Speaker:: Roey Ben Chaim
Title:: Total Recon: How We Discovered 1000s of Open Agents in the Wild
Duration:: 16 min
Video:: https://www.youtube.com/watch?v=N0DukgZSREo
## Key Thesis
AI agents are still applications with discoverable breadcrumbs — endpoints, APIs, iframes, predictable URL structures — and through systematic OSINT and enumeration of platforms like Microsoft Copilot Studio, OpenAI Agent Builder, Custom GPTs, and MCP servers, Ben Chaim's team at Zenity found tens of thousands of agents exposed on the public internet, thousands of them unauthenticated, many containing sensitive enterprise data and credentials.
## Synopsis
Ben Chaim (staff engineer at Zenity) opens by framing the core insight: an agent is still an application. It has breadcrumbs, discoverable resources, APIs, and can be embedded in iframes. Agent discovery is a subset of web discovery. The significance is that agents are deeply integrated into enterprises — they carry embedded credentials, connect to data sources, and can modify enterprise data. An exposed, unauthenticated agent is a gateway into the enterprise.
**Microsoft Copilot Studio enumeration.** Copilot Studio creates agents at URLs composed of several components. The environment ID is derived from the tenant's Microsoft Azure AD tenant ID. An undocumented Microsoft API (discovered by the AADInternals researchers) allows resolving a tenant ID from just a domain name — Microsoft later had to take this API down because it was being abused. The solution prefix (a 5–8 character alphanumeric string) is the higher-entropy component, but in practice most developers keep the default: a "CR" prefix followed by 2–3 alphanumeric characters, making the effective search space small enough to fuzz. Default agent names follow predictable patterns (copilot1, copilot2, test, ai, aibot), further reducing the search space. By combining fuzzing of solution prefixes with enumeration of common agent names, the team found tens of thousands of Copilot Studio agents. Using the Power Platform API, they further determined which required authentication and which did not. Subdomain enumeration extended the count further.
**OpenAI Agent Builder enumeration.** Agent Builder agents are deployed by developers, typically on platforms like Vercel and Render. OpenAI recommends starter kits with well-known GitHub repository names. Combining the known naming conventions of those repos with the deployment platform's URL patterns, and factoring in branch names included in some deployment URLs, the search space becomes highly enumerable. A session creation check reveals whether an agent exists at a given URL. The team found exposed agents containing confidential information.
**Custom GPTs.** Custom GPTs are public by design — their capabilities (default tools like Python, DALL-E, browser, plus custom connectors) are visible to anyone. The team used this to map attack surfaces. An example observed: a custom GPT with a connector that lists all Gmails. While this is "by design," it represents a significant information disclosure for attackers.
**Exposed AI middlewares and MCP servers via OSINT.** Using Shodan queries for well-known MCP session ID patterns, the team found hundreds of thousands of open MCP servers — some authenticated, many not. An HTML hash search found an exposed Copilot API with a Swagger endpoint that included a public "purge vector DB" endpoint. MCP registry files themselves are an intelligence source — they contain backend URLs and lists of available tools. Backlink searches for copilotstudio.microsoft.com (the domain used when agents are embedded in iframes) revealed 2,500 open agents, many unauthenticated. The same technique applied to Amazon Bedrock agents yielded similar results.
**Why it matters beyond discovery.** Even agents with guardrails are vulnerable to persistent probing — attackers can enumerate knowledge sources and tool configurations by asking the agent directly. With a small amount of prompt manipulation, guardrails can be bypassed to reveal available tools. An unanticipated public agent is a significant risk even if it has some built-in refusals.
**PowerPwn** is Zenity's open-source tool for assessing agent posture. It includes four modules: Copilot Studio Hunter (resolves the tenant ID from a domain, fuzzes solution prefixes, iterates through agents, and reports authentication status and capabilities); Agent Builder Hunter (checks for exposed endpoints given a wordlist of agent names); Custom GPT Enumerator (maps capabilities given a search term); and LLM Hound (finds AI middlewares via Shodan using MCP filters; accepts a Shodan API key).
Takeaways: don't make agents public unless necessary; don't use default configurations (they shrink the search space); use tools like PowerPwn to identify your own public exposure; add observability to your AI stack, because you don't know what you don't know.
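As an added illustration of the observability takeaway (example code written for these notes, not from the talk or from Zenity's tooling): a defender-side detector that reads constructed access-log lines and flags clients probing many default-pattern solution prefixes and agent names, the pattern the talk describes. The `/agents/<prefix>/<name>` path layout, the log format and the IP addresses are constructed placeholders, not the real Copilot Studio URL structure.

```python
import re
from collections import defaultdict

# Constructed sample log: "<client ip> <http status> <path>". The path layout
# /agents/<solution prefix>/<agent name> is a placeholder, not the real one.
SAMPLE_LOG = """\
203.0.113.7 404 /agents/cr1a2/copilot1
203.0.113.7 404 /agents/cr1a2/copilot2
203.0.113.7 401 /agents/cr1a2/test
203.0.113.7 404 /agents/cr1a2/ai
203.0.113.7 200 /agents/cr1a2/aibot
203.0.113.7 404 /agents/cr9zz/copilot1
198.51.100.4 200 /agents/crqx7/salesassistant
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) /agents/([A-Za-z0-9]+)/([\w-]+)$")
# Defaults described in the talk: "cr" + 2-3 alphanumerics; copilotN/test/ai/aibot.
DEFAULT_PREFIX_RE = re.compile(r"^cr[a-z0-9]{2,3}$", re.I)
DEFAULT_NAME_RE = re.compile(r"^(copilot\d*|test|ai|aibot)$", re.I)


def parse_log(text):
    """Return (ip, status, prefix, name) tuples for lines matching the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m[1], int(m[2]), m[3], m[4]))
    return events


def find_enumerators(events, min_distinct=4, min_miss_ratio=0.5):
    """Flag clients hitting many distinct default-pattern agent paths, mostly
    answered 401/404 (fuzzing signature); 'hits' are the 200s worth reviewing."""
    per_ip = defaultdict(lambda: {"targets": set(), "hits": [], "misses": 0, "total": 0})
    for ip, status, prefix, name in events:
        s = per_ip[ip]
        s["total"] += 1
        if status in (401, 404):
            s["misses"] += 1
        if DEFAULT_PREFIX_RE.match(prefix) and DEFAULT_NAME_RE.match(name):
            s["targets"].add((prefix.lower(), name.lower()))
            if status == 200:
                s["hits"].append(f"/agents/{prefix}/{name}")
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["total"]
        if len(s["targets"]) >= min_distinct and ratio >= min_miss_ratio:
            flagged[ip] = {"distinct_default_targets": len(s["targets"]),
                           "miss_ratio": round(ratio, 2), "hits": s["hits"]}
    return flagged
```

Any path in `hits` is an agent an enumerator actually found; it is the first candidate for the "is this agent meant to be public and authenticated?" review the talk recommends.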
## Key Takeaways
- Agents are applications — they have discoverable endpoints, URLs, and APIs subject to standard web reconnaissance
- Microsoft Copilot Studio's default URL structure is enumerable: tenant ID is resolvable from domain, solution prefix is fuzzable, default agent names are predictable
- Tens of thousands of Copilot Studio agents found; thousands are unauthenticated and expose sensitive enterprise data
- An undocumented Microsoft API allowed resolving tenant IDs from domain names — it was taken down after being abused
- MCP servers are massively exposed on Shodan; MCP registry files leak backend URLs and tool inventories
- Backlink search for copilotstudio.microsoft.com found 2,500 open agents directly
- Even guarded agents can be probed to enumerate tools and knowledge sources with minimal prompt manipulation
- Default configurations are the attacker's friend — they shrink the search space dramatically
- PowerPwn (open source) automates Copilot Studio, Agent Builder, Custom GPT, and MCP server discovery
## Notable Quotes / Data Points
- "Tens of thousands of agents just out there in the web. Out of them, thousands were unauthenticated."
- AADInternals' undocumented Microsoft API for tenant ID resolution had to be taken down because it was being abused
- Shodan query for MCP session IDs: hundreds of thousands of open MCP servers
- 2,500 open Copilot Studio agents found via backlink search alone
- Observed: fully exposed Swagger endpoint with "purge vector DB" action on a public API
- Observed: Custom GPT with a connector listing all Gmails
- PowerPwn open source: github.com (Zenity) — includes Copilot Studio Hunter, Agent Builder Hunter, Custom GPT Enumerator, LLM Hound
#unprompted #claude