OpenA2A Research, Security Research on AI Agent Infrastructure

OpenA2A

Research

Updated Jun 15, 2026

Security research on AI agent infrastructure. A continuous honey-agent fleet, monthly internet-wide exposure sweeps, and live indices. Every finding classified by Threat Matrix technique, every count published with its query.

Latest report →Threat lifecycle →Methodology →

reports published

300K+

honey-agent events

320.5K

exposed AI services

Jun 15, 2026

latest report

Featured · State of AI Agent Security: A Surface in Migration

The exposed surface is broadening as attacker attention narrows.

Behavioral Threat Report Issue 2. In the 30-day window the Model Context Protocol drew 97.9% of honey-agent events, up from 75%. Exposure rose to 320,506 services with exposed Ollama up 225% and MLflow up 173%. 41% of unique attacker fingerprints returned. Reported on a corrected 30-day-window basis.

Read the report →

97.9%

targeted MCP

41%

return rate

300K+

events since launch

6,232

unique fingerprints

Live signalscontinuous measurement

See live indices

Exposure over time

Exposed AI services per monthly internet-wide sweep. Latest: 320.5K.

What's exposed

OpenClaw Gateways175.9K54.9%

Ollama Instances83.5K26.1%

MLflow Tracking31.8K9.9%

Streamlit AI Apps24.1K7.5%

MCP Streamable HTTP1.7K0.5%

Jupyter Notebooks1.6K0.5%

What attackers target

Model Context Protocol (MCP)104.7K97.9%

Agent-to-Agent (A2A) handshake1.3K1.2%

Context-read (other)9120.9%

Agent-to-Agent (A2A) task560.1%

Honey-agent events, May 16 to June 15, 2026 (30 days).

Where attacks originate

US · United States66.4K62.1%

GB · United Kingdom5.5K5.1%

NL · Netherlands3.8K3.6%

CA · Canada3.8K3.5%

JP · Japan3.5K3.2%

Top 5 of 99 countries observed.

Confirmed findings

162artifacts confirmed across 157 hosts

exposed .git/config repos115

agent instruction files31

credentials and private keys15

MCP tool manifests1

Content-verified ARIAscout Shodan probe · June 2026.

Passive Shodan-index probe, dedup’d by host (point-in-time). A floor, not directly comparable to the January 2026 active host probe.

6 reports

behavioral threat reportJun 15, 202615 min read

State of AI Agent Security: A Surface in Migration

behavioral threat reportMay 12, 202615 min read

State of AI Agent Security: The Protocol Attackers Prefer

Inaugural Behavioral Threat Report. 206,571 honey-agent events across 9,037 unique attacker fingerprints over 30 days. The Model Context Protocol drew three of every four attacker events. 45% of unique attackers returned across multiple sessions. 343 wild injection-bait surfaces detected on the public web.

exposure sweepApr 10, 20266 min read

Internet-Wide AI Exposure Sweep: April 2026

321,929 exposed AI services indexed by Shodan. 263,853 OpenClaw gateways on port 18789, 25,097 Streamlit apps, 25,036 Ollama instances identified by product signature. First sweep using product-based queries for higher-confidence identification.

ecosystem analysisApr 2, 20268 min read

OASB Scanner Benchmark: detection on a ground-truth labeled corpus

The HMA full pipeline scores 82.9% F1 (82.6% recall, 83.2% precision, 1.16% FPR) on 4,245 labeled samples across 9 attack categories. The verdict counts attack findings and excludes posture findings (missing defenses, and wildcard tool access that thousands of benign MCP servers also declare). DVAA full-repo detection 29.1%. Comparison with 9 industry scanners from Holzbauer et al. The earlier 89.2% and 82.1% F1 figures are withdrawn.

exposure sweepMar 20, 20266 min read

Internet-Wide AI Exposure Sweep: March 2026

490,295 Shodan detections. ~140,000 verified exposed AI services after active HTTP probing. 3.5x inflation factor between passive scanning and confirmed findings.

exposure sweepFeb 5, 20267 min read

97,000 AI Agents Exposed

We scanned 97,013 internet-facing hosts for AI agent vulnerabilities. 14.4% had confirmed security issues. 1,190 had their system instructions publicly readable.