Cross-cloud surveys and synthesis papers covering AI/LLM infrastructure exposures.https://nuclide-research.com/en-ushttps://nuclide-research.com/research/case-studies--commercial--langgraph-studio-population-survey-2026-06-07/https://nuclide-research.com/research/case-studies--commercial--langgraph-studio-population-survey-2026-06-07/LangGraph Studio (github.com/langchain-ai/langgraph) is LangChain's local-development debugger / visualizer for LangGraph applications. It is designed to run on localhost:2024 during development, with desktop auth-type meaning no authentication is required because access is assumed to be from the same machine as the developer. LangChain ships separate produc…Sun, 07 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--langgraph-studio-population-survey-2026-06-07.png" alt="LangGraph Studio Population Survey — Local Dev Tool Misdeployed to Public AWS at 90.9%" /></p> <p>LangGraph Studio (github.com/langchain-ai/langgraph) is LangChain&#39;s local-development debugger / visualizer for LangGraph applications. It is designed to run on localhost:2024 during development, with desktop auth-type meaning no authentication is required because access is assumed to be from the same machine as the developer. LangChain ships separate produc…</p> <p>LangGraph Studio (github.com/langchain-ai/langgraph) is LangChain&#39;s local-development debugger / visualizer for LangGraph applications. It is designed to run on localhost:2024 during development, with desktop auth-type meaning no authentication is required because access is assumed to be from the same machine as the developer. LangChain ships separate production tooling — LangGraph Cloud (paid SaaS) and LangGraph Platform (self-hosted enterprise) — which use proper auth.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--langgraph-studio-population-survey-2026-06-07/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--openhands-population-survey-2026-06-07/https://nuclide-research.com/research/case-studies--commercial--openhands-population-survey-2026-06-07/OpenHands (github.com/All-Hands-AI/OpenHands, formerly OpenDevin) is an autonomous coding agent platform with multiple agent types (CodeActAgent, BrowsingAgent, VisualBrowsingAgent, ReadOnlyAgent, LocAgent, DummyAgent) that can interact with code repositories, browse the web, execute shell commands, and modify files. The platform represents one of the highes…Sun, 07 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--openhands-population-survey-2026-06-07.png" alt="OpenHands Population Survey — Autonomous Agent Task History + LLM Config Exposed at Scale" /></p> <p>OpenHands (github.com/All-Hands-AI/OpenHands, formerly OpenDevin) is an autonomous coding agent platform with multiple agent types (CodeActAgent, BrowsingAgent, VisualBrowsingAgent, ReadOnlyAgent, LocAgent, DummyAgent) that can interact with code repositories, browse the web, execute shell commands, and modify files. The platform represents one of the highes…</p> <p>OpenHands (github.com/All-Hands-AI/OpenHands, formerly OpenDevin) is an autonomous coding agent platform with multiple agent types (CodeActAgent, BrowsingAgent, VisualBrowsingAgent, ReadOnlyAgent, LocAgent, DummyAgent) that can interact with code repositories, browse the web, execute shell commands, and modify files. The platform represents one of the highest-LLM06 (Excessive Agency) attack surfaces in the current AI/LLM infrastructure population.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--openhands-population-survey-2026-06-07/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--synthesis-2026-06-07-auth-on-default-cohort/https://nuclide-research.com/research/case-studies--commercial--synthesis-2026-06-07-auth-on-default-cohort/Two-day population survey across 13 OSS AI/LLM infrastructure platforms reveals a maintainer-culture-axis split between demo-first defaults (auth-permissive, 70-91% open) and enterprise-customer-first defaults (auth-required, 0-1%). The cohort is not jurisdiction-defined. Insight #76 scope-bounded to platform class; LLM02 Sensitive Information Disclosure is the dominant finding class; the Capitol.ai escalation demonstrates the maintainer-default failing at enterprise-SaaS scale; in-flight attacker /proc/self/environ activity directly observable on OpenHands instances.Sun, 07 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--synthesis-2026-06-07-auth-on-default-cohort.png" alt="The Auth-on-Default Landscape of OSS AI/LLM Infrastructure" /></p> <p>Two-day population survey across 13 OSS AI/LLM infrastructure platforms reveals a maintainer-culture-axis split between demo-first defaults (auth-permissive, 70-91% open) and enterprise-customer-first defaults (auth-required, 0-1%). The cohort is not jurisdiction-defined. Insight #76 scope-bounded to platform class; LLM02 Sensitive Information Disclosure is the dominant finding class; the Capitol.ai escalation demonstrates the maintainer-default failing at enterprise-SaaS scale; in-flight attacker /proc/self/environ activity directly observable on OpenHands instances.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--synthesis-2026-06-07-auth-on-default-cohort/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--bisheng-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--bisheng-population-survey-2026-06-06/Bisheng (github.com/dataelement/bisheng) is an open-source LLM application development platform from DataElem (Beijing), focused on enterprise-oriented document AI, RAG, agent orchestration, and workflow building. Direct functional parallel to RAGFlow (also Shanghai-based) and Flowise.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--bisheng-population-survey-2026-06-06.png" alt="Bisheng Population Survey — Negative Result (Auth-Required Default)" /></p> <p>Bisheng (github.com/dataelement/bisheng) is an open-source LLM application development platform from DataElem (Beijing), focused on enterprise-oriented document AI, RAG, agent orchestration, and workflow building. Direct functional parallel to RAGFlow (also Shanghai-based) and Flowise.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--bisheng-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--dify-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--dify-population-survey-2026-06-06/Dify is an open-source LLM application development platform (drag-and-drop workflow builder, RAG pipelines, agent orchestration). 2,289 Shodan-indexed instances on http.title:"Dify".Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--dify-population-survey-2026-06-06.png" alt="Dify Population Survey — 939 Config-Disclosure, 9 Open Auth Findings" /></p> <p>Dify is an open-source LLM application development platform (drag-and-drop workflow builder, RAG pipelines, agent orchestration). 2,289 Shodan-indexed instances on http.title:&quot;Dify&quot;.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--dify-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--flowise-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--flowise-population-survey-2026-06-06/Flowise is a drag-and-drop LLM workflow builder. Default deployment: no authentication on /api/v1/chatflows — the endpoint returns the full list of all configured chatflows, their nodes, deployment status, and embedded credentials in flow configurations.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--flowise-population-survey-2026-06-06.png" alt="Flowise Population Survey — 578/841 Open, CVE-2024-36420 PoC Lab Exposed" /></p> <p>Flowise is a drag-and-drop LLM workflow builder. Default deployment: no authentication on /api/v1/chatflows — the endpoint returns the full list of all configured chatflows, their nodes, deployment status, and embedded credentials in flow configurations.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--flowise-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--langfuse-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--langfuse-population-survey-2026-06-06/Langfuse is an open-source LLM observability platform (trace ingestion, prompt analytics, evaluation tooling for production AI applications). 1,141 Shodan-indexed instances on "Langfuse" port:3000. 918 responded to live probing. 816 (88.9% of live, 71.5% of indexed) expose signUpDisabled: false to the public internet.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--langfuse-population-survey-2026-06-06.png" alt="Langfuse Population Survey — 816/918 Open Registration (88.9%)" /></p> <p>Langfuse is an open-source LLM observability platform (trace ingestion, prompt analytics, evaluation tooling for production AI applications). 1,141 Shodan-indexed instances on &quot;Langfuse&quot; port:3000. 918 responded to live probing. 816 (88.9% of live, 71.5% of indexed) expose signUpDisabled: false to the public internet.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--langfuse-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--librechat-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--librechat-population-survey-2026-06-06/LibreChat (github.com/danny-avila/LibreChat) is an open-source ChatGPT-alternative chat interface — supports multiple LLM providers, plugins, multimodal, multi-tenant via shared deployments. 3,153 Shodan-indexed instances on http.title:"LibreChat". 2,000 downloaded; 1,565 responded.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--librechat-population-survey-2026-06-06.png" alt="LibreChat Population Survey — 412/1,565 Open Registration (26.3%)" /></p> <p>LibreChat (github.com/danny-avila/LibreChat) is an open-source ChatGPT-alternative chat interface — supports multiple LLM providers, plugins, multimodal, multi-tenant via shared deployments. 3,153 Shodan-indexed instances on http.title:&quot;LibreChat&quot;. 2,000 downloaded; 1,565 responded.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--librechat-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--litellm-gateway-survey-cat05-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--litellm-gateway-survey-cat05-2026-06-06/The hunt started with a single Shodan dork: http.title:"LiteLLM" port:4000. It returned 2,219 results in under a second.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--litellm-gateway-survey-cat05-2026-06-06.png" alt="Cat-05: LiteLLM Gateway Survey — Open Proxies Exposing Commercial LLM API Keys" /></p> <p>The hunt started with a single Shodan dork: http.title:&quot;LiteLLM&quot; port:4000. It returned 2,219 results in under a second.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--litellm-gateway-survey-cat05-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--lobechat-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--lobechat-population-survey-2026-06-06/LobeChat (github.com/lobehub/lobe-chat) is an open-source ChatGPT-alternative chat interface from Lobehub, a China-origin OSS community. Direct functional parallel to LibreChat. 641 Shodan-indexed; 636 downloaded; only 12 of 636 (1.9%) responded to live HTTP probing. Of the 12 reachable: 10 are in fully-open mode (enabledAccessCode: false AND enabledOAuthSSO…Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--lobechat-population-survey-2026-06-06.png" alt="LobeChat Population Survey — 10/12 Fully Open (83.3%, small population)" /></p> <p>LobeChat (github.com/lobehub/lobe-chat) is an open-source ChatGPT-alternative chat interface from Lobehub, a China-origin OSS community. Direct functional parallel to LibreChat. 641 Shodan-indexed; 636 downloaded; only 12 of 636 (1.9%) responded to live HTTP probing. Of the 12 reachable: 10 are in fully-open mode (enabledAccessCode: false AND enabledOAuthSSO…</p> <p>LobeChat (github.com/lobehub/lobe-chat) is an open-source ChatGPT-alternative chat interface from Lobehub, a China-origin OSS community. Direct functional parallel to LibreChat. 641 Shodan-indexed; 636 downloaded; only 12 of 636 (1.9%) responded to live HTTP probing. Of the 12 reachable: 10 are in fully-open mode (enabledAccessCode: false AND enabledOAuthSSO: false), 2 are ACCESSCODEGATED, 1 of the open instances also has OAuth SSO available alongside no-access-code.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--lobechat-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--openwebui-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--openwebui-population-survey-2026-06-06/18,389 Shodan-indexed instances of Open WebUI. One GET to /api/config returns a JSON object that tells you everything: whether auth is enforced, whether public registration is open, the operator's branding name, and the exact version. No scanning required.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--openwebui-population-survey-2026-06-06.png" alt="Open WebUI Population Survey — 39 Auth-Off, 564 Open Signup" /></p> <p>18,389 Shodan-indexed instances of Open WebUI. One GET to /api/config returns a JSON object that tells you everything: whether auth is enforced, whether public registration is open, the operator&#39;s branding name, and the exact version. No scanning required.