Terms of use
Last updated: 2026-05-20.
What this service is
OutOfBits is an out-of-band application security testing (OAST) platform. You claim short DNS labels under ooast.net, and the service captures any DNS, HTTP, or SMTP requests that arrive at those hosts. You can inspect what was captured and optionally mutate the response with Python modifiers running in a sandbox.
Use at your own risk
OutOfBits is provided as-is, with no warranties of any kind — express or implied. There is no guarantee of availability, fitness for a particular purpose, security, or accuracy. The service may go down, lose data, or change behavior at any time without notice.
Responsible use
You are solely responsible for how you use OutOfBits. You agree to:
- Only target systems you own or have explicit, documented authorization to test.
- Comply with all applicable laws, including computer-misuse and unauthorized-access statutes in your jurisdiction and the target's.
- Not use the service to harass, defraud, or harm any person or organization.
- Not use the service to host or distribute malware, phishing content, or other abusive payloads.
Captured data is untrusted
Anything sent to a host you've claimed is captured verbatim and stored, including DNS qnames, HTTP request bodies, headers, query strings, and source IPs. Anyone on the public internet can send arbitrary data to your hosts — that is the OAST use case. Treat captured data as untrusted attacker-controlled input.
Don't put real secrets through it
Do not deliberately route production credentials, customer PII, payment details, or other sensitive data through your OutOfBits hosts as part of normal operations. Captured data is stored in our database, may appear in backups, and is retained for the period below. If a callback unavoidably contains a secret (e.g. a session token leaking through an SSRF probe), delete the interaction promptly and rotate the secret.
Data retention & backups
- Captured interactions (DNS, HTTP, and SMTP), chain execution logs, and rate-limit ticks are deleted after 30 days.
- Audit events (sign-ins, host claims, modifier edits, admin actions) are kept long-term.
- Database backups are taken weekly and retained for several months on the host (and optionally off-host).
- Deleted interactions disappear from the UI and API immediately but may persist in older backups until those are rotated.
Account access
Access is invitation-only. Access can be revoked at the owner's discretion, with or without notice, for any reason — including suspected abuse, legal request, or operational necessity. Revoked accounts keep their data on the server (subject to the retention schedule above) but cannot sign in.
Limitation of liability
To the maximum extent permitted by law, the owner of OutOfBits is not liable for any direct, indirect, incidental, consequential, or punitive damages arising from your use of the service — including but not limited to data loss, service unavailability, unintended data exposure, or actions taken by third parties against your hosts.
Changes to these terms
These terms may change. Material changes will be flagged on next sign-in and you'll be asked to re-accept. Continued use after acceptance constitutes agreement to the current version.
Contact
Questions, access requests, abuse reports, or data deletion requests: chs@outofbits.com.