Are Attackers Already Targeting Your LLM?

The rapid integration of large language models into core business operations has opened a new and valuable attack surface, and threat actors are already working it through systematic reconnaissance. While organizations race to put generative AI to work, attackers are moving just as quickly to map this territory and find unprotected gateways to sensitive systems. The theoretical risk of AI-centric attacks is now a documented reality: recent honeypot data shows a surge in automated probes against exposed LLM infrastructure. That shift is a turning point, and security postures need to evolve to cover a class of exposure that did not exist at this scale until recently.

Your New AI Is Live, but Who Else Is Talking to It?

Any LLM endpoint reachable from the internet should be assumed to be under scan. Honeypots run by GreyNoise to mimic LLM infrastructure recorded roughly 91,000 attack sessions between late 2025 and early 2026. The activity was not a slow trickle but a concentrated flood: 80,469 of those sessions arrived in a single 11-day burst, a dramatic escalation in automated reconnaissance.

The volume and regularity of these interactions show that surveillance of AI systems is widespread and methodical. Attackers are no longer experimenting with the technology; they are systematically searching for misconfigured servers and exposed APIs. For any organization deploying LLMs the conclusion is simple: a publicly accessible AI endpoint will be found, and the only open question is when.

The New Frontier of Cyber Attacks: Why LLMs Are a Prime Target

Large language models have moved quickly from niche research projects to critical business infrastructure, handling everything from customer service to data analysis. That shift has created a new and valuable attack surface. Because these models often bridge public-facing interfaces and internal corporate systems, reaching back-end data and APIs on the user's behalf, they are an attractive entry point for adversaries.

The primary objective of the current wave is reconnaissance. Threat actors are methodically probing for misconfigured servers and unprotected APIs that would give them unauthorized access to commercial AI models. Every live, unauthenticated endpoint they find today becomes an entry on a target list for later, more sophisticated campaigns, whether data exfiltration or resource hijacking (consuming someone else's compute and paid API quota).

A Tale of Two Campaigns: How Attackers Are Probing Your AI

The first campaign was mass scanning, notable for its volume and breadth. It systematically probed more than 73 distinct LLM models, including OpenAI's GPT, Google's Gemini, Anthropic's Claude and Meta's Llama families. The probes were simple, benign-looking prompts such as "hi" or "How many states are there in the United States?", chosen to confirm a live, responding endpoint without tripping content filters or basic alerting. Over 80,000 of the sessions traced back to just two IP addresses, each with a long and documented history of exploiting hundreds of other known vulnerabilities.

The second, narrower campaign used Server-Side Request Forgery (SSRF) against one specific feature: Ollama's "model pull" endpoint. A pull request names the registry the server should download a model from, so supplying an attacker-controlled registry URL makes the Ollama host itself issue an outbound request to that address. The attackers pointed those requests at out-of-band application security testing (OAST) callback hosts, which record when the target connects and so confirm that the SSRF worked. A notable spike occurred over the Christmas holiday, a common tactic for exploiting reduced security staffing. The tooling involved is the same OAST infrastructure legitimate researchers rely on, which blurs the line between security research and grey-hat probing.

From the Researcher's Desk: Evidence and Expert Analysis

Security experts have analyzed this activity and concluded it is far from random noise. As Bob Rudis, Vice President of Data Science at GreyNoise, states, “If you’re running exposed LLM endpoints, you’re likely already on someone’s list.” The data supports this assertion, indicating the mass scanning was the work of a “professional threat actor conducting reconnaissance.” The IP addresses involved have been linked to over four million previous sensor hits, demonstrating a consistent and professional approach to vulnerability discovery.

Analysis of the SSRF campaign showed heavy automation. Although the requests came from 62 IP addresses in 27 countries, 99% of them shared the same JA4H signature. JA4H fingerprints the HTTP layer of a request (method, version, header count and ordering, accepted language, cookie usage), so it identifies the client software rather than the address it connects from; one value across dozens of addresses strongly suggests a single shared automation tool, such as Nuclei, coordinating the effort. That uniformity points to a deliberate, well-organized operation rather than disparate, opportunistic attacks.

Hardening Your Defenses: Actionable Steps to Protect Your LLM

Organizations can act immediately against mass reconnaissance. Block the IP addresses and Autonomous System Numbers (ASNs) identified in these scanning campaigns, bearing in mind that the mass scanner came from two addresses while the SSRF campaign used 62, so address blocking alone will not stop a distributed actor. Apply strict rate limiting on LLM endpoints to blunt the rapid-fire requests automated scanners depend on, and require authentication rather than leaving the endpoints anonymous. Finally, monitor logs for scanner patterns: a single IP querying several models in quick succession, or prompts that match the known probe strings.
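The log patterns described above, as an added example that is not part of the original article or GreyNoise's tooling: the script below parses a constructed JSON-lines gateway log (the field names ts, src_ip, model, prompt and ja4h are assumptions about what the proxy records) and flags three things: one source IP touching several models within a short window, the exact liveness prompts reported in the campaign, and one JA4H fingerprint shared across many source IPs, the signature noted in the SSRF analysis above. The thresholds and fingerprint strings are illustrative.

```python
"""Added example (not from the article or GreyNoise): detecting the
scanning patterns described above in LLM gateway logs.

Assumed log format: one JSON object per line with ts (epoch seconds),
src_ip, model, prompt and the JA4H fingerprint the proxy recorded.
Thresholds are illustrative starting points, not tuned values."""
import json
from collections import defaultdict

# Liveness probes reported in the article, compared after normalisation.
SCANNER_PROMPTS = {"hi", "how many states are there in the united states?"}

# Constructed fingerprints: they have the shape of JA4H values but were
# not observed anywhere.
JA4H_SCAN_A = "ge11nn03enus_6f2f1d0ea12b_000000000000_000000000000"
JA4H_SCAN_B = "ge11nn02enus_0a1b2c3d4e5f_000000000000_000000000000"
JA4H_SDK = "po11nn04enus_d41d8cd98f00_000000000000_000000000000"
JA4H_APP = "po11nn06enus_2cf24dba5fb0_000000000000_000000000000"


def _rec(ts, ip, model, prompt, ja4h):
    return {"ts": ts, "src_ip": ip, "model": model, "prompt": prompt, "ja4h": ja4h}


# Constructed sample log (not real traffic).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec(1000, "203.0.113.7", "gpt-4o", "hi", JA4H_SCAN_A),
    _rec(1004, "203.0.113.7", "gemini-1.5-pro", "hi", JA4H_SCAN_A),
    _rec(1009, "203.0.113.7", "claude-3-5-sonnet",
         "How many states are there in the United States?", JA4H_SCAN_A),
    _rec(1013, "203.0.113.7", "llama3.1:70b", "hi", JA4H_SCAN_A),
    _rec(1200, "198.51.100.20", "gpt-4o", "Summarize this support ticket for me", JA4H_SDK),
    _rec(1300, "198.51.100.20", "gpt-4o", "Draft a reply to the customer", JA4H_SDK),
    _rec(2000, "192.0.2.10", "llama3.1:70b", "hi", JA4H_SCAN_B),
    _rec(2001, "192.0.2.11", "llama3.1:70b", "hi", JA4H_SCAN_B),
    _rec(2002, "192.0.2.12", "llama3.1:70b", "hi", JA4H_SCAN_B),
    _rec(5000, "198.51.100.21", "gemini-1.5-pro", "hi there, can you help me plan a trip?", JA4H_APP),
])


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def multi_model_probers(records, min_models=3, window_s=60):
    """IPs that query >= min_models distinct models within window_s seconds.
    Scanners enumerate models quickly; a real client usually pins one or two."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["src_ip"]].append((r["ts"], r["model"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            models = {m for t, m in events[i:] if t - start <= window_s}
            if len(models) >= min_models:
                flagged[ip] = sorted(models)
                break
    return flagged


def scanner_prompt_ips(records):
    """IPs sending the exact low-effort liveness probes. Trimming and
    case-folding catches trivial variants; a longer prompt that merely
    starts with "hi" does not match."""
    return sorted({r["src_ip"] for r in records
                   if r["prompt"].strip().lower() in SCANNER_PROMPTS})


def shared_fingerprints(records, min_ips=3):
    """JA4H values seen from >= min_ips distinct source IPs. One HTTP client
    fingerprint behind many addresses points at one tool driving a
    distributed scan, the pattern reported for the SSRF campaign."""
    ips = defaultdict(set)
    for r in records:
        ips[r["ja4h"]].add(r["src_ip"])
    return {fp: sorted(v) for fp, v in ips.items() if len(v) >= min_ips}


def report(records):
    return {
        "multi_model_probers": multi_model_probers(records),
        "scanner_prompt_ips": scanner_prompt_ips(records),
        "shared_fingerprints": shared_fingerprints(records),
    }


if __name__ == "__main__":
    print(json.dumps(report(parse_log(SAMPLE_LOG)), indent=2))
```

Run against the sample, the multi-model detector flags only 203.0.113.7, the prompt detector flags that address plus the three 192.0.2.x hosts, and the fingerprint detector surfaces the 192.0.2.x trio even though each address on its own looks unremarkable. The three detectors are complementary: the distributed trio never touches a second model, and the single heavy scanner never shares its fingerprint, so neither would be caught by the other's rule alone.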

Mitigating the SSRF and model pull abuse requires specific configuration. Ollama deployments should be able to pull models only from a pre-approved list of trusted registries, so that an attacker-supplied registry URL is rejected before the server makes any outbound request; Ollama's API has no built-in authentication, so it should not face the internet at all unless an authenticating proxy sits in front of it. At the network level, blocking known Out-of-band Application Security Testing (OAST) domains at the DNS layer disrupts an attacker's ability to confirm a successful exploit, though it does not stop the request itself, so egress filtering from the model host is the stronger control. Monitoring network traffic for JA4 fingerprints associated with common offensive security tools can also give early warning that an automated attack is in progress.
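One way to enforce the registry allowlist in front of Ollama, as an added example rather than Ollama's own code or configuration: a reverse proxy or sidecar inspects the JSON body of POST /api/pull before forwarding it. The parsing follows Ollama's documented model reference format, [host/][namespace/]model[:tag] with registry.ollama.ai as the default registry, and rejects the `insecure` flag that would downgrade the pull to plain HTTP. The allowlist contents, the models.internal.example registry and the callback.attacker.example host are constructed for the example.

```python
"""Added example: allowlist check for Ollama /api/pull requests.

Not Ollama's own code. Assumes the check runs in a reverse proxy or sidecar
in front of the Ollama API and sees the raw JSON request body. Model
references follow Ollama's documented [host/][namespace/]model[:tag] form,
where the rightmost segment is the model, the one before it the namespace,
and anything further left the registry host (optionally with a scheme)."""
import json

DEFAULT_REGISTRY = "registry.ollama.ai"
# Constructed allowlist: the public registry plus a hypothetical internal one.
TRUSTED_REGISTRIES = {DEFAULT_REGISTRY, "models.internal.example"}


def registry_host(model_ref: str) -> str:
    """Return the registry host a pull of model_ref would contact."""
    ref = model_ref.strip().split("@", 1)[0]   # drop an optional digest suffix
    parts = ref.rsplit("/", 2)
    if len(parts) < 3:
        return DEFAULT_REGISTRY                # "model[:tag]" or "namespace/model"
    host = parts[0]
    if "://" in host:                          # tolerate "https://host/ns/model"
        host = host.split("://", 1)[1]
    return host


def _strip_port(hostport: str) -> str:
    """Remove a :port suffix, handling bracketed IPv6 literals."""
    if hostport.startswith("["):
        end = hostport.find("]")
        return hostport[1:end] if end != -1 else hostport
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def pull_allowed(model_ref: str, trusted=TRUSTED_REGISTRIES) -> tuple[bool, str]:
    """Decide whether a pull may proceed, returning (allowed, reason)."""
    host = registry_host(model_ref)
    if not host or "/" in host:
        return False, f"malformed registry host {host!r}"
    name = _strip_port(host).lower()
    if name in trusted:
        return True, f"registry {name} is trusted"
    # An attacker-controlled host here is exactly the SSRF the campaign used:
    # the Ollama server would connect out to it to fetch a manifest.
    return False, f"registry {name} is not in the allowlist"


def check_pull_request(body: str) -> tuple[bool, str]:
    """Validate the JSON body of POST /api/pull. Ollama reads the model
    reference from "model" (older clients send "name")."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not JSON"
    if not isinstance(data, dict):
        return False, "body is not an object"
    ref = data.get("model") or data.get("name")
    if not isinstance(ref, str) or not ref.strip():
        return False, "no model reference"
    if data.get("insecure"):
        return False, "insecure pulls (plain HTTP / unverified TLS) are not permitted"
    return pull_allowed(ref)


if __name__ == "__main__":
    for body in (
        '{"model": "llama3.1:70b"}',
        '{"name": "library/llama3.1"}',
        '{"model": "models.internal.example:5000/team/model:v1"}',
        '{"model": "callback.attacker.example/library/llama3"}',
        '{"model": "https://callback.attacker.example/library/llama3"}',
        '{"model": "llama3", "insecure": true}',
    ):
        print(body, "->", check_pull_request(body))
```

Because the decision is made on the request before Ollama sees it, the server never initiates the outbound connection, which is what a DNS-layer OAST block alone cannot guarantee. Keep the allowlist to bare hostnames and compare case-insensitively; the port is stripped deliberately so that an attacker cannot bypass a hostname match by appending one.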

The evidence of coordinated campaigns against LLM infrastructure confirms that the grace period for securing AI is over. Attackers have moved beyond theoretical exploration and are actively building lists of vulnerable targets for future exploitation. The systematic nature of the probes shows a clear strategic interest in this attack surface. Organizations must therefore treat LLM security as an immediate priority rather than a future consideration, with defenses tailored to the specific ways these systems are exposed.
