Last updated 10 May 2026

Terms of Service

By using AttackMap (this website, the scan API, and the reports we generate) you agree to these terms. AttackMap is operated by Cliff Hack. Contact: support@attackmap.org.

What we do

AttackMap runs a passive security scan against a URL you provide. "Passive" means: about fifteen read-only HTTP requests over roughly ten seconds. We do not log in, fuzz inputs, exploit anything, or test authenticated endpoints. We then produce a report listing findings, severity, evidence, and remediation, and email it to the address Stripe shares with us at checkout.

You must have authorization to scan the URL

You may only submit URLs you own or have explicit, written permission to test. Scanning sites without authorization may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws elsewhere. You are solely responsible for confirming you have permission. If you don't, do not use AttackMap.

We refuse and may decline service for scans of obviously third-party properties (large platforms, infrastructure not plausibly under your control, etc.), and we cooperate with subpoenas and lawful requests.

What you get for $29

• One passive pentest of the URL submitted at checkout.
• A Markdown report delivered by email within five minutes of successful payment.
• A re-download link valid seven days from delivery.

The free preview returns a grade plus the top three findings. It is rate-limited and may serve cached results.

Refunds

If the paid report does not surface findings you couldn't have identified yourself in five minutes, email support@attackmap.org within 14 days of purchase. We'll refund you. We don't require a justification or a ticket number.

We will not refund if (a) you didn't have authorization to scan the URL, (b) the URL is unreachable due to your own configuration after we've made reasonable attempts, or (c) you've submitted the request more than 14 days after purchase.

No warranty

AttackMap is provided as-is. We make no guarantee that the report is exhaustive, that the absence of a finding means your site is safe, or that listed findings are the most important issues affecting you. The scan looks at the public edge of one URL and reports what it can see. A clean grade is not a substitute for a real engagement.

To the maximum extent permitted by law, we disclaim all warranties, express or implied, including merchantability, fitness for a particular purpose, and non-infringement.

Limit of liability

Our total liability for any claim arising out of or relating to AttackMap is limited to the amount you paid us in the prior twelve months. We are not liable for indirect, incidental, consequential, or special damages — including lost profits, lost data, downtime, reputational harm, or third-party claims — even if advised of the possibility.

Acceptable use

You agree not to:

• Submit URLs you don't have authorization to test.
• Use AttackMap to plan or execute unauthorized access, denial of service, or any other unlawful activity.
• Resell, repackage, or scrape AttackMap reports as a service.
• Attempt to circumvent rate limits, payment, or any other technical control on the service.

Violating this section may result in immediate termination of access and forfeiture of fees.

Changes

We may revise these terms. If we make material changes we'll update the date at the top of this page and post a notice on the homepage for at least 30 days. Continued use after that constitutes acceptance.

Governing law

These terms are governed by the laws of the United States and the state in which AttackMap is operated, without regard to conflict of law principles. Any dispute will be resolved in the state or federal courts of that jurisdiction.