complyeah
Security

Our scanner

Effective July 6, 2026

If you're a site operator and you see traffic from complyeah, this page is for you. complyeah runs an external, read-only penetration-testing scanner, and it only ever tests domains whose owner has verified control of them with us and authorized the scan. This page tells you how to recognize our traffic and how to allowlist it so scans aren't blocked by your WAF or firewall.

How to identify our traffic

Our scanner is attributable - every request self-identifies.

  • User-Agent - complyeah-scanner/1.0 (+https://complyeah.com/scanner)
  • Source IP address - all scan traffic originates from:
    • 34.185.162.119

Allowlisting

To let our scans run without being rate-limited or blocked, add the source IP address above to your firewall, WAF, or CDN allowlist. This only affects scans of domains you have verified and authorized with complyeah - we never scan anything outside that scope.

What the scanner does - and doesn't do

  • Read-only. It performs only GET / HEAD requests and TLS handshakes. It never creates, modifies, or deletes data, submits forms, or attempts to log in.
  • In-scope only. It tests only the exact domain (and its subdomains) whose ownership was DNS- or HTTP-verified and for which an authorization record exists. Off-domain links and third-party hosts are recorded but never requested.
  • Polite. Requests are rate-limited and time-bounded, and the crawler honors robots.txt.
  • Attributable. Traffic comes from the fixed IP above with the self-identifying User-Agent, so you can always trace it back to us.

Seeing unexpected traffic?

If you believe you're seeing scan traffic from complyeah against a domain you own that you did not authorize, contact us at support@complyeah.com and we will investigate and stop it. We take unauthorized scanning seriously - verified ownership and a signed authorization are required before any scan can run.