AIMap: open-source tool for discovering and testing exposed AI endpoints

Over the past twelve months, the number of publicly accessible Ollama servers, MCP endpoints, and inference proxies on the Internet has increased exponentially, and many are deployed without authentication or rate limits. AIMap is an open-source platform that identifies these systems on a global scale, analyzes them, assesses their exposure, and performs protocol-specific attack tests on authorized targets.

Main features of AIMap

AIMap covers five main functions. Discovery occurs through 32 preconfigured queries that analyze Shodan-indexed data, searching for known AI signatures. The fingerprinting phase uses Nuclei templates and live HTTP checks to identify the protocol, framework, authentication status, exposed tools, models, and any leaked system prompts. Each endpoint receives a score from 0 to 10, based on factors such as authentication posture, tool exposure, CORS configuration, TLS status, system prompt leakage, and combinations of dangerous capabilities.

The testing phase runs protocol-specific attack suites, covering prompt injections, tool abuse, and model extraction. Results are displayed in a Shodan-like search interface and a global 3D view, filterable by protocol, risk level, country, port, and organization.

Scope of application

AIMap supports a wide range of frameworks and implementations, including Model Context Protocol (MCP), Ollama, vLLM, LiteLLM, LocalAI, LangServe and LangChain, OpenClaw and Clawdbot, Open WebUI and LibreChat, Gradio and Streamlit, ComfyUI and Stable Diffusion environments, Hugging Face TGI, and generic inference APIs.

For MCP servers, the attack module performs tool enumeration, authorization boundary testing, and prompt injection assessment. For Ollama, it performs model listing, model weight exposure verification, and prompt injections. OpenAI-compatible endpoints are tested for model enumeration, completion endpoint abuse, and system prompt extraction.

Differentiation between exposed and accessible

Aashiq Ramachandran, the Bishop Fox security researcher who created AIMap, explained that the platform distinguishes between network-reachable endpoints and those that are open. "When we probe paths like /v1/models, a 200 response indicates that the endpoint is actually open, with no authentication. A 401 or 403 response tells us that auth is configured," said Ramachandran. The probe further classifies the type of authentication by reading the WWW-Authenticate headers to differentiate Bearer/OAuth, Basic auth, and API key requirements.

Each discovered endpoint has an authstatus field, and the dashboard aggregates a noauth_count value across the entire dataset. Ramachandran emphasized that this operational distinction is crucial for triage: an Ollama instance returning 200 on its API belongs to a different risk class than a vLLM deployment returning 401, even though both are visible from the Internet.
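The triage rule above can be applied to probe results recorded against your own inventory. The following is an added example, not AIMap's code: the label names, the handling of responses that carry no recognised challenge, and the sample hosts are assumptions.

```python
# Constructed sample data: results of GET /v1/models recorded against hosts
# in your own inventory. Hostnames and header values are made up.
SAMPLE_RESULTS = [
    ("ollama-dev.example.internal:11434", 200, {}),
    ("vllm-prod.example.internal:8000", 401, {"WWW-Authenticate": 'Bearer realm="api"'}),
    ("proxy.example.internal:8080", 401, {"www-authenticate": 'Basic realm="llm"'}),
    ("gateway.example.internal:4000", 403, {}),
    ("old-box.example.internal:8000", 502, {}),
]

def classify_auth(status, headers):
    """Return an auth label for one probe response (labels are hypothetical)."""
    if status == 200:
        return "none"                      # answered without credentials: open
    if status not in (401, 403):
        return "unknown"                   # errors, redirects: cannot tell
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    parts = lowered.get("www-authenticate", "").split()
    scheme = parts[0].lower() if parts else ""
    if scheme in ("bearer", "basic"):
        return scheme
    # Assumption: auth is enforced but no standard challenge is advertised,
    # which this sketch files under API-key style protection.
    return "api_key_or_other"

def summarize(results):
    """Attach a label to every endpoint and count the unauthenticated ones."""
    labelled = {host: classify_auth(status, headers) for host, status, headers in results}
    noauth_count = sum(1 for label in labelled.values() if label == "none")
    return labelled, noauth_count

if __name__ == "__main__":
    labelled, noauth_count = summarize(SAMPLE_RESULTS)
    for host, label in labelled.items():
        print(f"{host:40} {label}")
    print("noauth_count =", noauth_count)
```

Endpoints labelled "none" are the ones to fix first; "unknown" results need a manual look rather than being counted as protected.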

Framework fingerprinting and the OpenAI compatibility problem

A recurring problem in scanning AI infrastructures is that many frameworks expose OpenAI-compatible APIs on overlapping ports in the 8000-8080 range, making generic /v1/models checks unreliable for attribution. Ramachandran explained that AIMap addresses this issue by first probing framework-specific endpoints and resorting to the generic check only as a fallback.

There are dedicated fingerprints for Ollama, vLLM, LiteLLM, LocalAI, Hugging Face TGI, Gradio, ComfyUI, Open WebUI, LangServe, and MCP servers. Each framework uses positive identifiers: Ollama returns the string "Ollama is running" on its root path, vLLM exposes a /version endpoint, and LiteLLM's /health response contains its name in the body.

Triton, LM Studio's server mode, the built-in HTTP server of llama.cpp, and Jan currently do not have dedicated fingerprints. Ramachandran stated that deployments running OpenAI-compatible APIs from these servers are still detected and reported as exposed inference endpoints, attributed generically. Dedicated fingerprints for each are planned, with Triton's health endpoints and model repository, and llama.cpp's /slots endpoint among the response features that allow positive identification.
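The ordering described in this section, framework-specific checks first and the generic /v1/models check only as a fallback, is shown in the added example below for asset attribution over recorded responses. It is not AIMap's code: the rule table is simplified to the three identifiers named above, and the hosts, bodies, and label strings are constructed.

```python
# Framework-specific rules, evaluated before the generic check.
# Each rule: (label, path, predicate over (status, body)).
RULES = [
    ("ollama", "/", lambda s, b: s == 200 and "Ollama is running" in b),
    ("vllm", "/version", lambda s, b: s == 200),
    ("litellm", "/health", lambda s, b: s == 200 and "litellm" in b.lower()),
]
GENERIC_PATH = "/v1/models"

def fingerprint(responses):
    """Attribute one host from its recorded {path: (status, body)} responses."""
    for label, path, matches in RULES:
        if path in responses and matches(*responses[path]):
            return label
    # Fallback: an OpenAI-compatible API answered, but nothing identified
    # the server behind it, so the attribution stays generic.
    status, _ = responses.get(GENERIC_PATH, (None, ""))
    return "generic-openai-compatible" if status == 200 else "unidentified"

# Constructed sample inventory. All four hosts answer /v1/models with 200,
# so that check alone cannot tell them apart.
MODELS = (200, '{"object": "list", "data": []}')
SAMPLE_HOSTS = {
    "gpu-01.example.internal:11434": {"/": (200, "Ollama is running"), "/v1/models": MODELS},
    "gpu-02.example.internal:8000": {"/": (404, ""), "/version": (200, '{"version": "x.y.z"}'),
                                     "/v1/models": MODELS},
    "gw-01.example.internal:8000": {"/version": (404, ""), "/health": (200, '{"service": "litellm"}'),
                                    "/v1/models": MODELS},
    # Stands in for a server without a dedicated fingerprint (e.g. llama.cpp).
    "lab-01.example.internal:8080": {"/": (200, "<html></html>"), "/version": (404, ""),
                                     "/health": (200, '{"status": "ok"}'), "/v1/models": MODELS},
}

def attribute_all(hosts):
    """Return {host: framework label} for the whole inventory."""
    return {host: fingerprint(responses) for host, responses in hosts.items()}

if __name__ == "__main__":
    for host, label in attribute_all(SAMPLE_HOSTS).items():
        print(f"{host:34} {label}")
```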

Score weighting

The 0 to 10 score combines lack of authentication, unknown authentication status, the number and type of exposed tools, the presence of high-risk or critical-risk tools, open CORS policies, missing TLS, system prompt leakage, exposed models, uncensored model detection, and logging configurations.

Combinations of risky conditions, such as unauthenticated access paired with code execution, receive additional weight. According to Bishop Fox, scores above 7 typically indicate exploitable conditions observed in the wild, including unauthenticated endpoints with code execution and exposed system prompts paired with tool access.

Scale of exposure

Bishop Fox's product demo cites over 175,000 exposed Ollama instances and over 1,000 exposed MCP endpoints, underscoring the urgency of adopting AI-specific security measures.

The importance of data visualization

AIMap not only identifies and assesses AI endpoints but also provides an intuitive visualization of the results through a Shodan-like search interface and a 3D globe view. These tools allow operators to filter results by protocol, risk level, country, port, and organization, facilitating the analysis and prioritization of the most critical endpoints. The 3D view, in particular, provides a geographical representation of exposed endpoints, highlighting areas with the highest concentration of risks.

The role of AIMap in defensive research

AIMap has been designed to support both authorized security testing and defensive research. Operators can use the tool to assess systems they own or for which they have obtained written authorization to test. The ability to perform protocol-specific tests, such as prompt injection, tool abuse, and model extraction, allows for an in-depth assessment of vulnerabilities. Additionally, payloads, responses, severity levels, and remediation notes are streamed in real time, providing valuable information for risk mitigation.

Future challenges and the potential of AIMap

Despite significant progress, AIMap still faces some challenges. For example, detection of partial authentication misconfigurations, where one path enforces authentication while another does not, is under development and not included in the current version. Furthermore, dedicated fingerprints for frameworks such as Triton, LM Studio, llama.cpp, and Jan are planned, which will further improve the tool's accuracy.

As AI infrastructures continue to evolve and threats increase, tools like AIMap will become increasingly essential. The ability to identify and assess exposed endpoints not only helps organizations protect their systems but also contributes to a broader understanding of vulnerabilities and best practices for AI security.

AIMap represents a significant step forward in AI infrastructure security. Its ability to discover, identify, assess, and test exposed endpoints provides operators with the tools needed to address growing security threats. With the widespread adoption of AI technologies, the use of tools like AIMap will be crucial to ensuring that these technologies are deployed securely and effectively.

📰 Source: helpnetsecurity.com ↗
✍️ Elaboration: Sebastiano · GoYou.it