Acceptable Use Policy
Effective date: July 9, 2026
- Company/product
- Cracken / https://cracken.ai
- Legal entity
- CrackenAGI Ltd.
- Registered office
- 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT
- Governing law for self-serve terms
- England and Wales
1. Purpose
This Acceptable Use Policy ("AUP") governs use of Cracken's self-serve services. It is incorporated into the applicable Terms, Data Processing Agreement, Privacy Policy, Rules of Engagement and other service documents.
Cracken is an AI-assisted adversarial-validation and cyber-resilience platform. It may help users identify, validate and evidence security weaknesses. That capability must be used only for lawful, authorized defensive security purposes.
2. Authorized use
You may use Cracken only for lawful, authorized security testing of systems, applications, networks, cloud resources, accounts and data that you own or are expressly authorized to test. You are responsible for obtaining and maintaining written authorization from the relevant owner and for complying with all applicable Rules of Engagement.
Cracken does not require domain verification before every scan by default. However, Cracken may request domain verification, written authorization, identity evidence, business verification, RoE evidence or other supporting documents ad hoc for risk users, risk features, risk actions and risk-based triggers.
3. Prohibited use
You must not use Cracken to:
- test, scan, exploit, access or affect any system without authorization;
- exceed approved scope, test intensity, credentials, accounts, targets or Rules of Engagement;
- cause denial of service, service degradation, destructive activity or data corruption;
- steal, exfiltrate or disclose data except for minimal evidence necessary for an authorized finding;
- establish persistence, backdoors, covert access or unauthorized long-term access;
- conduct phishing, social engineering, physical security testing or third-party targeting unless expressly authorized in writing;
- extort, threaten, publish or sell unremediated vulnerability information;
- create, distribute or operate malware outside authorized defensive testing;
- evade Cracken safety, rate, billing, geographic, export or abuse controls;
- reverse engineer, extract, reconstruct, derive, disclose, copy, benchmark for replication, or attempt to discover Cracken source code, object code, architecture, non-public APIs, prompts, system prompts, model instructions, playbooks, skills, agents, workflows, rules, policies, guardrails, detection logic, evaluation logic, "tentacles" or other non-public methods or proprietary components;
- use Cracken outputs, traffic, errors, logs, screenshots, responses or metadata to build, train, fine-tune, benchmark, validate or improve a competing product, model, agent, workflow or security tool, except as expressly permitted in writing;
- use Cracken from, for the benefit of, or in connection with restricted territories or prohibited parties: Russia; Belarus; Cuba; Iran; North Korea / DPRK; Syria; Crimea / Sevastopol / occupied or non-government-controlled Ukrainian territories, including Donetsk, Luhansk, Kherson and Zaporizhzhia areas;
- use Cracken in connection with any party, entity, sector, military end use/end user, transaction, export, re-export, transfer, service or technical-data activity that is restricted or prohibited under applicable EAR, ITAR, OFAC, EU, UK, UN or similar export-control or sanctions rules;
- use Cracken for any illegal, harmful, deceptive, abusive, unsafe or unethical activity;
- violate law, third-party rights, platform rules or professional Rules of Engagement.
4. Restricted targets and high-risk activity
Some targets or activities require additional caution and may require Cracken review, written authorization, tighter scope, special approvals or refusal, even where the user claims authorization. Examples include critical infrastructure, public-sector systems, healthcare or life-safety systems, third-party SaaS platforms, shared cloud environments, telecommunications, financial-market infrastructure and any environment where testing could create disproportionate harm. Customers should request approval for high-risk targets or activities through Cracken's support ticketing portal at https://crackenai.featurebase.app/ before running those workflows when approval is required by Cracken, the Terms, the Rules of Engagement, the target owner or applicable law.
5. Supporting documents and cooperation
Cracken may request supporting documents for risk users, risk features, risk actions and risk-based triggers. You must respond accurately and promptly. Failure to provide requested documentation, providing false documentation, or refusing to cooperate with a safety, abuse, export/sanctions or incident investigation may result in suspension or termination.
6. Monitoring and enforcement
Cracken may monitor user activity, workflows, logs, targets, prompts, commands, account signals and security events to detect violations of this AUP, Rules of Engagement, export/sanctions controls, law or platform safety requirements.
Cracken may immediately suspend or terminate access, pause workflows, revoke API keys, quarantine data, disable features or preserve evidence if Cracken reasonably suspects unauthorized hacking, unsafe activity, export/sanctions violation, fraud, payment abuse, RoE breach, legal violation, prohibited reverse engineering or risk to Cracken, customers, third parties or the public.
7. Refunds after suspension or termination
If Cracken terminates or suspends service for material breach, unlawful use, unethical use, sanctions/export violation, fraud, unauthorized hacking, RoE violation, prohibited reverse engineering of code, prompts, playbooks, skills, "tentacles" or other proprietary components, or any other serious AUP violation, Cracken may deny refunds or credits where permitted by law. If service ends for a mutually agreed non-violation reason or Cracken terminates for convenience, unused prepaid fees may be handled on a pro-rata basis according to the Terms.
8. AI output and customer responsibility
Cracken may use autonomous or semi-autonomous AI agents. Outputs may be incomplete, inaccurate or unsafe if used without review. Customers remain responsible for verifying findings, approving remediation, configuring scope, safeguarding credentials and ensuring that all use is lawful and authorized.
9. Contacts
Support and high-risk target approval requests: https://crackenai.featurebase.app/
Security and abuse reports: security@cracken.ai
Legal notices: legal@cracken.ai
Privacy questions: privacy@cracken.ai
