Find the AI you shipped and forgot.
Teams stand up model servers, vector databases, and agents faster than anyone writes them down, and a lot of it ends up reachable from the open internet. Resensor passively maps the AI infrastructure exposed on your perimeter, and inventories where your organization uses AI, from the same outside-in vantage point an attacker has.
Shadow AI is now part of your attack surface. The same teams racing to ship with AI stand up model servers, vector stores, and agent tooling faster than anyone inventories them, and much of it is reachable from the internet. Resensor finds that exposed AI infrastructure passively, ranks it by blast radius alongside every other exposure, and separately inventories where your organization uses AI, the question your board and auditors now ask. No agents, no prompts, no writes.
The AI you expose, and the AI you use
AI you expose
- Self-hosted model servers and inference endpoints reachable without auth
- Vector databases holding a queryable copy of your internal data
- Agent servers and low-code builders wired to real tools and credentials
- AI gateways sitting in front of upstream providers and their API keys
AI you use
- AI SaaS providers reached through your DNS records
- AI-named hosts that hint at internal projects
- Assistant and chatbot scripts embedded in your pages
- Your AI-crawler policy in robots.txt and llms.txt
The exposed AI stack, by layer
| Layer | Examples | Why an exposed one matters |
|---|---|---|
| Model servers & gateways | Ollama, vLLM, Triton, LiteLLM | Free compute, a prompt-injection and model-extraction surface, and upstream API keys |
| Vector databases | Qdrant, Weaviate, Chroma, Milvus | An unauthenticated, queryable copy of your internal documents and records |
| ML & notebook tooling | MLflow, Jupyter, Ray | Experiment data and, often, direct code execution |
| Agent layer | MCP servers, Flowise, n8n | Real capabilities, a filesystem or shell, and stored credentials for every service it touches |
Passive, read-only discovery
The discovery never authenticates, never writes, and never sends a prompt or submits a job. Resensor asks each service the same harmless question its own health check would, a single metadata request, and recognizes the answer. A service that introduces itself to an unauthenticated request has already told you the thing that matters: it is exposed. The usage inventory is read the same way, from DNS, host names, page source, and your published crawler policy, so it works without touching anyone's cloud account. For the detail behind each half, see exposed AI infrastructure and the AI usage inventory.
Ranked by blast radius, not hype
Exposed AI is not a separate product bolted on. It surfaces inside Resensor's external attack surface view and is ranked the way everything else is: an unauthenticated vector database or an open agent platform outranks a public demo app, and an AI app that is meant to be public gets inventoried, not alarmed about. Usage findings are recorded as informational, because using AI is not a vulnerability. The point is to tell you which exposure should ruin your afternoon and which is just a demo someone forgot.
See the AI on your attack surface
Add a domain and Resensor maps the AI you expose and the AI you use, ranked by what an attacker could actually reach. No credit card to start.
Start freeCommon questions
What is an AI attack surface?
It is the internet-facing AI an organization exposes, model servers, vector databases, agent tooling, and AI gateways, plus the AI services it uses that are visible from outside. Resensor maps both passively, from the same vantage point an attacker has.
How does Resensor find exposed AI without authenticating?
It sends a single read-only metadata request, the same kind a service's own health check uses. It never logs in, writes, or sends a prompt. A service that answers an unauthenticated request has revealed the one thing that matters: it is reachable and exposed.
Which AI services does it detect?
Self-hosted model servers like Ollama, vLLM, and Triton; vector databases like Qdrant, Weaviate, Chroma, and Milvus; ML tooling like MLflow, Jupyter, and Ray; and the agent layer, including Model Context Protocol servers and low-code builders like Flowise and n8n.
Can it inventory where we use AI for governance?
Yes. From outside it reads four signals: AI SaaS in your DNS, AI-named hosts, assistant scripts in your page source, and your AI-crawler policy in robots.txt and llms.txt. Each becomes an informational inventory entry you can hand to whoever owns AI governance for the EU AI Act, NIST AI RMF, or ISO 42001.
Is AI exposure monitoring a separate product?
No. It is part of Resensor's external attack surface management platform and is ranked by exploitability, scored from real-world evidence (CISA KEV, EPSS, breach data, and live reachability) rather than active exploitation, alongside every other finding, so an unauthenticated vector database surfaces right next to a known-exploited CVE.