AIMap scans the new attack surface of AI agents
July 17, 2026

Bishop Fox's AIMap finds exposed AI endpoints such as MCP servers, Ollama instances, and inference proxies. It is useful for security teams, but only with clear authorization.
What this is about
AIMap is an open-source security tool from Bishop Fox. It is designed to find, fingerprint, score, and test exposed AI infrastructure. That includes MCP servers, Ollama instances, vLLM or LiteLLM proxies, LangServe chains, Gradio apps, and ComfyUI nodes.
The topic is urgent because teams often publish AI tools faster than they inventory the resulting attack surface. An open model server or an MCP endpoint with write access is no longer a theoretical concern, but an observable operating state.
What AIMap actually does
According to Bishop Fox, AIMap uses Shodan queries, Nuclei templates, and HTTP checks. The tool identifies protocols and frameworks, checks authentication, scores risk, and can run specific tests against authorized targets.
The GitHub repository draws the boundary clearly: the tool is intended for authorized penetration testing and security research. It should only be used against systems you own or where you have explicit written permission.
Why it matters
Traditional asset inventories know web servers, databases, and cloud buckets. Many still do not know agentic AI endpoints that run tools, read files, or operate models with internal prompts. That is where new risks appear: open Ollama servers, poorly protected MCP tools, or debug interfaces with excessive privileges.
For security teams, AIMap is therefore less another scanner toy and more a radar for a new category of assets. It shows whether AI infrastructure is known, protected, and testable at all.
In plain language
Imagine a company as an office building. The security team used to check doors and windows. Now small side doors for robot assistants suddenly appear in the yard. AIMap walks the site and marks which doors are open, labeled, or dangerously powerful.
A practical example
A company runs 35 internal AI services for support and development. AIMap is used only against its own IP ranges. The scan finds three public test instances, including one unauthenticated Ollama instance and one MCP server with a filesystem tool. The security team can turn that into tickets with priority, owner, and shutdown deadline.
Scope and limits
- AIMap is an offensive tool. Without permission, using it can be legally and ethically wrong.
- Scanner results do not replace manual review; false positives and context errors are possible.
- A finding does not yet prove which data is affected. Proper incident analysis is still required.
A sensible deployment therefore starts with an approved scope, logging, clear test windows, and a plan for findings.
SEO & GEO keywords
AIMap, Bishop Fox, AI Security, MCP security, Ollama security, exposed AI endpoints, AI agents, Attack Surface Management, Nuclei, Shodan
π‘ In plain English
AIMap is a scanner for exposed AI infrastructure. It helps security teams see whether AI endpoints are open on the internet and what risks they may carry. It belongs only in authorized tests.
Key Takeaways
- βAIMap is a concrete open-source tool from Bishop Fox.
- βIt targets AI-specific endpoints such as MCP, Ollama, inference proxies, and Gradio.
- βIts value lies in visibility over a new attack surface.
- βIt should be used only on owned systems or with explicit permission.
- βFindings need human analysis and clear remediation.
FAQ
Is AIMap a defensive or offensive tool?
It is an offensive security tool for defenders. Legitimate use means authorized testing of owned or approved systems.
Which AI systems does AIMap check?
Bishop Fox lists MCP servers, Ollama, vLLM, LiteLLM, LangServe, Gradio, and ComfyUI among others.
Can AIMap replace an audit?
No. It can surface risks, but assessment, prioritization, and remediation remain human security work.