AIMap: Open-source tool finds and tests exposed AI endpoints

Public-facing Ollama servers, MCP endpoints, and inference proxies have multiplied across the internet over the past year, often deployed without authentication or rate limits. AIMap is an open-source platform that finds these systems at internet scale, fingerprints them, scores their exposure, and runs protocol-specific attack tests against authorized targets.

What AIMap does

AIMap covers five functions. Discovery queries Shodan-indexed data through 32 preset queries tuned to known AI signatures. Fingerprinting probes each candidate with Nuclei templates and live HTTP checks to identify protocol, framework, authentication state, exposed tools, models, and any leaked system prompts. Scoring assigns each endpoint a 0-to-10 value weighted by authentication posture, tool exposure, CORS configuration, TLS state, system prompt leakage, and dangerous capability combinations.

Testing runs protocol-specific attack suites covering prompt injection, tool abuse, and model extraction, with payloads, responses, severity ratings, and remediation notes streamed in real-time. Visualization presents the results in a Shodan-style search interface and a 3D globe view filterable by protocol, risk level, country, port, and organization.

Coverage spans Model Context Protocol (MCP), Ollama, vLLM, LiteLLM, LocalAI, LangServe and LangChain deployments, OpenClaw and Clawdbot systems, Open WebUI and LibreChat interfaces, Gradio and Streamlit applications, ComfyUI and Stable Diffusion environments, Hugging Face TGI, and generic inference APIs.

For MCP servers, the attack module performs tool enumeration, authorization boundary testing, and prompt injection assessment delivered through tool descriptions. For Ollama, it runs model listing, model weight exposure verification, and prompt injection. OpenAI-compatible endpoints are tested for model enumeration, completion endpoint abuse, and system prompt extraction.

Distinguishing exposed from accessible

Aashiq Ramachandran, the Bishop Fox security researcher who created AIMap, told Help Net Security that the platform separates endpoints that are network-reachable from those that are open. “When we probe paths like /v1/models, a 200 response indicates the endpoint is truly wide-open, no authentication whatsoever. A 401 or 403 tells us auth is configured,” Ramachandran said. The probe further classifies authentication type by reading WWW-Authenticate headers to differentiate Bearer/OAuth, Basic auth, and API key requirements.

Each discovered endpoint carries an auth_status field, and the dashboard aggregates a no_auth_count value across the dataset. Ramachandran said the operational difference matters for triage: an Ollama instance returning 200 on its API sits in a different risk class than a vLLM deployment returning 401, even when both are visible from the public internet.

Detection of partially misconfigured authentication, where one path enforces auth and another path on the same instance does not, is on the roadmap and is not in the current release.

Framework fingerprints and the OpenAI-compatible problem

A recurring problem in AI infrastructure scanning is that many frameworks expose OpenAI-compatible APIs on overlapping ports in the 8000 to 8080 range, making generic /v1/models checks unreliable for attribution. Ramachandran said AIMap addresses this by probing framework-specific endpoints first and falling back to the generic check only after.

Dedicated fingerprints exist for Ollama, vLLM, LiteLLM, LocalAI, Hugging Face TGI, Gradio, ComfyUI, Open WebUI, LangServe, and MCP servers. Each uses positive identifiers: Ollama returns the string “Ollama is running” on its root path, vLLM exposes a /version endpoint, and LiteLLM’s /health response contains its name in the body.

Triton, LM Studio’s server mode, llama.cpp’s built-in HTTP server, and Jan currently lack dedicated signatures. Ramachandran said deployments running OpenAI-compatible APIs from those servers are still detected and flagged as exposed inference endpoints, attributed generically. Dedicated fingerprints for each are planned, with Triton’s health and model repository endpoints and llama.cpp’s /slots endpoint among the response characteristics that allow positive identification.

How scoring is weighted

The 0-to-10 score combines lack of authentication, unknown authentication status, the count and type of exposed tools, presence of high-risk or critical-risk tools, open CORS policies, missing TLS, system prompt leakage, exposed models, uncensored model detection, and signup configurations.

Combinations of risky conditions, such as unauthenticated access paired with code execution, receive additional weight. According to Bishop Fox, scores above 7 typically indicate exploitable conditions seen in the wild, including unauthenticated endpoints with code execution and exposed system prompts paired with tool access.

Scale of the exposure

Bishop Fox’s product demonstration cites more than 175,000 exposed Ollama instances and more than 8,000 open MCP servers reachable from the public internet, with nearly half offering code execution and no authentication. The same demonstration puts the share of organizations with AI-specific security controls at 13 percent. A scan shown in the demo turned up close to 2,000 live AI endpoints across 50 countries, with 91 percent lacking authentication of any kind.

Operator responsibility

AIMap’s discovery and fingerprinting modules are read-only. Active attack modules require operator opt-in and explicit target confirmation before execution. Operators bear sole responsibility for compliance with the Computer Fraud and Abuse Act, GDPR, and other applicable laws. The tool is published for authorized security testing, defensive research, and assessment of systems the operator owns or has written permission to test.

AIMap is available for free on GitHub.

Must read:

• 25 open-source cybersecurity tools that don’t care about your budget
• GitHub CISO on security strategy and collaborating with the open-source community

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!