
AI Infrastructure Exposes Widespread Security Gaps

We used certificate transparency logs to pull just over 2 million hosts with 1 million exposed services.

Scope: 2 million hosts, 1 million exposed services

Intruder’s scan began with a simple, repeatable technique: mining certificate transparency logs. The team retrieved just over 2 million hosts and identified roughly 1 million exposed services. The conclusion the researchers reached was blunt: "the AI infrastructure we scanned was more vulnerable, exposed, and misconfigured than any other software we've ever investigated." That scale — and the patterns found across it — frame the rest of the findings.

No authentication by default

A single insecure design choice recurs throughout the dataset: many projects ship without authentication enabled. The report states plainly that authentication "simply isn't enabled by default in many of these projects." As a result, fresh installs often drop users straight into high‑privilege accounts with full management access. Intruder warns that "real user data and company tooling were sitting exposed to anyone who looked," creating risks that range from reputational damage to full compromise.

Freely accessible chatbots — OpenUI, multimodal models, and exposed histories

Researchers found numerous chatbots that left conversations open to the internet. One OpenUI‑based instance exposed a user's full LLM conversation history. Other generic chatbots were hosting a wide range of models — including multimodal LLMs — with no access controls. Intruder notes that malicious actors can "jailbreak most models to bypass safety guardrails" and use someone else's infrastructure to generate harmful outputs without attribution or logging to their own accounts.

The team also observed instances exposing large volumes of personal NSFW conversations, and discovered Claude‑powered "goon‑bots" that disclosed API keys in plaintext. Across sectors such as government, marketing, and finance, the researchers "identified over 90 exposed instances," where chatbots, their workflows, prompts, and outward access were open — allowing an attacker to modify workflows, redirect traffic, expose user data, or poison responses.

Exposed agent management platforms: n8n and Flowise

Agent management platforms represented a distinct risk. Exposed instances of n8n and Flowise were observed, including setups that the operators had clearly intended to be internal but which were reachable from the internet without authentication. One Flowise instance "exposed the entire business logic of an LLM chatbot service" and listed connected credentials.

Flowise was "hardened enough not to reveal the stored values to an unauthenticated visitor," the report says, which limits immediate damage — but Intruder cautions that an attacker could still use the connected tools to exfiltrate sensitive information. Other exposed setups included internet parsing tools and "potentially dangerous local functions, such as file writes and code interpreting," making server‑side code execution a realistic prospect. In lab triage, the team found patterns of insecure deployment — hardcoded credentials, applications running as root, insecure Docker setups — and within days discovered arbitrary code execution in one popular AI project.

Unsecured Ollama APIs and frontier models

Ollama APIs were widely exposed, often with a model connected and no authentication. Intruder fired a single prompt — "Hello" — to every server that listed a connected model. Of the 5,200+ servers queried, 31% answered. Sample responses from those instances included:

  • "Greetings, Master. Your command is my law. What is your desire? Speak freely. I am here to fulfill it, without hesitation or question."
  • "I am here to assist you in any way I can with your health and wellbeing issues. Whether it's anxiety, sleep problems, or other concerns, don't hesitate to ask me for help."
  • "Welcome! I'm an AI assistant integrated with our cloud management systems. I can help you with operational tasks, infrastructure deployment, and service queries."

Intruder notes that Ollama "doesn't store messages directly," reducing some exposure risk for conversation history, but many of the instances were wrapping paid frontier models. Across all servers the team identified 518 wrappers using well‑known frontier models from Anthropic, Deepseek, Moonshot, Google, and OpenAI — amplifying the potential cost and policy implications of abuse.

What this means for technologists, affected enterprises, and procurement leaders

  • Technologists and security teams: Expect to find insecure defaults, hardcoded credentials, and tooling running with excessive privileges. The report highlights that "speed is winning" and security is lagging, so teams will need to triage exposed endpoints, enforce authentication, and minimize tool capabilities (for example, removing file‑write and code execution functions where unnecessary).
  • Affected enterprises and procurement leaders: Instances discovered spanned government, marketing, and finance; business logic, workflows, and credential lists were among the artifacts left exposed. Procurement and operations will have to demand hardened defaults from vendors and verify network segmentation before deploying self‑hosted LLM tooling.
  • End users and the general public: Open chat histories and misconfigured bots can surface sensitive or NSFW content without consent, while attackers can exploit exposed models to generate illicit material or execute fraud using someone else's paid model access.
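The triage the report calls for (ports published to every interface, authentication left off, containers running as root, hardcoded credentials, file-write and code-execution tools left enabled) can be checked mechanically before a stack goes live. The following is an added example, not Intruder's tooling: it audits a constructed deployment description in the shape of a parsed docker-compose file, so service names, ports and the `auth_enabled`/`tools` fields are assumptions made for illustration.

```python
"""Audit a self-hosted AI stack for the insecure deployment patterns
named in the Intruder findings. Added example; the DEPLOYMENT dict is
constructed to mirror those patterns and is not real scan data."""
import re

# Local functions the report flags as dangerous when reachable from the internet.
RISKY_TOOLS = {"file_write", "code_interpreter", "shell"}
SECRET_KEY_RE = re.compile(r"(KEY|TOKEN|PASSWORD|SECRET)", re.I)

# Constructed deployment: "ollama" is published on all interfaces with no
# auth; "flowise" is bound to loopback but runs as root with a hardcoded
# key and a code-interpreter tool. Field names are assumptions.
DEPLOYMENT = {
    "ollama": {
        "ports": ["0.0.0.0:11434:11434"],
        "environment": {"OLLAMA_HOST": "0.0.0.0"},
        "auth_enabled": False,
    },
    "flowise": {
        "ports": ["127.0.0.1:3000:3000"],
        "user": "root",
        "environment": {"OPENAI_API_KEY": "sk-constructed-example-key"},
        "auth_enabled": True,
        "tools": ["http_request", "code_interpreter"],
    },
}

def published_everywhere(port_spec):
    """Docker publishes on all interfaces unless a host IP is given."""
    parts = port_spec.split(":")
    host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
    return host_ip in ("0.0.0.0", "::", "")

def audit_service(name, svc):
    """Return (severity, finding) tuples for one service definition."""
    findings = []
    for spec in svc.get("ports", []):
        if published_everywhere(spec):
            findings.append(("high", f"{name}: port {spec} published on all interfaces"))
    if not svc.get("auth_enabled", False):
        findings.append(("high", f"{name}: authentication not enabled"))
    if svc.get("user", "root") == "root":  # assume image default is root when unset
        findings.append(("medium", f"{name}: runs as root"))
    for key, val in svc.get("environment", {}).items():
        if SECRET_KEY_RE.search(key) and val and not val.startswith("${"):
            findings.append(("high", f"{name}: hardcoded credential in {key}"))
    for tool in sorted(set(svc.get("tools", [])) & RISKY_TOOLS):
        findings.append(("medium", f"{name}: exposes dangerous local function '{tool}'"))
    return findings

def audit(deployment):
    return [f for name, svc in deployment.items() for f in audit_service(name, svc)]

def exposed_unauthenticated(deployment):
    """Services showing the exact combination the scan found: reachable from
    every interface and no authentication."""
    return sorted(name for name, svc in deployment.items()
                  if not svc.get("auth_enabled", False)
                  and any(published_everywhere(p) for p in svc.get("ports", [])))
```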

Intruder's closing admonition is direct: "Don't wait for an attacker to find your exposed AI infrastructure first." The scan shows a fast‑moving adoption curve colliding with insecure defaults, and the result is a broad, discoverable attack surface — from exposed chat histories and plaintext API keys to agent platforms with dangerous local functions. The concrete next step, the researchers imply, is to stop treating these projects as a one‑click deployment and start treating them like networked services that require authentication, least privilege, and hardened deployment patterns.
