Right now, tens of thousands of AI services — Jupyter notebooks, model stores, LLM proxies, vector databases — are reachable on the public internet. Thousands answer with no authentication at all — one HTTP request from full data theft or remote code execution. Most owners do not know they are listed below.
Every TLS certificate issued for an internal AI service is broadcast through public Certificate Transparency logs within seconds. The Shadow AI Radar is the public, citable, continuously-refreshed dataset of that exposure — 14 categories, 48 detection patterns, Shodan-verified liveness, refreshed every 60 seconds.
Past 24 hours: 2,506 new observations across LLM Proxy (9,819), Vector Database (190), AI Workflow Builder (37), Model Registry (13). 550 verified reachable without authentication. Most exposed product: MinIO Server (18,721). Most active region: China (15,039).
Tuning radar to CT log stream…
Click any category to expand the attacker playbook, blast radius, remediation steps, subdomain patterns, and CVE / OWASP references. Verified counts are confirmed-reachable observations; total counts include unverified rows still in the verification queue.
A subdomain like internal-rag-pipeline.acme.com tells an attacker that you run a RAG architecture, almost always on a default port (FastAPI/Flask 8000–9000). It confirms three things at once: (1) you have an embedding store reachable over HTTPS, (2) you have a backing LLM connected to it, and (3) somewhere in that stack there is privileged data — code, contracts, customer records — being indexed for retrieval.
Wholesale data exfiltration of every document indexed by the pipeline — typically internal wikis, support tickets, contracts, or source code. Successful poisoning attacks turn the LLM into a controlled puppet for every employee that consumes its answers.
*rag**retrieval**knowledge**kb-**eval-**rag-customer**rag-sales*Hostnames matching milvus-*, qdrant-*, chroma-*, weaviate-* signal a bare vector database — not a managed service. These products default to open access for developer convenience; the vast majority of internet-exposed instances accept anonymous reads and writes on their well-known ports (Milvus 19530, Qdrant 6333, Chroma 8000, Weaviate 8080).
Stealing embeddings is provably equivalent to stealing the documents they were built from. A successful read attack therefore exfiltrates years of internal corpus content. A successful write attack lets the attacker dictate what the company's own AI tells employees.
*milvus**qdrant**chroma**weaviate**vector-db**pinecone*Subdomains like openai-internal.startup.io, claude-bridge.acme.com, anthropic-proxy.fintech.ai are the chokepoints where engineering teams stash their model API keys. Every employee request flows through them, which means the proxy holds long-lived API tokens for the upstream model provider.
A direct hit on a single LLM proxy can cost a company hundreds of thousands of dollars in unbudgeted model spend, leak the company's system prompts (which encode product strategy), and expose any tool integrations wired into the agent layer.
*gpt-**claude-**anthropic-**openai-**openai.**llm-proxy**llm-gateway**llm-api**ai-proxy**model-proxy*Hostnames like mlflow-internal.acme.com, ray-dashboard.startup.io, model-registry.fintech.ai expose the build system for AI. These dashboards show every registered model version, every experiment's parameters and metrics, every artifact path, and — critically — the raw prompts and configurations a RAG / agent pipeline shipped to production.
Full model intellectual-property theft + fine-tuning data exposure + remote code execution on the head node. The Ray exposure alone — confirmed at 2,000+ public clusters — is consistently one of the top AI security incidents of the year.
*mlflow**ray**model-registry**registry**training**fine-tune*Subdomains like agent-orchestrator.acme.com or langserve-staging.startup.io expose an autonomous agent — an LLM with tools. The tools are the dangerous part: shell access, filesystem access, internal API calls, browser automation, even cloud account credentials.
Anything a tool the agent has access to can do — usually filesystem read, internal HTTP, and shell execution. A leaked agent endpoint is a direct foothold inside your VPC, no exploit required.
*ai-agent**langserve**langchain**autogen**agent-orchestrator**ai-copilot**agentic**crewai*Hostnames like llm-prompt-cache.acme.com or embeddings-gateway.startup.io are typically a Redis or Memcached instance fronting an LLM. The cache keys are full user prompts; the values are full model responses. Every cache hit is a transcript of an employee asking a private question.
