AIMap discovers, fingerprints, scores, and tests exposed AI agent infrastructure across the internet.

It queries Shodan to identify exposed AI and ML endpoints, then probes each one using Nuclei templates and live HTTP checks to determine protocol, framework, authentication status, tools, models, and system prompts.

Each endpoint receives a risk score from 0 to 10 based on authentication posture, tool exposure, CORS policy, TLS configuration, system prompt leakage, and dangerous capability combinations. Attack suites for MCP, Ollama, and prompt injection run in real time, with results streamed as they arrive. All discovered endpoints are visualized in a searchable interface.

The barrier to building this capability is now an afternoon. AIMap puts that same view in the hands of defenders — so organizations can see exactly what their AI agent infrastructure looks like from the outside.

Exposed AI systems present a fundamentally new attack surface. They combine models, tool execution, APIs, and user interaction in ways that create novel risk combinations: unauthenticated endpoints with code execution, leaked system prompts, broad CORS policies, exposed model weights. AIMap detects these conditions, scores them based on how they combine in practice, and enables direct testing through protocol-specific scenarios including prompt injection, tool authorization boundary testing, and model extraction.

AI infrastructure has outpaced the security tooling built to assess it. AIMap closes that gap.

AIMap supports detection and analysis across a range of AI protocols and frameworks.

These include MCP (Model Context Protocol), Ollama, vLLM, LiteLLM, LocalAI, LangServe and LangChain deployments, OpenClaw and Clawdbot systems, Open WebUI and LibreChat interfaces, Gradio and Streamlit applications, ComfyUI and Stable Diffusion environments, Hugging Face TGI, and generic inference APIs.

Detection is performed through a combination of endpoint patterns, ports, API paths, and framework-specific markers.

AIMap’s attack testing capabilities are intended exclusively for authorized security engagements. Operators are responsible for confirming they own or have explicit written permission to test any target system. Discovery and fingerprinting features are read-only; active attack modules require operator opt-in and explicit target confirmation before execution. 

AIMap includes built-in attack testing capabilities tailored to specific protocols:

• For MCP servers, the platform supports tool enumeration, authorization boundary testing, and prompt injection assessment via tool descriptions.
• For Ollama instances, it supports model listing, model weight exposure verification, and prompt injection testing.
• OpenAI-compatible endpoints can be tested for model enumeration, completion endpoint abuse, and system prompt extraction assessment.

All attack results are streamed in real time and include severity ratings, raw request and response data, and associated findings.

Each endpoint discovered by AIMap receives a risk score between 0 and 10. 

The score is calculated based on multiple factors, including lack of authentication, unknown authentication status, number and type of exposed tools, presence of high-risk or critical-risk tools, open CORS policies, lack of TLS, system prompt leakage, exposed models, uncensored model detection, and signup configurations.

Additional scoring is applied for combinations of risky conditions, such as unauthenticated access combined with code execution capabilities.

Operationally, scores above 7 typically indicate exploitable combinations such as unauthenticated endpoints with code execution capabilities or exposed system prompts paired with tool access — conditions that have been actively targeted in the wild.

AIMap provides a searchable interface for exploring discovered endpoints across three primary use cases: threat hunting, executive reporting, and incident response.

The Shodan-style query language supports filters for protocol, authentication status, risk level, tool exposure, geographic location, port, and organization. Filters combine to refine results across multiple attributes — defenders can quickly identify their organization’s exposed AI agent infrastructure across cloud regions, or scope exposure when a new vulnerability drops in a specific framework.

The 3D globe visualization displays endpoints by protocol type, risk score, and geographic location. The view is built for executive and board-level reporting, giving leadership a clear picture of attack surface concentration at a glance.