TLDR: AI assistants insecurely store credentials in multiple places on workstations. AIHound uncovers them — and BloodHound CE turns them into a visual attack graph so you can see exactly what’s at risk.
AI coding assistants and MCP servers insecurely store API keys, OAuth tokens, and session credentials across dozens of locations on developer workstations. AIHound scans for these exposures, but a flat JSON report only tells part of the story. When you import AIHound results into BloodHound CE, every credential, config file, and downstream service becomes a node in an interactive graph so you can trace exactly how a single exposed key cascades into a full compromise chain.
This guide walks through three steps: running an AIHound scan, importing the results into BloodHound CE, and using the pre-built Cypher queries to explore attack paths.
Prerequisites
- AIHound v3.2.3. Python, Go, or compiled executable
aihound.exe(included in the Other Versions/pyinstaller/dist folder). AIHound can be downloaded here: netwrix/AIHound: Credential Scanner for Popular Desktop AI Platforms - BloodHound CE v9.x or later installed (running in Docker or standalone)
- Administrative credentials for your BloodHound CE instance
Step 1 — Run AIHound and Export to BloodHound Format
AIHound scans your local machine for AI-related credentials and configuration files. The --bloodhound flag outputs results in BloodHound CE’s OpenGraph format.
Basic scan with BloodHound export
aihound.exe --bloodhound aihound_report.json
This produces two things: a color-coded summary in the terminal and an aihound_report.json file ready for BloodHound import.
Verbose scan with multiple output formats
For deeper visibility into what AIHound checks, add the -v (verbose) flag. You can also generate an HTML report alongside the BloodHound export:
aihound.exe -v --bloodhound aihound_report.json --html-file report.html
Scan specific tools only
If you only want to scan for specific AI tools, use the --tools flag. Run --list-tools first to see all supported tools:
aihound.exe --list-tools
aihound.exe --tools claude-code cursor openai-cli --bloodhound aihound_report.json
Understanding the output file
The generated JSON file follows BloodHound CE’s OpenGraph format. It contains nodes (credentials, config files, AI services) and edges (relationships like “Authenticates”, “Contains”, “ExposedIn”). AIHound maps 9 custom node types:
| Node Type | Description |
|---|---|
| AICredential | API keys, OAuth tokens, session credentials |
| AIService | AI platforms (OpenAI, Anthropic, AWS Bedrock, etc.) |
| MCPServer | Model Context Protocol server instances |
| ConfigFile | Configuration files containing credentials |
| EnvVariable | Environment variables holding secrets |
| AITool | AI coding assistants (Claude Code, Cursor, etc.) |
| NetworkEndpoint | Network-exposed AI service endpoints |
| DataStore | Conversation history, models, training data |
| CredentialStore | OS credential stores (Keychain, Credential Manager) |
Step 2 — Import the JSON File into BloodHound CE
First time? Import saved Cypher queries (once per BloodHound instance):
python3 -m aihound --import-queries \
--bloodhound-server http://<bloodhound IP>:8080 \
--bloodhound-user admin \
--bloodhound-password <password>
This imports 29 saved Cypher queries into BloodHound’s Saved Queries panel. Running it again is safe — it skips existing queries and re-registers the schema.
Example Cypher queries (also available in Saved Queries after import):
// Show the full credential graph
MATCH path = (a:AIHound)-[r]->(b:AIHound) RETURN path
// Blast radius from critical credentials
MATCH path = (c:AIHound_AICredential)-[*1..4]->(target)
WHERE c.risk_level = "critical"
RETURN path
// MCP server attack chain: tool -> server -> credential -> service
MATCH path = (t:AIHound_AITool)-[:AIHound_UsesMCPServer]->(m:AIHound_MCPServer)-[:AIHound_RequiresCredential]->(c:AIHound_AICredential)-[:AIHound_Authenticates]->(s:AIHound_AIService)
RETURN path
Open BloodHound CE in your browser (default: http://<bloodhound ip>:8080).
- Log in with your admin credentials.
- In the left sidebar, select Quick Upload and upload the
aihound_report.jsonfile generated in Step 1. - Alternatively, in the left sidebar, select Administration.
- Navigate to File Ingest in the submenu.
- Click Upload Files and select the
aihound_report.jsonfile generated in Step 1. - Wait for the import to complete. BloodHound will display a confirmation banner.
Once imported, the AIHound nodes and relationships appear alongside your existing Active Directory objects in BloodHound’s graph.
Step 4 — Explore Attack Paths with Cypher Queries
The python3 -m aihound --import-queries command installed a library of saved Cypher queries into BloodHound. These cover the most common AI credential attack scenarios so you can start exploring immediately.
Accessing saved queries
- In BloodHound CE, click the Explore tab in the left sidebar.
- Select the Cypher tab.
- Select Saved Queries to expand the menu.
- Filter Platforms by Saved Queries.
- All AIHound queries are prefixed with “AIHound —” for easy identification.
- Click any query to run it. Results appear as an interactive graph.
Recommended queries to start with
The following queries are listed in order of priority. Start with the full graph to get an overview, then drill into specific attack paths.
Full Graph — Show Me Everything
Displays all AIHound nodes and edges in a single view. This is the best starting point to understand the scope of AI credential exposure across the scanned machine.
Saved query name: AIHound - FULL GRAPH - All AIHound nodes and edges
Blast Radius — What If a Credential Leaks?
Starting from a specific file or credential, shows every service, data store, and tool that becomes accessible if that credential is compromised.
Saved query name: AIHound - BLAST RADIUS
Credential → Service → Data Chain
Maps the full attack chain from stored credentials through the services they authenticate to and the data stores those services can access.
Saved query name: AIHound - CREDENTIAL → SERVICE → DATA
Overly Permissive Files
Finds credential files with world-readable or group-readable permissions — the lowest-hanging fruit for an attacker with local access.
Saved query name: AIHound - OVERLY PERMISSIVE FILES
MCP Server Attack Chains
Traces the path from AI coding tools through MCP servers to the credentials and services they depend on.
Saved query name: AIHound - MCP SERVER ATTACK CHAINS
Same Secret Sprawl
Identifies credentials that appear in multiple locations, increasing the attack surface and complicating remediation.
Saved query name: AIHound - SAME SECRET SPRAWL
Network Attack Surface
Shows AI services exposed on the network, especially those with weak or missing authentication.
Saved query name: AIHound - NETWORK ATTACK SURFACE
Writing custom Cypher queries
For investigations beyond the saved queries, you can write custom Cypher directly in the BloodHound query editor. Example: find all critical-risk credentials and what services they unlock:
MATCH (c:AICredential)-[:Authenticates]->(s:AIService)
WHERE c.risk_level = "critical"
RETURN c.name
Bonus: Table Queries for Reporting
AIHound also registers table-format queries that return structured rows instead of graph visualizations — useful for generating reports or exporting to CSV. These include:
- Most dangerous files ranked by credential count
- Risk distribution across all credentials
- Services ranked by credential exposure
- All critical credentials with remediation guidance
- Overly permissive files with detailed permissions
Quick Reference
Scan and export:
aihound.exe --bloodhound aihound_report.json
Import Cypher Queries in BloodHound (one-time):
python3 -m aihound --import-queries \
--bloodhound-server http://<bloodhound IP>:8080 \
--bloodhound-user admin \
--bloodhound-password <password>
Import: BloodHound CE → Administration → Data Management → Upload Files
Explore: Saved Queries → AIHound queries





