Bishop Fox has unveiled AIMap, an internet-scale discovery and security testing platform designed for the rapidly growing AI agent attack surface. As organizations accelerate AI deployments, AIMap delivers the visibility needed to detect and address publicly exposed AI endpoints.
Addressing the Visibility Gap in AI Infrastructure
AIMap originated from a hackathon. In a single afternoon, using off-the-shelf components, the team assembled a platform capable of sweeping the internet for exposed AI agent infrastructure, fingerprinting endpoints, scoring risk, and launching active attacks against them. The ease of assembly was not incidental. It was the finding.
What it surfaced is a growing challenge: AI systems are increasingly deployed as externally accessible services, exposing models, tools, and system functionality through public-facing endpoints, often without consistent authentication or access controls.
This creates external visibility into AI systems that often exceeds an organization’s own understanding of its exposure — and the barrier to assembling that capability is now an afternoon.
“We built AIMap to reflect what attackers are already doing at scale,” said Vinnie Liu, CEO at Bishop Fox. “By releasing it as open source, organizations can take that capability, adapt it to their own environments, and use it to understand what AI systems are exposed, how they are configured, and what they can do when actively tested.”
Comprehensive Discovery and Risk Scoring
AIMap operates across five core capabilities to provide a complete view of AI risk:
- Discovery: Queries internet-scale data to identify exposed AI endpoints across the globe; uses a Shodan-style query language to filter by protocol, location and organization.
- Fingerprinting: Uses specialized probes to determine protocols, frameworks and authentication status.
- Scoring: Assigns a risk score (zero to 10) based on factors like system prompt leakage, unauthenticated access and the presence of high-risk tool execution.
- Testing: Launches protocol-specific attack suites such as prompt injection, tool abuse and model extraction with results streamed in real time.
- Visualization: Features a 3D globe visualization to explore discovered endpoints by protocol type, risk level and geographic location.
The platform supports detection and analysis across a range of AI protocols and frameworks, including Model Context Protocol (MCP), Ollama, vLLM, LiteLLM, LocalAI, LangServe and LangChain deployments, OpenClaw and Clawdbot systems, Open WebUI and LibreChat interfaces, Gradio and Streamlit applications, ComfyUI and Stable Diffusion environments, HuggingFace TGI, and generic inference APIs.
Commitment to Open Source
Consistent with Bishop Fox’s long-standing contributions to the security community, AIMap is available to the public and can be adapted by organizations to their own environments.
Users can deploy the platform locally via Docker Compose to run discovery scans and launch attack tests directly from the application.
For more details on AIMap, visit the tool page.
AIMap is intended for authorized security testing. Operators are solely responsible for ensuring their use of AIMap complies with the Computer Fraud and Abuse Act, GDPR, and all other applicable laws in their jurisdiction. Bishop Fox publishes AIMap as a research and defensive security tool and does not authorize or endorse use against systems the operator does not own or lacks permission to test.