A historical record of every privileged conversation a company's employees had with their AI tooling — typically the most sensitive material in the org, written in plain language. Public exposure is a near-automatic regulator escalation under GDPR / DPDP / HIPAA depending on content.
*cache**embeddings-gateway**prompt-cache**redis-llm*Subdomains like jupyter-internal.acme.com, notebook-staging.startup.io, or lab-ds.fintech.ai expose a full interactive Python execution environment. Jupyter notebooks ship with no authentication in single-user mode. Every running notebook has filesystem access, a built-in terminal, and typically contains API keys, database passwords, and cloud credentials embedded in code cells or .env files in the working directory.
Arbitrary code execution on the host machine with full filesystem access. Exposed notebooks are actively exploited for cryptocurrency mining and as pivot points into internal networks. Stored credentials in notebook cells provide lateral movement to cloud accounts, databases, and internal APIs.
*jupyter**jupyterhub**notebook**nb-**jupyter-lab**lab-ds**ipynb*Subdomains like chat-ai.acme.com, flowise.startup.io, or dify-internal.corp.ai expose a full AI workflow builder. These platforms store API keys for OpenAI, Anthropic, Azure, and local models in a single dashboard. Chat histories contain every question employees asked the AI — often including PII, financial data, legal discussions, and source code. Tool integrations provide access to internal databases, CRMs, and file systems.
Multi-provider API key theft enables LLMjacking ($46K-$100K/day in unauthorized inference bills). Chat history exfiltration exposes every sensitive question employees asked the AI. RCE vulnerabilities (CVE-2025-59528) provide full server compromise. These are the fastest-growing shadow AI surface.
*openwebui**open-webui**flowise**dify**n8n-ai**ai-workflow**ai-builder**chat-ui**chatbot-*Subdomains like inference-api.acme.com, torchserve.startup.io, or vllm-prod.fintech.ai expose production model serving infrastructure. Management APIs allow registering/unregistering models, viewing loaded model metadata, and accessing inference endpoints. TorchServe binds gRPC management ports to 0.0.0.0 by default (CVE-2024-35199), making internal management APIs publicly accessible.
Model poisoning via unauthorized model registration causes every downstream consumer to serve attacker-controlled output. ShellTorch RCE chain provides full server compromise. Model extraction through repeated inference queries enables intellectual property theft of proprietary AI models.
*torchserve**tf-serving**inference-**model-serve**serving-**prediction-**vllm**tgi-**hf-inference**text-gen*Subdomains like airflow.acme.com, dag-scheduler.startup.io, or pipeline-internal.corp.ai expose the orchestration control plane for ML training pipelines. Airflow dashboards reveal every DAG definition (pipeline code), connection credentials (database passwords, cloud API keys), and task execution logs — which frequently contain plain-text secrets (CVE-2024-45784). Variable endpoints expose every stored secret in the system.
Full credential exposure for every connected system — databases, cloud accounts, APIs, model registries. Pipeline manipulation enables training data poisoning that corrupts all downstream models. Task logs contain a historical record of every secret that ever transited the pipeline.
*airflow**dag-**ml-pipeline**data-pipeline**pipeline-**orchestrator-*Subdomains like label-studio.acme.com or annotation-tool.startup.io expose the data labeling platform used to prepare training datasets. These tools contain the raw training data (images, text, audio), annotation guidelines (which reveal model architecture intent), project configurations, and user accounts. CVE-2025-25295 allows reading arbitrary server files via path traversal.
Training data theft reveals the content and scope of AI projects. Modified annotations create poisoned training data that degrades or manipulates model behavior. Path traversal vulnerabilities expose server credentials and internal configuration files.
*label-studio**labelstudio**argilla**annotation-**labeling-**annotate-*Subdomains like minio-ml.acme.com, artifacts.startup.io, or model-storage.corp.ai expose S3-compatible object storage — the default artifact backend for MLflow, Kubeflow, and most ML pipelines. These stores contain trained model weights (intellectual property worth millions), training datasets (often containing PII), experiment artifacts, and configuration files with cloud credentials. MinIO ships with default credentials (minioadmin:minioadmin).
Complete intellectual property theft of every model trained by the organization. Training data exfiltration may contain PII subject to GDPR/HIPAA breach notification. Model poisoning via artifact replacement turns the production AI into an attacker-controlled puppet.
