Opt-out policy
Scanner posture & your control
This page exists because if we observed your attack surface and you didn't ask, you deserve to know exactly what we did, what we kept, and how to make it stop. Everything below is a promise, not a preference.
What we scan
Dhara scans your public-facing external surface. That means the same view a prospective attacker on the internet already has today. In practice:
- Subdomain enumeration (DNS / certificate transparency / passive sources)
- Live-host identification and HTTP response metadata
- Port and service reconnaissance (top common ports on live hosts)
- Web-asset fingerprinting (server, framework, CMS, WAF/CDN detection)
- Signed CVE probes via Nuclei templates, rate-limited per profile
We identify ourselves. Every probe carries the User-Agent dhara-scan/1.0 (+https://audit.eleven11.pro/scanners). If you grep your access logs and you're reading this page because you found that user-agent, that's the mechanism working as intended.
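An added example (not Dhara's own code) of the log check described above: it pulls every request carrying the dhara-scan/1.0 token out of an access log and groups them by source IP. It assumes the Apache/nginx "combined" log format. The review list for body-carrying methods is an assumption derived from the "never submit forms" commitment, and because a User-Agent is self-declared, a flagged line may come from a third party reusing the string.

```python
import re
from collections import defaultdict

# Token stated on this page; matching on it trusts a self-declared header.
SCANNER_UA = "dhara-scan/1.0"

# Assumed layout: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Assumption: body-carrying methods deserve a manual look given the page's
# "never submit forms" commitment. A hit is a review item, not proof.
REVIEW_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def summarize(lines):
    """Group scanner-tagged requests by source IP; list requests to review."""
    by_ip = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "paths": set()}
    )
    review = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or SCANNER_UA not in m["ua"]:
            continue  # unparsable line or some other client
        entry = by_ip[m["ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["paths"].add(m["path"])
        if m["method"] in REVIEW_METHODS:
            review.append((m["ip"], m["method"], m["path"]))
    return dict(by_ip), review


# Constructed sample lines (documentation IP ranges), not real scanner traffic.
UA = "dhara-scan/1.0 (+https://audit.eleven11.pro/scanners)"
SAMPLE = [
    f'203.0.113.10 - - [02/Apr/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "{UA}"',
    f'203.0.113.10 - - [02/Apr/2026:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "{UA}"',
    '198.51.100.7 - - [02/Apr/2026:10:05:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'192.0.2.44 - - [02/Apr/2026:11:00:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "{UA}"',
]

if __name__ == "__main__":
    hits, review = summarize(SAMPLE)
    for ip, e in hits.items():
        print(ip, e["count"], e["first"], e["last"], sorted(e["paths"]))
    print("review:", review)
```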
What we don't do
- We never attempt authentication. No credential-stuffing, no brute force, no password spray.
- We never send email, never submit forms, never chat with a support agent.
- We don't exploit findings. Unauthenticated observation only — full stop.
- We don't register accounts. We don't hit sign-up flows.
- We don't scan the listed Disallow paths in your robots.txt for WordPress-admin-style endpoints.
- For regulated surfaces (ABHA, HIPAA, ABDM partners, gov.in), we further restrict to passive sources only — no active probing at all. Your origin is never touched.
Stop future scans
If you don't want us to scan you again, reply opt out to the thread that delivered the report, or email [email protected] with the domain in the subject line.
- Effect: we add the domain (and its subdomains) to our scan denylist.
- Timing: within 24 hours of the request.
- Confirmation: by reply, with the denylist entry quoted back.
- Scope: permanent unless you explicitly re-authorise. Operating assumption is: once you say no, the answer stays no.
Delete the report & underlying data
If you'd like the report itself — plus the raw scan output and any internal index entries it produced — removed from our systems, reply delete to the thread, or email [email protected].
- What we delete: the HTML + PDF report, the underlying report.json, the Nuclei output and tool logs, the findings index entry in our knowledge graph, and any share-link tokens issued for the report.
- Timing: within 7 days of the request.
- Confirmation: by reply, with the affected file paths listed.
- What we keep: an audit-log entry that says “<domain> requested deletion on <date>, completed on <date>”. No scan content. Retained for our own accountability only.
Report-level controls
Every report we deliver carries its own set of opt-outs, callable the same way — reply to the thread with a single word. These are receipts, not tricks:
- no pixel — removes the 1×1 read-tracking pixel from every report we send you going forward. Existing pixels in already-delivered emails can't be recalled (email is like that) but no new ones will fire.
- minimal — strips the cross-sell block from future reports in your thread. You still get the findings; you don't get the “also available as…” suggestion.
- opt out — as above. Stops future scans.
- delete — as above. Removes the report and underlying data.
Anything else
If you want something we haven't listed above — a partial-scope opt-out (e.g., “scan everything except *.internal.example.com”), a delay (“don't scan us until we've finished our own internal review”), or just a conversation — email [email protected]. A human reads every one. Usual response time: within one business day.
This in writing
Formal version of the above with our retention and handling commitments is on our legal page. The short version of how the scan itself works (what profile does what) is on how-it-works.
This page is versioned. Material changes are recorded with the date below, and the previous version is kept as an appendix to the legal notice so you can read what the policy said when a specific scan ran.
Last updated: April 2026. Policy owner: Eleven11.