A new executive order signed in June 2026 said something the security industry already knew, but said it with the weight of the Justice Department behind it: using AI to access or damage a computer without authorization is a crime, and it will be prosecuted.
Source: The White House, Promoting Advanced Artificial Intelligence Innovation and Security
Most of the coverage focused on the parts about frontier AI models and federal cyber programs. I want to talk about a smaller line in Section 4, because it goes to the heart of how we built Radar.
A Scan Is Access
Here is the uncomfortable truth about vulnerability scanning. When a scanner looks at a domain, it is reaching out and touching someone's systems. It is knocking on doors, checking which ones are unlocked, and writing down what it finds.
If you own the building, that is a security assessment. If you don't, that is casing the place.
The technology is identical. The only thing that separates a legitimate scan from unauthorized access is permission. And "permission" cannot just be a checkbox someone clicked that said "I promise this is mine." A checkbox proves nothing. Anyone can type a domain that isn't theirs into a form and click a box.
The June order makes the stakes plain. It directs the Attorney General to go after anyone who uses AI to illegally access a computer. A scanner that runs against any domain a stranger types in is, at best, one bad actor away from being the tool that crime was committed with.
We were not willing to build that.
How We Prove It Is Yours
Before Radar runs a single scan, it checks one thing: can the person asking for the scan prove they control the domain?
We do this with a DNS record. When you request a scan, we generate a unique token, something like radar-verify= followed by a random string that exists only for you. You add that token as a TXT record in your domain's DNS settings. Then we check for it.
The logic is simple and hard to fake. Only someone with administrative control of a domain can change its DNS records. A customer cannot add a TXT record to a domain they don't own. So if the token is there, ownership is proven. If it isn't, the scan does not run. In our codebase this check has a name. We call it Guardian 1: Proof of Ownership. It is the first gate, and nothing gets past it without clearing it.
It costs you a few minutes the first time. You log into your registrar or DNS provider, paste in one line, and we confirm it. That is the whole process.
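The gate described above, sketched as an added example (this is not Radar's code). The radar-verify= prefix comes from the article; the token length, the function names and the lookup_txt resolver callback are assumptions made for illustration.

```python
import hmac
import secrets

PREFIX = "radar-verify="  # prefix quoted in the article; everything else is assumed


def issue_token(nbytes: int = 24) -> str:
    """Create a per-request token: the prefix plus an unguessable random string."""
    return PREFIX + secrets.token_urlsafe(nbytes)


def normalize_txt(rdata) -> str:
    """Join the character-strings of one TXT record into a single value.

    Resolvers return a TXT record as one or more chunks of up to 255 bytes,
    and some tools show them wrapped in quotes; both forms are handled here.
    """
    chunks = [rdata] if isinstance(rdata, (str, bytes)) else list(rdata)
    parts = []
    for c in chunks:
        if isinstance(c, bytes):
            c = c.decode("ascii", errors="replace")
        parts.append(c.strip().strip('"'))
    return "".join(parts)


def ownership_proven(expected: str, txt_records) -> bool:
    """Gate: True only if some TXT record equals the issued token exactly."""
    if not expected.startswith(PREFIX) or len(expected) <= len(PREFIX):
        return False  # fail closed on an empty or malformed expected token
    want = expected.encode()
    found = False
    for rdata in txt_records:
        value = normalize_txt(rdata).encode()
        # Constant-time, whole-value comparison: no substring or prefix match
        found |= hmac.compare_digest(value, want)
    return found


def run_scan(domain: str, expected: str, lookup_txt) -> str:
    """lookup_txt(domain) is a caller-supplied resolver function (assumed)."""
    try:
        records = lookup_txt(domain)
    except Exception:
        return "refused: DNS lookup failed"  # fail closed, never scan on error
    if not ownership_proven(expected, records):
        return "refused: token not found"
    return "scan permitted"
```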
Why We Keep the Friction
It would be easy to drop this step. Plenty of tools do. "Just enter a URL and scan" demos better and converts faster.
But the friction is the product. The few minutes you spend proving you own a domain are the same few minutes that guarantee nobody can point our scanner at a hospital, a bank, or a competitor and generate a report on systems they have no right to touch. The order that came out this month is going to make a lot of companies revisit whether their tooling can be misused that way. We answered that question before we wrote the first line of scanning code.
There is a bigger idea underneath this. The security industry spent the last two years racing to bolt AI onto everything, and a lot of what shipped causes as many problems as it solves. We took a different view. The value is not that there is AI inside. The value is that there are guardrails around it, that a real person stands behind it, and that the thing was built to be safe by default instead of safe as an afterthought. Proof of ownership is one of those guardrails you can actually see.
If you want to understand what we hand you after the scan clears that gate, there is a sample report at oscarsixsecurityllc.com. It shows the format, the findings, and the plain-language summary your clients or your board can actually read.
We will not scan a domain you can't prove you own. That is not a limitation. That is the whole point.