Reference

Scanner egress IPs

Allowlist these IPs at your WAF, CDN, or edge so the Console can reach internet-facing targets without false-positive blocks.

Production scanner egress

All Range Assessment and scoped pentest traffic originates from these stable ranges. We add new IPs by appending; existing ones are not recycled.

# IPv4 (CIDR)
203.0.113.0/29     # primary
198.51.100.16/29   # secondary (failover)

# Reverse-DNS
*.scanner.smert.ai

The CIDRs above are placeholders pending the public IP-allocation announcement. Treat *.scanner.smert.ai as the canonical hostname allowlist while we finalize the IPs — that hostname is operationally pinned to the scanner pool and is safe to use in WAF allow rules today.

Identifying headers

Every scanner request is tagged so your SOC can correlate traffic.

User-Agent: SmertAI-Scanner/1.x (+https://cybersecurity.globalrailsuite.com/security)
X-Smertai-Engagement: <engagement-id>
X-Smertai-Run: <run-id>

Cloudflare WAF — quick rule

(ip.src in {203.0.113.0/29 198.51.100.16/29}) or (http.user_agent contains "SmertAI-Scanner")
# Action: Skip → all rules

What we never do

No traffic from these IPs is destructive — no DoS, no data destruction, no ransom.
We never test a target that is not on your tenant's allowlist table.
We respect the kill-switch in the Console — stopping a run halts new requests within seconds.

See the Authorization to Test (ROE) for the full rules of engagement, and /security for the safety model.