VisorGoose
Government TLD AI discovery via CT logs, Shodan, DNS, and Ollama fingerprinting
§ Workflow phase
- 01 hunt
- 02 analyze
- 03 enrich
- 04 report
- 05 instrument
Discovery. Finds what is exposed.
VisorGoose discovers AI infrastructure inside government TLDs by combining Certificate Transparency log mining, Shodan queries, DNS enumeration, and Ollama-class fingerprinting.
What it does
- CT log mining for
*.gov,*.mil,*.gov.<cc>and equivalent national gov TLDs - Multi-source seed expansion: CT certs + Shodan + DNS
- Ollama-class fingerprint sweeps with timing-based filtering
- Mullvad VPN guard, refuses to run if VPN is not active
Why this exists
Government infrastructure changes hands across administrations and agencies, and the AI footprint moves with it. Sustained CT-log monitoring against gov-TLDs surfaces deployments that were never indexed by commercial scanners.
§ Used in
Used in
§ hunt layer
Same phase
- 01
aimap
nmap for AI infrastructure
- 02
JAXEN
Stateful Go recon framework with deep TLS forensics
- 03
VisorGraph
High-performance infrastructure mapping with native gVisor sandboxing
- 04
menlohunt
GCP External Attack Surface Management with automated chain detection
- 05
recongraph
Seed-polymorphic recon engine with environmental contamination detection
- 06
VisorSD
Shodan exposure scanner + adversarial RAG security testing
- 07
VisorBishop
Cross-platform AI/LLM observability fingerprinter, 12 platforms, IP-direct-shadow probe