VisorBishop
Cross-platform AI/LLM observability fingerprinter, 12 platforms, IP-direct-shadow probe
§ Workflow phase
- 01 hunt
- 02 analyze
- 03 enrich
- 04 report
- 05 instrument
Discovery. Finds what is exposed.
VisorBishop is a single-binary Go fingerprinter for 12 AI/LLM observability and gateway platforms. Built from the population-scale 2026-05 cross-survey work: when you discover that Phoenix is 25% unauth at population scale and LiteLLM is 10.4%, you need a probe that confirms the platform AND its auth posture in one pass without relying on the operator-set HTTP title alone.
What it does
- 12 platform probes. Phoenix (Arize AI), Langfuse, Helicone, LangSmith, Lunary, OpenLIT, Pezzo, Opik (Comet ML), AgentOps, Argilla, Promptfoo, LiteLLM Proxy. Each probe verifies the platform via a marker-specific endpoint, NOT title-string alone.
- IP-direct-shadow probe. 26-port concurrent sweep of common AI-stack debug ports (Redis, Memcached, NATS, ClickHouse, MailHog, Prometheus, etc.) per host. Surfaces the “hostname-routed SSO does not protect IP-direct shadow” pattern.
- Auth-state classification. Every confirmed finding gets a posture call: `open` (unauth), `protected` (auth-fronted), or `unknown`.
- Cross-platform attribution. When one operator hosts multiple platforms (e.g. Phoenix + Qdrant on the same IP), VisorBishop surfaces the correlation in a single output row.
Why this exists
Phase 1+2 of the 2026-05 cross-survey used per-platform Python probes,
which created N parallel toolchains for N platforms and let
fingerprint quality drift between them. VisorBishop unifies the
fingerprint definition in one place. When we discovered that
LangSmith and ZenML both serve /api/v1/info, we tightened the
LangSmith probe once in VisorBishop and the population-scale
recount produced correct numbers.
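The LangSmith/ZenML collision described above, as an added example (not VisorBishop's own code): a classifier that treats the shared `/api/v1/info` path as insufficient and confirms LangSmith only from the marker fields this page lists for it. The two-of-three threshold, the function name and the sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Marker keys this page lists for LangSmith's /api/v1/info response.
var langSmithMarkers = []string{"customer_info", "license_expiration_time", "instance_flags"}

// minMarkers is an assumed threshold, not VisorBishop's actual rule.
const minMarkers = 2

// ClassifyInfoBody decides whether a /api/v1/info body is LangSmith.
// A 200 on the path alone proves nothing, since ZenML serves it too.
func ClassifyInfoBody(body []byte) (string, int) {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(body, &doc); err != nil {
		return "unknown", 0 // HTML page, proxy splash, truncated JSON
	}
	hits := 0
	for _, k := range langSmithMarkers {
		if _, ok := doc[k]; ok {
			hits++
		}
	}
	if hits >= minMarkers {
		return "langsmith", hits
	}
	return "other-platform", hits
}

// Constructed sample bodies; keys other than the markers and all values
// are illustrative only.
var samples = map[string]string{
	"langsmith-like": `{"version":"0.0.0","license_expiration_time":"2030-01-01T00:00:00Z","customer_info":{"name":"example"},"instance_flags":{}}`,
	"zenml-like":     `{"id":"00000000-0000-0000-0000-000000000000","version":"0.0.0","deployment_type":"other"}`,
	"html-splash":    `<html><title>LangSmith</title></html>`,
}

func main() {
	for name, body := range samples {
		platform, hits := ClassifyInfoBody([]byte(body))
		fmt.Printf("%-15s -> %s (%d markers)\n", name, platform, hits)
	}
}
```

The `html-splash` sample carries the product name in its title yet classifies as `unknown`, which is the title-string failure the marker-based probes are meant to avoid.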
How we use it
```bash
# Probe a single target
visorbishop -t https://app.langfuse.example.com

# Sweep a corpus
visorbishop -i targets.txt -c 32 -timeout 4s \
  -json out.json -csv out.csv

# Include IP-direct-shadow port sweep on every confirmed host
visorbishop -i targets.txt -ip-shadow -json out.json
```
The 6-iteration Phase 3 loop below validates VisorBishop against the cumulative population data. Each iteration refined either the prober coverage or the methodology:
- iter-1. Extended IP-direct-shadow port set (Redis, MailHog, node_exporter; +8 unauth surfaces)
- iter-2. MinIO + ClickHouse object/datastore tier (32 hits)
- iter-3. AI-stack pipeline ports (3 unauth Qdrant + Rogers Communications NetOps double-exposure)
- iter-4. Adjacent observability platforms Opik + AgentOps + Phospho
- iter-5. LiteLLM gateway + Argilla annotation + Promptfoo eval (35 new unauth instances; introduced the LLMjacking class to the tool)
- iter-6. Full LiteLLM 5,391-host population sweep: 283 confirmed unauth LLMjacking primitives globally
The cumulative live findings are visible on the VisorBishop dashboard.
The 12 platforms, with detection markers
| Platform | Class | Detection marker |
|---|---|---|
| Phoenix (Arize AI) | Observability | /graphql introspection + SPA HTML version extract |
| Langfuse | Observability | tRPC + langfuse cert subject CN |
| Helicone | Observability | API key probe + ClickHouse shadow |
| LangSmith | Observability | /api/v1/info with customer_info/license_expiration_time/known instance_flags |
| Lunary | Observability | NextAuth.js detection |
| OpenLIT | Observability | NextAuth.js + OpenLIT-specific routes |
| Pezzo | Observability | GraphQL introspection |
| Opik (Comet ML) | Observability | Dropwizard health endpoint |
| AgentOps | Observability | Per-tenant health endpoint + langfuse_host cross-disclosure |
| Argilla | Annotation | argilla.api.errors::UnauthorizedError on /api/v1/me |
| Promptfoo | Evaluation | /api/results/ JSON shape match |
| LiteLLM Proxy | Gateway | SPA title “LiteLLM API” + /.well-known/litellm-ui-config |
§ Used in
SURVEYS · 06
- 01 VisorBishop Phase 5b: Bucket-accessibility pass against 49 MLflow artifact stores
- 02 VisorBishop Phase 5b: bucket-accessibility pass against 49 MLflow artifact stores (public)
- 03 VisorBishop loop-iteration #1: Re-sweep all Phase 1 corpora, surface gaps
- 04 VisorBishop loop-iteration #2: Extended port set, exposure-inventory pivot
- 05 VisorBishop loop-iteration #3: AI-stack ML pipeline ports, Rogers NetOps disclosure
- 06 VisorBishop iter-4: Adjacent platforms (Opik, AgentOps, Phospho)
FIELD CASES · 06
- 01 116.202.28.181 — Pantaflow Live Transcription Server
- 02 University of Arizona: Branded "U of A GenAI" — Open WebUI v0.7.2 with University-OIDC + Auth-On
- 03 Red Rocks Community College: Open WebUI v0.9.2 on `datalab02.rrcc.edu` — Auth-On + LDAP (First Community College in Survey)
- 04 University of Chicago: Two-Host Observation — Streamlit on `helabserver0` (auth-on framework) + JupyterHub on `jupyterhub-dev.grid` (502 Bad Gateway / degraded)
- 05 University of Southern Maine: 8-Host JupyterHub Fleet on `cs.usm.maine.edu` — Entomology-Themed Research Cluster, All Auth-Enforced
- 06 Cooper Union for the Advancement of Science and Art: Open WebUI v0.9.2 on `kahan.ee.cooper.edu` — Auth-On + LDAP
§ hunt layer
Same phase
- 01 aimap: nmap for AI infrastructure
- 02 JAXEN: Stateful Go recon framework with deep TLS forensics
- 03 VisorGraph: High-performance infrastructure mapping with native gVisor sandboxing
- 04 VisorGoose: Government TLD AI discovery via CT logs, Shodan, DNS, and Ollama fingerprinting
- 05 menlohunt: GCP External Attack Surface Management with automated chain detection
- 06 recongraph: Seed-polymorphic recon engine with environmental contamination detection
- 07 VisorSD: Shodan exposure scanner + adversarial RAG security testing