K Kilasec
Free · no signup · no upload

Find the shadow AI on your network

Drop in logs you already have — DNS, proxy, or a packet capture — and see every AI service being called from your network, and by which machines. Including the private LLM gateways nobody told you about.

Your logs never leave your browser. The analyzer is the real Kilasec discovery tool, compiled to run locally via WebAssembly. Files are read in memory and never uploaded — to Kilasec or anyone. Everything on this page is served from kilasec.com; no third party is contacted at all.
Drop log files or a capture here
or click to choose — you can select several at once
Zeek · Squid · Pi-hole / dnsmasq · pcap & pcapng (tcpdump / Wireshark) · most firewall/proxy exports

How to get your logs

Any one of these works. DNS or proxy/SNI logs from the network edge give the clearest picture.

Pi-hole / dnsmasq (easiest)

Pi-hole and dnsmasq log every DNS lookup. Grab the query log:

sudo cp /var/log/pihole/pihole.log ~/pihole.log        # Pi-hole v6
# or older Pi-hole / plain dnsmasq:
sudo cp /var/log/dnsmasq.log ~/dnsmasq.log

Drop that file above. Each query[A] host from 10.x.x.x line becomes a data point.

Squid proxy

Squid's access log carries the CONNECT host (SNI) for HTTPS:

sudo cp /var/log/squid/access.log ~/squid-access.log

Drop it above — native Squid format is auto-detected.

Zeek / Corelight

Use dns.log and/or ssl.log (TSV with the #fields header, or JSON):

cp /opt/zeek/logs/current/ssl.log ~/ssl.log
cp /opt/zeek/logs/current/dns.log ~/dns.log

Drop either or both.

pfSense / OPNsense / other firewall

Export the DNS Resolver (Unbound) or proxy log, or any firewall log that records destination hostnames. The generic parser pulls hostnames + a client IP out of most exports — just drop the file and see what it finds.

Packet capture (Wireshark or tcpdump) — no logs handy

Capture a few minutes at a choke point (a mirror port, or the gateway). The tool reads DNS queries and TLS SNI — it never decrypts anything. Both Wireshark's default .pcapng and tcpdump's .pcap work — just drop the file, no conversion.

sudo tcpdump -i any -w ~/capture.pcap -s 400 'port 53 or port 443'
# …let it run a bit, Ctrl-C, then drop capture.pcap above

In Wireshark, just File → Save As and drop the result. A small snap length (-s 400) is plenty — only DNS names and the TLS handshake are read.

Prefer to run it yourself, air-gapped? The same tool ships as a single-file Python CLI — read the source, run it offline, no browser.
Get the CLI →