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--openwebui-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--openwebui-population-survey-2026-06-06-calibration-deltas/https://nuclide-research.com/research/case-studies--commercial--openwebui-population-survey-2026-06-06-calibration-deltas/A spot-check verification pass on five named-institution findings in the Open WebUI population survey, applying the attribution hierarchy from Insight #79.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--openwebui-population-survey-2026-06-06-calibration-deltas.png" alt="Cat-OW Calibration Deltas — 5 Named Findings Re-Verified" /></p> <p>A spot-check verification pass on five named-institution findings in the Open WebUI population survey, applying the attribution hierarchy from Insight #79.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--openwebui-population-survey-2026-06-06-calibration-deltas/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--phoenix-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--phoenix-population-survey-2026-06-06/Arize Phoenix (github.com/Arize-ai/phoenix) is an open-source LLM observability and tracing platform — span ingestion, project organization, dataset versioning, prompt management for production AI applications. 94 Shodan-indexed instances on "Phoenix" port:6006. 89 unique endpoints downloaded; 55 responded.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--phoenix-population-survey-2026-06-06.png" alt="Arize Phoenix Population Survey — 41/55 Unauthenticated Project Disclosure" /></p> <p>Arize Phoenix (github.com/Arize-ai/phoenix) is an open-source LLM observability and tracing platform — span ingestion, project organization, dataset versioning, prompt management for production AI applications. 94 Shodan-indexed instances on &quot;Phoenix&quot; port:6006. 89 unique endpoints downloaded; 55 responded.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--phoenix-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ragflow-population-survey-2026-06-06/https://nuclide-research.com/research/case-studies--commercial--ragflow-population-survey-2026-06-06/RAGFlow (github.com/infiniflow/ragflow) is an open-source RAG knowledge-base engine — document ingestion, vector retrieval, LLM-backed Q&A over enterprise knowledge bases. 1,915 Shodan-indexed instances on http.title:"RAGFlow". 709 responded to live probing. 618 (87.2% of live, 32.3% of indexed) expose registerEnabled: 1 to the public internet.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ragflow-population-survey-2026-06-06.png" alt="RAGFlow Population Survey — 618/709 Open Registration (87.2%)" /></p> <p>RAGFlow (github.com/infiniflow/ragflow) is an open-source RAG knowledge-base engine — document ingestion, vector retrieval, LLM-backed Q&amp;A over enterprise knowledge bases. 1,915 Shodan-indexed instances on http.title:&quot;RAGFlow&quot;. 709 responded to live probing. 618 (87.2% of live, 32.3% of indexed) expose registerEnabled: 1 to the public internet.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ragflow-population-survey-2026-06-06/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--cat03-model-serving-survey-2026-06-05/https://nuclide-research.com/research/case-studies--commercial--cat03-model-serving-survey-2026-06-05/Survey of 5,018 IPs across 17 Shodan and 9 Censys queries targeting Cat-03 (model serving and inference: llama.cpp, KoboldCpp, LM Studio, vLLM, SillyTavern, faster-whisper, One API, New API, Open WebUI, SGLang, GPT4All, HuggingFace TGI). 158 hosts responded live; aimap fingerprinted 72 services and flagged 20 CRITICAL / 19 HIGH. Verification of the flagged c…Fri, 05 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--cat03-model-serving-survey-2026-06-05.png" alt="Cat-03 Model Serving &amp; Inference — Survey 2026-06-05" /></p> <p>Survey of 5,018 IPs across 17 Shodan and 9 Censys queries targeting Cat-03 (model serving and inference: llama.cpp, KoboldCpp, LM Studio, vLLM, SillyTavern, faster-whisper, One API, New API, Open WebUI, SGLang, GPT4All, HuggingFace TGI). 158 hosts responded live; aimap fingerprinted 72 services and flagged 20 CRITICAL / 19 HIGH. Verification of the flagged c…</p> <p>Survey of 5,018 IPs across 17 Shodan and 9 Censys queries targeting Cat-03 (model serving and inference: llama.cpp, KoboldCpp, LM Studio, vLLM, SillyTavern, faster-whisper, One API, New API, Open WebUI, SGLang, GPT4All, HuggingFace TGI). 158 hosts responded live; aimap fingerprinted 72 services and flagged 20 CRITICAL / 19 HIGH. Verification of the flagged candidates refuted the majority: the One API/New API default-credential thesis did not hold at population scale (0/9), and four &quot;GPT Researcher&quot;, one &quot;Lunary&quot;, one &quot;h2oGPT&quot;, and two TTS fingerprints were misattributions. Six hosts confirmed genuinely unauthenticated with a 200-with-data read. The most material finding is an unauthenticated Ollama instance proxying a paid Ollama Connect cloud subscription (deepseek-v4-pro:cloud), callable by any internet host.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--cat03-model-serving-survey-2026-06-05/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ai-gateways-survey-cat32-2026-06-01/https://nuclide-research.com/research/case-studies--commercial--ai-gateways-survey-cat32-2026-06-01/An AI gateway sits in front of every upstream LLM provider an operator uses. It holds the OpenAI key, the Anthropic key, the Gemini key, the DeepSeek key. All in one process. That is the point of the product. It is also the problem.Mon, 01 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ai-gateways-survey-cat32-2026-06-01.png" alt="AI Gateways Population Survey: Cat-32 (2026-06-01)" /></p> <p>An AI gateway sits in front of every upstream LLM provider an operator uses. It holds the OpenAI key, the Anthropic key, the Gemini key, the DeepSeek key. All in one process. That is the point of the product. It is also the problem.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ai-gateways-survey-cat32-2026-06-01/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--argo-workflows-survey-cat29-2026-05-31/https://nuclide-research.com/research/case-studies--commercial--argo-workflows-survey-cat29-2026-05-31/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageSun, 31 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--argo-workflows-survey-cat29-2026-05-31.png" alt="Argo Workflows Population Survey — Cat-29 (2026-05-31)" /></p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--argo-workflows-survey-cat29-2026-05-31/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--data-labeling-survey-2026-05-31/https://nuclide-research.com/research/case-studies--commercial--data-labeling-survey-2026-05-31/Data-labeling platforms sit at the input boundary of every supervised-learning and RLHF pipeline. They hold the raw data being labeled: PII-dense text, scanned documents, medical and facial imagery, and the human-preference pairs that fine-tune LLMs. A 2026-05-04 cheap-VPS pass had already shown the category is auth-on by default (doccano 348/348, 98.9% auth…Sun, 31 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--data-labeling-survey-2026-05-31.png" alt="Data Labeling &amp; Annotation: the registration knob that re-opens the door" /></p> <p>Data-labeling platforms sit at the input boundary of every supervised-learning and RLHF pipeline. They hold the raw data being labeled: PII-dense text, scanned documents, medical and facial imagery, and the human-preference pairs that fine-tune LLMs. A 2026-05-04 cheap-VPS pass had already shown the category is auth-on by default (doccano 348/348, 98.9% auth…</p> <p>Data-labeling platforms sit at the input boundary of every supervised-learning and RLHF pipeline. They hold the raw data being labeled: PII-dense text, scanned documents, medical and facial imagery, and the human-preference pairs that fine-tune LLMs. A 2026-05-04 cheap-VPS pass had already shown the category is auth-on by default (doccano 348/348, 98.9% auth-on). So this survey was not a literal-no-auth hunt. It asked a sharper question: when a platform ships auth-on, does its own default-open knob (open self-registration, a documented default API key, no-auth commercial mode) re-create effective-unauth at population scale? And it targeted the managed-cloud tier the cheap-VPS pass had missed.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--data-labeling-survey-2026-05-31/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--rag-frameworks-survey-cat07-2026-05-31/https://nuclide-research.com/research/case-studies--commercial--rag-frameworks-survey-cat07-2026-05-31/First population survey of the RAG-framework-server category. 16 platforms in the 2026-05-27 pre-assessment intel (data/platform-intel/rag-frameworks-osint-2026-05-27.md); 15 dorks run this session. The category spans private document-QA workspaces, RAG pipelines, agentic-RAG, and self-hosted AI search — platforms whose value is the document corpus and conne…Sun, 31 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--rag-frameworks-survey-cat07-2026-05-31.png" alt="RAG Framework Servers Population Survey — Cat-07 (2026-05-31)" /></p> <p>First population survey of the RAG-framework-server category. 16 platforms in the 2026-05-27 pre-assessment intel (data/platform-intel/rag-frameworks-osint-2026-05-27.md); 15 dorks run this session. The category spans private document-QA workspaces, RAG pipelines, agentic-RAG, and self-hosted AI search — platforms whose value is the document corpus and conne…</p> <p>First population survey of the RAG-framework-server category. 16 platforms in the 2026-05-27 pre-assessment intel (data/platform-intel/rag-frameworks-osint-2026-05-27.md); 15 dorks run this session. The category spans private document-QA workspaces, RAG pipelines, agentic-RAG, and self-hosted AI search — platforms whose value is the document corpus and connected LLM API keys, not just compute.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--rag-frameworks-survey-cat07-2026-05-31/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--service-mesh-survey-2026-05-31/https://nuclide-research.com/research/case-studies--commercial--service-mesh-survey-2026-05-31/Every survey so far measured platforms that have an authentication layer and ship it on or off. Service-mesh introspection planes are a harder test for the auth-on-default thesis: most of them have no auth layer at all. Kiali's anonymous strategy, Linkerd's viz dashboard, Cilium's Hubble UI and relay, Istio's Envoy-admin and istiod-debug all rely on network…Sun, 31 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--service-mesh-survey-2026-05-31.png" alt="Service Mesh Control Planes: when exposure is the authentication failure" /></p> <p>Every survey so far measured platforms that have an authentication layer and ship it on or off. Service-mesh introspection planes are a harder test for the auth-on-default thesis: most of them have no auth layer at all. Kiali&#39;s anonymous strategy, Linkerd&#39;s viz dashboard, Cilium&#39;s Hubble UI and relay, Istio&#39;s Envoy-admin and istiod-debug all rely on network…</p> <p>Every survey so far measured platforms that have an authentication layer and ship it on or off. Service-mesh introspection planes are a harder test for the auth-on-default thesis: most of them have no auth layer at all. Kiali&#39;s anonymous strategy, Linkerd&#39;s viz dashboard, Cilium&#39;s Hubble UI and relay, Istio&#39;s Envoy-admin and istiod-debug all rely on network placement (loopback, ClusterIP, NetworkPolicy, &quot;do not expose&quot;) as the entire control. The question this survey asks: when the only control is network position, what does the exposed population look like? The prediction (Insight #71, codified here): exposure and unauthenticated are the same fact, so the rate approaches 100% by construction.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--service-mesh-survey-2026-05-31/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--specialty-data-layers-survey-2026-05-29/https://nuclide-research.com/research/case-studies--commercial--specialty-data-layers-survey-2026-05-29/Three of five sampled Spark History Servers exposed their job inventories with no authentication, and two of them are machine-learning pipelines. The job names are the finding. They map the feature-engineering, training, and prediction stages of an ML workflow on Google Cloud. ClickHouse returned 5,208 hosts on the empty- password port, but confirming the un…Sat, 30 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--specialty-data-layers-survey-2026-05-29.png" alt="Specialty Data Layers survey, 2026-05-30" /></p> <p>Three of five sampled Spark History Servers exposed their job inventories with no authentication, and two of them are machine-learning pipelines. The job names are the finding. They map the feature-engineering, training, and prediction stages of an ML workflow on Google Cloud. ClickHouse returned 5,208 hosts on the empty- password port, but confirming the un…</p> <p>Three of five sampled Spark History Servers exposed their job inventories with no authentication, and two of them are machine-learning pipelines. The job names are the finding. They map the feature-engineering, training, and prediction stages of an ML workflow on Google Cloud. ClickHouse returned 5,208 hosts on the empty- password port, but confirming the unauthenticated-query finding requires executing SQL against production databases, which the scope discipline did not permit. The population is real; the unauth claim is unverified, and this writeup says so.