Responsible Use

XoloC2 is a tool for authorized penetration testing only.

You must have explicit written permission from the system owner before deploying any beacon or running any command against a target system. Unauthorized access to computer systems is a criminal offense in most jurisdictions, including:

  • United States — Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
  • European Union — Directive on Attacks Against Information Systems (2013/40/EU)
  • United Kingdom — Computer Misuse Act 1990
  • Mexico — Código Penal Federal, Art. 211 bis

“I was just testing” is not a legal defense without prior written authorization.

Before deploying XoloC2 on any engagement:

  • You have a signed penetration testing agreement or statement of work (SOW)
  • The scope document explicitly lists the systems and IP ranges in scope
  • The client has been informed that a C2 framework will be used
  • You have a point of contact at the client who can verify your activity if needed

XoloC2 is not designed or intended for:

  • Unauthorized access to systems you do not own and have not been authorized to test
  • Targeting systems outside an agreed scope
  • Surveillance, stalkerware, or monitoring individuals without their consent
  • Attacks on critical infrastructure, healthcare, or public services
  • Any activity that causes harm, disruption, or financial damage to third parties

During and after an engagement:

  • Contain your infrastructure — use redirectors and kill dates to limit exposure after an engagement ends
  • Clean up — remove beacons and persistence mechanisms from target systems after the engagement
  • Protect your C2 server — enable MFA and the IP whitelist, and use strong passwords; a compromised C2 server is a liability for your clients
  • Secure exfiltrated data — data collected during testing must be handled according to your client’s data classification requirements and deleted after the report is delivered
  • Disclose vulnerabilities responsibly — findings discovered during an engagement belong to the client; coordinate disclosure through them

XoloC2 is released under the MIT License. This license permits free use, modification, and distribution, but includes no warranty and imposes no restrictions on use.

The authors and contributors of XoloC2 accept no liability for how this software is used. The responsibility for legal, ethical, and authorized use rests entirely with the operator.

If you believe XoloC2 infrastructure is being used for unauthorized activity, report it through GitHub: github.com/Juguitos/XoloC2/issues.