A deliberately vulnerable (and a deliberately secure) demo MCP server, public on purpose. Scan it here, with the open-source CLI, or with your own tooling, and see exactly what each grade looks like.
Each path is its own MCP server with a different security posture. Point the scanner at the full URL — or paste it into the box on the home page.
https://playground.mcpscanner.dev/error
No auth, misconfigured CORS, risky tools, and confirmed injection payloads. The tool set and CORS mode are randomised, so every scan looks a little different.

https://playground.mcpscanner.dev/success
A properly secured server. It rejects anonymous requests and weak tokens, so an anonymous scan finds nothing exploitable. Pass a strong bearer token to get benign “hello world” output.

https://playground.mcpscanner.dev/random
A randomised profile, seeded per client IP and 30-second window, so a single scan stays self-consistent but the profile re-rolls roughly every 30 seconds, flipping between a secure and an insecure server.
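As an added illustration of the behaviour described for the three paths (the per-IP, per-window seeding, the randomised tool set and CORS mode, and the bearer-token gate), here is a small model of how such a playground could decide what to serve. This is example code written for this page, not the playground's own implementation; the seed key, the tool catalogue, the CORS mode names and the "strong token" heuristic are all assumptions.

```python
import hashlib
import hmac
import math
import random
from collections import Counter

# Added example, not the playground's own code. The constants and catalogues
# below are assumptions made for illustration.
WINDOW_SECONDS = 30
SEED_KEY = b"demo-seed-key"      # assumption: server-side secret so a client cannot predict the roll
MIN_TOKEN_LEN = 32               # assumption: minimum length for a "strong" bearer token
MIN_BITS_PER_CHAR = 3.5          # assumption: crude Shannon-entropy floor per character

RISKY_TOOL_SETS = [              # assumption: catalogue the insecure profile draws from
    ["run_shell", "read_file"],
    ["exec_sql", "http_fetch"],
    ["write_file", "run_shell", "http_fetch"],
]
INSECURE_CORS_MODES = ["allow_any_origin", "reflect_origin"]   # assumption
SECURE_PROFILE = {"auth_required": True, "cors": "strict", "tools": ["hello_world"]}


def window_seed(client_ip: str, now: float) -> int:
    """Deterministic seed for one (client IP, 30-second window) pair.

    Keying the hash means the roll is stable for the client within a window
    but not predictable from the outside."""
    window = int(now // WINDOW_SECONDS)
    mac = hmac.new(SEED_KEY, f"{client_ip}|{window}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def insecure_profile(rng: random.Random) -> dict:
    """No auth, a randomly chosen risky tool set and a misconfigured CORS mode."""
    return {
        "auth_required": False,
        "cors": rng.choice(INSECURE_CORS_MODES),
        "tools": rng.choice(RISKY_TOOL_SETS),
    }


def profile_for(path: str, client_ip: str, now: float) -> dict:
    """Resolve which security posture a path presents to this client right now."""
    rng = random.Random(window_seed(client_ip, now))
    if path == "/success":
        return dict(SECURE_PROFILE)
    if path == "/error":
        return insecure_profile(rng)
    if path == "/random":
        # Coin flip comes first so the secure/insecure decision is fixed for the window.
        return insecure_profile(rng) if rng.random() < 0.5 else dict(SECURE_PROFILE)
    raise ValueError(f"unknown playground path: {path}")


def token_is_strong(token: str) -> bool:
    """Heuristic gate: long enough and not dominated by a few characters.

    A real server would also check the token against its credential store;
    this only models 'reject anonymous and weak tokens'."""
    if len(token) < MIN_TOKEN_LEN:
        return False
    n = len(token)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(token).values())
    return entropy >= MIN_BITS_PER_CHAR


def handle(path: str, client_ip: str, now: float, authorization: str = "",
           origin: str = "https://attacker.example") -> dict:
    """Return a minimal HTTP-like response for a request against the playground."""
    profile = profile_for(path, client_ip, now)
    if profile["auth_required"]:
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or not token_is_strong(token.strip()):
            return {"status": 401, "headers": {"WWW-Authenticate": "Bearer"}, "body": None}
        return {"status": 200, "headers": {},
                "body": {"tools": profile["tools"], "result": "hello world"}}
    # Insecure profile: no auth, and either a wildcard or a reflected Origin.
    allow = "*" if profile["cors"] == "allow_any_origin" else origin
    return {"status": 200, "headers": {"Access-Control-Allow-Origin": allow},
            "body": {"tools": profile["tools"]}}


if __name__ == "__main__":
    ip = "203.0.113.5"   # constructed sample client address
    print(handle("/error", ip, 990.0))
    print(handle("/success", ip, 990.0))
    print(handle("/success", ip, 990.0, "Bearer password123"))
```

One practical consequence of the window-based seeding: a scan that straddles a 30-second boundary can observe two different profiles, so keep a /random scan short (or run it twice) before treating a mixed result as a scanner bug.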
This isn't just for our scanner. Use it to test any MCP security tool: ours, the open-source CLI, or something you're building yourself.
No filesystem, shell, database or network is ever touched. Responses are canned fakes — safe to run, safe to scan.
An unauthenticated MCP server that exposes tools always carries at least one critical finding (no auth), so its grade is capped at D. Grades A to C require an authenticated server.
Whatever the scanner reports here is exactly what it reports on a real server — identical checks, identical scoring.