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--specialty-data-layers-survey-2026-05-29/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--auth-gateway-survey-2026-05-29/https://nuclide-research.com/research/case-studies--commercial--auth-gateway-survey-2026-05-29/Open Policy Agent ships with no authentication, and five of six sampled hosts returned their full Rego policy list with no credentials. The policy names are the finding. They map the operator's authorization model and the topology of whatever AI stack sits behind them. The admin APIs of Kong and OPA are Shodan-dark because they serve JSON, so the harvest fou…Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--auth-gateway-survey-2026-05-29.png" alt="Auth / Identity / Gateway survey, 2026-05-29" /></p> <p>Open Policy Agent ships with no authentication, and five of six sampled hosts returned their full Rego policy list with no credentials. The policy names are the finding. They map the operator&#39;s authorization model and the topology of whatever AI stack sits behind them. The admin APIs of Kong and OPA are Shodan-dark because they serve JSON, so the harvest fou…</p> <p>Open Policy Agent ships with no authentication, and five of six sampled hosts returned their full Rego policy list with no credentials. The policy names are the finding. They map the operator&#39;s authorization model and the topology of whatever AI stack sits behind them. The admin APIs of Kong and OPA are Shodan-dark because they serve JSON, so the harvest found OPA only through the diagnostic page string. Casdoor returned 1,375 identity-platform hosts that ship with the admin/123 default, a different exposure class the restraint ethic left untested.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--auth-gateway-survey-2026-05-29/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--experiment-tracking-registry-survey-2026-05-29/https://nuclide-research.com/research/case-studies--commercial--experiment-tracking-registry-survey-2026-05-29/MLflow ships with no authentication, and the population shows it: eight of eight sampled servers returned the full experiment list with no credentials. One held 379 experiments and leaked a Google Cloud Storage bucket name. The other high-severity targets did not deliver. Determined.ai was authenticated on every reachable host, including two on AWS GovCloud,…Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--experiment-tracking-registry-survey-2026-05-29.png" alt="Experiment Tracking, registry and RCE half, 2026-05-29" /></p> <p>MLflow ships with no authentication, and the population shows it: eight of eight sampled servers returned the full experiment list with no credentials. One held 379 experiments and leaked a Google Cloud Storage bucket name. The other high-severity targets did not deliver. Determined.ai was authenticated on every reachable host, including two on AWS GovCloud,…</p> <p>MLflow ships with no authentication, and the population shows it: eight of eight sampled servers returned the full experiment list with no credentials. One held 379 experiments and leaked a Google Cloud Storage bucket name. The other high-severity targets did not deliver. Determined.ai was authenticated on every reachable host, including two on AWS GovCloud, so the admin:blank default did not appear. Ray and Aim are Shodan-dark behind React single-page apps.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--experiment-tracking-registry-survey-2026-05-29/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ml-governance-survey-2026-05-29/https://nuclide-research.com/research/case-studies--commercial--ml-governance-survey-2026-05-29/Nine dorks. Six platforms. The category is well-secured at population scale, and that is the finding. The auth-on platforms run patched versions. The auth-off platforms are either Shodan-dark or empty demos. One unauthenticated Marquez server confirmed, and it held no production data.Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ml-governance-survey-2026-05-29.png" alt="ML Governance / Data Catalog survey, 2026-05-29" /></p> <p>Nine dorks. Six platforms. The category is well-secured at population scale, and that is the finding. The auth-on platforms run patched versions. The auth-off platforms are either Shodan-dark or empty demos. One unauthenticated Marquez server confirmed, and it held no production data.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ml-governance-survey-2026-05-29/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--model-serving-management-survey-2026-05-29/https://nuclide-research.com/research/case-studies--commercial--model-serving-management-survey-2026-05-29/The model-serving category is Shodan-dark. vLLM, Triton, TGI, and TorchServe all serve JSON APIs, and their identifying strings live in JSON bodies, not in the HTML Shodan crawls. The dominant self-hosted LLM inference server returned one hit on its own banner. That one host was a real unauthenticated vLLM serving a 20B model. The management-bypass surfaces…Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--model-serving-management-survey-2026-05-29.png" alt="Model Serving, management-plane and registry, 2026-05-29" /></p> <p>The model-serving category is Shodan-dark. vLLM, Triton, TGI, and TorchServe all serve JSON APIs, and their identifying strings live in JSON bodies, not in the HTML Shodan crawls. The dominant self-hosted LLM inference server returned one hit on its own banner. That one host was a real unauthenticated vLLM serving a 20B model. The management-bypass surfaces…</p> <p>The model-serving category is Shodan-dark. vLLM, Triton, TGI, and TorchServe all serve JSON APIs, and their identifying strings live in JSON bodies, not in the HTML Shodan crawls. The dominant self-hosted LLM inference server returned one hit on its own banner. That one host was a real unauthenticated vLLM serving a 20B model. The management-bypass surfaces that make this category dangerous are invisible to passive discovery.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--model-serving-management-survey-2026-05-29/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--rag-stragglers-survey-2026-05-29/https://nuclide-research.com/research/case-studies--commercial--rag-stragglers-survey-2026-05-29/AnythingLLM ships single-user mode with no password, and two of five sampled hosts had the web UI open to any browser visitor. The verification narrowed the finding: the open UI is browser-reachable, but the developer REST API still demands a key even in no-auth mode. RAGFlow returned 1,705 hosts, a large pre-auth-RCE-class population, but the RCE lives on a…Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--rag-stragglers-survey-2026-05-29.png" alt="RAG framework stragglers, 2026-05-29" /></p> <p>AnythingLLM ships single-user mode with no password, and two of five sampled hosts had the web UI open to any browser visitor. The verification narrowed the finding: the open UI is browser-reachable, but the developer REST API still demands a key even in no-auth mode. RAGFlow returned 1,705 hosts, a large pre-auth-RCE-class population, but the RCE lives on a…</p> <p>AnythingLLM ships single-user mode with no password, and two of five sampled hosts had the web UI open to any browser visitor. The verification narrowed the finding: the open UI is browser-reachable, but the developer REST API still demands a key even in no-auth mode. RAGFlow returned 1,705 hosts, a large pre-auth-RCE-class population, but the RCE lives on an internal RPC port and the vulnerable version cannot be confirmed from outside, so the survey confirms identity and stops there. LightRAG is Shodan-dark behind its JSON API.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--rag-stragglers-survey-2026-05-29/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-survey-2026-05-29/https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-survey-2026-05-29/Five dorks. One confirmed unauthenticated guardrail server, and the guardrail was the least exposed thing on the box. The same host left MongoDB, Redis, MySQL, PostgreSQL, and a Docker registry open with no authentication. The safety tool meant to inspect untrusted input was sitting on an unlocked data tier.Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--safety-guardrail-survey-2026-05-29.png" alt="LLM Safety / Guardrail survey, 2026-05-29" /></p> <p>Five dorks. One confirmed unauthenticated guardrail server, and the guardrail was the least exposed thing on the box. The same host left MongoDB, Redis, MySQL, PostgreSQL, and a Docker registry open with no authentication. The safety tool meant to inspect untrusted input was sitting on an unlocked data tier.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-survey-2026-05-29/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ai-eval-redteam-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--ai-eval-redteam-survey-2026-05-28/Promptfoo is the only AI eval/red-team platform in the 13-platform scope that produced confirmed unauthenticated exposure at scale. Four instances returned {"email":null} on GET /api/user/email with eval datasets and provider configurations readable without credentials. The best-characterized instance (evals.dev.generalwisdom.com, AWS Ashburn) exposed 60 LLM…Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ai-eval-redteam-survey-2026-05-28.png" alt="AI Evaluation and Red-Team Platform Survey — Promptfoo Population Pass" /></p> <p>Promptfoo is the only AI eval/red-team platform in the 13-platform scope that produced confirmed unauthenticated exposure at scale. Four instances returned {&quot;email&quot;:null} on GET /api/user/email with eval datasets and provider configurations readable without credentials. The best-characterized instance (evals.dev.generalwisdom.com, AWS Ashburn) exposed 60 LLM…</p> <p>Promptfoo is the only AI eval/red-team platform in the 13-platform scope that produced confirmed unauthenticated exposure at scale. Four instances returned {&quot;email&quot;:null} on GET /api/user/email with eval datasets and provider configurations readable without credentials. The best-characterized instance (evals.dev.generalwisdom.com, AWS Ashburn) exposed 60 LLM provider configurations including the Anthropic Claude 4.x model family and Azure GPT-4o, along with active eval datasets including test case corpora, prompt templates, and token usage statistics from runs as recent as 2026-05-01. LangSmith self-hosted instances were auth-enforced across all 30+ sampled hosts; v0.10+ default auth tightening has held. The six remaining platforms with HTTP server modes (TruLens, Inspect AI, HELM, DeepEval, Arthur Shield, Patronus AI) produced zero confirmed instances on Shodan. Six platforms are CLI-only with no HTTP server; Shodan surface is zero by design.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ai-eval-redteam-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--auth-gateway-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--auth-gateway-survey-2026-05-28/Shodan harvest of 13 auth and API gateway platforms returned confirmed populations across six categories. SuperTokens (port 3567) is the largest exposed surface at 455 confirmed internet-facing instances with no API key configured by default. Authentik reaches or exceeds Shodan's 1,000-result display cap. Authelia shows 33 instances. Kong admin port (8001) r…Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--auth-gateway-survey-2026-05-28.png" alt="Auth and API Gateway Platforms: Population Survey" /></p> <p>Shodan harvest of 13 auth and API gateway platforms returned confirmed populations across six categories. SuperTokens (port 3567) is the largest exposed surface at 455 confirmed internet-facing instances with no API key configured by default. Authentik reaches or exceeds Shodan&#39;s 1,000-result display cap. Authelia shows 33 instances. Kong admin port (8001) r…</p> <p>Shodan harvest of 13 auth and API gateway platforms returned confirmed populations across six categories. SuperTokens (port 3567) is the largest exposed surface at 455 confirmed internet-facing instances with no API key configured by default. Authentik reaches or exceeds Shodan&#39;s 1,000-result display cap. Authelia shows 33 instances. Kong admin port (8001) returns four direct admin API exposures. Casdoor, Keycloak, and ZITADEL have smaller footprints with IP populations harvested and queued for identity verification. Ory Kratos (port 4434), Ory Hydra (port 4445), OPA (port 8181), Tyk, and OPAL returned no hits on precision dorks, with broad port-only dorks requiring per-host verification before any finding can be claimed.