AIMap: Scanner for Exposed AI Endpoints Including MCP

Since MCP became the de facto standard for models calling external tools, the number of MCP servers deployed in production has grown steadily. Many of those deployments, however, have not undergone any formal hardening process. AIMap, presented this week on Help Net Security, is an open-source tool that does exactly that: it locates these servers on the internet, enumerates them, and subjects them to basic exposure testing.

What AIMap Does Exactly

AIMap functions as a scanner specifically oriented toward AI infrastructure. Its goal is not generic port scanning in the Shodan style, but rather identifying endpoints that respond to protocols native to the model ecosystem: inference APIs, Ollama instances, OpenAI-compatible servers, and—this is what matters for our audience—unauthenticated MCP servers.

The workflow is straightforward: AIMap performs discovery of active hosts, detects the type of service running on each relevant port, and attempts to interact with the endpoint to determine whether it requires credentials or responds directly to arbitrary requests. In the case of MCP servers, that means attempting to list available tools (`tools/list`) without presenting any token. If the server responds with the tool catalog, the exposure is confirmed.

The project is available on GitHub under an open license, which allows it to be audited, extended, and integrated into existing security pipelines.

Why This Matters Now

The problem that AIMap documents is not new, but it has worsened. When MCP was the territory of experimenters, an exposed MCP server represented a contained risk: few tools, limited impact. In May 2026, a production MCP server can have access to databases, file systems, internal APIs, or the ability to execute code. An endpoint like that, accessible without authentication, is equivalent to leaving an administrative terminal open on the internet.

There is also an organizational factor. Claude Code allows any developer to spin up an MCP server with just a few lines in their `claude_desktop_config.json` or via a marketplace plugin. Deployment friction has dropped significantly; the associated security culture has not necessarily kept pace. Teams that configure these servers for internal use sometimes expose them to the outside world by accident through network misconfigurations or convenience decisions.

For Whom This Is Useful

AIMap has two clear audiences:

• Security and red teams who need to map the attack surface of an organization that has adopted Claude Code, MCP, or proprietary inference platforms. The tool gives them visibility into what is exposed before someone with worse intentions finds it.

• Developers and integration engineers who want to verify that their own MCP server deployments are properly isolated. Running AIMap against your own IP range is a cheap and straightforward sanity check.

What AIMap does not do—and it is worth being clear about—is exploit vulnerabilities. It is a reconnaissance and exposure verification tool, not an exploitation framework. The distinction matters both legally and in terms of what you can do with its results.

What Basic Measures Apply

If your team operates MCP servers accessible from untrusted networks, the mitigation vectors are known: mandatory authentication at the transport layer, IP allowlist restrictions, use of tunnels or VPNs instead of direct exposure, and periodic review of which tools each server has registered. Claude Code supports configuring MCP servers in local mode (`stdio`) precisely to avoid network exposure when it is not necessary.

The appearance of AIMap does not indicate that the MCP protocol has a design flaw; it indicates that the ecosystem has matured enough that someone considered it necessary to build a dedicated scanner for it. That is, in its own way, a signal of real adoption.

---

EP: Tools like AIMap are useful precisely because they make visible what already exists but nobody wants to look at. That it has appeared now suggests that the number of MCP servers exposed on the internet is significant enough to justify a dedicated scanner. It is worth taking seriously before someone else does it for you.