The AI Tools Your Security Team Doesn't Know Are Running

Written by Nicholas Tan | 24 March 2026, 12:03 AM

A security director at a mid-sized enterprise came to us recently with a question that sounds simple but turns out to be surprisingly hard to answer: “How many OpenClaw instances are running inside our network right now?”

He didn't know. His team didn't know. And that uncertainty — not any specific vulnerability, not any known threat actor — was the thing keeping him up at night.

His instinct was correct. Globally, over 260,000 OpenClaw instances are estimated to be exposed on the public internet. Approximately 12,000 of those are vulnerable to remote code execution. The vast majority were deployed by individuals, not IT teams — employees exploring a tool, optimizing a workflow, trying something they heard about at a conference. And in most cases, nobody in security knew it was happening.

This is the defining security challenge of the current AI adoption wave: the tools are being deployed faster than governance can catch up.

Here is what organizations need to be able to answer — and how ThreatBook's Threat Detection Platform (TDP) helps them get there.

Who Is Running OpenClaw Inside the Network

Employees deploy AI tools for legitimate reasons. Productivity gains are real. The problem isn't the intent — it's the invisibility. When installations happen outside IT processes, security teams have no way to assess risk, enforce policy, or respond if something goes wrong.

By analyzing network traffic signatures, TDP surfaces the full picture in real time:

  • Which endpoints have OpenClaw running
  • Which devices are communicating with OpenClaw services
  • When a new OpenClaw instance appears anywhere on the network

The result is a live inventory — across workstations, servers, and personal devices — without requiring endpoint agents on every machine.

Whether Any Internal Instances Are Exposed to the Public Internet

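OpenClaw listens on 0.0.0.0:18789 by default, which means it accepts connections on every network interface of the host rather than only on loopback. Many users are unaware of what that means in practice: unless explicitly restricted, the service is reachable from outside the network the moment it is deployed.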

For an attacker conducting routine internet-wide scanning, a misconfigured OpenClaw instance is trivially discoverable and exploitable. Discovery is a matter of minutes. Exploitation can follow immediately.

TDP monitors for inbound external connections to OpenClaw services and flags internal devices communicating with those exposed services — providing early warning before an exposed instance becomes an active incident.

Whether Employees Are Connecting to External OpenClaw Instances

The risk isn't limited to what's inside the network. Employees who connect to OpenClaw instances hosted on external infrastructure — including personal cloud environments or third-party services — introduce two distinct categories of exposure.

The first is data compliance risk. Productivity data — emails, calendar entries, source code, documents — may transit through servers outside the organization's control, potentially violating data residency requirements or internal information security policies.

The second is lateral movement risk. If an external OpenClaw instance has been compromised by a threat actor, an employee connecting to it effectively gives that actor an authenticated pathway into internal corporate resources. The employee's credentials and access rights become the attacker's entry point.

TDP surfaces internal hosts communicating with external OpenClaw infrastructure, giving security teams the context to assess and contain.
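The three questions above (which internal hosts run OpenClaw, which instances receive inbound external connections, and which employees reach external instances) can be approximated from flow logs. The following is an added example, not ThreatBook TDP's detection logic: the flow record fields, the internal address ranges and the `known` inventory are assumptions, and it matches on the default port 18789 only, whereas the article describes matching on traffic signatures.

```python
import ipaddress
from collections import defaultdict

OPENCLAW_PORT = 18789  # default listener port stated in the article
# Assumption: the organization's internal address space (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(flow):
    """Label one flow record, or return None if it is not relevant."""
    # Ignore unanswered connection attempts: a probe alone does not prove a listener.
    if flow["dport"] != OPENCLAW_PORT or not flow.get("established"):
        return None
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    if dst_in and not src_in:
        return "exposed_instance"   # external client reached an internal instance
    if dst_in and src_in:
        return "internal_instance"  # internal client using an internal instance
    if src_in:
        return "external_use"       # internal client using an external instance
    return None

def build_report(flows):
    """Group findings as label -> {server ip -> sorted client ips}."""
    report = defaultdict(lambda: defaultdict(set))
    for flow in flows:
        label = classify(flow)
        if label:
            report[label][flow["dst"]].add(flow["src"])
    return {label: {srv: sorted(c) for srv, c in servers.items()}
            for label, servers in report.items()}

def new_instances(report, known):
    """Internal servers seen listening that are absent from the known inventory."""
    seen = set(report.get("internal_instance", {})) | set(report.get("exposed_instance", {}))
    return sorted(seen - set(known))

# Constructed sample flow records (private and documentation address ranges).
SAMPLE_FLOWS = [
    {"src": "10.1.4.22", "dst": "10.1.9.50", "dport": 18789, "established": True},
    {"src": "203.0.113.77", "dst": "10.1.9.50", "dport": 18789, "established": True},
    {"src": "10.1.4.31", "dst": "198.51.100.14", "dport": 18789, "established": True},
    {"src": "10.1.4.22", "dst": "10.1.9.60", "dport": 18789, "established": False},
    {"src": "10.1.4.22", "dst": "10.1.2.5", "dport": 443, "established": True},
]
```

Port-only matching misses instances moved to a non-default port and can mislabel unrelated services on 18789, so treat each finding as a lead to confirm on the host.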

The Broader Pattern

OpenClaw is the current example. But the underlying dynamic — employees deploying powerful, network-connected AI software outside formal IT processes — applies to the entire category of AI agent tools and will intensify as adoption grows.

The instances security teams don't know about are precisely the ones that matter most. Visibility is the prerequisite for everything else.

ThreatBook TDP provides real-time network traffic analysis and AI application detection across enterprise environments. Contact us to request a trial or learn more about AI application visibility.