
Your LLM Infrastructure Is Already on Attacker Target Lists

The surge in attacks on AI deployments isn’t coming—it’s already here. Between October 2025 and January 2026, researchers observed over 91,000 attack sessions against exposed LLM-related infrastructure through honeypot environments, revealing systematic efforts to map and exploit the enterprise AI attack surface.

If you’re running large language models in production, you need to understand something uncomfortable: you’re probably already on someone’s list. Not a theoretical future threat list—an active reconnaissance list being built right now.

The Christmas Spike: 1,688 Attacks in 48 Hours

Over the 2025 holiday period, threat intelligence firm GreyNoise observed something alarming through their honeypot infrastructure. In just 48 hours around Christmas, attackers launched 1,688 attack sessions targeting AI model hosting environments. This wasn’t random scanning—it was deliberate, methodical probing of a rapidly expanding attack surface that most security teams are still learning how to secure.

The numbers tell a stark story. From October 2025 through January 2026, researchers captured 91,403 distinct attack sessions across two campaigns, both focused on identifying weaknesses in how organizations are deploying AI systems in production environments.

Two Campaigns, One Goal: Finding the Weak Points

Campaign One: SSRF Exploitation at Scale

The first campaign ran continuously from October through January, exploiting server-side request forgery (SSRF) techniques against popular AI-adjacent infrastructure. Attackers specifically targeted:

  • Ollama deployments by injecting malicious registry URLs into the model pull mechanism to trigger outbound connections

  • Twilio SMS webhook integrations by abusing the MediaUrl parameter to force servers to communicate with attacker-controlled infrastructure

  • ProjectDiscovery’s OAST callbacks to confirm successful out-of-band exploitation

What’s particularly concerning is the fingerprinting analysis. A single JA4H signature appeared in 99% of attacks, indicating shared automation tooling—likely based on the Nuclei scanning framework. While the 62 source IPs spread across 27 countries might suggest a distributed botnet, the consistent technical fingerprints point instead to VPS-based infrastructure operated by coordinated actors.

Distributed botnet attack or cloud VPS cluster? Black hat or gray hat? Either way, the outcomes of campaigns like these are telling. © Alphaspirit / Dreamstime

Notably, researchers assessed that this campaign may represent grey-hat activity—such as security researchers or bug bounty hunters operating at scale—rather than overtly malicious exploitation. Regardless of intent, the activity demonstrates how easily SSRF-style techniques can be applied to emerging AI infrastructure.

Campaign Two: Systematic Model Reconnaissance

The second campaign, which began on December 28, 2025, was more narrowly focused and operationally disciplined. Over just eleven days, two IP addresses generated 80,469 attack sessions—more than 7,000 attempts per day—systematically probing 73+ different LLM model endpoints.

The targets illustrate how comprehensive this reconnaissance effort was:

  • OpenAI (GPT-4o and variants)

  • Anthropic (Claude Sonnet, Opus, Haiku)

  • Meta (Llama 3.x)

  • Google (Gemini)

  • Mistral

  • Alibaba (Qwen)

  • DeepSeek (DeepSeek-R1)

  • xAI (Grok)

Rather than attempting immediate exploitation, the attackers relied on deliberately innocuous prompts such as “hi” and “How many states are there in the United States?” These low-noise queries appear designed to fingerprint which model endpoints respond successfully without triggering abuse detection or content-filtering controls.

What They’re Really Looking For

The objective behind these campaigns appears clear: identify misconfigured proxy servers that unintentionally expose or broker unauthorized access to commercial AI services. Many organizations deploy AI through proxy layers that connect applications to LLM APIs. When these proxies are misconfigured, they can:

  • Leak access credentials to commercial AI services

  • Expose internal API endpoints without proper authentication

  • Allow unauthorized consumption of expensive AI compute resources

In broader contexts, such weaknesses may also create pathways for data exfiltration or secondary abuse through model interactions, depending on how AI services are integrated into business workflows.

Researchers noted that the two IP addresses most active in the reconnaissance campaign had previously been observed exploiting hundreds of other known vulnerabilities, with sensor hits exceeding 4 million across their infrastructure. This level of historical activity strongly suggests professional threat actors engaged in systematic reconnaissance rather than casual experimentation.

Why Traditional Security Approaches Fall Short

Here’s the fundamental challenge: AI infrastructure introduces attack vectors that traditional security controls weren’t designed to address.

  • Your firewall sees legitimate HTTPS traffic. When an attacker sends a prompt to your LLM proxy, it looks like normal API usage. There’s no exploit payload in the traditional sense—just a text string asking your AI a question.

  • Your intrusion detection misses the reconnaissance. Innocuous prompts like “hi” don’t match signatures of known attacks. They’re intentionally designed to slip past automated detection while revealing whether a model endpoint is accessible.

  • Your access controls may not extend to model interactions. Many organizations focus on authenticating users to applications, but the pathway from application to AI service often lacks equivalent scrutiny.

How many organizational blind spots and question marks do you face? These campaigns suggest that most organizations have several. © Denisismagilov / Dreamstime

The Real Risk: You Don’t Know What You’re Exposing

The most dangerous aspect of these campaigns isn’t the traffic itself—it’s what it reveals about organizational blind spots. Consider these questions:

  • Do you have a complete inventory of every AI service endpoint in your environment?

  • Can you identify every application that connects to LLM APIs, including shadow AI deployments?

  • Do you know which models are accessible from external networks versus properly segmented internal ones?

  • Are your proxy configurations regularly audited for misconfigurations that might leak credentials?

  • Do you monitor for reconnaissance patterns like repeated low-value queries from the same sources?

For many organizations, the honest answer to at least some of these questions is “no” or “we’re not sure.”

Moving from Awareness to Action

The 91,000+ attack sessions observed by researchers represent only what honeypots and sensors were able to capture. The actual scale of reconnaissance against production AI infrastructure is likely far larger.

Immediate Priorities

  • Inventory your AI attack surface. You can’t secure what you can’t see. Map every LLM deployment, API endpoint, proxy service, and model integration. Include both sanctioned tools and shadow AI deployments discovered through network monitoring.

  • Harden proxy configurations. Review every proxy layer that connects applications to AI services. Ensure authentication requirements, rate limiting, and access controls are properly configured. Eliminate any paths that might leak API credentials or allow unauthorized access.

  • Implement AI-specific monitoring. Traditional security monitoring won’t catch AI-focused reconnaissance. Deploy detection rules for suspicious patterns such as repeated low-value queries, systematic endpoint enumeration, or SSRF attempts targeting AI infrastructure.

  • Segment AI infrastructure. Apply network segmentation principles to AI deployments. Production LLM endpoints should not be directly accessible from external networks without multiple layers of authentication and authorization.
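The monitoring item above calls for detection rules that catch repeated low-value queries and systematic endpoint enumeration. As an added example (not code from the original post, GreyNoise or Plurilock), here is one such rule run over constructed proxy log lines; the JSON field names (`ts`, `src_ip`, `model`, `prompt`, `status`) and the thresholds are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of LLM-proxy access logs (one JSON object per line); the
# field names are assumptions for this example, not any vendor's real format.
SAMPLE_LOG = """
{"ts":"2025-12-28T10:00:00Z","src_ip":"203.0.113.7","model":"gpt-4o","prompt":"hi","status":200}
{"ts":"2025-12-28T10:00:01Z","src_ip":"203.0.113.7","model":"claude-sonnet","prompt":"hi","status":200}
{"ts":"2025-12-28T10:00:02Z","src_ip":"203.0.113.7","model":"llama-3.1","prompt":"How many states are there in the United States?","status":404}
{"ts":"2025-12-28T10:00:03Z","src_ip":"203.0.113.7","model":"gemini","prompt":"hi","status":200}
{"ts":"2025-12-28T10:00:04Z","src_ip":"203.0.113.7","model":"mistral","prompt":"hi","status":404}
{"ts":"2025-12-28T10:00:05Z","src_ip":"203.0.113.7","model":"qwen","prompt":"hi","status":200}
{"ts":"2025-12-28T10:05:00Z","src_ip":"198.51.100.20","model":"gpt-4o","prompt":"Summarize the attached quarterly report and list the three biggest risks it names.","status":200}
"""
LOW_VALUE_MAX_WORDS = 12    # prompts this short are treated as probes
MIN_PROBES = 5              # flag a source sending this many probes in WINDOW
MIN_DISTINCT_MODELS = 4     # or probing this many distinct model endpoints
WINDOW = timedelta(minutes=10)

def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_low_value(prompt):
    # "hi"-style probes carry almost no content; real work requests run longer
    return len(prompt.split()) <= LOW_VALUE_MAX_WORDS

def detect_enumeration(events, window=WINDOW):
    """Sliding-window check per source IP over low-value prompts only."""
    by_src = defaultdict(list)
    for e in events:
        if is_low_value(e["prompt"]):
            by_src[e["src_ip"]].append(e)
    findings = {}
    for src, probes in by_src.items():
        probes.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) for e in probes]
        start = 0
        for end in range(len(probes)):
            while times[end] - times[start] > window:   # drop events outside the window
                start += 1
            span = probes[start:end + 1]
            models = {e["model"] for e in span}
            reasons = []
            if len(span) >= MIN_PROBES:
                reasons.append("repeated low-value prompts")
            if len(models) >= MIN_DISTINCT_MODELS:
                reasons.append("enumeration across model endpoints")
            if reasons:   # the latest flagged window for this source is kept
                findings[src] = {"probes": len(span), "models": sorted(models), "reasons": reasons}
    return findings
```

Note that both 200 and 404 responses count as probes: the attacker learns something either way, so the rule keys on request behaviour rather than on the proxy's answer.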

The CASR Advantage

This is precisely where Plurilock’s Cyber Adversary Simulation and Response (CASR) services and AI Risk Assessments become essential. Traditional penetration testing often misses AI-specific attack vectors because those vectors require specialized knowledge of:

  • LLM architecture vulnerabilities

  • Proxy misconfiguration patterns

  • Model fingerprinting techniques

  • AI-specific SSRF exploitation methods

  • RAG pipeline security weaknesses

Our CASR team stays current with the latest AI attack methodologies—including campaigns like those discussed here—and simulates real adversary tactics against your infrastructure. We don’t just test whether your firewall blocks port 443. We test whether an attacker could fingerprint your models, exploit proxy configurations, or abuse AI services to access resources they shouldn’t.

The Window for Proactive Security Is Closing

The actors conducting these reconnaissance campaigns aren’t operating in the distant future—they’re active right now, systematically mapping AI deployments across the internet. As one researcher noted: “Eighty thousand enumeration requests represent investment. Threat actors don’t map infrastructure at this scale without plans to use that map.”

Organizations that wait until after a breach to secure their AI infrastructure will find themselves playing catch-up against adversaries who’ve been mapping their environment for months. The time to test your defenses isn’t after you’re on the target list—it’s before you realize you already are.

Key Takeaways

  • Over 91,000 attack sessions were observed against AI-related infrastructure in a three-month period, including systematic reconnaissance of 73+ different LLM model endpoints

  • Attackers use innocuous queries to fingerprint accessible models without triggering security alerts

  • Misconfigured proxy layers represent a critical vulnerability that traditional security tools may miss

  • The scale of observed reconnaissance suggests threat actors are building comprehensive maps of the AI attack surface for future exploitation

  • AI infrastructure requires specialized security assessment beyond traditional penetration testing

Ready to test your AI infrastructure against real-world attack scenarios? Plurilock’s CASR services simulate the latest adversary tactics targeting LLM deployments, proxy configurations, and AI service integrations. Contact us to schedule an assessment before you discover you’re already on an attacker’s reconnaissance list.
