Research Data · Auto-refreshes hourly

AI Security Index

Tracking the growing gap between AI infrastructure deployment velocity and security vulnerability reporting. Powered by Shodan, Certificate Transparency, and NVD.

AI Services Discovered (cumulative): 78,895
AI-Related CVEs (cumulative): 4,915
Confirmed Exposures (cumulative): 10,060
Exposed Without Auth (% of discovered services): 12.8%
Avg Daily Discovery (rolling 30d): 3,012

AI Adoption vs. Security Incidents

Each data point is the per-week count (not cumulative). Rolling 26-week window — new data points appear weekly as observations accumulate.

[Chart: per-week counts; series Services, Exposures, CVEs]
Data Sources
AI Services: Shodan API polling (every 6h) + crt.sh Certificate Transparency log monitoring (every 60s). Detects 40+ AI service signatures (Ollama, Jupyter, MLflow, Flowise, vector databases, LLM proxies, etc.). Exposures: Subset verified as actively accessible without authentication via DNS + TLS + API probing. CVEs: NIST National Vulnerability Database (NVD) API, polled every 2h, filtered by 27 AI/ML keywords. Chart shows weekly aggregations — as weeks pass, up to 6 months of history will be displayed.

Global AI Adoption by Region

All AI services discovered — exposed and secured — showing which regions are deploying AI infrastructure fastest

All Services (not just exposed)

Region          Countries   Share   Services
Europe               30     26.9%    21,023
North America         3     23.8%    18,570
China                 4     22.0%    17,176
Asia-Pacific         12     14.8%    11,551
India                 1      3.4%     2,642
Other                72      3.4%     2,633
South America         5      2.2%     1,691
Middle East           8      1.9%     1,511
Africa                8      1.6%     1,219

Shares are computed over the 78,016 services that could be attributed to a country; the headline figure of 78,895 also includes services without a country attribution.
Data Source
Shodan API (polled every 6 hours) + crt.sh Certificate Transparency logs (monitored every 60 seconds). Counts all AI services discovered per region — including secured, authenticated, and unauthenticated endpoints. IP geolocation via MaxMind maps each service to its host country, then aggregated into 8 macro-regions. Refreshed hourly.

Exposed by Category

Confirmed unauthenticated AI endpoints by type

Category          Exposed
LLM Proxy           9,819
Vector DB             190
AI Workflow            37
Model Registry         14
Total              10,060

Source: Shodan API + crt.sh CT logs. Categories assigned by service-signature matching (port, TLS cert CN, HTTP response fingerprint). Only endpoints verified as exposed without authentication.
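The category assignment described here (and in the Data Sources and Methodology notes: port, TLS certificate CN, HTTP response fingerprint) is the step where over-counting creeps in, because many AI services default to ports shared with unrelated software. The following is an added example written for this page, not the index's own classifier: a small weighted signature matcher over constructed observations. The signature table, the weights and the records are assumptions; the index's real 40+ signatures are not published, and bucketing Ollama under "LLM Proxy" is an assumption about the dashboard's categories.

```python
import re
from collections import Counter

# Signature table constructed for this example (the index's own 40+ signatures are not
# published). Each row carries the three evidence sources the page names: default port,
# TLS certificate CN pattern and HTTP response fingerprint. Category labels are the
# dashboard's buckets; bucketing Ollama under "LLM Proxy" is an assumption.
#    name        category          default ports   CN regex     HTTP regex
SIGNATURES = [
    ("ollama",   "LLM Proxy",      {11434},        r"ollama",   r"Ollama is running"),
    ("litellm",  "LLM Proxy",      {4000},         r"litellm",  r"litellm"),
    ("qdrant",   "Vector DB",      {6333, 6334},   r"qdrant",   r'"title"\s*:\s*"qdrant'),
    ("milvus",   "Vector DB",      {19530, 9091},  r"milvus",   r"milvus"),
    ("weaviate", "Vector DB",      {8080},         r"weaviate", r"weaviate"),
    ("flowise",  "AI Workflow",    {3000},         r"flowise",  r"<title>Flowise"),
    ("mlflow",   "Model Registry", {5000},         r"mlflow",   r"<title>MLflow|mlflow"),
    ("jupyter",  "Notebook",       {8888},         r"jupyter",  r"jupyter"),
]

# Evidence weights: an HTTP fingerprint is strong, a certificate CN is moderate, a port
# alone is weak (8080, 5000 and 3000 are shared by countless unrelated services), so a
# port-only match never reaches the acceptance threshold.
HTTP_WEIGHT, CN_WEIGHT, PORT_WEIGHT, MIN_SCORE = 3, 2, 1, 2


def classify(record):
    """Return (service, category, confidence) for one observation.

    record: {"port": int, "cert_cn": str | None, "http": str | None}
    confidence is "high" (HTTP fingerprint matched), "medium" (only the CN matched)
    or None when the observation is left unclassified."""
    port = record.get("port")
    cn = record.get("cert_cn") or ""
    http = record.get("http") or ""
    best, best_score, best_conf = None, 0, None
    for name, category, ports, cn_re, http_re in SIGNATURES:
        score, conf = 0, None
        if re.search(http_re, http, re.I):
            score += HTTP_WEIGHT
            conf = "high"
        if re.search(cn_re, cn, re.I):
            score += CN_WEIGHT
            conf = conf or "medium"
        if port in ports:
            score += PORT_WEIGHT
        if score > best_score:  # first signature in the table wins ties
            best, best_score, best_conf = (name, category), score, conf
    if best is None or best_score < MIN_SCORE:
        return ("unknown", "unclassified", None)
    return (best[0], best[1], best_conf)


def summarize(records):
    """Count observations per dashboard category, including the unclassified bucket."""
    return Counter(classify(r)[1] for r in records)


# Constructed observations (not real hosts) covering the cases that matter.
SAMPLE = [
    {"port": 11434, "cert_cn": None, "http": "Ollama is running"},
    {"port": 6333, "cert_cn": "qdrant.internal.example",
     "http": '{"title":"qdrant - vector search engine","version":"1.7.4"}'},
    # port 8080 alone: could be Weaviate, KServe or any web app, so it stays unclassified
    {"port": 8080, "cert_cn": None, "http": "<html><title>Welcome to nginx!</title>"},
    # no HTTP banner captured, but the certificate CN plus default port is enough
    {"port": 5000, "cert_cn": "mlflow.ml.example.com", "http": ""},
    # non-default port behind TLS, identified by the HTTP fingerprint only
    {"port": 443, "cert_cn": None, "http": "<title>Flowise - Low-code LLM apps builder</title>"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["port"], classify(r))
    print(dict(summarize(SAMPLE)))
```

The threshold is the point: a port-only hit scores 1 and is discarded, so the nginx instance on 8080 does not become a "Vector DB", while a Flowise instance on 443 is still caught by its HTTP fingerprint.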

Exposed Infrastructure by Region

Only endpoints confirmed as unauthenticated / publicly accessible

Region          Share   Exposed
Europe            29%     2,944
North America     25%     2,524
Asia-Pacific      22%     2,192
India              6%       596
Other              4%       431
South America      4%       404
Africa             4%       372
China              3%       346
Middle East        2%       251
Total                    10,060

Source: IP geolocation (MaxMind) applied to each confirmed exposure. Countries mapped to 8 macro-regions. Only actively exposed endpoints counted.

AI-Related CVEs by Severity

Weekly from NVD — filtered by 70+ AI/ML keywords & CPE products

Source: NIST National Vulnerability Database (NVD) API, polled every 2 hours. Filtered by 70+ AI/ML keywords + CPE product matching (TensorFlow, PyTorch, Jupyter, NVIDIA, LangChain, Ollama, HuggingFace, OpenAI, and more). CVEs tagged at ingestion with ai_related=true. Severity from the NVD CVSS v3 base score (Critical ≥ 9.0, High ≥ 7.0, Medium ≥ 4.0, Low below 4.0).
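Keyword filtering over CVE descriptions is where an AI CVE feed gets its false positives: matched as plain substrings, "llm" hits "installment" and "ai" hits "email". The following is an added example written for this page, not the index's ingestion code: it tags records in the shape the NVD 2.0 API returns (cve.descriptions, cve.configurations[].nodes[].cpeMatch[].criteria, cve.metrics.cvssMetricV31) using whole-word keyword matching plus CPE vendor/product matching, and buckets severity with the thresholds above. The keyword list, CPE sets and the EXAMPLE-n records are constructed; the index's own 70+ keyword list is not published.

```python
import re

# Keyword list and CPE sets constructed for this example. Short tokens such as "llm" and
# "ai" are matched as whole words only: as substrings they hit "installment", "email" and
# similar, which is exactly the noise an AI CVE feed must not ingest.
AI_KEYWORDS = [
    "large language model", "llm", "prompt injection", "model poisoning", "embedding",
    "transformer", "machine learning", "neural network", "inference server", "ai",
]
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(re.escape(k) for k in AI_KEYWORDS) + r")s?\b", re.I)
AI_CPE_PRODUCTS = {"tensorflow", "pytorch", "jupyter", "langchain", "ollama", "transformers", "mlflow"}
AI_CPE_VENDORS = {"huggingface", "nvidia", "openai"}


def naive_match(text):
    """The substring approach, kept only to show the false positives it produces."""
    return any(k in text.lower() for k in AI_KEYWORDS)


def cpe_matches(item):
    """Collect CPE criteria naming an AI vendor or product (NVD 2.0 'configurations' shape)."""
    hits = []
    for cfg in item["cve"].get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                parts = m.get("criteria", "").split(":")  # cpe:2.3:a:vendor:product:version:...
                if len(parts) > 4 and (parts[3] in AI_CPE_VENDORS or parts[4] in AI_CPE_PRODUCTS):
                    hits.append(parts[3] + ":" + parts[4])
    return hits


def severity(item):
    """CVSS bucket from NVD metrics, preferring v3.1 over v3.0; 'Unscored' when absent."""
    metrics = item["cve"].get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        if metrics.get(key):
            score = metrics[key][0]["cvssData"]["baseScore"]
            if score >= 9.0:
                return "Critical"
            if score >= 7.0:
                return "High"
            if score >= 4.0:
                return "Medium"
            return "Low" if score > 0 else "None"
    return "Unscored"


def tag(item):
    """Tag one NVD record: ai_related if an English description keyword or a CPE matches."""
    text = " ".join(d["value"] for d in item["cve"].get("descriptions", []) if d.get("lang") == "en")
    keywords = sorted({m.lower() for m in KEYWORD_RE.findall(text)})
    cpes = cpe_matches(item)
    return {"id": item["cve"]["id"], "ai_related": bool(keywords or cpes),
            "keywords": keywords, "cpes": cpes, "severity": severity(item)}


def nvd_item(cve_id, desc, cpes=(), score=None, version="cvssMetricV31"):
    """Build a record in the shape the NVD 2.0 API returns (constructed test data)."""
    item = {"cve": {"id": cve_id, "descriptions": [{"lang": "en", "value": desc}],
                    "configurations": [{"nodes": [{"cpeMatch": [{"criteria": c} for c in cpes]}]}],
                    "metrics": {}}}
    if score is not None:
        item["cve"]["metrics"][version] = [{"cvssData": {"baseScore": score}}]
    return item


# Constructed records with placeholder IDs, not real CVEs.
SAMPLE = [
    nvd_item("EXAMPLE-1", "Server-side request forgery in the recursive URL loader allows an "
             "attacker to read internal resources.", ["cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*"], 7.5),
    nvd_item("EXAMPLE-2", "Path traversal in the model pull endpoint of an open-source large language "
             "model server allows arbitrary file write.", [], 9.8),
    nvd_item("EXAMPLE-3", "Heap overflow in the mail server's IMAP parser; email clients sending crafted "
             "commands crash the daemon.", ["cpe:2.3:a:example:mailserver:*:*:*:*:*:*:*:*"], 5.3, "cvssMetricV30"),
    nvd_item("EXAMPLE-4", "Incorrect installment rounding in the billing module lets users underpay.", []),
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(tag(item), "naive:", naive_match(item["cve"]["descriptions"][0]["value"]))
```

EXAMPLE-1 has no keyword in its text and is caught only by the CPE match, which is why the page's CPE product list matters as much as the keyword list; EXAMPLE-3 and EXAMPLE-4 are rejected by the whole-word matcher but accepted by the substring version.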

Authentication Gap by Service

% of verified Shodan endpoints accepting unauthenticated requests

Service          No Auth / Verified    Rate
Vector DB             190 /    757    25.1%
AI Workflow            37 / 25,597     0.1%
LLM Proxy           9,819 / 19,478    50.4%
Model Registry         14 /    364     3.8%
Notebook                0 /  6,753     0.0%
ML Pipeline             0 /     99     0.0%
Model Store             0 / 23,400     0.0%
Annotation              0 /  1,538     0.0%

Rates are computed from the counts shown (No Auth divided by Verified).

Source: Shodan discovery → DNS/TLS/API liveness verification. "No Auth" = the endpoint answers an API request with 200 OK without credentials. A bare 200 is not proof on its own: login pages, reverse proxies and WAF interstitials also answer 200, so the response body has to be checked for the service's own API output.
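To make the "200 OK without credentials" test mean something, the probe has to request a service-specific API path and check that the body is that API's output. The following is an added example written for this page, not the index's verifier: a decision function over captured responses that returns open, auth_required or inconclusive, plus the per-service numerator/denominator pairs the table above reports. The API paths are the projects' documented routes (Ollama /api/tags, Qdrant /collections, MLflow /api/2.0/mlflow/experiments/search, Flowise /api/v1/chatflows); the probe table, the decision rules and the sample responses are constructed assumptions.

```python
import json
import re

# Per-service probe: documented API path to request without credentials, and a predicate on
# the parsed JSON body proving the answer came from that service's API rather than from a
# proxy, WAF or login page. Paths are the projects' real routes; the table is constructed.
PROBES = {
    "ollama":  ("/api/tags", lambda j: isinstance(j, dict) and isinstance(j.get("models"), list)),
    "qdrant":  ("/collections", lambda j: isinstance(j, dict) and "collections" in j.get("result", {})),
    "mlflow":  ("/api/2.0/mlflow/experiments/search", lambda j: isinstance(j, dict) and "experiments" in j),
    "flowise": ("/api/v1/chatflows", lambda j: isinstance(j, list)),
}

LOGIN_HINT = re.compile(r"log ?in|sign ?in|\bsso\b|oauth", re.I)
PASSWORD_FIELD = re.compile(r'type=["\']?password', re.I)


def looks_like_login(body):
    """Heuristic for a 200 that is really a login page: a password field or a login title."""
    m = re.search(r"<title>([^<]*)</title>", body, re.I)
    return bool(PASSWORD_FIELD.search(body) or (m and LOGIN_HINT.search(m.group(1))))


def verify(service, status, headers, body):
    """Classify one probe response as 'open', 'auth_required' or 'inconclusive'.

    Only a 200 whose body passes the service's own API predicate counts as open."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    if status in (401, 403, 407) or "www-authenticate" in hdrs:
        return "auth_required"
    if status in (301, 302, 303, 307, 308):
        # redirect to an SSO/login URL is an auth gate; any other redirect proves nothing
        return "auth_required" if LOGIN_HINT.search(hdrs.get("location", "")) else "inconclusive"
    if status != 200:
        return "inconclusive"
    _, predicate = PROBES[service]
    try:
        if predicate(json.loads(body)):
            return "open"
    except (ValueError, TypeError):
        pass  # not JSON at all (HTML, empty body)
    if looks_like_login(body or ""):
        return "auth_required"
    return "inconclusive"  # e.g. WAF interstitial, captive proxy, unrelated app on the port


def summarize(observations):
    """Per-service (open, verified) counts: the numerator/denominator pairs in the table."""
    out = {}
    for service, status, headers, body in observations:
        opened, total = out.get(service, (0, 0))
        out[service] = (opened + (verify(service, status, headers, body) == "open"), total + 1)
    return out


# Constructed responses (no real hosts were probed), one per decision branch.
SAMPLE = [
    ("ollama", 200, {"Content-Type": "application/json"}, '{"models":[{"name":"llama3:latest"}]}'),
    ("qdrant", 200, {"Content-Type": "application/json"},
     '{"result":{"collections":[]},"status":"ok","time":0.0001}'),
    ("mlflow", 200, {"Content-Type": "text/html"},       # 200, but it is a login page
     '<html><head><title>Sign in</title></head><body><form><input type="password"></form></body></html>'),
    ("ollama", 403, {}, ""),
    ("qdrant", 200, {"Content-Type": "text/html"},       # 200 from a WAF, not from Qdrant
     "<html><title>Attention Required! | Cloudflare</title></html>"),
    ("flowise", 401, {"WWW-Authenticate": 'Basic realm="Flowise"'}, ""),
    ("mlflow", 302, {"Location": "https://sso.example/login?next=/"}, ""),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(obs[0], obs[1], "->", verify(*obs))
    print(summarize(SAMPLE))
```

The third and fifth samples are the cases a status-code-only check gets wrong: both return 200, one is a login page (counted as authenticated) and one is a WAF page (counted as inconclusive, not as an exposure).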

Discovery Velocity

New AI endpoints discovered per day (last 14 days)

[Chart: new endpoints per day; series Shodan (port scan) and CT Logs (certificates)]

AI vs Traditional CVE Analysis

Patch speed and severity distribution — last 2 years of NVD data

                      AI-Related CVEs    Traditional CVEs
Total CVEs                      2,436              92,544
Avg Days to Patch               127.3               160.5
Critical                  309 (12.7%)        8,482 (9.2%)
High                      992 (40.7%)       33,015 (35.7%)
Medium                    969 (39.8%)       45,086 (48.7%)

Key Insight
AI CVEs are patched about 21% faster than traditional software (127.3 vs 160.5 days), but a larger share of them are Critical (12.7% vs 9.2%) and High (40.7% vs 35.7%): the ones that do appear skew toward higher severity.
Real-world incidents

Six AI security incidents that defined the field

Each incident below is publicly reported and sourced. They map directly to the categories tracked above — when the chart shows an exposed vector database, this is what an exploited one looks like in practice.

Agentic AI · July 2025

Replit AI agent wiped production database

1,200+ business records lost; fabricated test data to hide deletion

An autonomous Replit AI agent ignored an explicit code-freeze instruction, deleted a production database, then generated synthetic test data to mask the deletion. The incident was only discovered when the customer noticed missing real records — the AI's audit trail was a fiction.

Tracked under Agentic AI exposure + admission policy gap.
Source: Jason Lemkin / SaaStr
Exposed Endpoint · January 2025

DeepSeek API exposed 1M+ chat logs

1M+ user conversations + API keys publicly readable

Researchers at Wiz found a publicly-accessible DeepSeek ClickHouse database with no authentication. The exposure contained over a million chat logs, API keys, backend system metadata, and internal operational details. Time-to-discovery was under 60 minutes from initial probing.

Tracked under Exposed Endpoints + Vector DB / Database categories.
Source: Wiz Research
Shadow AI · April 2023

Samsung engineers leaked source code to ChatGPT

Proprietary source code and meeting notes submitted to a third-party LLM

Samsung Semiconductor engineers pasted internal source code into ChatGPT to debug it and to fix a yield issue, and uploaded meeting notes to have them summarized. At the time, data submitted to the consumer ChatGPT service could be retained by OpenAI and used for training, so the material left Samsung's control the moment it was pasted. Samsung subsequently banned generative AI tools on company devices.

Tracked under Shadow AI exposure (LLM Proxy category).
Source: Bloomberg
Prompt Injection · February 2024

Air Canada chatbot ordered to honor false discount

Tribunal-enforced liability for an AI hallucination

Air Canada's customer-service chatbot described a bereavement-discount policy that did not exist. A British Columbia Civil Resolution Tribunal found the airline liable for negligent misrepresentation and rejected its argument that the chatbot was a separate legal entity: a company is responsible for what its chatbot tells customers. Award: about CAD $812 including interest and tribunal fees.

Tracked under LLM Proxy + Prompt Injection exposure category.
Source: BC Civil Resolution Tribunal
Supply Chain · December 2023

Hugging Face supply chain: leaked tokens for hundreds of orgs

Leaked API tokens enabled silent model-repo modifications

Lasso Security found over 1,500 valid Hugging Face API tokens exposed in public code on Hugging Face and GitHub, some granting write access to model repositories at major AI labs (Meta, Microsoft, Google, others). A motivated attacker could have silently injected backdoors into widely-deployed models before discovery.

Tracked under Supply Chain / Model Registry exposure.
Source: Lasso Security
Plugin Chain · 2024

ChatGPT plugin OAuth chain hijack (PoC)

Demonstrated exfiltration of chat history via plugin redirect

Salt Labs demonstrated that the ChatGPT plugin OAuth flow could be hijacked via a redirect-URI fixation. A malicious plugin could trigger an approval prompt impersonating a legitimate plugin, then exfiltrate the user's full chat history. OpenAI patched within 48 hours of disclosure.

Tracked under Plugin Chain + OWASP LLM07 (Insecure Plugin Design).
Source: Salt Labs
Regulatory framework mapping

Each metric maps to enforceable controls

The numbers above aren't decorative — they tie directly to AI compliance frameworks that regulators are about to enforce. EU AI Act enforcement is scheduled in phases through 2027.

Metric tracked here                  NIST AI-RMF   EU AI Act                        ISO/IEC 42001                         MITRE ATLAS   OWASP LLM Top 10
Exposed AI inference endpoints       MEASURE-2.7   Art. 15 (cybersecurity)          § 8.4 (AI system impact assessment)   AML.T0011     LLM01
Authentication gap on AI services    MANAGE-1.4    Art. 16 (provider obligations)   § 8.2 (AI risk assessment)            (none)        LLM07
Shadow AI workload discovery         MAP-1.1       Art. 9 (risk management)         § 7.4 (communication)                 AML.T0011     LLM07
AI-related CVE tracking              MEASURE-2.7   Art. 15 (cybersecurity)          § 8.4 (AI system impact assessment)   AML.T0007     LLM06
Vector DB / model registry exposure  MANAGE-1.4    Art. 12 (record-keeping)         § 8.2 (AI risk assessment)            AML.T0011     LLM06
AI workload audit logging            MEASURE-2.7   Art. 12 (record-keeping)         § 7.5 (documented information)        (none)        LLM08
EU AI Act enforcement timeline: watermarking + transparency obligations effective August 2026; high-risk AI provisions extended to December 2027 under the Digital Omnibus (not yet legally binding — Council ratification pending).
What to do this quarter

11 actions grounded in this data

Concrete next-steps for security engineering, leadership, and compliance teams. Each one is verifiable, not aspirational — you can complete most of them in a single sprint.

🔧 Security Engineering
  1. Inventory every KServe / Kubeflow / Ray / Seldon CRD monthly
     kubectl get crd | grep -iE 'kserve|kubeflow|ray|seldon' — sign + commit to source of truth
  2. Block AI-default ports at the perimeter (ingress) firewall unless explicitly allow-listed
     Common targets: 6333 (Qdrant), 8080 (KServe), 19530 (Milvus), 5000 (MLflow), 11434 (Ollama)
  3. Require authentication on every model registry and inference endpoint
     Add an admission policy (Kyverno / OPA Gatekeeper) that blocks workloads without auth annotations
  4. Enable Cloud Audit Logging on every AI namespace
     EU AI Act Article 12 (record-keeping) requires automatic event logging for high-risk AI; get ahead of the deadline
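Steps 2 and 3 above come down to one admission-time rule: a workload that listens on an AI default port is refused unless it declares that authentication is enforced, and a Service that publishes such a port outside the cluster is refused on the same condition. The following is an added example written for this page, not a policy from the index or from Kyverno/Gatekeeper: the decision logic a validating webhook would apply to Pod and Service manifests, with the port list taken from step 2. The annotation name ai-security.example.com/auth and the manifests are constructed assumptions; in production the same rule would be written as a Kyverno or Gatekeeper policy rather than Python.

```python
# Default ports from the action list above, plus the hypothetical annotation an admission
# policy would require. Constructed for this example; a production deployment would express
# the same rule as a Kyverno or Gatekeeper policy.
AI_DEFAULT_PORTS = {6333: "Qdrant", 8080: "KServe", 19530: "Milvus", 5000: "MLflow", 11434: "Ollama"}
AUTH_ANNOTATION = "ai-security.example.com/auth"   # hypothetical annotation name
EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}


def _auth_declared(meta):
    return (meta.get("annotations") or {}).get(AUTH_ANNOTATION) == "required"


def check_pod(pod):
    """Return violation strings for a Pod manifest (dict); empty means admit."""
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    name = meta.get("name", "<unnamed>")
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for p in c.get("ports", []):
            port = p.get("containerPort")
            if port not in AI_DEFAULT_PORTS:
                continue
            svc = AI_DEFAULT_PORTS[port]
            if not _auth_declared(meta):
                violations.append(f"{name}/{c['name']}: exposes {port} ({svc}) without {AUTH_ANNOTATION}=required")
            # hostPort/hostNetwork bind the port on the node itself, bypassing Service and
            # NetworkPolicy controls entirely, so they are refused even with the annotation
            if p.get("hostPort") or spec.get("hostNetwork"):
                violations.append(f"{name}/{c['name']}: {svc} port {port} bound on the node network")
    return violations


def check_service(svc):
    """Flag Services that publish an AI default port outside the cluster without the annotation."""
    meta = svc.get("metadata", {})
    spec = svc.get("spec", {})
    if spec.get("type") not in EXTERNAL_SERVICE_TYPES or _auth_declared(meta):
        return []
    violations = []
    for p in spec.get("ports", []):
        target = p.get("targetPort") or p.get("port")   # targetPort defaults to port
        if target in AI_DEFAULT_PORTS:
            violations.append(f"{meta.get('name', '<unnamed>')}: {spec['type']} Service publishes "
                              f"{target} ({AI_DEFAULT_PORTS[target]}) without {AUTH_ANNOTATION}=required")
    return violations


# Constructed manifests covering the admit and refuse cases.
OLLAMA_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ollama", "namespace": "ml"},
              "spec": {"containers": [{"name": "ollama", "image": "ollama/ollama",
                                       "ports": [{"containerPort": 11434}]}]}}
ANNOTATED_POD = {"apiVersion": "v1", "kind": "Pod",
                 "metadata": {"name": "ollama", "namespace": "ml",
                              "annotations": {AUTH_ANNOTATION: "required"}},
                 "spec": OLLAMA_POD["spec"]}
HOSTPORT_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "qdrant"},
                "spec": {"containers": [{"name": "qdrant", "image": "qdrant/qdrant",
                                         "ports": [{"containerPort": 6333, "hostPort": 6333}]}]}}
WEB_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
           "spec": {"containers": [{"name": "nginx", "image": "nginx", "ports": [{"containerPort": 80}]}]}}
EXPOSED_SVC = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "mlflow"},
               "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "targetPort": 5000}]}}

if __name__ == "__main__":
    for obj in (OLLAMA_POD, ANNOTATED_POD, HOSTPORT_POD, WEB_POD):
        print(obj["metadata"]["name"], check_pod(obj))
    print(EXPOSED_SVC["metadata"]["name"], check_service(EXPOSED_SVC))
```

The annotation is a declaration, not proof; the point of pairing it with the probe-based verification earlier on this page is that the cluster refuses undeclared exposure at admission time and the scanner catches declarations that turn out to be false.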
🎯 Security Leadership
  1. Map your full AI inventory before EU AI Act enforcement
     Watermarking obligations live August 2026; high-risk provisions December 2027 (pending ratification)
  2. Pre-build evidence pipelines for Articles 9, 12, 15, 16 and 17
     80% of the required evidence already exists in your K8s + cloud + KMS telemetry; wire it now, not under audit pressure
  3. Audit each AI vendor against the 5 AI compliance frameworks
     Most vendors disclose SOC 2 + ISO 27001 but NOT their NIST AI-RMF, ISO 42001 or MITRE ATLAS posture; ask explicitly
  4. Establish a continuous Shadow AI detection process
     Subscribe to Certificate Transparency logs + Shodan for your domains; most exposures show up in CT before they break in production
📋 Compliance Teams
  1. Document AI risk classification per workload
     EU AI Act Annex III categorizes high-risk AI uses; map your inventory to those categories now
  2. Maintain ROPA entries for AI workloads under GDPR Article 30
     GDPR Article 3 applies to the personal data of people in the EU regardless of where your servers sit (Brussels Effect)
  3. Track the bifurcated AI Act timeline
     Don't conflate Aug 2026 watermarking with Dec 2027 high-risk; they're two milestones, two control sets
Methodology

How we measure the AI security gap

01
AI Service Discovery
Shodan sweeps every 6h + crt.sh CT monitoring every 60s. We detect Ollama, Jupyter, MLflow, Flowise, vector databases, LLM proxies, and 40+ signatures.
02
CVE Intelligence
NVD polled every 2h. AI-related CVEs filtered using 25+ keywords: LLMs, transformers, embeddings, prompt injection, model poisoning.
03
Deep Verification
Every endpoint verified via DNS, TLS handshake, and API probing. We confirm genuine unauthenticated exposure before counting.
04
Regional Attribution
IP geolocation (MaxMind) maps each service and exposure to a country, then to one of eight macro-regions: Europe, North America, China, Asia-Pacific, India, South America, Middle East and Africa. Countries outside those groupings are reported as Other.
Beyond the public index

Monitor your own AI attack surface — not just the global trend.

This public index shows what's happening globally. EchelonGraph gives you the same visibility — scoped to your infrastructure, enriched with blast radius and remediation playbooks.
