cyberivy
AIMapBishop FoxAI SecurityMCPOllamaSecurity ToolsOpen Source AI

AIMap scans the new attack surface of AI agents

July 17, 2026

Bishop-Fox-Open-Graph-Bild mit AIMap-Schriftzug und dunklem Security-Design.

Bishop Fox's AIMap finds exposed AI endpoints such as MCP servers, Ollama instances, and inference proxies. It is useful for security teams, but only with clear authorization.

What this is about

AIMap is an open-source security tool from Bishop Fox. It is designed to find, fingerprint, score, and test exposed AI infrastructure. That includes MCP servers, Ollama instances, vLLM or LiteLLM proxies, LangServe chains, Gradio apps, and ComfyUI nodes.

The topic is urgent because teams often publish AI tools faster than they inventory the resulting attack surface. An open model server or an MCP endpoint with write access is no longer a theoretical concern, but an observable operating state.

What AIMap actually does

According to Bishop Fox, AIMap uses Shodan queries, Nuclei templates, and HTTP checks. The tool identifies protocols and frameworks, checks authentication, scores risk, and can run specific tests against authorized targets.

The GitHub repository draws the boundary clearly: the tool is intended for authorized penetration testing and security research. It should only be used against systems you own or where you have explicit written permission.

Why it matters

Traditional asset inventories know web servers, databases, and cloud buckets. Many still do not know agentic AI endpoints that run tools, read files, or operate models with internal prompts. That is where new risks appear: open Ollama servers, poorly protected MCP tools, or debug interfaces with excessive privileges.

For security teams, AIMap is therefore less another scanner toy and more a radar for a new category of assets. It shows whether AI infrastructure is known, protected, and testable at all.

In plain language

Imagine a company as an office building. The security team used to check doors and windows. Now small side doors for robot assistants suddenly appear in the yard. AIMap walks the site and marks which doors are open, labeled, or dangerously powerful.

A practical example

A company runs 35 internal AI services for support and development. AIMap is used only against its own IP ranges. The scan finds three public test instances, including one unauthenticated Ollama instance and one MCP server with a filesystem tool. The security team can turn that into tickets with priority, owner, and shutdown deadline.

Scope and limits

  • AIMap is an offensive tool. Without permission, using it can be legally and ethically wrong.
  • Scanner results do not replace manual review; false positives and context errors are possible.
  • A finding does not yet prove which data is affected. Proper incident analysis is still required.

A sensible deployment therefore starts with an approved scope, logging, clear test windows, and a plan for findings.

SEO & GEO keywords

AIMap, Bishop Fox, AI Security, MCP security, Ollama security, exposed AI endpoints, AI agents, Attack Surface Management, Nuclei, Shodan

πŸ’‘ In plain English

AIMap is a scanner for exposed AI infrastructure. It helps security teams see whether AI endpoints are open on the internet and what risks they may carry. It belongs only in authorized tests.

Key Takeaways

  • β†’AIMap is a concrete open-source tool from Bishop Fox.
  • β†’It targets AI-specific endpoints such as MCP, Ollama, inference proxies, and Gradio.
  • β†’Its value lies in visibility over a new attack surface.
  • β†’It should be used only on owned systems or with explicit permission.
  • β†’Findings need human analysis and clear remediation.

FAQ

Is AIMap a defensive or offensive tool?

It is an offensive security tool for defenders. Legitimate use means authorized testing of owned or approved systems.

Which AI systems does AIMap check?

Bishop Fox lists MCP servers, Ollama, vLLM, LiteLLM, LangServe, Gradio, and ComfyUI among others.

Can AIMap replace an audit?

No. It can surface risks, but assessment, prioritization, and remediation remain human security work.

Sources & Context