NEW AI & agent attack-surface fingerprinting is live
AI exposure

Find the AI you shipped and forgot.

Teams stand up model servers, vector databases, and agents faster than anyone writes them down, and a lot of it ends up reachable from the open internet. Resensor passively maps the AI infrastructure exposed on your perimeter, and inventories where your organization uses AI, from the same outside-in vantage point an attacker has.

Built on authoritative exploit intelligence
CISA KEV FIRST EPSS NVD CVE Certificate Transparency Nuclei Have I Been Pwned RDAP / WHOIS
The short answer

Shadow AI is now part of your attack surface. The same teams racing to ship with AI stand up model servers, vector stores, and agent tooling faster than anyone inventories them, and much of it is reachable from the internet. Resensor finds that exposed AI infrastructure passively, ranks it by blast radius alongside every other exposure, and separately inventories where your organization uses AI, the question your board and auditors now ask. No agents, no prompts, no writes.

Two questions, one external view

The AI you expose, and the AI you use

AI you expose

  • Self-hosted model servers and inference endpoints reachable without auth
  • Vector databases holding a queryable copy of your internal data
  • Agent servers and low-code builders wired to real tools and credentials
  • AI gateways sitting in front of upstream providers and their API keys

AI you use

  • AI SaaS providers reached through your DNS records
  • AI-named hosts that hint at internal projects
  • Assistant and chatbot scripts embedded in your pages
  • Your AI-crawler policy in robots.txt and llms.txt
What we find

The exposed AI stack, by layer

Layer Examples Why an exposed one matters
Model servers & gatewaysOllama, vLLM, Triton, LiteLLMFree compute, a prompt-injection and model-extraction surface, and upstream API keys
Vector databasesQdrant, Weaviate, Chroma, MilvusAn unauthenticated, queryable copy of your internal documents and records
ML & notebook toolingMLflow, Jupyter, RayExperiment data and, often, direct code execution
Agent layerMCP servers, Flowise, n8nReal capabilities, a filesystem or shell, and stored credentials for every service it touches
How we find it

Passive, read-only discovery

The discovery never authenticates, never writes, and never sends a prompt or submits a job. Resensor asks each service the same harmless question its own health check would, a single metadata request, and recognizes the answer. A service that introduces itself to an unauthenticated request has already told you the thing that matters: it is exposed. The usage inventory is read the same way, from DNS, host names, page source, and your published crawler policy, so it works without touching anyone's cloud account. For the detail behind each half, see exposed AI infrastructure and the AI usage inventory.

Where it fits

Ranked by blast radius, not hype

Exposed AI is not a separate product bolted on. It surfaces inside Resensor's external attack surface view and is ranked the way everything else is: an unauthenticated vector database or an open agent platform outranks a public demo app, and an AI app that is meant to be public gets inventoried, not alarmed about. Usage findings are recorded as informational, because using AI is not a vulnerability. The point is to tell you which exposure should ruin your afternoon and which is just a demo someone forgot.

See the AI on your attack surface

Add a domain and Resensor maps the AI you expose and the AI you use, ranked by what an attacker could actually reach. No credit card to start.

Start free
FAQ

Common questions

What is an AI attack surface?

It is the internet-facing AI an organization exposes, model servers, vector databases, agent tooling, and AI gateways, plus the AI services it uses that are visible from outside. Resensor maps both passively, from the same vantage point an attacker has.

How does Resensor find exposed AI without authenticating?

It sends a single read-only metadata request, the same kind a service's own health check uses. It never logs in, writes, or sends a prompt. A service that answers an unauthenticated request has revealed the one thing that matters: it is reachable and exposed.

Which AI services does it detect?

Self-hosted model servers like Ollama, vLLM, and Triton; vector databases like Qdrant, Weaviate, Chroma, and Milvus; ML tooling like MLflow, Jupyter, and Ray; and the agent layer, including Model Context Protocol servers and low-code builders like Flowise and n8n.

Can it inventory where we use AI for governance?

Yes. From outside it reads four signals: AI SaaS in your DNS, AI-named hosts, assistant scripts in your page source, and your AI-crawler policy in robots.txt and llms.txt. Each becomes an informational inventory entry you can hand to whoever owns AI governance for the EU AI Act, NIST AI RMF, or ISO 42001.

Is AI exposure monitoring a separate product?

No. It is part of Resensor's external attack surface management platform and is ranked by exploitability, scored from real-world evidence (CISA KEV, EPSS, breach data, and live reachability) rather than active exploitation, alongside every other finding, so an unauthenticated vector database surfaces right next to a known-exploited CVE.

Keep reading

Related