SecEng Surface Scanner
Find every AI vendor, SDK, runtime, and shadow model before it becomes an attack surface.
Surface Scanner runs across your browser, repos, and IDE — detecting AI model providers, agent frameworks, vector stores, widgets, and inference endpoints from signals alone. Every hit resolves against a versioned vendor catalog and flows into a structured AI asset register.
Platforms
Chrome extension
In-page side panel, one-click scan, 120+ vendor catalog
GitHub scanning
Repo import, dependency graph, SDK fingerprinting
VS Code extension
Inline flags, real-time catalog resolution, workspace scan
CLI / API
Scripted surface scans, CI/CD integration, JSON output
Capabilities
What Surface Scanner does.
Browser AI fingerprinting
The Chrome extension captures DOM selectors, script URLs, globals, cookies, local storage, network requests, and headers — resolving every AI signal against a versioned vendor catalog without touching internal APIs.
GitHub repository scanning
Scans repos for AI SDK imports, framework usage, config patterns, and model references. Identifies LangChain, LlamaIndex, OpenAI client, HuggingFace, AutoGen, and 60+ other libraries from code structure alone.
VS Code workspace analysis
Flags AI dependencies, risky patterns, and unreviewed SDK additions inline as you code. Integrates with the shared savvy-stacks catalog for real-time vendor resolution inside the editor.
AI vendor registry resolution
Every detected signal resolves against a versioned catalog of 120+ AI vendors, model families, agent frameworks, vector stores, guardrails, eval harnesses, and inference runtimes — one canonical source.
Shadow AI detection
Surfaces undocumented AI endpoints, embedded widgets, runtime globals, and SDK bundles that don't appear in engineering docs or supply-chain manifests — found by behavioral signal analysis.
Attack surface register export
Generates a structured AI asset inventory with vendor, family, confidence, trust boundary, owner, and risk tags — ready for governance, audit, or red-team handoff to the Attack phase.
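As an added illustration of the repository-scanning and register-export capabilities above (this is not the Surface Scanner's code, and the vendor catalog, field values and risk-tag names are constructed assumptions, not the product's 120+ vendor catalog), the Python below fingerprints AI SDK imports from source structure alone via the AST, cross-checks them against the dependency manifest, attributes an owner from CODEOWNERS, and emits an asset register with the vendor, family, confidence, trust boundary, owner and risk tag fields the page lists. The sample repository is embedded inline as a constructed fixture so the block runs offline; scan_tree reads a real checkout into the same shape.

```python
"""Added example: AST-based AI SDK fingerprinting into a structured asset register.

Not the Surface Scanner's own code. CATALOG is a constructed stand-in for a
versioned vendor catalog, keyed by Python import name (real distribution names
can differ from import names; the stand-in ignores that).
"""
import ast
import json
import os
import re
from dataclasses import asdict, dataclass

CATALOG_VERSION = "example-0.1"  # constructed; the real catalog's versioning is not published

# Constructed catalog. trust_boundary records where data passed to the SDK ends up.
CATALOG = {
    "openai":       {"vendor": "OpenAI",      "family": "model-provider",    "trust_boundary": "external-api"},
    "anthropic":    {"vendor": "Anthropic",   "family": "model-provider",    "trust_boundary": "external-api"},
    "langchain":    {"vendor": "LangChain",   "family": "agent-framework",   "trust_boundary": "in-process"},
    "llama_index":  {"vendor": "LlamaIndex",  "family": "rag-framework",     "trust_boundary": "in-process"},
    "transformers": {"vendor": "HuggingFace", "family": "inference-runtime", "trust_boundary": "local-model"},
    "autogen":      {"vendor": "AutoGen",     "family": "agent-framework",   "trust_boundary": "in-process"},
    "pinecone":     {"vendor": "Pinecone",    "family": "vector-store",      "trust_boundary": "external-api"},
}


@dataclass
class Asset:
    vendor: str
    family: str
    trust_boundary: str
    confidence: str      # "high": imported in code; "medium": declared in manifest only
    owner: str
    risk_tags: list
    evidence: list       # files where the signal was observed


def _imports(source):
    """Top-level package names a module imports, found by parsing (never executing) it."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return set()
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def _requirements(text):
    """requirements.txt -> {normalized name: pinned?}; '==' counts as pinned."""
    reqs = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            name = re.split(r"[<>=!~\[ ;]", line, maxsplit=1)[0].lower().replace("-", "_")
            reqs[name] = "==" in line
    return reqs


def _owner(path, codeowners):
    """Last matching CODEOWNERS rule wins (GitHub semantics); prefix match only here."""
    owner = "unassigned"
    for line in codeowners.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#"):
            pattern = parts[0].lstrip("/")
            if pattern == "*" or path.startswith(pattern):
                owner = parts[1]
    return owner


def scan_sources(sources):
    """sources: {relative path: text}. Returns the asset register as a list of dicts."""
    reqs = _requirements(sources.get("requirements.txt", ""))
    codeowners = sources.get("CODEOWNERS") or sources.get(".github/CODEOWNERS", "")
    assets = {}
    for path, text in sources.items():
        if not path.endswith(".py"):
            continue
        for pkg in _imports(text) & set(CATALOG):
            asset = assets.setdefault(pkg, Asset(confidence="high", owner=_owner(path, codeowners),
                                                 risk_tags=[], evidence=[], **CATALOG[pkg]))
            asset.evidence.append(path)
    # Declared in the manifest but never imported: still an asset, lower confidence.
    for pkg in reqs:
        if pkg in CATALOG and pkg not in assets:
            assets[pkg] = Asset(confidence="medium", owner="unassigned", risk_tags=[],
                                evidence=["requirements.txt"], **CATALOG[pkg])
    for pkg, asset in assets.items():
        if asset.trust_boundary == "external-api":
            asset.risk_tags.append("external-data-egress")
        if pkg in reqs and not reqs[pkg]:
            asset.risk_tags.append("unpinned-dependency")
        if pkg not in reqs:
            asset.risk_tags.append("undeclared-dependency")  # shadow SDK: used but not in the manifest
    return [asdict(a) for a in assets.values()]


def scan_tree(root):
    """Read a real checkout from disk into the {path: text} shape scan_sources expects."""
    sources = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".py") or name in ("requirements.txt", "CODEOWNERS"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[rel] = fh.read()
    return sources


# Constructed fixture: a small repo with one declared-but-unpinned SDK, one pinned
# framework, one undeclared vector-store client, and one undeclared local runtime.
SAMPLE_REPO = {
    "CODEOWNERS": "# constructed\n/services/chat/ @platform-ai\n",
    "requirements.txt": "openai>=1.0\nlangchain==0.2.5\nfastapi==0.110\n",
    "services/chat/agent.py": "import openai\nfrom langchain.agents import AgentExecutor\nimport pinecone\n",
    "tools/local_infer.py": "from transformers import pipeline\n",
}

if __name__ == "__main__":
    print(json.dumps({"catalog_version": CATALOG_VERSION, "assets": scan_sources(SAMPLE_REPO)}, indent=2))
```

Run against a checkout with scan_sources(scan_tree("path/to/repo")). The two cross-checks are what make the register useful for the shadow-AI case the page describes: an import with no manifest entry is the undeclared SDK that never reached the supply-chain review, and an unpinned external-api entry is the one whose behaviour can change on the vendor's schedule rather than yours.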
Live demo
See a surface discovery run — rendered from a real repo fixture.
The demo walks through a GitHub repo scan of an AI platform: 112 signals detected, vendor catalog resolution, RAG boundary analysis, and a structured risk output — the same format used in red-team handoffs.