ai-surface
Maps the AI and application surface and emits the AI-BOM.
You know how modern apps break. apisec Surface maps and audits the AI and application attack surface of your own apps, in one inventory: agents, MCP, RAG, LLM call sites, model gateways, infrastructure, provider keys, and API endpoints.
It emits the AI-BOM and gates new high-risk findings in CI at PR time. Nothing leaves your machine.
Private by design. Nothing leaves your machine, so mapping your own gaps costs you nothing but a command.
Actions are map (read and inventory), audit (discover plus flag risk), and watch (monitor over time). Never "scan": these read the application to map the surface, they are not vulnerability scanners.
Maps the AI and application surface and emits the AI-BOM.
Audits MCP servers for risk.
Audits AI agents for risk.
Static read of source code.
Runtime read of the running client.
Monitors changes over time.
Surface can show you 347 endpoints and 2,814 candidate paths. It cannot tell you which of them an attacker can actually reach. That gap between a candidate and a proof is the whole job of the Platform.
A map is where readiness begins, not where the work ends.
The AI-BOM exports as a shareable summary: what's running, where the risk concentrates, and what a validation pass would prove. Forward it, drop it in the board deck, or attach it to the budget request.
You found the surface. This is how you make the case for proving it.
One page: surface inventory, risk concentration, and the exploitability questions still open. Built to send to whoever signs off.
Surface maps, free and static, at PR time. apisec proves, at runtime. Two motions, one arc.