Disclaimer

Last updated: March 25, 2026

⚠️ Unauthorized Security Testing Is Illegal and Strictly Prohibited

SecureMonk may only be used to scan or assess systems you own or have received explicit written authorization to test. Using this Service — or the Ask Monk AI — to probe, fingerprint, exploit, or otherwise test systems without authorization may constitute a criminal offence under the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, the EU Directive on Attacks Against Information Systems, and equivalent laws in your jurisdiction. SecureMonk accepts no liability for unauthorized use and will cooperate fully with law enforcement investigations arising from misuse of the Service.

Not Professional Security Advice

SecureMonk is an automated informational tool. The scan results, scores, recommendations, and AI-generated responses provided by this Service are for educational and informational purposes only and do not constitute professional security advice, a security audit, penetration test, or compliance assessment.

Ask Monk AI — Important Limitations

Ask Monk is powered by Anthropic Claude, a large language model, augmented with a Retrieval-Augmented Generation (RAG) pipeline drawing from public security knowledge bases. You acknowledge the following critical limitations:

  • AI hallucination — language models can generate plausible-sounding but factually incorrect information. Always independently verify any security recommendations before implementing them, especially in production environments.
  • RAG knowledge base is not real-time — the knowledge base (OWASP, CISA KEV, NVD, CWE, MITRE ATT&CK, and others) is updated periodically, not in real time. Newly disclosed vulnerabilities or updated guidance may not yet be reflected in responses.
  • Context limitations — Ask Monk has no knowledge of your specific infrastructure, codebase, or environment. Responses are based on general security principles and the retrieved knowledge base context, not a bespoke assessment of your systems.
  • Not a substitute for professional advice — Ask Monk responses do not constitute professional security advice, legal advice, or compliance guidance. For decisions with material security or legal consequences, consult a qualified cybersecurity professional.
  • Do not submit sensitive information — do not include API keys, passwords, personal data, confidential business information, or sensitive system details in Ask Monk conversations. Questions are processed by third-party AI infrastructure (Anthropic Claude API).

No Guarantee of Accuracy

While we strive for accuracy, scan results reflect a point-in-time snapshot of publicly observable TLS and HTTP header configurations. Results may be affected by:

  • CDN or reverse proxy configurations that modify headers
  • Geographic or network-based variations in server responses
  • Server configuration changes made after the scan
  • Load balancer behavior serving different configurations
  • Temporary network conditions at the time of the scan

A high score does not guarantee that a website is secure, and a low score does not necessarily mean a website is vulnerable to attack.

No Guarantee of Completeness

SecureMonk evaluates a specific subset of security indicators (TLS/SSL configuration, HTTP security headers, and optionally detected technologies with known CVEs). Many critical security aspects are not covered, including but not limited to:

  • Application-level vulnerabilities (XSS, SQL injection, CSRF, etc.)
  • Server-side misconfigurations beyond TLS and headers
  • Authentication and authorization flaws
  • Business logic vulnerabilities
  • Third-party dependency vulnerabilities beyond what is publicly detectable
  • Infrastructure and network security
  • Data protection and encryption at rest

Vulnerability Scan Limitations

The optional vulnerability scan feature detects web technologies heuristically and cross-references them against the National Vulnerability Database (NVD). This process has significant limitations:

  • Version detection is heuristic — version numbers are inferred from HTTP headers, HTML metadata, and JavaScript patterns. They may be absent, incorrect, or stale.
  • NVD data has delays — newly disclosed CVEs may not yet appear in the NVD, and existing entries may be updated or corrected after initial publication.
  • False positives and negatives — a technology may be misidentified, a version may be detected incorrectly, or a CVE may not apply to the specific configuration in use.
  • CVEs are informational only — the presence of a CVE does not confirm exploitability in a specific deployment. Patch status, configuration, and mitigating controls are not assessed.
  • NVD coverage is incomplete — not all software libraries or custom components appear in the NVD, and detection is limited to technologies with known fingerprints.

CVE data is sourced from the National Vulnerability Database (NVD), operated by NIST. SecureMonk is not affiliated with NIST or the NVD.

AI-Generated News Content

The Security News section provides summaries generated by an AI language model (Google Gemini) from public security RSS feeds, published twice daily. This content is subject to the following limitations:

  • AI-generated summaries may contain inaccuracies, omissions, or misrepresentations of the source material.
  • Content reflects the source articles available at the time of generation and may not represent the full context of a security event.
  • News summaries are for informational purposes only and should not be used as the sole basis for security decisions.
  • SecureMonk is not responsible for the accuracy or completeness of third-party source articles linked in the news brief.

Scope of Scanning

SecureMonk only examines publicly accessible information obtained through standard TLS handshakes and HTTP responses. The Service does not:

  • Attempt to exploit any vulnerabilities
  • Access restricted or authenticated areas of websites
  • Perform brute force, fuzzing, or intrusive testing
  • Modify, alter, or damage target websites in any way
  • Access data beyond what a normal web browser would receive

Not a Compliance Tool

Scan results should not be used as evidence of compliance with any regulatory framework, including but not limited to PCI DSS, HIPAA, SOC 2, GDPR, ISO 27001, or NIST standards. Compliance assessments require comprehensive audits by qualified professionals.

Use at Your Own Risk

You acknowledge that you use the Service and rely on scan results and AI responses entirely at your own risk. SecureMonk, its operators, contributors, and affiliates are not responsible for any actions taken or not taken based on scan results or Ask Monk responses, including but not limited to:

  • Security incidents that occur despite a high scan score
  • Business decisions made based on scan results or AI recommendations
  • Configuration changes that cause service disruptions
  • Reliance on scan results or AI responses for contractual or legal obligations
  • Any harm resulting from following AI-generated security guidance without independent verification

Third-Party Websites

SecureMonk scans third-party websites at your request. We are not affiliated with, endorsed by, or responsible for any third-party website that is scanned. Scan results reflect the configuration of the target website and are not an endorsement or criticism of that website or its operators.

Recommendation

For comprehensive security assessments, we strongly recommend engaging qualified cybersecurity professionals who can perform thorough testing, including penetration testing, code review, and compliance audits tailored to your specific requirements. Ask Monk is a starting point for security education — not a replacement for expert human judgment.

Contact

If you have questions about this disclaimer, contact us at [email protected].