Handler on Duty: Xavier Mertens Threat Level: green previous next My next class: Application Security: Securing Web Apps, APIs, and Microservices Orlando Mar 29th - Apr 3rd 2026 Scanning for exposed Anthropic Models Yesterday, a single IP address ( 204.76.203.210 ) scanned a number of our sensors for what looks like an anthropic API node. The IP address is known to be a Tor exit node. The requests are pretty simple: GET /anthropic/v1/models Host: 67.171.182.193:8000 X-Api-Key: password Anthropic-Version: 2023-06-01 It looks like this is scanning for locally hosted Anthropic models, but it is not clear to me if this would be successful. If anyone has any insights, please let me know. The API Key is a commonly used key in documentation, and not a key that anybody would expect to work. At the same time, we are also seeing a small increase in requests for "/v1/messages". These requests have been more common in the past, but the URL may be associated with Anthropic (it is, however, somewhat generic, and it is likely other APIs use the same endpoint. These requests originate from 154.83.103.179 , an IP address with a bit a complex geolocation and routing footprint. -- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter | Keywords: anthorpic ai My next class: Application Security: Securing Web Apps, APIs, and Microservices Orlando Mar 29th - Apr 3rd 2026 previous next Login here to join the discussion. Top of page × Diary Archives