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--auth-gateway-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--kubecost-opencost-finops-cost-api-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--kubecost-opencost-finops-cost-api-survey-2026-05-28/Sixty-seven Kubernetes cost-tooling endpoints (Kubecost 50, OpenCost 14, vendor-undetermined 3) answer their cost-model API with no authentication. Fifty-nine return full per-namespace cluster topology and summed daily spend on a single unauthenticated GET. That is the finding: a FinOps cost sidecar, deployed to watch the wallet, indexes the entire cluster a…Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--kubecost-opencost-finops-cost-api-survey-2026-05-28.png" alt="Unauthenticated FinOps Cost APIs Hand Attackers a Free Cluster Recon Map" /></p> <p>Sixty-seven Kubernetes cost-tooling endpoints (Kubecost 50, OpenCost 14, vendor-undetermined 3) answer their cost-model API with no authentication. Fifty-nine return full per-namespace cluster topology and summed daily spend on a single unauthenticated GET. That is the finding: a FinOps cost sidecar, deployed to watch the wallet, indexes the entire cluster a…</p> <p>Sixty-seven Kubernetes cost-tooling endpoints (Kubecost 50, OpenCost 14, vendor-undetermined 3) answer their cost-model API with no authentication. Fifty-nine return full per-namespace cluster topology and summed daily spend on a single unauthenticated GET. That is the finding: a FinOps cost sidecar, deployed to watch the wallet, indexes the entire cluster and then serves that index to anyone who asks. An unauthenticated caller gets a labeled map of every workload namespace, the cluster&#39;s security control plane (secret stores, admission controllers, EDR/SIEM), a dollar-denominated ranking of which clusters are the high-value production estates, and on 10 host-rows a co-located AI/LLM workload inventory. No credential needs to leak for any of this. The cost API is the map; the namespaces it reveals are the marked destinations.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--kubecost-opencost-finops-cost-api-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--model-serving-registry-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--model-serving-registry-survey-2026-05-28/Shodan sweep across 11 model-serving and registry platforms. MLflow is the only platform with a live, indexable population -- 10 confirmed unauthenticated instances spanning 6 cloud providers and 6 countries. Every other platform surveyed (vLLM, TorchServe, TensorFlow Serving, Ray Serve, BentoML, Seldon Core, KServe, ONNX Runtime Server, TGI, Triton) returne…Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--model-serving-registry-survey-2026-05-28.png" alt="Model Serving and Registry Infrastructure Survey" /></p> <p>Shodan sweep across 11 model-serving and registry platforms. MLflow is the only platform with a live, indexable population -- 10 confirmed unauthenticated instances spanning 6 cloud providers and 6 countries. Every other platform surveyed (vLLM, TorchServe, TensorFlow Serving, Ray Serve, BentoML, Seldon Core, KServe, ONNX Runtime Server, TGI, Triton) returne…</p> <p>Shodan sweep across 11 model-serving and registry platforms. MLflow is the only platform with a live, indexable population -- 10 confirmed unauthenticated instances spanning 6 cloud providers and 6 countries. Every other platform surveyed (vLLM, TorchServe, TensorFlow Serving, Ray Serve, BentoML, Seldon Core, KServe, ONNX Runtime Server, TGI, Triton) returned zero live hosts.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--model-serving-registry-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--rag-stragglers-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--rag-stragglers-survey-2026-05-28/Four RAG platforms were left unfinished from prior survey runs: LightRAG, RAGFlow, DocsGPT, and Ragapp. This pass closes them out with a full Shodan harvest, verification, and arsenal run.Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--rag-stragglers-survey-2026-05-28.png" alt="RAG Stragglers: LightRAG, RAGFlow, DocsGPT, Ragapp Population Survey" /></p> <p>Four RAG platforms were left unfinished from prior survey runs: LightRAG, RAGFlow, DocsGPT, and Ragapp. This pass closes them out with a full Shodan harvest, verification, and arsenal run.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--rag-stragglers-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-survey-2026-05-28/Two LLM Guard v0.0.10 instances confirmed from an 11-platform Shodan sweep. Both have auth configured on scan endpoints (/analyze/prompt, /analyze/output, /scan/output). Both expose /metrics without auth. The metrics endpoints leak operator domain names, internal docker network topology, container IPs, and production request volumes. F2 (57.128.58.103) has a…Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--safety-guardrail-survey-2026-05-28.png" alt="LLM Guard survey: guardrail platforms Shodan-dark except /metrics side-channel" /></p> <p>Two LLM Guard v0.0.10 instances confirmed from an 11-platform Shodan sweep. Both have auth configured on scan endpoints (/analyze/prompt, /analyze/output, /scan/output). Both expose /metrics without auth. The metrics endpoints leak operator domain names, internal docker network topology, container IPs, and production request volumes. F2 (57.128.58.103) has a…</p> <p>Two LLM Guard v0.0.10 instances confirmed from an 11-platform Shodan sweep. Both have auth configured on scan endpoints (/analyze/prompt, /analyze/output, /scan/output). Both expose /metrics without auth. The metrics endpoints leak operator domain names, internal docker network topology, container IPs, and production request volumes. F2 (57.128.58.103) has a second open Prometheus instance on port 9090 with scrape topology naming litellm:4000/metrics as the upstream target. All other guardrail platforms surveyed (Vigil, Rebuff, NeMo Guardrails, Guardrails AI, LlamaGuard, ShieldLM, PromptGuard, LlamaFirewall, OpenShield) returned zero confirmed instances across all dorks.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--specialty-data-layers-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--specialty-data-layers-survey-2026-05-28/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageThu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--specialty-data-layers-survey-2026-05-28.png" alt="Cat-30: Specialty Data Layers — Population Survey" /></p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--specialty-data-layers-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--voice-audio-ai-survey-2026-05-28/https://nuclide-research.com/research/case-studies--commercial--voice-audio-ai-survey-2026-05-28/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageThu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--voice-audio-ai-survey-2026-05-28.png" alt="Voice/Audio AI Infrastructure Survey" /></p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--voice-audio-ai-survey-2026-05-28/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--argo-workflows-survey-2026-05-27/https://nuclide-research.com/research/case-studies--commercial--argo-workflows-survey-2026-05-27/Shodan survey of the global Argo Workflows population via TLS certificate fingerprint. 67 confirmed instances (initial survey, ssl:"ArgoProj" dork) plus 17 Argo-confirmed instances from a second non-overlapping population of 200 IPs (ssl:"Argo Workflows" dork). All tested instances across both populations: auth-enforced. Combined passive-discoverable populat…Wed, 27 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--argo-workflows-survey-2026-05-27.png" alt="Argo Workflows: K8s-Native Workflow Orchestration Survey" /></p> <p>Shodan survey of the global Argo Workflows population via TLS certificate fingerprint. 67 confirmed instances (initial survey, ssl:&quot;ArgoProj&quot; dork) plus 17 Argo-confirmed instances from a second non-overlapping population of 200 IPs (ssl:&quot;Argo Workflows&quot; dork). All tested instances across both populations: auth-enforced. Combined passive-discoverable populat…</p> <p>Shodan survey of the global Argo Workflows population via TLS certificate fingerprint. 67 confirmed instances (initial survey, ssl:&quot;ArgoProj&quot; dork) plus 17 Argo-confirmed instances from a second non-overlapping population of 200 IPs (ssl:&quot;Argo Workflows&quot; dork). All tested instances across both populations: auth-enforced. Combined passive-discoverable population: 267 hosts. Notable operators include Home Depot, Apex Clearing, ForgeRock/Ping Identity, Salling Group, GREE Inc, Waabi AI, freed.ai, CAFIS (NTT Data). Zero unauthenticated instances across the entire combined population.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--argo-workflows-survey-2026-05-27/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ml-governance-data-catalog-survey-2026-05-27/https://nuclide-research.com/research/case-studies--commercial--ml-governance-data-catalog-survey-2026-05-27/56 confirmed governance platforms, 56 auth-enforced. Zero auth-off. All OpenMetadata instances run v1.3.1+, past the CVE-2024-28255 patch boundary. Version disclosure MEDIUM on 31 OpenMetadata hosts.Wed, 27 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ml-governance-data-catalog-survey-2026-05-27.png" alt="ML Governance / Data Catalog Survey — OpenMetadata + DataHub" /></p> <p>56 confirmed governance platforms, 56 auth-enforced. Zero auth-off. All OpenMetadata instances run v1.3.1+, past the CVE-2024-28255 patch boundary. Version disclosure MEDIUM on 31 OpenMetadata hosts.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ml-governance-data-catalog-survey-2026-05-27/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--openhands-code-assistant-survey-cat09-2026-05-26/https://nuclide-research.com/research/case-studies--commercial--openhands-code-assistant-survey-cat09-2026-05-26/191 OpenHands instances in Shodan. We scanned 56. 52 returned /api/v1/settings without authentication. On 26 of those 52 hosts, Evolution API (WhatsApp automation gateway) runs on port 3000 alongside OpenHands on port 3001. The same deployment template, the same no-auth posture, repeated across 26 cloud servers.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--openhands-code-assistant-survey-cat09-2026-05-26.png" alt="OpenHands Autonomous Agent: 52 Unauth Deployments, WhatsApp Bot Builder Pattern" /></p> <p>191 OpenHands instances in Shodan. We scanned 56. 52 returned /api/v1/settings without authentication. On 26 of those 52 hosts, Evolution API (WhatsApp automation gateway) runs on port 3000 alongside OpenHands on port 3001. The same deployment template, the same no-auth posture, repeated across 26 cloud servers.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--openhands-code-assistant-survey-cat09-2026-05-26/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--langgraph-deployment-gap-survey-2026-05-25/https://nuclide-research.com/research/case-studies--commercial--langgraph-deployment-gap-survey-2026-05-25/LangGraph's self-hosted deployment path ships with no authentication. We found sixteen internet-facing deployments. All sixteen were open. A financial AI system processing credit reports in Shanghai. A two-node PII scraper running in Paris with no auth by design.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--langgraph-deployment-gap-survey-2026-05-25.png" alt="LangGraph&#39;s Deployment Gap: Exposed AI Agent Infrastructure at Scale" /></p> <p>LangGraph&#39;s self-hosted deployment path ships with no authentication. We found sixteen internet-facing deployments. All sixteen were open. A financial AI system processing credit reports in Shanghai. A two-node PII scraper running in Paris with no auth by design.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--langgraph-deployment-gap-survey-2026-05-25/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--langgraph-server-survey-2026-05-25/https://nuclide-research.com/research/case-studies--commercial--langgraph-server-survey-2026-05-25/Population-scale survey of LangGraph Server deployments. LangGraph is LangChain's stateful multi-agent execution runtime. The canonical server ships on FastAPI/uvicorn (port 8000) with no authentication by default. Community wrappers (Node.js, custom Python) follow the same pattern.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--langgraph-server-survey-2026-05-25.png" alt="LangGraph Server Population Survey (2026-05-25)" /></p> <p>Population-scale survey of LangGraph Server deployments. LangGraph is LangChain&#39;s stateful multi-agent execution runtime. The canonical server ships on FastAPI/uvicorn (port 8000) with no authentication by default. Community wrappers (Node.js, custom Python) follow the same pattern.