NYBaywatch/AgrusScanner

Agrus Scanner

Network reconnaissance tool with deep AI/ML service detection. It scans your network to discover hosts and open ports, and identifies AI services running across your infrastructure.

Built for security teams, IT admins, and researchers who need visibility into shadow AI, rogue LLM deployments, and GPU infrastructure on their networks.

Why

There is growing concern about shadow AI, and Agrus Scanner provides a simple way to scan networks for it. Many of the typical scanning tools for Windows are also slow and have poorly written interfaces, especially for anyone running a 4K+ monitor. Agrus Scanner is built in native C#/.NET with WPF (no Electron, no embedded browser), so it launches fast, scans fast, and stays light on resources. I had been tired of trying to read tiny print, so when a friend/client was looking for a way to scan for shadow AI and no Windows-type tool was available, the two needs seemed like a natural fit.

It also works as a straightforward network scanner — ping sweeps, port scanning, and hostname resolution are all built in. You don't need a separate tool for basic recon. But where Agrus really stands out is AI detection: it goes beyond port scanning by actively probing discovered services with AI-specific API calls, pulling back model names, GPU details, container info, and version data. If someone on your network is running an AI service, Agrus finds it and tells you exactly what it is.

It also runs as an MCP server, so AI agents like Claude Code and OpenClaw can use it as a tool — scan networks, probe hosts, and pull back results autonomously. Point your agent at the endpoint and it handles the rest.

Install

Download the latest installer from Releases:

AgrusScanner-Setup.msi — self-contained, no .NET runtime needed.

Requires Windows 10/11.

Features

  • Ping Sweep - Fast ICMP discovery across subnets (256 concurrent)
  • Port Scanning - TCP connect scan with preset profiles (Quick, Common, Extended, AI, Deep AI)
  • AI Service Detection - 45 probe definitions identifying 25+ AI/ML services
  • Docker Container Enumeration - Detects AI containers via exposed Docker API
  • GPU Infrastructure - Finds NVIDIA DCGM exporters and inference metrics
  • Export Results - Save scan results to CSV or TXT via the toolbar EXPORT button
  • Real-time Results - Live-updating UI as scan progresses
  • MCP Server - Expose scanning tools to AI agents via Model Context Protocol
  • Agent Skills - Works with Claude Code, OpenClaw, Cursor, and other AgentSkills-compatible tools

AI Detection Categories

| Category | Services Detected |
|---|---|
| LLM | Ollama, vLLM, HF TGI, llama.cpp, KoboldCpp, LM Studio, LiteLLM, Jan.ai, GPT4All, LocalAI, FastChat, Tabby |
| Image Gen | Stable Diffusion (A1111), ComfyUI |
| ML Platform | NVIDIA Triton, TorchServe, TensorFlow Serving, MLflow, Ray Serve, BentoML, KServe, MindsDB |
| AI Platform | Open WebUI, AnythingLLM, LibreChat, Flowise, Dify, Gradio apps |
| GPU Infra | NVIDIA DCGM Exporter, Triton Metrics, TorchServe Metrics |
| Container | Docker API with 33 AI image pattern matches |

Detection goes beyond port scanning - the prober queries service-specific API endpoints, extracts model names, versions, GPU info, and container details.
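How a probe of this kind turns an API response into a result line, as an added Python illustration (not the project's C# probe code). It assumes the body comes from Ollama's `/api/tags` endpoint and applies the 1 MB response cap listed under Security; the function names and sample bodies are constructed for this example.

```python
import io
import json

MAX_BODY = 1024 * 1024  # 1 MB cap on probe responses, as stated under Security

def read_capped(stream, limit=MAX_BODY):
    """Read at most `limit` bytes; return None if the body is larger."""
    body = stream.read(limit + 1)  # one extra byte reveals an oversized body
    return None if len(body) > limit else body

def describe_ollama(body, port):
    """Turn an /api/tags body into a result line, or None if it does not match."""
    try:
        doc = json.loads(body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return None
    models = doc.get("models") if isinstance(doc, dict) else None
    if not isinstance(models, list):
        return None
    names = []
    for entry in models:
        name = entry.get("name") if isinstance(entry, dict) else None
        if isinstance(name, str) and name:
            short = name.split(":", 1)[0]  # drop the tag: "llama3:latest" -> "llama3"
            if short not in names:
                names.append(short)
    detail = f" ({', '.join(names)})" if names else ""
    return f"[LLM] Ollama :{port}{detail}"

def probe_result(stream, port):
    """Apply the size cap first, then fingerprint the body."""
    body = read_capped(stream)
    if body is None:
        return None  # oversized response: discard instead of buffering it
    return describe_ollama(body, port)

# Constructed sample bodies (not captured from a real host).
SAMPLE = b'{"models":[{"name":"llama3:latest"},{"name":"mistral:7b"}]}'
OVERSIZED = b'{"models":[' + b" " * MAX_BODY + b"]}"
NOT_OLLAMA = b"<html><body>It works!</body></html>"

if __name__ == "__main__":
    for raw in (SAMPLE, OVERSIZED, NOT_OLLAMA):
        print(probe_result(io.BytesIO(raw), 11434))
```
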

Usage

GUI Mode

  1. Enter an IP range (CIDR, range, or single IP)
  2. Select a scan preset:
    • Quick - 6 common ports
    • Common - 22 well-known ports
    • Extended - 58 service ports
    • AI Scan - 28 AI/ML-specific ports with service probing
    • Deep AI Scan - All 65535 ports with full AI probing (slow but complete)
    • No port scan - Ping sweep only
  3. Click START
  4. After scanning, click EXPORT to save results as CSV or TXT

AI Scan results show detected services with extracted details:

[LLM] Ollama :11434 (llama3, mistral) | [GPU Infra] NVIDIA DCGM :9400 (RTX 4090)

MCP Server Mode

Run the scanner as a headless MCP server with a system tray icon:

AgrusScanner.exe --mcp-only

This starts a Streamable HTTP MCP server on http://localhost:8999/mcp (port configurable in settings). AI agents can then call the scanning tools directly.

Security note: The MCP server binds to localhost only and validates Host headers to block DNS rebinding attacks. Only processes on your own machine can connect. Do not expose this server to the network via reverse proxy or tunnel without adding your own auth layer.

MCP Tools:

| Tool | Description |
|---|---|
| scan_network | Ping sweep + port scan + DNS + AI probing across an IP range |
| probe_host | Deep-scan a single IP with port scan and AI detection |
| list_presets | List available scan presets with port counts |

AI Agent Integration

Claude Code

The project includes a .mcp.json that connects Claude Code to the scanner. Start the MCP server, then use Claude Code in this project:

// .mcp.json (already included)
{
  "mcpServers": {
    "agrus-scanner": {
      "type": "http",
      "url": "http://localhost:8999/mcp"
    }
  }
}

A Claude Code skill is also included at .claude/skills/agrus-scanner/SKILL.md that teaches the agent when and how to use the scanning tools.

OpenClaw

Install the bundled OpenClaw plugin:

openclaw plugins install ./openclaw-plugin

Configure in OpenClaw settings:

{
  "plugins": {
    "entries": {
      "agrus-scanner": {
        "enabled": true,
        "config": { "mcpUrl": "http://localhost:8999/mcp" }
      }
    }
  }
}

Other AgentSkills-Compatible Tools

The skill at .claude/skills/agrus-scanner/SKILL.md follows the open AgentSkills format and works with any compatible agent (Cursor, Gemini CLI, OpenClaw, etc.). Point your tool at the MCP endpoint and the skill provides usage instructions.

Security

v0.2.2 includes hardening across the codebase:

  • Input limits — CIDR and range parsing capped at 65,536 addresses to prevent memory exhaustion
  • Path traversal protection — MCP export_results restricted to the user's Documents folder
  • DNS rebinding defense — MCP server validates Host headers, rejecting non-localhost requests
  • Response size cap — HTTP probe responses capped at 1 MB to block memory bombs from malicious servers
  • CSV injection prevention — Export escapes formula-injection characters (=, +, -, @)
  • NTLM protection — Removed SMB shell-open to prevent credential disclosure to untrusted hosts
  • Diagnostic logging — Suppressed exceptions now log to System.Diagnostics.Trace for visibility
  • No hardcoded secrets — Build signing credentials moved to environment variables
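
The Host-header check named in the MCP Server Mode security note and in the DNS rebinding bullet above, as an added Python illustration (not the project's C# code). In a rebinding attempt the browser connects to 127.0.0.1 but still sends the external page's hostname in Host, which is what the check rejects. Port 8999 is the README's default; the function names, the exact allowlist and the sample requests are assumptions made for this example.

```python
import ipaddress

MCP_PORT = 8999  # default port from this README

def host_is_local(host_header, port=MCP_PORT):
    """True only when the Host header names loopback on the expected port."""
    if not host_header:
        return False
    value = host_header.strip().lower()
    if value.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8999
        end = value.find("]")
        if end == -1:
            return False
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, tail = value.partition(":")
        rest = sep + tail
    # A client talking to a non-default port always sends it in Host.
    if rest != f":{port}":
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # a DNS name other than "localhost"
        return False

def status_for(headers, port=MCP_PORT):
    """HTTP status a guarded endpoint would return for these request headers."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    # Exactly one Host header is required; duplicates are ambiguous.
    if len(hosts) != 1 or not host_is_local(hosts[0], port):
        return 403
    return 200

# Constructed requests (header lists), not captured traffic.
LOCAL_AGENT = [("Host", "localhost:8999"), ("Content-Type", "application/json")]
REBOUND_PAGE = [("Host", "rebind.attacker.example:8999"),
                ("Origin", "http://rebind.attacker.example:8999")]
LOOKALIKE = [("Host", "localhost.attacker.example:8999")]

if __name__ == "__main__":
    for req in (LOCAL_AGENT, REBOUND_PAGE, LOOKALIKE):
        print(req[0][1], "->", status_for(req))
```
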

Keyboard Shortcuts

| Key | Action |
|---|---|
| Ctrl + C | Copy selected IP address |
| Ctrl + = | Zoom in |
| Ctrl + - | Zoom out |
| Ctrl + 0 | Reset zoom |
| Ctrl + Scroll | Zoom |
| Right-click | Context menu (copy, open services) |

License

MIT License — use at your own risk. See LICENSE for full terms.
