Scan authorization guards
enforced before any scan runs

Before any plan or workspace state is read, the target string is normalised and checked against the platform blocklist. The blocklist refuses SecPortal own domains, critical internet infrastructure (ICANN, IANA, root DNS), financial infrastructure (SWIFT), government and military TLDs (.gov, .mil, .gov.uk, .mod.uk, .police.uk, .nhs.uk), and cloud provider management planes (.amazonaws.com, .azure.com, .azure.net, .googleapis.com, .cloudfront.net). The refusal returns the BLOCKLISTED code so the failure is the same shape as every other guard failure.

The guard counts scans already run this month for the workspace and compares against the plan ceiling. Starter sits at 2 scans per month, Pro at 50, Team at 100. A workspace that hits the ceiling receives SCAN_LIMIT with the current usage and the plan name in the message, so the failure surface is the same string the upgrade prompt reads on the dashboard.

The guard extracts the root domain from the target, with explicit handling for two-part TLDs like co.uk, com.au, co.jp, com.br, and reads verified_domains for the resolved workspace and root. A missing row returns DOMAIN_NOT_VERIFIED. A row that is not in the verified state returns DOMAIN_NOT_VERIFIED with the current verification_status surfaced in the message, so the operator knows whether to retry verification or fix the DNS record, file upload, or meta tag.

A verified row with an expires_at in the past returns DOMAIN_EXPIRED. Verification ages out because ownership of a domain can change through an acquisition, a registrar transfer, or a hosting change, so the platform refuses to honour a stale verification rather than accumulate quiet risk in the scan history.

If the target is a subdomain of the verified root and the plan does not carry the subdomain scanning feature flag, the guard returns SUBDOMAIN_NOT_ALLOWED. Starter does not permit subdomain scanning; Pro and Team do. The check protects workspaces that intend the root-only behaviour from accidentally fanning out scans across a long subdomain inventory.

A row in scan_attestations scoped to the workspace and the verified domain id is required. A target with no attestation returns NO_ATTESTATION. The attestation is the signed authorisation step that sits next to verification; verification proves administrative control of the domain, the attestation proves authority to authorise scanning. Both artefacts have to be present before the scan is allowed to leave the platform.

If the plan carries a non-zero scanCooldownHours value, the guard counts scan_executions for the workspace inside the cooldown window, excluding scans in the blocked or cancelled state. A recent scan inside the window returns COOLDOWN with the cooldown hours and the plan name in the message. Starter carries a 24-hour cooldown; Pro and Team have no cooldown.

Authenticated scans run a second guard that requires the plan to allow authenticated scanning, requires the scan_credentials row to belong to the workspace, requires the credential domain_id to point at a verified domain in the same workspace, and requires the credential target_url hostname to match the scan target or its root. A failure on any of these returns AUTH_NOT_ALLOWED, CREDENTIAL_NOT_FOUND, or CREDENTIAL_DOMAIN_MISMATCH, so a credential intended for one application cannot be reused against another.

The target is on the platform blocklist. The reason string names the category, so the operator knows whether the block is the cloud control-plane category, the government and military TLD category, the critical infrastructure category, or the platform self-block.

The workspace has reached its monthly scan ceiling for the current plan. The failure carries the current usage, the plan ceiling, and the plan name, so the upgrade prompt reads from the same record.

The root of the target is not present in verified_domains for the workspace, or the row exists in a non-verified state. The message names the resolved root domain so the operator knows which verification record to fix.

Verification existed for the root domain but the expires_at timestamp has passed. The platform refuses to honour aged verification because ownership of a domain can change after verification was first recorded.

The target is a subdomain of the verified root and the plan does not carry the subdomain scanning feature flag. Starter lands here; Pro and Team carry the flag on.

No scan_attestations row exists for the workspace and the verified domain id. The attestation is the signed authority-to-test record; without it, ownership is proven but authorisation is not.

A recent scan inside the plan cooldown window is present in scan_executions for the workspace. The message names the cooldown hours and the plan name so the operator knows whether to wait or upgrade.

Authenticated scanning was requested but the plan does not carry the authenticatedScanning feature flag. Starter lands here; Pro and Team carry the flag on.

The credential id supplied to the scan request does not match a scan_credentials row in the workspace. A credential created in one workspace cannot be used by another, because the lookup is workspace-scoped.

The credential references a verified domain that does not exist or is not in the verified state, or the credential target_url hostname does not match the scan target root. A credential intended for app-a.example.com cannot be repointed at app-b.other.com.

How is a scan authorised before it runs?