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--langgraph-server-survey-2026-05-25/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--redis-stack-redisinsight-population-survey-2026-05-25/https://nuclide-research.com/research/case-studies--commercial--redis-stack-redisinsight-population-survey-2026-05-25/Population-scale survey of Redis Stack (Redis with RediSearch vector search module) and RedisInsight (browser-based Redis management GUI) deployments.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--redis-stack-redisinsight-population-survey-2026-05-25.png" alt="Redis Stack / RedisInsight Population Survey (2026-05-25)" /></p> <p>Population-scale survey of Redis Stack (Redis with RediSearch vector search module) and RedisInsight (browser-based Redis management GUI) deployments.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--redis-stack-redisinsight-population-survey-2026-05-25/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--agenta-llmops-observability-survey-2026-05-22/https://nuclide-research.com/research/case-studies--commercial--agenta-llmops-observability-survey-2026-05-22/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageFri, 22 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--agenta-llmops-observability-survey-2026-05-22.png" alt="Agenta LLMOps — Population Survey" /></p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--agenta-llmops-observability-survey-2026-05-22/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--universities--overview/https://nuclide-research.com/research/case-studies--universities--overview/Full sweep of all 10,224 recognized universities worldwide (Hipo dataset, 202 countries). Two lanes ran:Wed, 20 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--universities--overview.png" alt="University AI Infrastructure Exposure: Global Overview" /></p> <p>Full sweep of all 10,224 recognized universities worldwide (Hipo dataset, 202 countries). Two lanes ran:</p> <p><a href="https://nuclide-research.com/research/case-studies--universities--overview/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--cost-billing-analytics-survey-2026-05-19/https://nuclide-research.com/research/case-studies--commercial--cost-billing-analytics-survey-2026-05-19/The AI cost / billing / usage analytics tier sits at the intersection of LLM operations and finance: it tracks per-tenant token usage, attaches dollar amounts to model calls, and surfaces usage to operators and customers. The auth posture matters because the data is financial-grade (CFO + auditor attention) and the API keys exposed in this tier are upstream…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--cost-billing-analytics-survey-2026-05-19.png" alt="AI Cost / Billing / Usage Analytics population survey: Langfuse secret-key exposures + Dokploy frontend-secret leak class" /></p> <p>The AI cost / billing / usage analytics tier sits at the intersection of LLM operations and finance: it tracks per-tenant token usage, attaches dollar amounts to model calls, and surfaces usage to operators and customers. The auth posture matters because the data is financial-grade (CFO + auditor attention) and the API keys exposed in this tier are upstream…</p> <p>The AI cost / billing / usage analytics tier sits at the intersection of LLM operations and finance: it tracks per-tenant token usage, attaches dollar amounts to model calls, and surfaces usage to operators and customers. The auth posture matters because the data is financial-grade (CFO + auditor attention) and the API keys exposed in this tier are upstream LLM provider keys with real billing power.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--cost-billing-analytics-survey-2026-05-19/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--mesh-and-orchestration-surveys-2026-05-19/https://nuclide-research.com/research/case-studies--commercial--mesh-and-orchestration-surveys-2026-05-19/Two surveys ran in parallel against unsurveyed FUTURE-SURVEYS roadmap categories:Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--mesh-and-orchestration-surveys-2026-05-19.png" alt="Service mesh + workflow-orchestration population surveys: Envoy admin config-dump + Prefect admin/settings + ML pipeline-engine exposures" /></p> <p>Two surveys ran in parallel against unsurveyed FUTURE-SURVEYS roadmap categories:</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--mesh-and-orchestration-surveys-2026-05-19/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-population-survey-2026-05-19/https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-population-survey-2026-05-19/The auth-on-default thesis predicts that products which ship without authentication will appear at population scale with the unauth posture intact. The LLM safety / guardrail / policy layer is the inversion test: does the layer that filters LLM input/output run itself unauthenticated? The first-pass verified-real result is yes, for a small but substantive su…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--safety-guardrail-population-survey-2026-05-19.png" alt="LLM Safety / Guardrail / Policy Engine population survey" /></p> <p>The auth-on-default thesis predicts that products which ship without authentication will appear at population scale with the unauth posture intact. The LLM safety / guardrail / policy layer is the inversion test: does the layer that filters LLM input/output run itself unauthenticated? The first-pass verified-real result is yes, for a small but substantive su…</p> <p>The auth-on-default thesis predicts that products which ship without authentication will appear at population scale with the unauth posture intact. The LLM safety / guardrail / policy layer is the inversion test: does the layer that filters LLM input/output run itself unauthenticated? The first-pass verified-real result is yes, for a small but substantive subset.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--safety-guardrail-population-survey-2026-05-19/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--code-assistants-population-survey-2026-05-18/https://nuclide-research.com/research/case-studies--commercial--code-assistants-population-survey-2026-05-18/This is the second pass on the AI code-assistant tier. The first pass on 2026-05-14 ran the full chain on 233 hosts and found 54 unauth across 8 platforms. Four days later we re-harvested and ran the chain again. Late in the session, a Stage-2 verification pass at the data-layer corrected the headline numbers down by 66 percent and produced two new insights.Mon, 18 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--code-assistants-population-survey-2026-05-18.png" alt="Code assistants — category 09 population follow-up survey 2026-05-18" /></p> <p>This is the second pass on the AI code-assistant tier. The first pass on 2026-05-14 ran the full chain on 233 hosts and found 54 unauth across 8 platforms. Four days later we re-harvested and ran the chain again. Late in the session, a Stage-2 verification pass at the data-layer corrected the headline numbers down by 66 percent and produced two new insights.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--code-assistants-population-survey-2026-05-18/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--jetson-tensorrt-edge-survey-2026-05-18/https://nuclide-research.com/research/case-studies--commercial--jetson-tensorrt-edge-survey-2026-05-18/The survey scoped as "Jetson / TensorRT edge" found that the dominant exposed population on the public internet is not the Jetson hardware itself. It is the edge-AI applications that ship with Jetson and run on similar hardware elsewhere. The four largest classes are Frigate (205 unauthenticated of 447 reachable), CodeProject.AI (39 of 40), DeepStack (24 of…Mon, 18 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--jetson-tensorrt-edge-survey-2026-05-18.png" alt="Jetson, TensorRT, and edge-AI: a population survey of NVR and inference exposure" /></p> <p>The survey scoped as &quot;Jetson / TensorRT edge&quot; found that the dominant exposed population on the public internet is not the Jetson hardware itself. It is the edge-AI applications that ship with Jetson and run on similar hardware elsewhere. The four largest classes are Frigate (205 unauthenticated of 447 reachable), CodeProject.AI (39 of 40), DeepStack (24 of…</p> <p>The survey scoped as &quot;Jetson / TensorRT edge&quot; found that the dominant exposed population on the public internet is not the Jetson hardware itself. It is the edge-AI applications that ship with Jetson and run on similar hardware elsewhere. The four largest classes are Frigate (205 unauthenticated of 447 reachable), CodeProject.AI (39 of 40), DeepStack (24 of 25), and motionEye (18 of 64). Frigate alone produced 15 hosts where /api/config returns YAML containing back-end RTSP camera URLs with plaintext credentials.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--jetson-tensorrt-edge-survey-2026-05-18/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--22-ai-stack-attribution-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--22-ai-stack-attribution-2026-05-17/The morning's mapping probe surfaced 22 Elasticsearch hosts with densevector or knnvector fields. Those are unambiguous AI / RAG workloads. We ran cert-pivot, Shodan, and aimap-profile on each one.Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--22-ai-stack-attribution-2026-05-17.png" alt="22 unauthenticated AI-stack Elasticsearch operators (2026-05-17)" /></p> <p>The morning&#39;s mapping probe surfaced 22 Elasticsearch hosts with densevector or knnvector fields. Those are unambiguous AI / RAG workloads. We ran cert-pivot, Shodan, and aimap-profile on each one.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--22-ai-stack-attribution-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ai-agents-survey-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--ai-agents-survey-2026-05-17/We surveyed the public-facing agent-framework population: AutoGen Studio, CrewAI, LangGraph Studio, Langflow, AgentOps. The corpus harvested from Shodan dorks totaled 351 unique IPs. After running aimap with existing fingerprints and applying Insight #30 multi-port consistency checking, the result is striking: the population is dominated by honeypot baits.Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ai-agents-survey-2026-05-17.png" alt="AI agent framework population survey, 2026-05-17" /></p> <p>We surveyed the public-facing agent-framework population: AutoGen Studio, CrewAI, LangGraph Studio, Langflow, AgentOps. The corpus harvested from Shodan dorks totaled 351 unique IPs. After running aimap with existing fingerprints and applying Insight #30 multi-port consistency checking, the result is striking: the population is dominated by honeypot baits.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ai-agents-survey-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--es-clickhouse-cross-stack-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--es-clickhouse-cross-stack-2026-05-17/Yesterday's surveys produced raw counts of 5,037 unauthenticated Elasticsearch hosts and 1,832 unauthenticated ClickHouse hosts. The verification ran through bespoke Python scripts. This survey ships aimap v1.9.8 (enumElasticsearch and enumClickHouse) and re-runs both host lists.Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--es-clickhouse-cross-stack-2026-05-17.png" alt="Cross-stack 24-hour follow-up on Elasticsearch and ClickHouse (2026-05-17)" /></p> <p>Yesterday&#39;s surveys produced raw counts of 5,037 unauthenticated Elasticsearch hosts and 1,832 unauthenticated ClickHouse hosts. The verification ran through bespoke Python scripts. This survey ships aimap v1.9.8 (enumElasticsearch and enumClickHouse) and re-runs both host lists.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--es-clickhouse-cross-stack-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--llm-gateway-survey-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--llm-gateway-survey-2026-05-17/We surveyed the public-facing LLM gateway / API-proxy population: LiteLLM, Helicone, Portkey, OneAPI, NewAPI, OpenRouter self-host. A LLM gateway sits between an application and one or more upstream LLM providers. It brokers requests, holds the operator's OpenAI / Anthropic / DeepSeek API keys, logs every prompt and response, and meters usage.Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--llm-gateway-survey-2026-05-17.png" alt="LLM gateway / proxy population survey, 2026-05-17" /></p> <p>We surveyed the public-facing LLM gateway / API-proxy population: LiteLLM, Helicone, Portkey, OneAPI, NewAPI, OpenRouter self-host. A LLM gateway sits between an application and one or more upstream LLM providers. It brokers requests, holds the operator&#39;s OpenAI / Anthropic / DeepSeek API keys, logs every prompt and response, and meters usage.