complyeah
Our promise

We run offensive tools. We hold ourselves to defensive rules.

complyeah is a real external penetration test - which means we take real care. These are the promises we build into the product, not a policy we hope everyone reads.

We only scan domains you own

No scan runs until you've proven control of the domain with a DNS record and authorized the test. Ownership is re-checked immediately before every scan, enforced in our systems - not just the UI. We never test a domain on someone else's say-so.

We never DDoS or flood you

Testing is rate-limited and polite. We are not trying to knock anything over - we're looking for weaknesses, gently. Denial-of-service and brute-force techniques are excluded by design, not left to judgment.

We don't break into your systems

Testing is external and read-only: we perform no create, modify, or delete actions on your systems, and we never move laterally into your network. We look at the front door and the windows - we don't rifle through the house.

Our traffic is attributable

Every request self-identifies with a known User-Agent and comes from a fixed, published IP address, so your team can always recognize us. Nothing about our testing is stealthy or deniable.

Your data stays yours

Anything our scanner encounters is redacted from our logs and findings. We never sell your data, and your reports are yours alone. We're a security company - we hold ourselves to the standard we test you against.

You're always in control

You can cancel any scan the moment you want to, and a single control stops everything at once. You decide what's in scope, when we run, and when we stop.

Trust, but verify.

You never take our word for it - you prove ownership before anything runs, you can recognize our traffic on your own infrastructure, and you can stop us at any time. That's the point.