Exporting AIHound Data to BloodHound CE: Visualizing AI Credential Attack Paths

TLDR: AI assistants insecurely store credentials in multiple places on workstations. AIHound uncovers them — and BloodHound CE turns them into a visual attack graph so you can see exactly what’s at risk.

AI coding assistants and MCP servers insecurely store API keys, OAuth tokens, and session credentials across dozens of locations on developer workstations. AIHound scans for these exposures, but a flat JSON report only tells part of the story. When you import AIHound results into BloodHound CE, every credential, config file, and downstream service becomes a node in an interactive graph so you can trace exactly how a single exposed key cascades into a full compromise chain.

This guide walks through three steps: running an AIHound scan, importing the results into BloodHound CE, and using the pre-built Cypher queries to explore attack paths.

Prerequisites

  • AIHound v3.2.3. Python, Go, or compiled executable aihound.exe(included in the Other Versions/pyinstaller/dist folder). AIHound can be downloaded here: netwrix/AIHound: Credential Scanner for Popular Desktop AI Platforms
  • BloodHound CE v9.x or later installed (running in Docker or standalone)
  • Administrative credentials for your BloodHound CE instance

Step 1 — Run AIHound and Export to BloodHound Format

AIHound scans your local machine for AI-related credentials and configuration files. The --bloodhound flag outputs results in BloodHound CE’s OpenGraph format.

Basic scan with BloodHound export

aihound.exe --bloodhound aihound_report.json

This produces two things: a color-coded summary in the terminal and an aihound_report.json file ready for BloodHound import.

Verbose scan with multiple output formats

For deeper visibility into what AIHound checks, add the -v (verbose) flag. You can also generate an HTML report alongside the BloodHound export:

aihound.exe -v --bloodhound aihound_report.json --html-file report.html

Scan specific tools only

If you only want to scan for specific AI tools, use the --tools flag. Run --list-tools first to see all supported tools:

aihound.exe --list-tools
aihound.exe --tools claude-code cursor openai-cli --bloodhound aihound_report.json

Understanding the output file

The generated JSON file follows BloodHound CE’s OpenGraph format. It contains nodes (credentials, config files, AI services) and edges (relationships like “Authenticates”, “Contains”, “ExposedIn”). AIHound maps 9 custom node types:

Node Type Description
AICredential API keys, OAuth tokens, session credentials
AIService AI platforms (OpenAI, Anthropic, AWS Bedrock, etc.)
MCPServer Model Context Protocol server instances
ConfigFile Configuration files containing credentials
EnvVariable Environment variables holding secrets
AITool AI coding assistants (Claude Code, Cursor, etc.)
NetworkEndpoint Network-exposed AI service endpoints
DataStore Conversation history, models, training data
CredentialStore OS credential stores (Keychain, Credential Manager)

Step 2 — Import the JSON File into BloodHound CE

First time? Import saved Cypher queries (once per BloodHound instance):

python3 -m aihound --import-queries \
  --bloodhound-server http://<bloodhound IP>:8080 \
  --bloodhound-user admin \
  --bloodhound-password <password>

This imports 29 saved Cypher queries into BloodHound’s Saved Queries panel. Running it again is safe — it skips existing queries and re-registers the schema.

Example Cypher queries (also available in Saved Queries after import):

// Show the full credential graph
MATCH path = (a:AIHound)-[r]->(b:AIHound) RETURN path

// Blast radius from critical credentials
MATCH path = (c:AIHound_AICredential)-[*1..4]->(target)
WHERE c.risk_level = "critical"
RETURN path

// MCP server attack chain: tool -> server -> credential -> service
MATCH path = (t:AIHound_AITool)-[:AIHound_UsesMCPServer]->(m:AIHound_MCPServer)-[:AIHound_RequiresCredential]->(c:AIHound_AICredential)-[:AIHound_Authenticates]->(s:AIHound_AIService)
RETURN path

Open BloodHound CE in your browser (default: http://<bloodhound ip>:8080).

  1. Log in with your admin credentials.
  2. In the left sidebar, select Quick Upload and upload the aihound_report.json file generated in Step 1.
  3. Alternatively, in the left sidebar, select Administration.
  4. Navigate to File Ingest in the submenu.
  5. Click Upload Files and select the aihound_report.json file generated in Step 1.
  6. Wait for the import to complete. BloodHound will display a confirmation banner.

Once imported, the AIHound nodes and relationships appear alongside your existing Active Directory objects in BloodHound’s graph.

Step 4 — Explore Attack Paths with Cypher Queries

The python3 -m aihound --import-queries command installed a library of saved Cypher queries into BloodHound. These cover the most common AI credential attack scenarios so you can start exploring immediately.

Accessing saved queries

  1. In BloodHound CE, click the Explore tab in the left sidebar.
  2. Select the Cypher tab.
  3. Select Saved Queries to expand the menu.
  4. Filter Platforms by Saved Queries.
  5. All AIHound queries are prefixed with “AIHound —” for easy identification.
  6. Click any query to run it. Results appear as an interactive graph.

Recommended queries to start with

The following queries are listed in order of priority. Start with the full graph to get an overview, then drill into specific attack paths.

Full Graph — Show Me Everything
Displays all AIHound nodes and edges in a single view. This is the best starting point to understand the scope of AI credential exposure across the scanned machine.
Saved query name: AIHound - FULL GRAPH - All AIHound nodes and edges

Blast Radius — What If a Credential Leaks?
Starting from a specific file or credential, shows every service, data store, and tool that becomes accessible if that credential is compromised.
Saved query name: AIHound - BLAST RADIUS

Credential → Service → Data Chain
Maps the full attack chain from stored credentials through the services they authenticate to and the data stores those services can access.
Saved query name: AIHound - CREDENTIAL → SERVICE → DATA

Overly Permissive Files
Finds credential files with world-readable or group-readable permissions — the lowest-hanging fruit for an attacker with local access.
Saved query name: AIHound - OVERLY PERMISSIVE FILES

MCP Server Attack Chains
Traces the path from AI coding tools through MCP servers to the credentials and services they depend on.
Saved query name: AIHound - MCP SERVER ATTACK CHAINS

Same Secret Sprawl
Identifies credentials that appear in multiple locations, increasing the attack surface and complicating remediation.
Saved query name: AIHound - SAME SECRET SPRAWL

Network Attack Surface
Shows AI services exposed on the network, especially those with weak or missing authentication.
Saved query name: AIHound - NETWORK ATTACK SURFACE

Writing custom Cypher queries

For investigations beyond the saved queries, you can write custom Cypher directly in the BloodHound query editor. Example: find all critical-risk credentials and what services they unlock:

MATCH (c:AICredential)-[:Authenticates]->(s:AIService)
WHERE c.risk_level = "critical"
RETURN c.name

Bonus: Table Queries for Reporting

AIHound also registers table-format queries that return structured rows instead of graph visualizations — useful for generating reports or exporting to CSV. These include:

  • Most dangerous files ranked by credential count
  • Risk distribution across all credentials
  • Services ranked by credential exposure
  • All critical credentials with remediation guidance
  • Overly permissive files with detailed permissions

Quick Reference

Scan and export:

aihound.exe --bloodhound aihound_report.json

Import Cypher Queries in BloodHound (one-time):

python3 -m aihound --import-queries \
  --bloodhound-server http://<bloodhound IP>:8080 \
  --bloodhound-user admin \
  --bloodhound-password <password>

Import: BloodHound CE → Administration → Data Management → Upload Files

Explore: Saved Queries → AIHound queries