The hosted scanner sends real (non-destructive) requests to the target you enter. By using it you agree to the terms below.
You may only scan MCP servers that you own or for which you have explicit permission to perform security testing. Scanning third-party systems without authorization may be illegal in your jurisdiction. You are solely responsible for ensuring you have the right to scan a given target.
A scan makes real HTTP/JSON-RPC requests to the target, including non-destructive probe payloads (e.g. path-traversal and injection strings) used purely to detect vulnerabilities. It never attempts to modify, delete, or persist data on the target. It will not follow redirects to internal addresses and refuses to scan private/internal IP ranges.
Don't use the service to overwhelm a target, to mass-scan systems you don't own, or to circumvent its rate limits and protections. Access is rate-limited per client and per target, and may be throttled, suspended, or blocked at our discretion. For automation, use the open-source CLI, which scans targets directly.
The scanner is provided “as is”, without warranty of any kind. Findings are best-effort indicators, not a guarantee of security or insecurity. We are not liable for any damages arising from use of the service or actions taken based on its output.
We don't require an account and don't store your scan reports server-side. Target URLs and request metadata may be processed transiently to run the scan and to operate rate limiting and abuse prevention.
Questions? Contact us. © 2026 codelake Technologies LLC (an Akyros Labs brand).