Terms of Service

Effective Date: April 27, 2026

Introduction
These Terms of Service govern your access to and use of Overwatch ASM, operated by Gibborim Offensive Security, LLC ("Company," "we," "us," or "our"). By accessing or using the Service, you agree to be bound by these Terms. If you do not agree, you may not access or use the Service. If you are entering into these Terms on behalf of a company or organization, you represent that you have authority to bind that entity.

Description of Service
Overwatch ASM is an AI-powered attack surface management platform that provides external asset discovery and enumeration (subdomains, hosts, certificates, cloud assets, code exposure), automated reconnaissance and vulnerability scanning against submitted assets, AI-assisted analysis, risk scoring, and finding triage, and LLM-generated executive reports and continuous monitoring dashboards. The Service is intended for defensive security monitoring and informational purposes only.

Authorized Use Only
You agree that you will only use the Service to scan and monitor assets that you own or are explicitly authorized to assess. You may not use the Service to scan systems, networks, or domains without proper authorization from the asset owner, conduct illegal reconnaissance, intrusion activity, or unauthorized access to third-party systems, or violate any applicable local, state, national, or international laws or regulations. You are solely responsible for ensuring you have proper written authorization for all assets submitted for scanning. We reserve the right to suspend or terminate accounts engaged in unauthorized use.

Accounts and Organizations
To access the Service, you must create an account and provide accurate, complete information. The platform implements role-based access control (RBAC) at three tiers. Organization Members can view scan results, reports, and findings for assets belonging to their organization. Organization Admins can invite and remove members, manage organization settings, configure scan targets, and manage access within the organization. Platform Admins are Gibborim Offensive Security personnel responsible for platform-wide administration and access customer data only for support, incident response, or legal obligation.

You are responsible for maintaining the confidentiality of your login credentials, all activity conducted under your account, and ensuring account access is not shared with unauthorized users. Organization Admins may enable and enforce Multi-Factor Authentication (MFA) across all members of their organization. The platform supports TOTP authenticator apps as the primary MFA method and email OTP as a backup. We strongly recommend MFA be enabled for all accounts. We may suspend or terminate accounts that violate these Terms or that we reasonably believe have been compromised.

Subscriptions and Payments
Access to the Service requires a paid subscription. The Starter plan supports up to 3 root domains and 1 organization with monthly automated scans. The Pro plan supports up to 15 root domains and 5 organizations with weekly automated scans and priority support. The Enterprise plan supports unlimited root domains and organizations with daily and on-demand scans and custom agents. Subscriptions renew automatically unless canceled before the renewal date. Payments are processed by Stripe, Inc. under their PCI-DSS compliance program. We do not receive or store full payment card details. All fees are non-refundable unless otherwise required by law. We reserve the right to update pricing with reasonable advance notice.

Data, Scanning, and Ownership
By using the Service, you grant us permission to perform external reconnaissance and vulnerability scans against assets you submit, collect and analyze publicly accessible data related to those assets, store scan results, findings, and metadata to provide reporting and historical tracking, and process scan data through Anthropic's Claude AI models (Sonnet and Opus) for analysis, triage, and report generation. Only technical scan data is transmitted to Anthropic — not personally identifiable information about your users. We do not claim ownership of your submitted assets or the data generated from scanning them. You retain full ownership of your data. We do not access private systems or bypass authentication controls.

Data Export and Portability
Scan results and executive reports are accessible via your organization dashboard and available for download as PDFs. For export of raw scan data in structured formats such as JSON or CSV, contact contact@gibborimoffsec.com and we will accommodate reasonable requests in a timely manner. Upon account termination, you may request a final export of your organization's scan data prior to deletion.

AI-Generated Insights
The Service uses Anthropic's Claude AI (Sonnet and Opus models) for AI-assisted analysis and report generation. AI-generated results may be incomplete or inaccurate and are provided for informational purposes only. You are responsible for validating findings before taking action based on Service output. AI-generated executive reports are decision-support tools, not definitive security assessments.

Vulnerability Disclosure
We are committed to the security of our own platform. If you discover a security vulnerability in Overwatch ASM or Gibborim Offensive Security infrastructure, please report it responsibly to security@gibborimoffsec.com. We will acknowledge receipt within 5 business days and communicate remediation timelines. We will not pursue legal action against researchers acting in good faith under this policy.

Incident Response and Breach Notification
We maintain internal incident response procedures to address security events. In the event of a confirmed security incident involving your organization's data, we will notify affected customers within 72 hours of becoming aware of the incident via the email address associated with your account and will provide information about the nature of the incident, the data affected, and the steps being taken to remediate.

Intellectual Property
We grant you a limited, non-exclusive, non-transferable license to access and use the Service in accordance with these Terms. You may not resell or redistribute the Service or its outputs, reverse engineer or attempt to extract underlying platform code or AI models, or use the Service outside its intended defensive security purpose. All rights not expressly granted are reserved by Gibborim Offensive Security, LLC.

Prohibited Use
You agree not to use the Service to conduct unauthorized scanning, testing, or reconnaissance against systems you do not own or are not authorized to test, violate any applicable laws or regulations, interfere with or attempt to gain unauthorized access to networks, systems, or other platform accounts, or engage in any activity that could expose Gibborim Offensive Security or its customers to legal liability. Violation may result in immediate account termination and may be reported to appropriate authorities.

Cookies
We use cookies to maintain session functionality, improve user experience, and analyze platform usage. You may disable cookies in your browser settings; however, some features may not function properly without them.

Disclaimer
The Service and all information provided are offered on an "as is" and "as available" basis. We make no warranties regarding the accuracy or completeness of scan results or AI-generated findings, detection of all vulnerabilities or exposures within submitted assets, or fitness for any particular security, compliance, or regulatory purpose. The Service is intended for informational and security analysis purposes only.

Limitation of Liability
To the fullest extent permitted by applicable law, Gibborim Offensive Security, LLC shall not be liable for security incidents or breaches not caused by our gross negligence or willful misconduct, loss of data, revenue, or business resulting from reliance on Service output, service interruptions or downtime, or decisions made based on AI-generated platform output. Our total aggregate liability for any claim shall not exceed the total fees paid by you in the twelve months preceding the claim. Nothing in these Terms limits liability where prohibited by law.

Termination
We may suspend or terminate your access at any time if you violate these Terms, if we reasonably suspect misuse or unauthorized scanning, or if termination is required by law or legal process. You may terminate your account at any time by contacting contact@gibborimoffsec.com. Upon termination, your data will be handled in accordance with our Privacy Policy.

Governing Law
These Terms are governed by the laws of the State of Oklahoma, United States, without regard to conflict of law principles. You agree to the exclusive jurisdiction of the state and federal courts located in Oklahoma for resolution of any disputes arising out of or relating to these Terms or the Service.


Changes to These Terms
We may update these Terms from time to time. For material changes, we will notify you via the email address associated with your account or via an in-platform notice prior to the changes taking effect. Continued use of the Service after changes take effect constitutes acceptance of the updated Terms.

Contact
For questions regarding these Terms, to report misuse, or to request data export upon termination, contact us at:
contact@gibborimoffsec.com
gibborimoffsec.com

Security disclosures: security@gibborimoffsec.com