*minio**minio-**artifacts-**model-artifacts**model-storage**ml-storage*Subdomains like tensorboard.acme.com, wandb-internal.startup.io, or metrics-ml.corp.ai expose experiment tracking dashboards. These reveal every model's architecture (layer configurations, attention heads, embedding dimensions), hyperparameter search spaces, training data distributions, loss curves, hardware configurations (GPU types, cluster size), and environment variables.
Model architecture and hyperparameter theft enables competitors to replicate months of R&D. Training data distribution leaks reveal what data the model was trained on (potential regulatory exposure). Environment variables logged during training may contain cloud credentials.
*tensorboard**tb-**wandb**weights-biases**experiment-**metrics-ml*Subdomains like mcp-server.acme.com, mcp-gateway.startup.io, or tool-server.fintech.ai host MCP (Model Context Protocol) endpoints — the emerging standard for connecting LLMs to external tools and data. An exposed MCP server reveals every tool the AI can call (filesystem, database, API, browser), the system prompt governing its behavior, and the authentication tokens it uses to access internal services. Because MCP servers are designed to be plugged into Claude, ChatGPT, Cursor, and other AI clients, they often ship with zero authentication — the protocol itself has no built-in auth layer.
An exposed MCP server is a direct gateway into every system the AI assistant can access. This typically includes internal databases, code repositories, CRM systems, and cloud APIs — all reachable through the tool layer without additional authentication. The attacker inherits the full privilege set of the MCP server's service account.
*mcp-server**mcp-proxy**mcp-gateway**model-context**tool-server**mcp-bridge*EchelonGraph monitors Certificate Transparency and Shodan banner-grab data for the following subdomain conventions. Each pattern is a literal substring match against freshly-issued certificate hostnames; a single hostname can match multiple categories. Publishing this list keeps the methodology auditable — anyone with access to crt.sh can reproduce our detection logic.
*rag**retrieval**knowledge**kb-**eval-**rag-customer**rag-sales**milvus**qdrant**chroma**weaviate**vector-db**pinecone**gpt-**claude-**anthropic-**openai-**openai.**llm-proxy**llm-gateway**llm-api**ai-proxy**model-proxy**mlflow**ray**model-registry**registry**training**fine-tune**ai-agent**langserve**langchain**autogen**agent-orchestrator**ai-copilot**agentic**crewai**cache**embeddings-gateway**prompt-cache**redis-llm**jupyter**jupyterhub**notebook**nb-**jupyter-lab**lab-ds**ipynb**openwebui**open-webui**flowise**dify**n8n-ai**ai-workflow**ai-builder**chat-ui**chatbot-**torchserve**tf-serving**inference-**model-serve**serving-**prediction-**vllm**tgi-**hf-inference**text-gen**airflow**dag-**ml-pipeline**data-pipeline**pipeline-**orchestrator-**label-studio**labelstudio**argilla**annotation-**labeling-**annotate-**minio**minio-**artifacts-**model-artifacts**model-storage**ml-storage**tensorboard**tb-**wandb**weights-biases**experiment-**metrics-ml**mcp-server**mcp-proxy**mcp-gateway**model-context**tool-server**mcp-bridge*Every incident below is sourced to a primary advisory, vendor disclosure, or published research. The radar surfaces the same class of exposures continuously — these are the public moments where the gap became unmissable.
Three separate incidents within 20 days where Samsung Semiconductor engineers pasted proprietary source code, hardware test scripts, and internal meeting transcripts into ChatGPT — under OpenAI's then-default training-data retention policy. Triggered Samsung's company-wide ban on generative-AI tools.
Anyscale Ray's dashboard endpoint defaults to no authentication. Security researchers found thousands of public Ray clusters via CT-log + Shodan enumeration; the same dashboard accepts job-submission API calls leading to RCE on the head node. Documented attacks deployed cryptominers across enterprise GPU fleets.
A grieving passenger followed AI chatbot guidance on the airline's site for a bereavement-fare refund; the policy didn't exist. British Columbia Civil Resolution Tribunal ruled Air Canada is responsible for what its chatbot says. First major precedent on legal accountability for shadow-AI outputs.