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--llm-gateway-survey-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--mcp-server-survey-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--mcp-server-survey-2026-05-17/We surveyed the public Model Context Protocol (MCP) server population. MCP is Anthropic's wire format for letting LLMs call into external tools, prompts, and resources. It has become the standard control plane for agentic LLM deployments. We harvested candidates with protocol-strict Shodan dorks and cross-referenced against the 51 accidental MCP hits in yest…Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--mcp-server-survey-2026-05-17.png" alt="MCP server population survey, 2026-05-17" /></p> <p>We surveyed the public Model Context Protocol (MCP) server population. MCP is Anthropic&#39;s wire format for letting LLMs call into external tools, prompts, and resources. It has become the standard control plane for agentic LLM deployments. We harvested candidates with protocol-strict Shodan dorks and cross-referenced against the 51 accidental MCP hits in yest…</p> <p>We surveyed the public Model Context Protocol (MCP) server population. MCP is Anthropic&#39;s wire format for letting LLMs call into external tools, prompts, and resources. It has become the standard control plane for agentic LLM deployments. We harvested candidates with protocol-strict Shodan dorks and cross-referenced against the 51 accidental MCP hits in yesterday&#39;s training-observability survey.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--mcp-server-survey-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--meow-multi-actor-campaign-scope-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--meow-multi-actor-campaign-scope-2026-05-17/We sampled 150 of the 3,604 fully-wiped Elasticsearch hosts from this morning's re-probe. We read the readme index on each one. Three different actors are running the campaign in parallel.Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--meow-multi-actor-campaign-scope-2026-05-17.png" alt="Meow / Indexrm Elasticsearch extortion. Three actors. (2026-05-17)" /></p> <p>We sampled 150 of the 3,604 fully-wiped Elasticsearch hosts from this morning&#39;s re-probe. We read the readme index on each one. Three different actors are running the campaign in parallel.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--meow-multi-actor-campaign-scope-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--meow-population-census-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--meow-population-census-2026-05-17/We re-ran the full 4,776-host Elasticsearch population through aimap v1.9.10. The new release reads one document from the attacker-planted marker index and parses it for actor identifiers. The morning's 150-host probe found three actors; the population-scale pass confirms three primary actors plus a long tail.Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--meow-population-census-2026-05-17.png" alt="Meow / Indexrm campaign: per-actor census across 4,776 ES hosts" /></p> <p>We re-ran the full 4,776-host Elasticsearch population through aimap v1.9.10. The new release reads one document from the attacker-planted marker index and parses it for actor identifiers. The morning&#39;s 150-host probe found three actors; the population-scale pass confirms three primary actors plus a long tail.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--meow-population-census-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--training-observability-survey-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--training-observability-survey-2026-05-17/We surveyed self-hosted training-observability platforms: Weights & Biases (self-hosted), ClearML, Aim, Ray Dashboard, MLflow. The aim was to map the population of public-facing experiment trackers and characterize the auth posture per platform class.Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--training-observability-survey-2026-05-17.png" alt="Training observability survey, 2026-05-17" /></p> <p>We surveyed self-hosted training-observability platforms: Weights &amp; Biases (self-hosted), ClearML, Aim, Ray Dashboard, MLflow. The aim was to map the population of public-facing experiment trackers and characterize the auth posture per platform class.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--training-observability-survey-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--vectordb-survey-2026-05-17/https://nuclide-research.com/research/case-studies--commercial--vectordb-survey-2026-05-17/We surveyed the public vector-database population: Qdrant, Weaviate, Milvus, ChromaDB. Vector DBs hold the embeddings for an operator's RAG pipeline. Every document, customer transcript, support ticket, legal record, or PII row the operator has chunked and indexed for retrieval. The Meow / Indexrm extortion campaign hits Elasticsearch only, so unlike yesterd…Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--vectordb-survey-2026-05-17.png" alt="Vector database population survey, 2026-05-17" /></p> <p>We surveyed the public vector-database population: Qdrant, Weaviate, Milvus, ChromaDB. Vector DBs hold the embeddings for an operator&#39;s RAG pipeline. Every document, customer transcript, support ticket, legal record, or PII row the operator has chunked and indexed for retrieval. The Meow / Indexrm extortion campaign hits Elasticsearch only, so unlike yesterd…</p> <p>We surveyed the public vector-database population: Qdrant, Weaviate, Milvus, ChromaDB. Vector DBs hold the embeddings for an operator&#39;s RAG pipeline. Every document, customer transcript, support ticket, legal record, or PII row the operator has chunked and indexed for retrieval. The Meow / Indexrm extortion campaign hits Elasticsearch only, so unlike yesterday&#39;s ES population the vector-DB population is not wipe-contaminated. Operator data is alive.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--vectordb-survey-2026-05-17/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--agent-framework-stragglers-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--agent-framework-stragglers-population-survey-2026-05-16/Population survey of the agent-framework stragglers. Platforms that emerged in 2024-2025 alongside the AutoGen / Open WebUI / Flowise generation. Closes the gap left by the AutoGen Studio survey (2026-05-14) which only covered one platform in category 06.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--agent-framework-stragglers-population-survey-2026-05-16.png" alt="Agent-Framework Stragglers Population Survey (2026-05-16)" /></p> <p>Population survey of the agent-framework stragglers. Platforms that emerged in 2024-2025 alongside the AutoGen / Open WebUI / Flowise generation. Closes the gap left by the AutoGen Studio survey (2026-05-14) which only covered one platform in category 06.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--agent-framework-stragglers-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--agent-memory-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--agent-memory-population-survey-2026-05-16/Population-scale survey of agent-memory backends. The platform class that stores LLM conversation history, user profiles, and per-session context. A null-result-as-finding survey in the METHODOLOGY sense: the agent-memory tier is Tier-C (auth-on-default) at population scale.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--agent-memory-population-survey-2026-05-16.png" alt="Agent-Memory Population Survey: Falsification-Confirmation Result (2026-05-16)" /></p> <p>Population-scale survey of agent-memory backends. The platform class that stores LLM conversation history, user profiles, and per-session context. A null-result-as-finding survey in the METHODOLOGY sense: the agent-memory tier is Tier-C (auth-on-default) at population scale.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--agent-memory-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--argocd-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--argocd-population-survey-2026-05-16/Population-scale survey of Argo CD. The Kubernetes continuous-deployment pipeline. Argo CD operators configure git-source repositories, deploy targets (k8s clusters), and credentials; the platform watches git and reconciles cluster state. Unauth access to an Argo CD instance = arbitrary code deployment to the operator's k8s clusters.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--argocd-population-survey-2026-05-16.png" alt="Argo CD Population Survey (2026-05-16)" /></p> <p>Population-scale survey of Argo CD. The Kubernetes continuous-deployment pipeline. Argo CD operators configure git-source repositories, deploy targets (k8s clusters), and credentials; the platform watches git and reconciles cluster state. Unauth access to an Argo CD instance = arbitrary code deployment to the operator&#39;s k8s clusters.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--argocd-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--clickhouse-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--clickhouse-population-survey-2026-05-16/Largest single-platform population survey of the day. ClickHouse is the OLAP database that powers most modern observability stacks (SigNoz, Plausible, PostHog, Helicone, Phoenix-on-OTLP). Wherever an AI/LLM service emits traces or analytics, there's often a ClickHouse behind it.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--clickhouse-population-survey-2026-05-16.png" alt="ClickHouse Population Survey (2026-05-16)" /></p> <p>Largest single-platform population survey of the day. ClickHouse is the OLAP database that powers most modern observability stacks (SigNoz, Plausible, PostHog, Helicone, Phoenix-on-OTLP). Wherever an AI/LLM service emits traces or analytics, there&#39;s often a ClickHouse behind it.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--clickhouse-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--consul-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--consul-population-survey-2026-05-16/Population-scale survey of HashiCorp Consul deployments. Service registry + KV store + service-mesh control plane. Consul's default ACL policy is allow, so out-of-the-box deployments expose the agent, catalog, and KV state to anyone on the network. This survey is the third in the HashiCorp infrastructure trinity (etcd survey + Vault survey on 2026-05-15, Con…Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--consul-population-survey-2026-05-16.png" alt="Consul (HashiCorp) Population Survey (2026-05-16)" /></p> <p>Population-scale survey of HashiCorp Consul deployments. Service registry + KV store + service-mesh control plane. Consul&#39;s default ACL policy is allow, so out-of-the-box deployments expose the agent, catalog, and KV state to anyone on the network. This survey is the third in the HashiCorp infrastructure trinity (etcd survey + Vault survey on 2026-05-15, Con…</p> <p>Population-scale survey of HashiCorp Consul deployments. Service registry + KV store + service-mesh control plane. Consul&#39;s default ACL policy is allow, so out-of-the-box deployments expose the agent, catalog, and KV state to anyone on the network. This survey is the third in the HashiCorp infrastructure trinity (etcd survey + Vault survey on 2026-05-15, Consul completes today).</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--consul-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--data-labeling-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--data-labeling-population-survey-2026-05-16/Survey of the data-labeling platform population. The systems that store training-data annotation tasks, often containing PII or sensitive labels. Smaller surface than other categories surveyed today; the mixed result is informative.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--data-labeling-population-survey-2026-05-16.png" alt="Data-Labeling Population Survey (2026-05-16)" /></p> <p>Survey of the data-labeling platform population. The systems that store training-data annotation tasks, often containing PII or sensitive labels. Smaller surface than other categories surveyed today; the mixed result is informative.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--data-labeling-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--elasticsearch-ai-stack-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--elasticsearch-ai-stack-population-survey-2026-05-16/Population survey of Elasticsearch clusters with focus on AI-stack adjacency. RAG vector stores, langchain/llama-index indices, embedding caches, prompt history. Elasticsearch has been a major exposure surface for 8 years (the original "exposed Elasticsearch" panic was 2015); the novel angle here is the AI-stack-specific index-naming as an operator-attributi…Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--elasticsearch-ai-stack-population-survey-2026-05-16.png" alt="Elasticsearch AI-Stack Population Survey (2026-05-16)" /></p> <p>Population survey of Elasticsearch clusters with focus on AI-stack adjacency. RAG vector stores, langchain/llama-index indices, embedding caches, prompt history. Elasticsearch has been a major exposure surface for 8 years (the original &quot;exposed Elasticsearch&quot; panic was 2015); the novel angle here is the AI-stack-specific index-naming as an operator-attributi…</p> <p>Population survey of Elasticsearch clusters with focus on AI-stack adjacency. RAG vector stores, langchain/llama-index indices, embedding caches, prompt history. Elasticsearch has been a major exposure surface for 8 years (the original &quot;exposed Elasticsearch&quot; panic was 2015); the novel angle here is the AI-stack-specific index-naming as an operator-attribution channel.