HoneyLabs
Honeypot threat intelligence as MCP tools. Query 90 days of probe data from our honeypot sensor network — IP reputation, scanner classification, CVE probing trends, TLS/SSH/JA4 fingerprints, attack timelines — straight from Claude, Cursor, Gemini, Cline, or any other Model Context Protocol client.
- 🌐 Web: https://honeylabs.net
- 🔌 MCP endpoint: https://mcp.honeylabs.net/mcp (streamable HTTP)
- 🧰 Tool catalog & worked prompts: https://honeylabs.net/mcp
- 📖 Docs: https://honeylabs.net/docs
- 💼 Pricing: Free tier · 500 credits/day · no card
Install
Claude Code
claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer <your-key>"
Get a key at https://honeylabs.net/dashboard (magic-link sign-in, no password).
Claude Desktop / Cursor
Add to your MCP config:
{
  "mcpServers": {
    "honeylabs": {
      "url": "https://mcp.honeylabs.net/mcp",
      "headers": {
        "Authorization": "Bearer <your-key>"
      }
    }
  }
}
Cline
Same JSON config as Claude Desktop / Cursor. Install via the MCP Marketplace listing or paste the config block above into your settings.
Gemini CLI
gemini /mcp add honeylabs https://mcp.honeylabs.net/mcp
gemini /mcp auth honeylabs # OAuth flow, no static key
OAuth 2.1 with PKCE + DCR is supported at /oauth/authorize. Any MCP client that speaks standard OAuth (Gemini, MCP Inspector, Smithery, Cline's OAuth flow) works out of the box.
Tools
| Tool | What it answers |
|---|---|
| ioc_lookup | Is this IP / domain known to be probing? When was it last seen? What ports / paths does it hit? |
| top_attackers | Ranked leaderboard of source IPs, ASNs, countries, ports, or user-agents over a time window. |
| search_events | Raw honeypot events matching filters (IP, ASN, country, dest_port, protocol, http_method). |
| attack_timeline | Hourly / daily attack volume over a window, with protocol / country / port filters. |
| asn_enrich | Full profile for an ASN: total events, unique IPs, top ports, source countries, user-agents, org name. |
| fingerprint_search | Search by TLS JA4 / HTTP JA4H / SSH HASSH fingerprint — find shared infrastructure. |
| payload_search | Full-text URL-path + user-agent search across attack traffic. Pro tier. |
Each row in a response counts as one credit. Free tier gets 500 credits/day, Pro gets 50,000, Team gets 500,000. See https://honeylabs.net/docs#plans for the full breakdown.
What the data is
HoneyLabs runs a fleet of honeypots that get probed by the public internet all day. Every probe — every connection, every TLS handshake, every HTTP request — is logged with the source IP, ASN, geo, TLS/HTTP/SSH fingerprints, and full URL path. We retain the last 90 days and expose it through this MCP server, a JSON API, a public lookup web UI at /lookup/<ip>, and CSV / STIX exports.
What it is not: a CVSS database, a reputation feed copied from elsewhere, or generic threat indicators. It's our own ground-truth observations of what's actively scanning the internet right now.
Showcase prompts
Things to ask Claude / Cursor / Gemini once HoneyLabs is wired in:
- "Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
- "Pull every IP that hit port 445 with a non-Windows User-Agent in the last 24 hours."
- "Show CVE-2024-4577 probing volume per day for the last 7 days, broken down by ASN."
- "For the top 10 attackers on port 6379 right now, what TLS JA4 fingerprints do they share?"
More worked examples at https://honeylabs.net/mcp.
Open source
The honeypot fleet itself (Spip-Go) and the enrichment pipeline (Loom) are public. This repo (the MCP / API surface) is closed.