Unauthenticated MLflow tracking servers exposed to the internet allowed `GET /model-versions/get-artifact?path=../../etc/passwd` style requests to traverse the host filesystem. CVSS 9.8. Affected every MLflow ≤ 2.10.0 — including ~3000 instances publicly discoverable via Shodan.
Researchers found dozens of malicious `pickle`-format models on Hugging Face Hub that executed code on load — stealing Hugging Face tokens, AWS credentials, and SSH keys from the data-scientist's machine. Adjacent to ongoing dataset-poisoning research on the same platform.
Wiz Research published a sweep of public Ollama and vLLM endpoints; both inference frameworks default to no authentication. Attackers can enumerate loaded models, send arbitrary prompts (burning customer GPU budget), and in some configurations remote-execute via known model-load CVEs.
Wiz Research discovered a fully open ClickHouse database belonging to DeepSeek, the Chinese LLM provider, exposed on a default port without authentication. Contained API keys, backend logs, and chat-history metadata. Highlighted that even foundation-model labs ship shadow infrastructure.
Multiple security teams (Tenable, Censys, GreyNoise) report 4000+ Jupyter notebook servers reachable on the public internet without authentication. Each provides interactive Python execution against the host — including any embedded credentials in environment variables, AWS/GCP tokens, internal data files.
Independent security researchers documented multiple cases of Claude.ai sessions and Anthropic API logs surfacing in public search-engine indexes via misconfigured analytics or shared-URL endpoints. Anthropic remediated promptly; the case underscored that LLM-front-end deployments need the same indexing hygiene as any web app.
Banner-grab telemetry from this very platform confirms thousands of Milvus, Qdrant, Chroma, Weaviate, and Ollama instances accepting anonymous queries — discoverable via the same Certificate-Transparency feed the Shadow AI Radar polls. See the live ticker on this page or the AI Threat Map for current counts.
We publish the methodology so the dataset is independently verifiable. Anyone with access to Certificate Transparency and Shodan can reproduce our detection logic.
Two public sources, no scraping, no proprietary signals:
48 literal substring matches against newly-issued certificate hostnames, grouped into the 14 risk categories shown above. See the full detection-pattern catalogue.
Every observation passes through a 6-state liveness probe so we never publish unverified false positives as “exposures”:
unverified — newly observed, probe pendingactive — HTTPS 200 + category-specific deep probe matchedauthenticated — login wall detectedresolved — DNS resolves but the deep probe didn't match — keeps the row, demotes from “active”unreachable — DNS / TCP failed; cert was issued but the service was never reachable from a public networkrechecking — user-triggered re-verification in flightCategory-specific deep probes hit endpoints like Jupyter /api/kernels, Ollama /api/tags, Weaviate /v1/meta, MLflow /api/2.0/mlflow/experiments/list, MinIO /api/v1/buckets, MCP tools/list — full list in code.
Detection ≠ compromise. The radar surfaces exposed AI services; it does not assert any service was breached. Owners may have intentional public access (research demos, public model playgrounds, educational workshops). Treat observations as starting points for verification, not as confirmed vulnerabilities.
MITRE ATLAS catalogues adversary techniques targeting ML systems. AML.T0011 — "Discover ML Model Family" — covers the reconnaissance step the Shadow AI Radar surfaces.
LLM07 covers third-party / shadow components in the LLM supply chain. Exposed MLflow registries, vector databases, and Jupyter notebooks are textbook LLM07 instances.
NIST AI Risk Management Framework MS-2 (Measure) requires continuous monitoring of AI system risks. Shadow-AI exposure is a measurable, external-attack-surface risk.
High-risk AI systems must implement risk management (Art. 9) and demonstrate accuracy + robustness (Art. 15). Exposed inference services are direct evidence of inadequate controls.
ISO 42001 Annex A.8 requires organisations to manage information disclosure to interested parties. Subdomain leaks via CT logs are an unmanaged disclosure pathway.
EchelonGraph. (2026). Shadow AI Radar — Live Exposed AI Infrastructure. Retrieved from https://echelongraph.io/shadow-ai-radar@misc{echelongraph_shadow_ai_radar,
author = {EchelonGraph},
title = {Shadow AI Radar — Live Exposed AI Infrastructure},
year = {2026},
url = {https://echelongraph.io/shadow-ai-radar}
}