Acceptable Use Policy

This Acceptable Use Policy ("AUP") governs the use of all platforms, services, environments, training materials, and content (collectively, "Services") provided by Fighting Smart Cyber, LLC ("FSC," "we," "us," or "our"), including but not limited to SOC-in-a-Box, the CYROID Cyber Range, Secure Kubernetes Core, application bundles, training labs, and the fightingsmartcyber.com website.

This AUP supplements the Terms & Conditions and any signed Master Services Agreement, Statement of Work, or Rules of Engagement. By accessing or using any FSC Service, you ("User") agree to this AUP. We may suspend or terminate access for any violation, at our sole discretion, with or without notice.

1. Scope and Who This Applies To

This AUP applies to every person who accesses an FSC Service, including Client employees, contractors, students, course participants, evaluators, trial users, and anyone using credentials issued by FSC or by a Client to access an FSC-managed environment. Clients are responsible for the conduct of their authorized users and must ensure those users have read and agree to this AUP before granting access.

2. General Acceptable Use

You may use FSC Services only for lawful purposes and only in accordance with the documentation, course descriptions, scope of work, or rules of engagement that apply to your engagement. You must:

• Operate within the explicit scope of your authorization;
• Comply with all applicable U.S. federal, state, and local laws, including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act, and applicable export control laws;
• Comply with all applicable third-party terms of service for cloud providers, software, and external services you choose to integrate with FSC Services;
• Respect the privacy, intellectual property, and confidentiality of others;
• Use Services in a manner consistent with their intended purpose.

3. Prohibited Activities

You may not use FSC Services to:

• Conduct any unauthorized access to, interference with, or exfiltration from systems, networks, applications, or data that you do not own or that you have not been explicitly authorized to test in writing;
• Launch attacks, scans, or exploitation activity against any third party from FSC infrastructure, FSC-managed cloud accounts, or FSC-issued public IP space;
• Distribute malware, ransomware, spyware, or destructive payloads outside of an isolated training or test environment;
• Generate, host, store, or transmit child sexual abuse material, content that incites violence, unlawful harassment, or unlawful discrimination;
• Send unsolicited bulk email (spam), conduct phishing campaigns against persons who have not consented in writing as part of an authorized engagement, or operate command-and-control infrastructure for unauthorized operations;
• Mine cryptocurrency, run distributed compute farms, or otherwise consume disproportionate compute resources outside the agreed scope;
• Attempt to bypass authentication, isolation, billing, quota, or licensing controls of FSC Services;
• Reverse-engineer, decompile, or attempt to extract source code from FSC Background IP except where expressly permitted by law that cannot be contractually waived;
• Resell, sublicense, white-label, or provide commercial training based on FSC Services or content without a written reseller or partner agreement;
• Use FSC Services to violate U.S. export controls or sanctions, including by exporting technical data or providing access to embargoed countries or restricted parties (see Terms § 14).

4. Offensive Security Tools and Content

FSC Services include offensive security tools, exploit frameworks, adversary emulation tradecraft, and other dual-use cybersecurity content. These materials are provided for authorized defensive research, authorized penetration testing, education, and CTF/exercise contexts only.

You will not use FSC-provided offensive tools, payloads, or tradecraft against any system, network, person, or organization without written authorization from a party with the legal right to grant that authorization. Possession of offensive material through FSC Services does not authorize its use against any target.

If you are participating in an FSC-led assessment or red team engagement, your authorization is defined by the signed Rules of Engagement for that engagement. If you are using FSC training content, your authorization is limited to the FSC-provided lab, range, or other isolated environment, plus any systems you separately own or are explicitly authorized to test.

5. Cyber Range and Training Environments

CYROID, lab environments, training ranges, and similar isolated infrastructure ("Range Environments") are provided for skill-building, exercise, and capability validation. When using Range Environments you will not:

• Attempt to break out of the Range Environment, pivot into FSC's underlying production infrastructure, or attack other tenants;
• Establish persistent egress connectivity from a Range Environment to systems outside the agreed scope;
• Exfiltrate Range content, scenarios, flag values, or instructor materials for redistribution;
• Use Range Environments to stage attacks against the public internet, third parties, or your own production environment;
• Store personal data, regulated data (e.g., PHI, PCI, CUI), classified information, or other sensitive production data inside a Range Environment unless the engagement explicitly authorizes it and appropriate controls are in place.

FSC may snapshot, reset, or terminate Range Environments to enforce isolation, recover resources, or respond to abuse.

6. Account Security and Credentials

You are responsible for safeguarding any credentials, API keys, certificates, or access tokens issued to you. You will not share credentials, allow others to use your account, or use another person's account. You will notify FSC promptly at team@fightingsmartcyber.com upon learning of any actual or suspected compromise of an FSC account or credential.

7. Acceptable Use of Training Materials

Slides, exercises, scenarios, lab guides, recordings, and other training content are FSC Background IP and are licensed for the personal educational use of the enrolled student, or for internal use by the organization that purchased the course, only. You will not publicly post, redistribute, resell, or use FSC training content to train others outside your organization without written permission.

8. Network, Bandwidth, and Resource Use

FSC Services are sized for the workloads described in the applicable SOW, order, or product page. FSC may apply rate limits, resource quotas, or fair-use policies, and may throttle or pause activity that is disproportionate, abusive, or that threatens the stability of shared infrastructure or other tenants.

9. Reporting Abuse and Vulnerabilities

If you observe a violation of this AUP, abuse of FSC infrastructure, or a security vulnerability in an FSC Service, please report it to team@fightingsmartcyber.com. Good-faith vulnerability research conducted in accordance with this AUP and any published coordinated disclosure guidance will not be treated as a breach of this AUP.

10. Enforcement and Consequences

FSC may investigate suspected violations and may, at its sole discretion and without prior notice, suspend access, terminate accounts, throttle or quarantine workloads, preserve and inspect logs, and cooperate with law enforcement. Violations may also result in liability under the Terms & Conditions, including the indemnification obligations in Terms § 13. Suspension or termination for violation does not relieve Client of unpaid fees.

11. Changes to This Policy

FSC may update this AUP from time to time. Material changes will be reflected by an updated "Effective Date" above. Continued use of FSC Services after an update constitutes acceptance of the revised AUP.

Contact