Bishop Fox released AIMap as open-source โ an Nmap-style scanner for AI infrastructure that does discovery, fingerprinting, risk scoring, vulnerability testing, and visualization across the AI surface. Coverage includes MCP servers, Ollama, vLLM, LiteLLM, LocalAI, LangServe, LangChain, Open WebUI, LibreChat, Gradio, Streamlit, ComfyUI, Stable Diffusion, Hugging Face TGI, and generic inference APIs. The number that lands in the launch coverage and probably should make builders audit their stacks: 175,000+ Ollama instances reachable on the public internet, **roughly 91% with no authentication configured**. That's not a vulnerability in Ollama โ Ollama is doing what you asked it to do โ it's operators deploying local-LLM servers without recognizing they're shipping them to the internet.
The architecture is direct: Discovery via Shodan with 32 AI-specific signatures, Fingerprinting via Nuclei templates and HTTP probes (positive identifiers like Ollama's "Ollama is running" string at root or vLLM's `/version` endpoint), 0-10 risk scoring, protocol-specific attack suites (prompt injection, tool abuse, model extraction), and a Shodan-style visualization with 3D globe view. The exposed-vs-accessible distinction is the operationally important detail: HTTP 200 means no auth (anyone can hit the model), 401/403 means auth is configured, and WWW-Authenticate headers tell you the scheme (Bearer, Basic, API key). For builders running self-hosted LLM infrastructure, the practical asset inventory takes about ten minutes โ point AIMap at your own ASN, get a list of what's exposed and how it's protected. The legal compliance burden (CFAA, GDPR) is on operators using the tool for anything beyond their own infrastructure; Bishop Fox publishes it as a tool, not a service.
The ecosystem read pairs naturally with the prior MCP-server security and Claude Code Auto Mode architecture pieces. The pattern across all three: AI infrastructure is being deployed faster than the deployment hygiene catches up. MCP servers without authentication, Ollama instances on the public internet, vLLM endpoints exposed to anyone who finds them โ the attack surface is wide and visible. AIMap doesn't introduce the problem; it makes it measurable. The 91% Ollama-no-auth number is striking but consistent with the broader pattern of "AI infra deployed for personal use, then forgotten on a public IP." For security teams at AI-builder companies, this is the asset inventory question that hasn't had a tool until now. For solo builders running Ollama on a home server, the relevant question is whether you actually meant to expose port 11434 to the internet, and the answer is almost always no.
Practical move: if you run any of the listed AI infra in production or for personal use, scan your own perimeter with AIMap or equivalent. Default Ollama configuration binds to 0.0.0.0 in some setups โ check the listening interface, then check whether the firewall actually blocks external traffic. For MCP server operators (the recent attack-surface story has shown agents exploitable through prompt-injected tool outputs), the auth + network-isolation question is now a tool-discoverable one. For organizations deploying AI capabilities on internal infrastructure, run the scanner against your own IPs at least quarterly โ the deployment-without-auth pattern reproduces faster than security awareness propagates. The broader signal: AI security tooling is catching up with the rest of the security industry, and the gap between "we deployed an LLM" and "we deployed an LLM securely" has been wider than most builders realized.