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--elasticsearch-ai-stack-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--experiment-tracking-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--experiment-tracking-population-survey-2026-05-16/Closes the experiment-tracking half of category 04 (the compute-orchestration half was surveyed 2026-05-06 with Spark / Airflow / Ray). MLflow was surveyed earlier in the series (Insight #18 buckets-locked finding). This survey covers the MLflow siblings: Weights & Biases self-hosted, ClearML, Aim Stack, Comet ML.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--experiment-tracking-population-survey-2026-05-16.png" alt="Experiment-Tracking Population Survey (2026-05-16)" /></p> <p>Closes the experiment-tracking half of category 04 (the compute-orchestration half was surveyed 2026-05-06 with Spark / Airflow / Ray). MLflow was surveyed earlier in the series (Insight #18 buckets-locked finding). This survey covers the MLflow siblings: Weights &amp; Biases self-hosted, ClearML, Aim Stack, Comet ML.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--experiment-tracking-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--gpu-compute-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--gpu-compute-population-survey-2026-05-16/Survey of the GPU-compute orchestration tier: Run:ai (Nvidia's enterprise GPU scheduler), DCGM-exporter (Prometheus exporter for NVIDIA GPU metrics), NVIDIA Bright Cluster Manager, Slurm REST API. Smaller surface than image-gen / vector-DB but operator-rich. These are dashboards and exporters that disclose the operator's full GPU topology.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--gpu-compute-population-survey-2026-05-16.png" alt="GPU-Compute Population Survey (2026-05-16)" /></p> <p>Survey of the GPU-compute orchestration tier: Run:ai (Nvidia&#39;s enterprise GPU scheduler), DCGM-exporter (Prometheus exporter for NVIDIA GPU metrics), NVIDIA Bright Cluster Manager, Slurm REST API. Smaller surface than image-gen / vector-DB but operator-rich. These are dashboards and exporters that disclose the operator&#39;s full GPU topology.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--gpu-compute-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--image-generation-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--image-generation-population-survey-2026-05-16/First population-scale survey of the image-generation modality. ComfyUI, AUTOMATIC1111 / SD WebUI, InvokeAI, Fooocus, SwarmUI, SD.Next, Forge. The category had no aimap fingerprints prior to this survey; the manual→productize→re-run loop applied. Fingerprint built mid-survey, shipped as aimap v1.9.6, then re-run across the corpus.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--image-generation-population-survey-2026-05-16.png" alt="Image-Generation Population Survey (2026-05-16)" /></p> <p>First population-scale survey of the image-generation modality. ComfyUI, AUTOMATIC1111 / SD WebUI, InvokeAI, Fooocus, SwarmUI, SD.Next, Forge. The category had no aimap fingerprints prior to this survey; the manual→productize→re-run loop applied. Fingerprint built mid-survey, shipped as aimap v1.9.6, then re-run across the corpus.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--image-generation-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ros-robotics-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--ros-robotics-population-survey-2026-05-16/Population survey of ROS (Robot Operating System) deployments. The canonical robotics middleware stack. ROS master :11311 speaks XMLRPC, rosbridge :9090 speaks WebSocket+HTTP. Both leak topic/node names when reachable unauth, and ROS is physical-impact tier, topics like /cmdvel, /jointstates, /movebase map to physical actuators on robots.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ros-robotics-population-survey-2026-05-16.png" alt="ROS Robotics Population Survey (2026-05-16)" /></p> <p>Population survey of ROS (Robot Operating System) deployments. The canonical robotics middleware stack. ROS master :11311 speaks XMLRPC, rosbridge :9090 speaks WebSocket+HTTP. Both leak topic/node names when reachable unauth, and ROS is physical-impact tier, topics like /cmdvel, /jointstates, /movebase map to physical actuators on robots.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ros-robotics-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--vectordb-stragglers-population-survey-2026-05-16/https://nuclide-research.com/research/case-studies--commercial--vectordb-stragglers-population-survey-2026-05-16/Closes the four platform-class stragglers left after the 2026-05 Qdrant / ChromaDB / Milvus / Weaviate sweep: Apache Solr, Meilisearch, Typesense, Vespa, plus pgvector body-marker recheck. Each candidate corpus was harvested individually and probed via fastenumvectordb.py.Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--vectordb-stragglers-population-survey-2026-05-16.png" alt="Vector-DB Stragglers Population Survey (2026-05-16)" /></p> <p>Closes the four platform-class stragglers left after the 2026-05 Qdrant / ChromaDB / Milvus / Weaviate sweep: Apache Solr, Meilisearch, Typesense, Vespa, plus pgvector body-marker recheck. Each candidate corpus was harvested individually and probed via fastenumvectordb.py.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--vectordb-stragglers-population-survey-2026-05-16/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--docker-daemon-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--docker-daemon-population-survey-2026-05-15/Survey of the Shodan-indexed Docker daemon population on port 2375. The canonical unauth port for the Docker HTTP API. Port 2376 is the TLS-auth variant; port 2375 is unauth by framework spec, and operators who expose it on the public internet are running with root-equivalent RCE-on-the-host as a default.Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--docker-daemon-population-survey-2026-05-15.png" alt="Unauth Docker Daemon Population Survey (2026-05-15)" /></p> <p>Survey of the Shodan-indexed Docker daemon population on port 2375. The canonical unauth port for the Docker HTTP API. Port 2376 is the TLS-auth variant; port 2375 is unauth by framework spec, and operators who expose it on the public internet are running with root-equivalent RCE-on-the-host as a default.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--docker-daemon-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--etcd-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--etcd-population-survey-2026-05-15/Population-scale survey of etcd. The distributed key-value store that backs Kubernetes' entire cluster state. Each unauthenticated etcd is a secrets-store leak class: anyone can list (and read) the cluster's stored data including Kubernetes secrets, service-discovery records, and operator-stored configuration.Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--etcd-population-survey-2026-05-15.png" alt="etcd Population Survey (2026-05-15)" /></p> <p>Population-scale survey of etcd. The distributed key-value store that backs Kubernetes&#39; entire cluster state. Each unauthenticated etcd is a secrets-store leak class: anyone can list (and read) the cluster&#39;s stored data including Kubernetes secrets, service-discovery records, and operator-stored configuration.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--etcd-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--llamacpp-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--llamacpp-population-survey-2026-05-15/Direct follow-on survey to the day's Ollama work and the aimap v1.9.4 release. aimap v1.9.4 added a llama.cpp server fingerprint after the 194.233.71.223 single-host case revealed that PHASE-2 fingerprinting was missing llama.cpp on port 11434 despite an explicit Server: llama.cpp HTTP header. This survey is the first population-scale exercise of that finger…Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--llamacpp-population-survey-2026-05-15.png" alt="llama.cpp HTTP Server Population Survey (2026-05-15)" /></p> <p>Direct follow-on survey to the day&#39;s Ollama work and the aimap v1.9.4 release. aimap v1.9.4 added a llama.cpp server fingerprint after the 194.233.71.223 single-host case revealed that PHASE-2 fingerprinting was missing llama.cpp on port 11434 despite an explicit Server: llama.cpp HTTP header. This survey is the first population-scale exercise of that finger…</p> <p>Direct follow-on survey to the day&#39;s Ollama work and the aimap v1.9.4 release. aimap v1.9.4 added a llama.cpp server fingerprint after the 194.233.71.223 single-host case revealed that PHASE-2 fingerprinting was missing llama.cpp on port 11434 despite an explicit Server: llama.cpp HTTP header. This survey is the first population-scale exercise of that fingerprint.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--llamacpp-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--medical-edge-ai-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--medical-edge-ai-survey-2026-05-15/Surveyed the 1,017-CIDR tier-2 cloud range list (DigitalOcean / Hetzner / Vultr / OVH / Linode ≈ 3.55M IPs) for medical-imaging AI infrastructure: Orthanc DICOM servers, MONAI Label / MONAI Deploy, NVIDIA Clara, NVIDIA NIM, and dcm4che-class archives. Shodan was unavailable for this survey (API key rotated stale), so discovery used the port-first methodology…Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--medical-edge-ai-survey-2026-05-15.png" alt="Medical / Edge AI Survey: DICOM Protocol Exposure at Population Scale" /></p> <p>Surveyed the 1,017-CIDR tier-2 cloud range list (DigitalOcean / Hetzner / Vultr / OVH / Linode ≈ 3.55M IPs) for medical-imaging AI infrastructure: Orthanc DICOM servers, MONAI Label / MONAI Deploy, NVIDIA Clara, NVIDIA NIM, and dcm4che-class archives. Shodan was unavailable for this survey (API key rotated stale), so discovery used the port-first methodology…</p> <p>Surveyed the 1,017-CIDR tier-2 cloud range list (DigitalOcean / Hetzner / Vultr / OVH / Linode ≈ 3.55M IPs) for medical-imaging AI infrastructure: Orthanc DICOM servers, MONAI Label / MONAI Deploy, NVIDIA Clara, NVIDIA NIM, and dcm4che-class archives. Shodan was unavailable for this survey (API key rotated stale), so discovery used the port-first methodology from Insight #21: masscan against the medical/edge port set (4242 / 8042 / 8043 / 11112 / 8000) followed by protocol-strict verification per Insight #1.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--medical-edge-ai-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--ollama-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--ollama-population-survey-2026-05-15/Re-survey of the Ollama exposure surface, walked on Shodan rather than via masscan-on-cloud-prefixes. The prior two surveys (5.38M IPs across six tier-1+2 clouds) found 1,192 confirmed unauth Ollama. This re-survey walks the Shodan-indexed Ollama population directly:Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--ollama-population-survey-2026-05-15.png" alt="Ollama Population Survey: Shodan-Walk (2026-05-15)" /></p> <p>Re-survey of the Ollama exposure surface, walked on Shodan rather than via masscan-on-cloud-prefixes. The prior two surveys (5.38M IPs across six tier-1+2 clouds) found 1,192 confirmed unauth Ollama. This re-survey walks the Shodan-indexed Ollama population directly:</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--ollama-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--rag-frameworks-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--rag-frameworks-population-survey-2026-05-15/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageFri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--rag-frameworks-population-survey-2026-05-15.png" alt="RAG Framework Servers: Population-Scale Survey (2026-05-15)" /></p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--rag-frameworks-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--vault-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--vault-population-survey-2026-05-15/Population-scale survey of HashiCorp Vault deployments. Vault is the canonical secrets-management platform. The operator's database credentials, API keys, signing keys, and other application secrets live inside. Unauth exposure isn't itself an instant-compromise (Vault auth-gates the secret-read API), but it IS a major intel-disclosure surface and, in three…Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--vault-population-survey-2026-05-15.png" alt="Vault (HashiCorp) Population Survey (2026-05-15)" /></p> <p>Population-scale survey of HashiCorp Vault deployments. Vault is the canonical secrets-management platform. The operator&#39;s database credentials, API keys, signing keys, and other application secrets live inside. Unauth exposure isn&#39;t itself an instant-compromise (Vault auth-gates the secret-read API), but it IS a major intel-disclosure surface and, in three…</p> <p>Population-scale survey of HashiCorp Vault deployments. Vault is the canonical secrets-management platform. The operator&#39;s database credentials, API keys, signing keys, and other application secrets live inside. Unauth exposure isn&#39;t itself an instant-compromise (Vault auth-gates the secret-read API), but it IS a major intel-disclosure surface and, in three rare cases, a full-takeover candidate.