NEW AI & agent attack-surface fingerprinting is live
← Blog

Your shadow AI is showing

June 7, 2026Resensor4 min read

Resensor AI surfacing. A network graph of AI services discovered on an external attack surface, with three nodes labelled: llm-proxy.acme.com, chatbot-staging, and vector-db with port 6333 open.

Somewhere in your organization, someone stood up a model server to prototype a feature. Someone else wired a chatbot to a vector database full of internal documents. A third person pointed an agent at a handful of internal tools to see what it could do. It worked. They moved on. Nobody wrote any of it down.

That is shadow AI, and it has quietly become one of the fastest-growing parts of the external attack surface. The same teams racing to ship with AI are standing up infrastructure faster than anyone is inventorying it, and a lot of that infrastructure is reachable from the open internet. Resensor now fingerprints it: the LLM proxies, chatbots, vector stores, and agent tooling exposed on your perimeter. The AI you shipped and forgot.

The AI nobody put on the inventory

Shadow IT is an old problem. The AI version is sharper, because the tools are newer, far easier to deploy, and tend to ship insecure by default.

A developer runs a local model server on a workstation and forwards a port so a teammate can reach it. A team deploys a vector database and a quick demo UI to a cloud box for one sprint, then never tears it down. An agent server gets exposed during a debugging session and stays up. None of this passes through change control. None of it lands on the asset list the security team actually watches. The defining trait of shadow AI is not that it is malicious. It is that it is invisible to the people responsible for defending it. You cannot protect a surface you do not know you have.

Why it is a security problem, not an IT footnote

Of all the things to leave exposed, AI infrastructure is among the worst, because of what it holds and what it can do.

  • Vector databases are copies of your proprietary data. The whole point of a vector store is to make a corpus of internal documents, support history, or customer records queryable. An unauthenticated instance makes that corpus queryable by anyone who can reach it.
  • Model servers and gateways are open compute and a credential store. An exposed inference endpoint gets drained for free compute and is a direct prompt-injection and model-extraction surface. An AI gateway sits in front of upstream providers and holds their API keys.
  • The agent layer is the most dangerous of the three. Agent servers and low-code AI builders connect a model to real capabilities: a filesystem, a shell, databases, SaaS accounts. They routinely ship with authentication off by default. An exposed one hands a stranger whatever the tool was built to do, along with the stored credentials for every service it touches.

None of this is exotic, and most of it was never meant to face the internet in the first place. It faces the internet anyway, because it went up fast and quietly and nobody circled back.

How Resensor finds it

The discovery is deliberately passive and read-only. We never authenticate, never write, and never send a prompt or submit a job. We ask each service the same harmless question its own health check would ask, a single metadata request, and we recognize the answer. A service that introduces itself to an unauthenticated request has already told you the one thing that matters: it is exposed.

What we look for spans the categories teams actually deploy. Self-hosted model servers like Ollama, vLLM, and Triton. Vector databases like Qdrant, Weaviate, Chroma, and Milvus. ML tooling like MLflow, Jupyter, and Ray. And the agent layer that is growing fastest right now: Model Context Protocol servers, low-code builders like Flowise and n8n, and gateways like LiteLLM.

We are not going to publish the fingerprint catalog here. The detection logic, the exact endpoints and the way each service gives itself away, is the part a competitor would copy and an attacker would use to dodge. What matters to you is the outcome, not the mechanism.

What you do with what we find

Every exposed service becomes two things: an entry in your asset inventory and a finding, ranked by blast radius. An unauthenticated vector database or an open agent platform is not the same severity as a public demo app, and we do not pretend otherwise. Code-execution and data-store surfaces rank high. Inference endpoints sit in the middle. An AI app that is meant to be public gets inventoried, not alarmed about. The point is to tell you which exposure should ruin your afternoon and which is just a demo someone forgot.

And because the whole nature of shadow AI is that it appears without anyone deciding to expose it, a one-time scan is not enough. Resensor watches continuously and tells you the moment a new AI service shows up on your surface: the model server that went live this morning, the agent endpoint someone left running after a debugging session last week. The exposure that hurts you is usually the one that appeared after the last time anyone looked.

The goal is simple, and it is the same goal that runs through everything we build. The AI you shipped should be on your asset list before it is on someone else's target list.

See your own AI surface

You almost certainly have more AI infrastructure facing the internet than your last inventory shows. Run your external surface through Resensor and find out what is already exposed, what it would hand an attacker, and which pieces are worth acting on first.