Every scan request runs through canScanDomain before any module fires. The compound guard refuses the request if the target is on the platform blocklist, if the workspace has hit its monthly scan quota, if the root domain is not verified or has aged out, if the request is for a subdomain on a plan that does not allow subdomain scanning, if no signed attestation exists for the verified domain, or if a recent scan inside the cooldown window is present. The guard returns a single typed code and a human-readable reason; the API surfaces both as a 403.

How is target ownership proved before scanning?

The verified_domains table holds the authoritative record. A domain enters the table through DNS TXT, HTML file upload, or meta tag verification, and the scan guard reads the row by the resolved root domain for the workspace. A target whose root is not present, is in a pending verification state, or has aged past its expires_at timestamp is refused, so a scan request always corresponds to a domain whose administrative control was proven for the workspace.

How does the platform refuse scans of infrastructure the customer does not own?

The blocklist refuses categories the platform will not honour regardless of plan or contract. Government and military TLDs, critical internet infrastructure, financial infrastructure such as SWIFT, cloud provider management planes, and SecPortal own domains are refused before any quota or verification check runs. The refusal returns BLOCKLISTED with a reason that names the category, so the operator knows the refusal is a platform policy and not a configuration mistake.

How is a signed authorisation to test recorded?

A scan_attestations row scoped to the workspace and the verified domain id is required before any scan against the domain is allowed to proceed. The attestation sits next to verification; verification proves administrative control of the asset, the attestation captures the authority-to-test declaration. The pair is the audit answer to an unauthorised-scanning question, because the answer reads as one verified-domain row plus one attestation row plus the activity log entries for the scans that ran under that pair.

How is an authenticated scan credential pinned to a target?

A scan_credentials row carries a domain_id that points at a verified domain in the same workspace and a target_url whose hostname must match the scan target or share its root. A credential created for one application cannot be repointed at another, and a credential whose underlying verified domain has aged out of the verified state cannot be used. The credential gate is a separate guard run on top of the domain guard, so authenticated scans inherit every check the external scan already passes.

How are plan limits enforced as part of the guard chain?

The same compound guard reads the plan and applies the monthly scan ceiling, the subdomain scanning feature flag, and the cooldown window between scans. A workspace cannot exceed the plan it paid for by reaching the scan endpoint directly because the guard runs at the API rather than relying on the dashboard to refuse the action. Downgrades take effect on the next scan because every request reads the current plan, not the plan that was active at signup.

A scan request for a root or subdomain whose root domain is not in verified_domains for the workspace returns DOMAIN_NOT_VERIFIED. The message names the resolved root so the operator can fix the verification record rather than the target string.

A verified row whose expires_at is in the past returns DOMAIN_EXPIRED. The platform refuses to scan against aged verification because ownership of the asset may have changed since the original verification.

A target whose root domain is verified but has no row in scan_attestations returns NO_ATTESTATION. Verification proves administrative control; the attestation proves authority to test. The platform requires both before allowing a scan to leave.

A target that resolves to a subdomain of the verified root, on a plan whose subdomainScanning flag is off, returns SUBDOMAIN_NOT_ALLOWED. The message names the plan so the upgrade path is obvious.

A scan request inside the cooldown window for the plan returns COOLDOWN with the cooldown hours surfaced. The window is enforced by counting scan_executions in the cooldown range excluding the blocked and cancelled states, so a refused scan does not reset the cooldown.

An authenticated scan whose credential domain_id matches a verified domain but whose target_url hostname does not match the scan target or its root returns CREDENTIAL_DOMAIN_MISMATCH. The check is hostname-precise so a credential cannot be repurposed across applications even when both share a parent.

Internal security team running a continuous testing programme

The verification records and attestations are managed by the central security team. AppSec and vulnerability management members initiate scans against verified roots and approved subdomains; the guard chain refuses targets that drift outside the approved set, and the activity log captures the refusal so coverage gaps are visible rather than silent.

AppSec team coordinating with engineering and platform

Application teams hand off domains for verification and attestation; AppSec runs the scans. The credential gate keeps authenticated-scan accounts pinned to the application the engineering team intended, so a credential issued for one product cannot be reused against another without a deliberate authorisation step.

GRC owner producing evidence for a compliance cycle

The pre-scan guard chain is the evidence story the GRC owner reads. Verification plus attestation plus the guard codes that refused the out-of-scope targets is the answer to the auditor question about how scanning was authorised, scoped, and policed. The activity log carries the per-scan record on the same workspace.

Security consultancy delivering tests across multiple clients

Each client lands in a workspace with its own verified domains, attestations, and quotas. The guard chain reads workspace-scoped state, so a verified domain in one client workspace does not authorise scans in another. The same pre-flight discipline that holds for an internal team holds across the consulting portfolio.