Verify an EchelonGraph scan

Found a request claiming to be EchelonGraph in your logs? Every genuine probe we send carries a signed X-EchelonGraph-Verify receipt. Paste it below and we'll tell you whether it was really us — including the exact target and time, so you can match it against your log entry. No receipt to hand? Select Try the example to see how it works.

Where do I find this token?

It's an HTTP request header named X-EchelonGraph-Verify, with a value that begins with v1. and looks like this:

X-EchelonGraph-Verify: v1.<signed-payload>.<signature>
User-Agent: Mozilla/5.0 (compatible; EchelonGraph-ExposureRadar-Verifier/1.0; +https://echelongraph.io/responsible-disclosure)
From: security@echelongraph.io

Heads-up: a typical default access log (Apache/nginx combined format) records only the client IP and User-Agent — not custom request headers. You'll find the X-EchelonGraph-Verify value in logs that capture full request headers: your application logs, a reverse proxy / load balancer or WAF configured to log headers, or a traffic capture. Paste just the value (everything after X-EchelonGraph-Verify:).

No receipt in your logs? You can still recognise us

Most default logs do capture the User-Agent and source IP. A genuine EchelonGraph request always shows our declared-bot User-Agent and a contact address:

  • User-Agent: Mozilla/5.0 (compatible; EchelonGraph-<Radar>/1.0; +https://echelongraph.io/responsible-disclosure)
  • From: security@echelongraph.io

A User-Agent on its own can be copied by anyone, which is exactly why the signed receipt exists. A request bearing our name with no valid receipt did not come from us — please report it to security@echelongraph.io.
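The triage described above, for logs that do capture request headers, as an added example that is not EchelonGraph's own code. It assumes a hypothetical JSON-lines log with `client_ip` and `headers` fields, and it checks only the shape of the receipt: "verify" means paste the value into the verifier and compare the target and time, "report" means the request used the name without a receipt-shaped value.

```python
import json

HEADER = "x-echelongraph-verify"  # header name from the page, lower-cased


def receipt_shaped(value):
    """Shape check only: v1.<signed-payload>.<signature>, all parts non-empty."""
    parts = value.strip().split(".")
    return len(parts) >= 3 and parts[0] == "v1" and all(parts[1:])


def triage(log_lines):
    """Return (client_ip, action, receipt) for every request naming EchelonGraph."""
    results = []
    for line in log_lines:
        entry = json.loads(line)
        # HTTP header names are case-insensitive, so normalise before lookup.
        headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        receipt = headers.get(HEADER, "").strip()
        claims_name = "echelongraph" in headers.get("user-agent", "").lower()
        if not (claims_name or receipt):
            continue  # unrelated traffic
        # A well-formed value is not proof: only the verifier holds the key.
        action = "verify" if receipt_shaped(receipt) else "report"
        results.append((entry.get("client_ip"), action, receipt or None))
    return results


# Constructed sample data: the log schema (assumed), IPs and receipt values
# are invented for illustration; the User-Agent string is the one shown on the page.
UA = ("Mozilla/5.0 (compatible; EchelonGraph-ExposureRadar-Verifier/1.0; "
      "+https://echelongraph.io/responsible-disclosure)")
SAMPLE_LOG = [
    json.dumps({"client_ip": "192.0.2.10", "headers": {
        "User-Agent": UA, "From": "security@echelongraph.io",
        "X-EchelonGraph-Verify": "v1.CONSTRUCTED-PAYLOAD.CONSTRUCTED-SIGNATURE"}}),
    json.dumps({"client_ip": "198.51.100.7", "headers": {"User-Agent": UA}}),
    json.dumps({"client_ip": "203.0.113.5", "headers": {"User-Agent": "curl/8.5.0"}}),
    json.dumps({"client_ip": "198.51.100.9", "headers": {
        "user-agent": UA, "x-echelongraph-verify": "v1.only-one-part"}}),
]

if __name__ == "__main__":
    for ip, action, receipt in triage(SAMPLE_LOG):
        print(ip, action, receipt)
```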

How verification works

Each genuine probe carries an HMAC-signed receipt over the exact target IP, port, radar, and timestamp, signed with a key that only our servers hold. We can't be impersonated: a forged token won't verify, and a token copied from a genuine probe will reveal a target/time that doesn't match the request in your logs. We never log in, exploit, write to, or read data from your systems. See our Responsible Disclosure & Data Transparency policy, including how to opt out.