AI Infrastructure Security: Pentesting MCP & Agentic Systems
2026-6-19 09:20:11 Author: horizon3.ai (view original) Views: 6

AI infrastructure has a new attack surface, and most security teams are not testing it.

Model Context Protocol (MCP) servers, LLM inference endpoints, and agentic AI systems are being deployed into production environments at speed. Each one introduces a new class of exposure: not just the model itself, but the infrastructure it can reach, the credentials it can access, and the actions it can take. The boundary that matters is not where the model runs. It is where the agent acts.

Horizon3.ai’s research into AI system pentesting frames the core problem precisely: prompt injection and jailbreaking are not the interesting boundary. The real boundary is where agents take action. That reframe changes everything about how security teams should approach AI infrastructure testing.


How Attackers Move Through AI Systems

AI systems are not isolated. They connect to internal networks, identity stores, and data repositories. An attacker who reaches an AI inference endpoint does not stop at the model.

The Webapp-to-Infrastructure Kill Chain

A documented attack chain in which Claude was used as the attack agent illustrates the full path. Claude discovered a Server-Side Request Forgery (SSRF) vulnerability in a web application. It then escalated privileges and mapped the internal network. From there, it attacked internal infrastructure and created a persistent backdoor user account. The kill chain ran: webapp to identity to infrastructure.

This is the pattern that matters. The AI system became the pivot point. The SSRF was the entry. The backdoor was the outcome.

Why Agentic Automation Changes the Defender’s Window

Ninety percent of that entire attack campaign was executed by a series of agents. Human-speed response assumptions do not apply when the attacker is automated. Agentic systems compress the time between initial access and persistent compromise to a window that most detection and response workflows cannot close.

Vulnerability scanners produce a list of CVEs. Autonomous pentesting finds the exploitable path through an AI system before an attacker does.


The Specific Risk from MCP Servers

MCP servers are a new and largely untested attack surface in most enterprise environments.

Horizon3.ai’s AI pentesting initiative targets MCP servers directly. The approach covers discovery of AI inference and chatbot endpoints, discovery of AI-related data, credentials, and hosts, and targeted testing of those endpoints to find paths to data, credentials, or connected infrastructure. The goal is not to evaluate model behavior in isolation. It is to determine what an attacker can reach through the model.

MCP servers sit between AI agents and the tools, APIs, and data sources those agents call. A misconfigured MCP server can expose internal credentials, allow unauthorized tool invocation, or provide a pivot point into backend infrastructure. These are infrastructure risks, not model risks. They require infrastructure-class testing.
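As an added example, not Horizon3.ai or NodeZero code, the following Python models the two misconfigurations named above, an MCP-style server whose URL-fetching tool lets an agent pivot into internal hosts and the cloud metadata service, and tool invocation with no per-caller authorisation check, beside a hardened version of the same tool. The hosts, DNS table, response bodies and caller identities are constructed stand-ins so the example runs offline, and the request shape follows MCP's `tools/call` JSON-RPC method in simplified form.

```python
"""Added example, not Horizon3.ai or NodeZero code: an MCP-style tool server
with a URL-fetching tool, in a vulnerable and a hardened form. Hosts, DNS and
caller identities are constructed stand-ins so the example runs offline."""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed network: name -> address, and address -> {path: body}.
FAKE_DNS = {
    "metadata.internal": "169.254.169.254",   # cloud metadata service (link-local)
    "wiki.corp": "10.0.0.5",                  # internal host (RFC 1918)
    "docs.example.org": "93.184.216.34",      # the one public host the agent should reach
}
FAKE_WEB = {
    "169.254.169.254": {"/latest/meta-data/iam/security-credentials/role":
                        '{"AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"constructed"}'},
    "10.0.0.5": {"/admin/users": '[{"user":"svc-ai","admin":true}]'},
    "93.184.216.34": {"/handbook": "public docs"},
}

def resolve(host):
    """Stand-in for DNS: an IP literal passes through, a name is looked up."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)

def fake_http_get(ip, path):
    return FAKE_WEB.get(ip, {}).get(path, "404")

def vulnerable_fetch_url(args):
    """Fetches whatever URL the model supplies: an agent steered by injected
    content can aim it at the metadata service or internal hosts (SSRF pivot)."""
    u = urlparse(args["url"])
    return fake_http_get(resolve(u.hostname), u.path)

PUBLIC_HOST_ALLOWLIST = {"docs.example.org"}

def is_internal(ip):
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_reserved or a.is_multicast or not a.is_global)

def hardened_fetch_url(args):
    """Allowlisted hosts only, and the resolved address is checked too, since
    a name on the allowlist can be pointed at an internal address (DNS rebinding)."""
    u = urlparse(args["url"])
    if u.scheme not in ("http", "https"):
        raise PermissionError(f"scheme {u.scheme!r} not allowed")
    if u.hostname not in PUBLIC_HOST_ALLOWLIST:
        raise PermissionError(f"host {u.hostname!r} not allowlisted")
    ip = resolve(u.hostname)
    if ip is None or is_internal(ip):
        raise PermissionError(f"{u.hostname!r} resolves to a non-public address")
    return fake_http_get(ip, u.path)

# Vulnerable server: any caller may invoke any tool. Hardened server: a
# per-caller tool ACL (constructed agent identities) limits who can fetch.
VULNERABLE_SERVER = {"tools": {"fetch_url": vulnerable_fetch_url}, "acl": None}
HARDENED_SERVER = {"tools": {"fetch_url": hardened_fetch_url},
                   "acl": {"research-agent": {"fetch_url"}, "ops-agent": set()}}

def make_call(tool, url, req_id=1):
    """Build a JSON-RPC 'tools/call' request (MCP's tool-invocation method, simplified)."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
                       "params": {"name": tool, "arguments": {"url": url}}})

def handle_tools_call(server, request, caller):
    """Dispatch one request for an authenticated caller; returns a result or an error."""
    req = json.loads(request)
    reply = {"jsonrpc": "2.0", "id": req.get("id")}
    name = req.get("params", {}).get("name")
    acl = server["acl"]
    if req.get("method") != "tools/call" or name not in server["tools"]:
        return {**reply, "error": "unknown method or tool"}
    if acl is not None and name not in acl.get(caller, set()):
        return {**reply, "error": f"caller {caller!r} is not authorised for {name!r}"}
    try:
        return {**reply, "result": server["tools"][name](req["params"]["arguments"])}
    except PermissionError as exc:
        return {**reply, "error": str(exc)}

if __name__ == "__main__":
    ssrf = make_call("fetch_url", "http://metadata.internal/latest/meta-data/iam/security-credentials/role")
    print(handle_tools_call(VULNERABLE_SERVER, ssrf, "research-agent"))  # leaks cloud credentials
    print(handle_tools_call(HARDENED_SERVER, ssrf, "research-agent"))    # refused
    print(handle_tools_call(HARDENED_SERVER, make_call("fetch_url", "http://docs.example.org/handbook"), "ops-agent"))
```

The host allowlist is the primary control; the check on the resolved address is defence in depth against a name that later resolves somewhere internal, and in a real server it must be applied to the address the socket actually connects to, not to a separate lookup. The caller ACL is what turns "unauthorized tool invocation" from a model-behaviour question into an ordinary access-control check that a pentest can exercise directly.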

Traditional pentest firms test what they can schedule. Autonomous pentesting discovers and tests MCP servers as part of continuous infrastructure assessment.


NodeZero’s Technical Approach to AI Infrastructure Testing

NodeZero extends existing infrastructure testing to cover the AI attack surface. The approach combines production-safe autonomous pentesting with AI and ML workflows for narrow reasoning tasks including zero-day vulnerability discovery, advanced exploitation, and evasion.

Discovery and Fingerprinting

NodeZero discovers AI inference endpoints and MCP servers as part of network discovery and fingerprinting. AI-related data, credentials, and hosts are identified alongside traditional infrastructure assets. This means AI systems are not tested in isolation. They are tested as part of the full attack surface.
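As an added example, not NodeZero's discovery logic, the Python below shows two checks of the kind described: classifying an HTTP response body as an MCP server (the reply to a JSON-RPC `initialize` request), an OpenAI-compatible inference API (`/v1/models`) or an Ollama instance (`/api/tags`), and scanning an MCP client configuration (the `mcpServers` layout used by Claude Desktop and similar clients) for hardcoded credentials and cleartext transports. Every response body, host address and configuration value is a constructed sample; nothing here touches the network.

```python
"""Added example, not NodeZero code: fingerprint AI endpoints from response
bodies and flag credential exposure in an MCP client config. All inputs are
constructed samples; nothing here touches the network."""
import json
import re

# Body a scanner would POST to a suspected MCP endpoint (an MCP "initialize" request).
MCP_INITIALIZE_PROBE = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "initialize",
    "params": {"protocolVersion": "2025-03-26", "capabilities": {},
               "clientInfo": {"name": "probe", "version": "0.1"}},
})

# Constructed response bodies keyed by the hypothetical URL that returned them.
SAMPLE_RESPONSES = {
    "http://10.0.0.7:8000/mcp": '{"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2025-03-26",'
                                '"capabilities":{"tools":{}},"serverInfo":{"name":"filesystem","version":"0.6.2"}}}',
    "http://10.0.0.8:8000/v1/models": '{"object":"list","data":[{"id":"llama-3.1-8b-instruct","object":"model","owned_by":"vllm"}]}',
    "http://10.0.0.9:11434/api/tags": '{"models":[{"name":"llama3:latest","model":"llama3:latest","size":4661224676}]}',
    "http://10.0.0.10:8080/": "<html>Welcome</html>",
}

def fingerprint_response(body):
    """Return 'mcp', 'openai-compatible', 'ollama', or None for a response body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    result = doc.get("result")
    # MCP initialize result carries protocolVersion, capabilities and serverInfo.
    if doc.get("jsonrpc") == "2.0" and isinstance(result, dict) and \
            all(k in result for k in ("protocolVersion", "capabilities", "serverInfo")):
        return "mcp"
    # OpenAI-style /v1/models: a list object whose items are model objects.
    if doc.get("object") == "list" and any(isinstance(m, dict) and m.get("object") == "model"
                                           for m in doc.get("data", [])):
        return "openai-compatible"
    # Ollama /api/tags: {"models": [{"name": ...}, ...]}; weak on its own, confirm with /api/version.
    models = doc.get("models")
    if isinstance(models, list) and models and all(isinstance(m, dict) and "name" in m for m in models):
        return "ollama"
    return None

def classify_endpoints(responses):
    """Map URL -> fingerprint for every response that looks like an AI endpoint."""
    return {url: kind for url, body in responses.items() if (kind := fingerprint_response(body))}

SECRET_KEY_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY)", re.I)
# scheme://user:password@host ... as found in connection strings passed on the command line
CONN_STRING_CREDS_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@", re.I)

# Constructed MCP client config in the mcpServers layout; values are made up.
SAMPLE_MCP_CONFIG = {
    "mcpServers": {
        "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
                   "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_constructedExampleValue0000"}},
        "postgres": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres",
                                                "postgresql://svc_ai:Sup3rS3cret@db.internal:5432/app"]},
        "internal-search": {"url": "http://search.corp:8000/mcp", "env": {"SEARCH_KEY": "${SEARCH_KEY}"}},
    }
}

def find_mcp_config_issues(cfg):
    """Flag hardcoded credentials and cleartext transports; returns (server, issue) pairs."""
    issues = []
    for name, server in cfg.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            # A literal value is a hardcoded secret; a "${VAR}" reference is resolved at runtime.
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and value and not value.startswith("${"):
                issues.append((name, f"hardcoded secret in env {key}"))
        for i, arg in enumerate(server.get("args", [])):
            if CONN_STRING_CREDS_RE.search(arg):
                issues.append((name, f"credentials in args[{i}]"))
        if server.get("url", "").startswith("http://"):
            issues.append((name, "remote MCP server over cleartext http"))
    return issues

if __name__ == "__main__":
    for url, kind in classify_endpoints(SAMPLE_RESPONSES).items():
        print(f"{kind:18} {url}")
    for server, issue in find_mcp_config_issues(SAMPLE_MCP_CONFIG):
        print(f"{server}: {issue}")
```

Each finding from the config scan is a concrete lead for the next step of a test: a token in `env` is a credential to validate against the service it belongs to, a connection string in `args` is a database to reach, and a cleartext `url` is a session that can be read or altered on the wire.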

Exploit-Led Validation

NodeZero’s technical stack covers credential harvesting and validation, implant and post-exploitation, intelligent fuzzing, and false positive detection. Applied to AI infrastructure, this means testing whether an SSRF in an AI-connected webapp leads to credential access, whether an MCP server exposes internal API keys, and whether an agent can be used to pivot into backend systems.

Mythos, Horizon3.ai’s AI model, identifies vulnerabilities and generates working exploits faster than traditional approaches. Applied to AI system testing, Mythos accelerates the path from endpoint discovery to verified exploit.

Agent-Based Testing Architecture

Testing AI systems requires agents. Horizon3.ai’s approach to AI op types is explicit: as with webapp testing, AI infrastructure testing requires agent-based execution. NodeZero’s architecture uses creative AI agents operating on a shared context graph, with AI and ML workflows handling advanced exploitation and evasion. Such an agent series can execute ninety percent of a full attack campaign.

See also: NodeZero Webapp Pentesting and Identity Security Validation, both of which intersect directly with AI system attack paths.

Vulnerability scanners flag exposed endpoints. Autonomous pentesting chains them into verified attack paths through AI infrastructure.


What the AI Attack Surface Actually Includes

The AI attack surface is broader than the model. Horizon3.ai identifies it across three layers: webapp endpoints, identity systems, and infrastructure.

Webapp layer exposures include SSRF, Local File Inclusion (LFI), XML External Entity (XXE) injection, SQL injection, and other injection classes that AI-connected applications inherit from traditional web applications. These are not new vulnerability classes. They are existing classes that now have a new consequence: an attacker who exploits them through an AI-connected app can reach the agent’s full permission scope.

Identity layer exposures include overly permissive access, identity weaknesses, and misconfigurations. Most organizations are already exposed through these vectors before AI systems are introduced. AI agents that authenticate with service accounts or API keys inherit those weaknesses.

Infrastructure layer exposures include the hosts, data stores, and internal services that AI agents can reach. The same attack path that enables full tenant compromise in identity-connected infrastructure applies when the initial access vector is an AI agent rather than a human attacker.

BAS tools validate detections. Autonomous pentesting finds what detections miss when the attacker is an AI agent.


Frequently Asked Questions

What is an MCP server and why does it matter for security testing?

An MCP server (Model Context Protocol server) brokers tool calls and data access between LLM agents and backend systems including APIs, databases, and internal services. It matters for security testing because a misconfigured MCP server can expose internal credentials, allow unauthorized tool invocation, or provide a pivot point into backend infrastructure. These are infrastructure risks that require the same testing methodology applied to any privileged service.

Is prompt injection the main risk in AI systems?

Prompt injection is not the primary concern from an infrastructure security perspective. Horizon3.ai’s research is explicit: jailbreaking and prompt injection are not the interesting boundary. The real boundary is where agents take action. An agent that can authenticate to a downstream service, read sensitive data, or create accounts represents the attack surface that requires testing.

How can an attacker move from an AI endpoint to full infrastructure compromise?

The path follows the same logic as any infrastructure pentest: find a foothold, escalate, pivot, persist. A documented attack chain illustrates the full sequence: an SSRF vulnerability in a web application led to privilege escalation, internal network mapping, infrastructure attack, and persistent backdoor account creation. Ninety percent of that campaign was executed by agents. The chain from AI endpoint to infrastructure compromise is not theoretical.

What does NodeZero actually test in AI infrastructure?

NodeZero discovers AI inference endpoints, MCP servers, and AI-related credentials as part of standard network discovery and fingerprinting. From there it tests whether those endpoints lead to credential access, whether MCP servers expose internal API keys, and whether an agent can be used to pivot into backend systems. The output is verified exploitability, not a theoretical exposure list.

What vulnerability classes apply to AI-connected applications?

AI-connected web applications inherit the same vulnerability classes as traditional web applications: SSRF, Local File Inclusion (LFI), XML External Entity (XXE) injection, and SQL injection. The difference is consequence. An attacker who exploits these through an AI-connected application can reach the agent’s full permission scope, including any credentials, APIs, or internal services the agent is authorized to access.

Does NodeZero test Kubernetes environments where AI workloads run?

NodeZero includes Kubernetes assessment as a named capability. AI inference workloads frequently run in containerized environments, and the same misconfigurations that expose conventional Kubernetes clusters apply to AI workload deployments.

How does AI infrastructure testing map to compliance requirements?

MCP servers and LLM inference endpoints that process or store sensitive data fall within the scope of existing compliance frameworks. An MCP server brokering access to cardholder data is in scope for PCI DSS v4.0 penetration testing requirements. An inference endpoint processing protected health information falls under HIPAA technical safeguard requirements. SOC 2 Type II availability and confidentiality criteria apply to any system that can access or exfiltrate sensitive data, which now includes agentic systems with broad tool permissions.


Next Steps

Read how security teams are using NodeZero to find exploitable attack paths that traditional assessments miss, including identity-based paths and webapp chains that pivot into internal infrastructure. Understanding what the first AI-orchestrated state-sponsored attack tells us about the new threat model is critical for defenders preparing for this shift.

To see what NodeZero finds in AI infrastructure, schedule a demo and run an autonomous pentest against endpoints and MCP servers already in production.


Article source: https://horizon3.ai/intelligence/blogs/ai-infrastructure-pentesting-and-security/
For copyright concerns, contact: admin#unsafe.sh