Security Assessment Authorization

Last updated: April 12, 2026

1. Parties

This authorization is between you (“the Authorizing Party”) and Cestulab Co., Limited, operating as Prowl Security (“Prowl,” “we,” “us”).

By submitting the intake form at /free-audit, you confirm that you are authorized to grant permission for security testing on the domain(s) you provide.

2. Testing scope

Prowl will perform a security assessment that may include the following activities:

2a. Passive (read-only) activities

  • HTTP response header analysis
  • TLS/SSL certificate and cipher suite inspection
  • DNS record enumeration (A, MX, TXT, NS, CNAME)
  • Email security assessment (SPF, DKIM, DMARC)
  • Path and file enumeration via HEAD/GET requests to common paths
  • Technology fingerprinting from publicly visible metadata
  • CMS and API schema discovery via read-only queries

2b. Active (non-destructive) activities

  • Submitting test data to publicly accessible forms to observe error handling and information disclosure
  • Sending crafted input payloads (XSS, LFI, SSRF, command injection) to test input validation — using benign, non-destructive test strings only
  • Probing publicly exposed API endpoints with malformed or unexpected requests
  • Querying AI/LLM endpoints with prompt injection test strings, if applicable
  • Probing payment-related API endpoints for logic and authorization flaws, if applicable
  • Running version-specific CVE checks against detected software versions
  • SSH configuration auditing against exposed SSH services

3. What we will NOT do

  • No denial-of-service (DoS) or load testing. We will not flood your infrastructure with traffic.
  • No data exfiltration. We will not download, copy, or store your application data, user data, or database contents.
  • No data modification or deletion. We will not alter, overwrite, or remove any data on your systems.
  • No credential brute-forcing. We will not attempt to guess passwords or authentication tokens.
  • No lateral movement. Testing is limited to the domain(s) and endpoints you explicitly authorize.
  • No social engineering. We will not contact your employees, users, or partners as part of the assessment.
  • No malware deployment. We will not upload, install, or execute any persistent code on your systems.

4. Ownership verification

Testing will not begin until we have verified that you own or are authorized to control the target domain(s). Verification may be completed via one of the following methods:

  • Adding a DNS TXT record we provide
  • Adding an HTML <meta> tag to your homepage
  • Responding from an administrative email address at the target domain
  • Another method agreed upon in writing

5. Findings & confidentiality

  • All findings are delivered privately and exclusively to you (the Authorizing Party).
  • We will not disclose your company name, domain, findings, or any site-specific details to any third party without your explicit written consent.
  • Reports are delivered via encrypted channel or secure link and are retained for up to 90 days, after which they are deleted unless you request otherwise.

6. Anonymized research use

By submitting the intake form, you consent to Prowl using anonymized, non-identifiable, aggregate statistics from your assessment in published research. This includes data such as:

  • Percentage of sites missing specific security headers
  • Prevalence of email spoofing vulnerabilities across the sample
  • Common technology stacks and their associated risk patterns

At no point will your company name, domain name, IP addresses, endpoints, personnel names, or any information that could identify your organization be included in any published material.

7. Limitation of liability

Prowl performs security assessments on a best-effort basis. While we use advanced AI-powered methodology, no security assessment can guarantee discovery of all vulnerabilities. Prowl is not liable for vulnerabilities not discovered, nor for any damages arising from your decision to act (or not act) on findings.

8. Authorization record

Your submission of the intake form, together with the timestamp, your IP address, and the confirmation email sent to you, constitutes your authorization record. No counter-signature from Prowl is required, since we are the offering party in every case.

You may revoke authorization at any time by emailing agent@tofulab.ai. Any testing in progress will be halted immediately upon receipt.

9. Contact

Questions about this authorization or our testing methodology can be directed to: agent@tofulab.ai

Cestulab Co., Limited d/b/a Prowl Security — Delaware, USA