Service Disclaimers
Last updated: 12 February 2026
1. General Disclaimer
The information provided on this website and through our services is for general cybersecurity purposes. While we strive for accuracy, the cybersecurity threat landscape changes rapidly and information may become outdated. Nothing on this website constitutes professional advice tailored to your specific circumstances.
2. Penetration Testing and Security Assessments
2.1 Scope and Authorisation
All penetration testing and security assessment services are conducted only under a signed engagement agreement that specifies:
- The scope of testing (systems, networks, applications, and IP ranges authorised for testing)
- The testing window (dates and times during which testing is authorised)
- Authorised testing techniques and any restrictions
- Emergency contact procedures
- Rules of engagement
Testing is conducted in compliance with the Computer Misuse Act 1990. We do not conduct any testing without prior written authorisation from the system owner.
2.2 Risk Acknowledgement
Penetration testing, by its nature, involves probing systems for vulnerabilities using techniques similar to those used by malicious actors. While we take every reasonable precaution, testing may:
- Cause temporary service disruption or degradation
- Trigger security alerts and automated defences
- Reveal pre-existing vulnerabilities that could be exploited by others if not remediated
- In rare circumstances, cause system instability or data loss
Clients are advised to maintain current backups and have incident response procedures in place during testing engagements.
2.3 Limitations
- Our assessments reflect the state of systems at the time of testing. New vulnerabilities may emerge after the assessment.
- No penetration test can guarantee discovery of all vulnerabilities. The absence of findings does not mean the absence of risk.
- Our findings and recommendations are based on professional judgement and the information available at the time. We do not guarantee that implementing our recommendations will prevent all security incidents.
- Results are confidential to the client and should not be shared with third parties without our written consent.
2.4 Professional Liability
Our liability for penetration testing engagements is governed by the terms of the signed engagement agreement, including any agreed liability cap. We maintain professional indemnity insurance appropriate to our services.
3. Cyber Threat Intelligence
3.1 Nature of Intelligence
Threat intelligence reports and alerts are produced from multiple sources including dark web monitoring, open-source intelligence (OSINT), and community sharing platforms. Intelligence products should be understood as:
- Indicative, not definitive — they represent our best assessment based on available information
- Point-in-time — the threat landscape changes continuously; intelligence may become outdated
- Probabilistic — confidence levels are assigned to all assessments and should be considered when making decisions
3.2 Accuracy and Completeness
While we employ rigorous validation processes (multi-source corroboration, analyst review, confidence scoring), we cannot guarantee:
- The accuracy, completeness, or timeliness of all intelligence
- That all relevant threats will be detected
- That identified threats will materialise
- That indicators of compromise (IOCs) are free from false positives
Intelligence is provided with confidence ratings (HIGH, MEDIUM, LOW). Recipients should consider these ratings when making security decisions.
3.3 Attribution
Threat actor attribution is inherently uncertain. Attributions in our intelligence products represent our assessed judgement, not confirmed fact. Attribution assessments may change as new information becomes available. We clearly state attribution confidence in all intelligence products.
3.4 No Guarantee of Protection
Threat intelligence informs security decisions but does not guarantee protection. Implementing our intelligence feeds, IOC blocklists, or detection rules reduces risk but cannot eliminate it. Clients remain responsible for their own security posture.
4. Dark Web Monitoring
4.1 Collection Methodology
Our dark web monitoring capability operates through passive observation only. We:
- Monitor publicly accessible areas of dark web forums, paste sites, and communication channels
- Do not create accounts on criminal platforms
- Do not purchase stolen data, credentials, or exploits
- Do not interact with, engage, or communicate with threat actors
- Do not access any system without authorisation
Our monitoring complies with the Computer Misuse Act 1990 and the UK GDPR.
4.2 Coverage Limitations
- No dark web monitoring service can achieve complete coverage of all dark web activity
- Dark web sources are ephemeral — content may be posted and removed before detection
- Some forums and channels require invitation or reputation-based access that passive monitoring cannot achieve
- Monitoring detects data after it has been published on the dark web — it cannot prevent the initial breach
4.3 Compromised Credential Alerts
When we identify client-related credentials on the dark web:
- We report findings as rapidly as possible, typically within 24 hours for critical findings
- We provide the compromised credential type (email, username) and source, but not plaintext passwords (which are handled according to our data protection policies)
- The existence of credentials on the dark web does not confirm they have been used for unauthorised access
- Clients should treat all identified compromised credentials as potentially exploitable and initiate remediation
4.4 Data Protection
Personal data encountered during dark web monitoring is handled in accordance with our Privacy Policy, our Legitimate Interest Assessment, and our Data Protection Impact Assessment. We process only the minimum data necessary for threat intelligence purposes.
5. Security Advisories and Blog Content
5.1 General Information Only
Security advisories, blog posts, and technical articles published on our website are provided for general informational and educational purposes only. They:
- Do not constitute professional advice for your specific environment
- May not reflect the most current threat landscape at the time of reading
- Should not be relied upon as the sole basis for security decisions
- May reference third-party tools, techniques, or products without endorsement
5.2 Responsible Use
Technical information published on our website is intended for legitimate cybersecurity purposes — defence, education, and authorised testing. We do not endorse or encourage the use of any techniques for unauthorised access to computer systems, which may constitute an offence under the Computer Misuse Act 1990.
6. Incident Response
6.1 Emergency Support
Incident response services are provided under separate engagement agreements. Contact during an active incident does not automatically create a service agreement or impose obligations on Varangian.
6.2 Limitations
- Incident response effectiveness depends on the quality and availability of evidence, logs, and system access provided by the client
- We cannot guarantee complete containment, eradication, or recovery from any security incident
- Forensic findings represent our professional assessment and may not be admissible as evidence in all legal proceedings without additional expert testimony
- Time-critical incident response may require decisions to be made with incomplete information
7. Limitation of Liability
To the maximum extent permitted by law:
- Our liability for any service engagement is limited to the terms of the signed engagement agreement
- Where no engagement agreement exists (e.g., reliance on website content), our liability is excluded as stated in our Terms of Service
- We are not liable for any loss or damage arising from a client's failure to implement our recommendations
- We are not liable for any loss or damage arising from reliance on threat intelligence that proves to be inaccurate or incomplete, provided we followed our standard validation processes
Nothing in these disclaimers excludes or limits our liability for death or personal injury caused by our negligence, fraud, or any other liability that cannot be excluded or limited by English law.
8. Contact
For questions about these disclaimers, contact us at info@varangian.ai.