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--vault-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--voice-agents-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--voice-agents-population-survey-2026-05-15/Survey of the voice-agent platform population: LiveKit (server + agents framework), Pipecat, Vocode, with Deepgram / Twilio as secondary integration signals.Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--voice-agents-population-survey-2026-05-15.png" alt="Voice-Agent Population Survey: LiveKit-dominant (2026-05-15)" /></p> <p>Survey of the voice-agent platform population: LiveKit (server + agents framework), Pipecat, Vocode, with Deepgram / Twilio as secondary integration signals.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--voice-agents-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--voice-cloning-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--voice-cloning-population-survey-2026-05-15/Survey of the Shodan-reachable voice-cloning surface (RVC / GPT-SoVITS / Applio / OpenVoice / ChatTTS / F5-TTS) and adjacent voice-TTS platforms. The aimap fingerprints for these platforms were shipped 2026-05-08 (shodan/queries/17-voice-audio-ai.md); this is the population-survey leg that closes Survey 17 batch 2.Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--voice-cloning-population-survey-2026-05-15.png" alt="Voice-Cloning Population Survey: Shodan-Reachable Slice (2026-05-15)" /></p> <p>Survey of the Shodan-reachable voice-cloning surface (RVC / GPT-SoVITS / Applio / OpenVoice / ChatTTS / F5-TTS) and adjacent voice-TTS platforms. The aimap fingerprints for these platforms were shipped 2026-05-08 (shodan/queries/17-voice-audio-ai.md); this is the population-survey leg that closes Survey 17 batch 2.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--voice-cloning-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--whisper-asr-population-survey-2026-05-15/https://nuclide-research.com/research/case-studies--commercial--whisper-asr-population-survey-2026-05-15/Population-scale survey of Whisper ASR (speech-to-text) deployments. The canonical OpenAI Whisper plus the popular forks (whisper.cpp, faster-whisper, WhisperX). aimap fingerprints shipped 2026-05-08; this survey closes the remaining open piece of Survey 17.Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--whisper-asr-population-survey-2026-05-15.png" alt="Whisper ASR Population Survey (2026-05-15)" /></p> <p>Population-scale survey of Whisper ASR (speech-to-text) deployments. The canonical OpenAI Whisper plus the popular forks (whisper.cpp, faster-whisper, WhisperX). aimap fingerprints shipped 2026-05-08; this survey closes the remaining open piece of Survey 17.</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--whisper-asr-population-survey-2026-05-15/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--autogen-studio-survey-2026-05-14/https://nuclide-research.com/research/case-studies--commercial--autogen-studio-survey-2026-05-14/NuClide ResearchThu, 14 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--autogen-studio-survey-2026-05-14.png" alt="AutoGen Studio, agent-platform tier cloud survey 2026-05-14" /></p> <p>NuClide Research</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--autogen-studio-survey-2026-05-14/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--browser-automation-backend-survey-2026-05-14/https://nuclide-research.com/research/case-studies--commercial--browser-automation-backend-survey-2026-05-14/NuClide ResearchThu, 14 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--browser-automation-backend-survey-2026-05-14.png" alt="Browser-automation backend tier cloud survey 2026-05-14" /></p> <p>NuClide Research</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--browser-automation-backend-survey-2026-05-14/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--cdp-browser-control-survey-2026-05-14/https://nuclide-research.com/research/case-studies--commercial--cdp-browser-control-survey-2026-05-14/NuClide ResearchThu, 14 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--cdp-browser-control-survey-2026-05-14.png" alt="Chrome DevTools Protocol, browser-automation backend cloud survey 2026-05-14" /></p> <p>NuClide Research</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--cdp-browser-control-survey-2026-05-14/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5b-bucket-accessibility-2026-05-13/https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5b-bucket-accessibility-2026-05-13/NuClide Research · 2026-05-13Wed, 13 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-phase5b-bucket-accessibility-2026-05-13.png" alt="VisorBishop Phase 5b: Bucket-accessibility pass against 49 MLflow artifact stores" /></p> <p>NuClide Research · 2026-05-13</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5b-bucket-accessibility-2026-05-13/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5b-public-survey-2026-05-13/https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5b-public-survey-2026-05-13/NuClide Research · 2026-05-13Wed, 13 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-phase5b-public-survey-2026-05-13.png" alt="VisorBishop Phase 5b: bucket-accessibility pass against 49 MLflow artifact stores (public)" /></p> <p>NuClide Research · 2026-05-13</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5b-public-survey-2026-05-13/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--synthesis-ai-observability-phase2-2026-05-12/https://nuclide-research.com/research/case-studies--commercial--synthesis-ai-observability-phase2-2026-05-12/NuClide Research · 2026-05-12Tue, 12 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--synthesis-ai-observability-phase2-2026-05-12.png" alt="AI observability tier, Phase 2 synthesis (cross-cuts + version-deltas)" /></p> <p>NuClide Research · 2026-05-12</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--synthesis-ai-observability-phase2-2026-05-12/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter1-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter1-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter1-survey-2026-05-11.png" alt="VisorBishop loop-iteration #1: Re-sweep all Phase 1 corpora, surface gaps" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter1-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter2-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter2-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter2-survey-2026-05-11.png" alt="VisorBishop loop-iteration #2: Extended port set, exposure-inventory pivot" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter2-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter3-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter3-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter3-survey-2026-05-11.png" alt="VisorBishop loop-iteration #3: AI-stack ML pipeline ports, Rogers NetOps disclosure" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter3-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter4-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter4-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter4-survey-2026-05-11.png" alt="VisorBishop iter-4: Adjacent platforms (Opik, AgentOps, Phospho)" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter4-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter5-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter5-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter5-survey-2026-05-11.png" alt="VisorBishop iter-5: LiteLLM Proxy + Argilla + Promptfoo (gateway + annotation + eval tiers)" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter5-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter6-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter6-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter6-survey-2026-05-11.png" alt="VisorBishop iter-6: Full LiteLLM 5,391-host population sweep (283 unauth LLMjacking primitives)" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter6-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter7-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter7-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter7-survey-2026-05-11.png" alt="VisorBishop iter-7: MLflow Tracking + Weights &amp; Biases self-host (experiment-tracking tier)" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter7-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter8-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter8-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-iter8-survey-2026-05-11.png" alt="VisorBishop iter-8: Six platforms swept, near-zero critical (LLM pipeline + ML orchestration + product analytics)" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-iter8-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase3-survey-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase3-survey-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-phase3-survey-2026-05-11.png" alt="VisorBishop: Phase 3 meta-fingerprinter for the AI observability tier" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase3-survey-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5-primitives-2026-05-11/https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5-primitives-2026-05-11/NuClide Research · 2026-05-11Mon, 11 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--visorbishop-phase5-primitives-2026-05-11.png" alt="VisorBishop Phase 5: Three primitives that turn 492 critical hosts into an impact narrative" /></p> <p>NuClide Research · 2026-05-11</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--visorbishop-phase5-primitives-2026-05-11/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--helicone-deep-dive-survey-2026-05-10/https://nuclide-research.com/research/case-studies--commercial--helicone-deep-dive-survey-2026-05-10/NuClide Research · 2026-05-10Sun, 10 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--helicone-deep-dive-survey-2026-05-10.png" alt="Helicone deep-dive: Phase 2 (default ClickHouse exposure on benchmarkit.solutions)" /></p> <p>NuClide Research · 2026-05-10</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--helicone-deep-dive-survey-2026-05-10/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--helicone-llm-observability-survey-2026-05-10/https://nuclide-research.com/research/case-studies--commercial--helicone-llm-observability-survey-2026-05-10/NuClide Research · 2026-05-10Sun, 10 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--helicone-llm-observability-survey-2026-05-10.png" alt="Helicone LLM-observability population survey (21-host self-hosted population)" /></p> <p>NuClide Research · 2026-05-10</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--helicone-llm-observability-survey-2026-05-10/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--langfuse-deep-dive-survey-2026-05-10/https://nuclide-research.com/research/case-studies--commercial--langfuse-deep-dive-survey-2026-05-10/NuClide Research · 2026-05-10Sun, 10 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--langfuse-deep-dive-survey-2026-05-10.png" alt="Langfuse deep-dive: Phase 2 (source audit + latent primitives + extended IP-shadow)" /></p> <p>NuClide Research · 2026-05-10</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--langfuse-deep-dive-survey-2026-05-10/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--langfuse-llm-observability-survey-2026-05-10/https://nuclide-research.com/research/case-studies--commercial--langfuse-llm-observability-survey-2026-05-10/NuClide Research · 2026-05-10Sun, 10 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--langfuse-llm-observability-survey-2026-05-10.png" alt="Langfuse LLM-observability population survey (1,333-host population, 0% unauth)" /></p> <p>NuClide Research · 2026-05-10</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--langfuse-llm-observability-survey-2026-05-10/">Read the survey →</a></p>https://nuclide-research.com/research/case-studies--commercial--langsmith-deep-dive-survey-2026-05-10/https://nuclide-research.com/research/case-studies--commercial--langsmith-deep-dive-survey-2026-05-10/NuClide Research · 2026-05-10Sun, 10 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/research/case-studies--commercial--langsmith-deep-dive-survey-2026-05-10.png" alt="LangSmith deep-dive: Phase 2 (customer identity disclosure on 19 enterprise operators)" /></p> <p>NuClide Research · 2026-05-10</p> <p><a href="https://nuclide-research.com/research/case-studies--commercial--langsmith-deep-dive-survey-2026-05-10/">Read the survey →</a></p>