aimap
nmap for AI infrastructure
§ Workflow phase
- 01 hunt
- 02 analyze
- 03 enrich
- 04 report
- 05 instrument
Discovery. Finds what is exposed.
aimap fingerprints 218 AI/ML service classes — LLMs, vector databases, model servers, MLOps platforms, agent frameworks, RAG stacks, MCP servers — and runs 62 dedicated deep enumerators that surface PII exposure, unauthenticated RCE, exposed credentials, claimable admin states, and default credentials.
A traditional scanner sees port 11434 open. aimap sees Ollama 0.20.4 · deepseek-v4-pro:cloud · /api/generate open, anyone can run inference.
Why this exists
The default exposure surface for AI/ML infrastructure is structurally
different from the surface that commodity scanners were built around. Vector
databases ship without auth by default. Inference servers expose
/v1/models to the internet. LLM gateways ship with root / 123456.
Fine-tuning dashboards proxy GPU compute to anyone who finds the URL. Generic
CVE-driven scanners report none of it because there’s no CVE — the deployment
is the vulnerability.
aimap was built around that gap, with detection logic written from real surveys rather than catalog data.
What it does
- 218 AI/ML service-class fingerprints
- 62 deep enumerators per class, beyond banner grab
- Default credential checks (One API
root/123456, Grafanaadmin/admin, others) - PII / RCE / credential / admin-takeover / open-relay classification
- ML-adjacent infrastructure detection (MinIO, etcd, Redis co-located with AI services)
- JSON output for chaining into VisorLog, SIEM pipelines; human-readable for triage
- Single Go binary, no Python runtime, ~8MB
Recent additions (v1.9.51)
- enumOneAPI — detects open LLM relay (
/v1/models) and default credentials (root/123456) onsongquanpeng/one-apideployments (1.19M Docker Hub pulls, actively exploited) - enumArgilla — auth-state and annotation dataset enumeration on HuggingFace Argilla; handles both v1.x and v2.x error shapes
- Cat-03 model serving fingerprints — KoboldCpp, LM Studio, Aphrodite Engine, LMDeploy, GPT4All, HuggingFace TGI, faster-whisper server
Source
github.com/nuclide-research/aimap
In the field
Default fingerprint stage on every NuClide engagement involving an AI/ML target. Field-validated across the 2026 cross-cloud survey series — 30+ platform categories, thousands of verified findings across Ollama, Weaviate, Qdrant, ChromaDB, Milvus, MLflow, Langfuse, Flowise, Dify, and others.
§ Used in
Used in
SURVEYS · 06
- 01
Cat-03 Model Serving & Inference — Survey 2026-06-05
- 02
AI Gateways Population Survey: Cat-32 (2026-06-01)
- 03
Argo Workflows Population Survey — Cat-29 (2026-05-31)
- 04
Data Labeling & Annotation: the registration knob that re-opens the door
- 05
RAG Framework Servers Population Survey — Cat-07 (2026-05-31)
- 06
Service Mesh Control Planes: when exposure is the authentication failure
FIELD CASES · 06
- 01
NCKU Edge Host: a Kubernetes Control Plane Behind a MikroTik Gateway
- 02
Voice/Audio AI re-run: Category 17, 2026-05-29
- 03
Cat-06 Stragglers: Agno Auth-Off-Default, GPT Researcher 14 Unauth, Walmart Temporal Exposure
- 04
Cat-04 Stragglers: Prefect Auth-Off-Default, Dask University Clusters, ClearML Ransomed ES
- 05
ClimateGPT Stack — Unauth vLLM + Opik + Streamlit
- 06
116.202.28.181 — Pantaflow Live Transcription Server
§ hunt layer
Same phase
- 01
JAXEN
Stateful Go recon framework with deep TLS forensics
- 02
VisorGraph
High-performance infrastructure mapping with native gVisor sandboxing
- 03
VisorGoose
Government TLD AI discovery via CT logs, Shodan, DNS, and Ollama fingerprinting
- 04
menlohunt
GCP External Attack Surface Management with automated chain detection
- 05
recongraph
Seed-polymorphic recon engine with environmental contamination detection
- 06
VisorSD
Shodan exposure scanner + adversarial RAG security testing
- 07
VisorBishop
Cross-platform AI/LLM observability fingerprinter, 12 platforms, IP-direct-shadow probe