servers. Testing a system you don't have permission to test can be unlawful, regardless of intent. This policy sets out the rules.

Last updated: May 25, 2026
Questions: legal@gated.cc

01 The rule

You may submit a target to Gated only if you own it or have explicit authorization from the owner to perform security testing against it. Every scan you run is your attestation that this authorization exists.

02 Your responsibilities

By scanning a target, you confirm that:

  • You own the target, or you have written authorization from the owner to test it.
  • The scope of that authorization covers the kind of testing Gated performs, including active probing of tools and endpoints.
  • You will not use Gated to test third-party systems you are not authorized to test.

You are solely responsible for ensuring authorization is in place before each scan. Gated does not and cannot verify your authorization on your behalf.

03 What Gated does during a scan

The traffic a scan generates depends on its intensity. Passive and probe scans send read-shaped requests against a target you submit — handshake inspection, schema reads, light protocol probes. They run on your click-through attestation that you are authorized to test the target.

Explore and adversarial scans run active testing, including exercising tool endpoints to reproduce findings. On Direct-mode targets, those higher intensities require DNS TXT verification of the target's hostname before Gated will dispatch the scan. CLI-proxy targets use the operator's network-level access to the host as ownership proof and need no DNS check.

Scanning is bounded to the targets you submit; we do not pivot beyond them.

04 Ownership verification

For Direct-mode targets, Gated gates higher-intensity scans on DNS TXT verification. You publish a record under _gated_verify.<hostname> with the token shown on the target's settings page. Adversarial scans re-check that record at dispatch; an explore scan trusts a previously successful verification. If the record disappears, the target stops accepting higher-intensity scans until you re-verify.
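The dispatch rules above (attestation for every scan, no DNS check for CLI-proxy targets, a fresh TXT re-check for adversarial scans, trust in a prior verification for explore scans, and loss of verified status when the record disappears) can be written down as a small decision function. The following is an added illustration, not Gated's own code: the Target fields, the make_resolver helper, the "gated-verify=..." token format and the mcp.example.test hostname are assumptions, and the resolver is injected so the example runs offline instead of querying real DNS.

```python
"""Added example (not Gated's code): a model of the scan-dispatch gating
described in the Authorization Policy. DNS lookups are injected as a
function so the example runs offline against constructed zone data.
"""
from dataclasses import dataclass
from typing import Callable

# Scan intensities as named on the policy page, in ascending order.
PASSIVE, PROBE, EXPLORE, ADVERSARIAL = "passive", "probe", "explore", "adversarial"
HIGHER_INTENSITIES = {EXPLORE, ADVERSARIAL}

# Resolver contract (assumed): given a DNS name, return the TXT strings
# published under it, or an empty list when there is no such record.
TxtResolver = Callable[[str], list[str]]


@dataclass
class Target:
    hostname: str
    mode: str                 # "direct" or "cli-proxy" (assumed field names)
    token: str                # token shown on the target's settings page
    attested: bool = False    # click-through authorization attestation
    verified: bool = False    # outcome of the most recent DNS TXT check


def verification_name(hostname: str) -> str:
    """DNS name the owner publishes the TXT record under (from the page)."""
    return f"_gated_verify.{hostname}"


def check_txt(target: Target, resolve: TxtResolver) -> bool:
    """True if the expected token is currently published for the target."""
    return target.token in resolve(verification_name(target.hostname))


def verify_target(target: Target, resolve: TxtResolver) -> bool:
    """Explicit verification, as triggered from the settings page; records the result."""
    target.verified = check_txt(target, resolve)
    return target.verified


def may_dispatch(target: Target, intensity: str, resolve: TxtResolver) -> tuple[bool, str]:
    """Decide whether a scan at `intensity` may be dispatched, and why."""
    if not target.attested:
        return False, "no authorization attestation for this scan"
    if intensity not in HIGHER_INTENSITIES:
        return True, "read-shaped scan: attestation suffices"
    if target.mode == "cli-proxy":
        return True, "cli-proxy: network access to the host is the ownership proof"
    if intensity == ADVERSARIAL:
        # Adversarial scans re-check the record at dispatch; a failed check
        # revokes verified status until the owner re-verifies.
        if not verify_target(target, resolve):
            return False, f"no matching TXT record at {verification_name(target.hostname)}"
        return True, "adversarial: TXT record re-verified at dispatch"
    if target.verified:
        return True, "explore: trusting a prior successful verification"
    return False, "explore: target has not been verified yet"


def make_resolver(zone: dict[str, list[str]]) -> TxtResolver:
    """Offline resolver over a constructed zone mapping (sample data only)."""
    return lambda name: list(zone.get(name, []))


def demo() -> list[tuple[str, bool]]:
    """Walk the policy with constructed data; returns (step, allowed) pairs."""
    zone = {"_gated_verify.mcp.example.test": ["gated-verify=TOKEN_PLACEHOLDER"]}
    resolve = make_resolver(zone)
    t = Target("mcp.example.test", "direct", "gated-verify=TOKEN_PLACEHOLDER", attested=True)
    steps = [
        ("explore before any verification", may_dispatch(t, EXPLORE, resolve)[0]),
        ("adversarial with record published", may_dispatch(t, ADVERSARIAL, resolve)[0]),
        ("explore after successful verification", may_dispatch(t, EXPLORE, resolve)[0]),
    ]
    zone.clear()  # the owner removes the TXT record
    steps.append(("adversarial after record removed", may_dispatch(t, ADVERSARIAL, resolve)[0]))
    steps.append(("explore after failed re-check", may_dispatch(t, EXPLORE, resolve)[0]))
    return steps


if __name__ == "__main__":
    for step, allowed in demo():
        print(f"{step}: {'dispatch' if allowed else 'refuse'}")
```

The explore branch deliberately does not query DNS: it only trusts state left by an earlier successful check, which is why the record's disappearance is noticed at the next adversarial dispatch (or explicit re-verification) rather than immediately.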

05 Internal and unreachable targets

For internal MCP servers, scanning runs through gated-cli, which you run inside your own network. The same authorization rule applies: only run it against systems you control or are authorized to test.

CLI-proxy targets require no DNS verification at any intensity. Running the CLI on a host that can reach the target is itself the authorization signal — only someone with network access to that host could point Gated at it.

06 Suspension

If we believe a target is being scanned without authorization, we may suspend scanning and the associated account. We may cooperate with lawful requests from affected parties.

07 Reporting misuse

If you believe a system you own has been scanned through Gated without authorization, email abuse@gated.cc with details, and we’ll investigate.