
Responsible use

Vex Raptor is an offensive security tool. It sends real attack payloads to its targets. Use it only where you are authorized to do so.

Authorization is mandatory

Only scan systems you own or have explicit written permission to test. Unauthorized scanning may be illegal in your jurisdiction and can disrupt the target. When in doubt, do not scan.

Before you scan

  • Confirm you have written authorization covering the exact target scope.
  • Prefer staging/pre-production for the aggressive scan depths (Full/AI).
  • Coordinate with the target owner on timing and rate.
  • Understand that active attacks can create test data, trigger alerts, or affect application state.

Built-in safeguards

  • Instance license — production deployments require a VEX_LICENSE_KEY (RS256 JWT) issued by Vex. Without a valid license the platform will not start in ENVIRONMENT=prod and scans are blocked. Contact legal@vexraptor.io for licensing.
  • Domain ownership verification — in production, ownership of every external target must be proven before it is scanned, by a DNS TXT record at _vex-verify.<domain> or a file served at /.well-known/vex-verify.txt. This applies to all users, including admins. Local/lab targets (localhost, private ranges) are exempt so that intentional lab use still works.
  • Authentication — all scans require a logged-in user (JWT) or org API key (CI webhook). There is no anonymous scanning.
  • SSRF validation — every outbound request is checked before it is sent; loopback, link-local, cloud metadata endpoints, private ranges, and encoded-IP bypasses (an internal address written in a form a naive check would not recognize) are blocked. Scanning internal ranges is only possible when it is explicitly enabled in a non-production environment.
  • Per-phase timeouts and fail-soft — phases are time-boxed and isolated so a scan cannot run away or crash the platform.
  • Tamper-proof agent — the agent enforces a hard scope lock on outbound requests, isolates untrusted target output before it reaches the LLM, and reports prompt-injection attempts from a hostile target instead of obeying them.
  • Health gate — targets that fail a pre-scan health check skip active phases.
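The two pre-scan gates above, SSRF validation and domain ownership verification, are shown below as an added illustrative example. This is not Vex Raptor's own code: the blocked-range list, the metadata endpoint set, the `ENVIRONMENT` handling, the ownership token format and the `resolve`/`txt_lookup`/`http_get` callables are all assumptions made here so the example runs offline. The interesting part is `normalize_ip`, which folds the encoded-IP forms a naive string check misses (decimal, hex, octal, short dotted and IPv4-mapped IPv6) back into a canonical address before the range check.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed list of cloud metadata endpoints; not the product's own set.
METADATA = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def _octet(p):
    """Parse one dotted component the way inet_aton does: hex, octal or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p, 16)
    if re.fullmatch(r"0[0-7]+", p):
        return int(p, 8)
    if re.fullmatch(r"[0-9]+", p):
        return int(p, 10)
    raise ValueError(p)


def normalize_ip(host):
    """Return an ip_address for any literal form, or None if host is not an IP literal.

    Handles IPv6 (including IPv4-mapped ::ffff:a.b.c.d) and the IPv4 encodings that
    string-based validators miss: decimal (2130706433), hex (0x7f000001),
    octal (0177.0.0.1) and short forms (127.1).
    """
    host = host.strip("[]")
    if ":" in host:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return None
        mapped = addr.ipv4_mapped
        return mapped if mapped is not None else addr
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_octet(p) for p in parts]
    except ValueError:
        return None  # a hostname, not an address literal
    # inet_aton semantics: leading parts are single bytes, the last fills the rest.
    width = 32 - 8 * (len(vals) - 1)
    if any(v > 0xFF for v in vals[:-1]) or vals[-1] >= 1 << width:
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    return ipaddress.ip_address((n << width) | vals[-1])


def is_internal(addr):
    """True for loopback, link-local (covers metadata), private, reserved or unspecified."""
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified
            or str(addr) in METADATA)


def check_target(url, resolve, environment="prod", allow_internal=False):
    """SSRF gate. resolve(host) -> list of address strings (injected for offline use).

    Returns (allowed, reason). Internal ranges pass only when allow_internal is
    set and the environment is not production.
    """
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False, "unsupported scheme or missing host"
    host = u.hostname
    if host in METADATA:
        return False, "cloud metadata endpoint"
    literal = normalize_ip(host)
    addrs = [literal] if literal else [normalize_ip(a) for a in resolve(host)]
    if not addrs or None in addrs:
        return False, "host does not resolve"
    internal = [a for a in addrs if is_internal(a)]
    if internal and not (allow_internal and environment != "prod"):
        return False, f"{host} points at internal address {internal[0]}"
    return True, "ok"


def verify_ownership(domain, token, txt_lookup, http_get):
    """Ownership gate: DNS TXT proof first, then the well-known file.

    txt_lookup(name) -> list of TXT strings; http_get(url) -> body or None.
    The token is assumed to be an opaque string the platform issued earlier.
    """
    if token in txt_lookup(f"_vex-verify.{domain}"):
        return True
    body = http_get(f"https://{domain}/.well-known/vex-verify.txt")
    return body is not None and body.strip() == token
```

Two caveats the check alone does not cover. `check_target` validates what the host resolves to at check time, so the HTTP client that actually sends the request must connect to the exact address that passed (pin it) or a DNS-rebinding target can flip to an internal address between the check and the connection. And every redirect the target returns is a new outbound request and must go through the same gate.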

Data & privacy

  • Findings and reports stay in your database (self-hosted).
  • Third-party enrichment only runs when you configure its API key.
  • For maximum privacy, run air-gapped with a local LLM. See Sovereignty.

Reporting a security issue in Vex Raptor

If you find a vulnerability in Vex Raptor itself, report it through your support channel rather than filing it publicly.