honeylabs-mcp
Honeypot threat intelligence for AI agents. Query 90 days of probe data from our sensor network: IP reputation, scanner classification, CVE probing trends, TLS/SSH/JA4 fingerprints. Free tier 500 credits/day, OAuth + bearer auth, streamable HTTP at https://mcp.honeylabs.net/mcp.
README
HoneyLabs
Honeypot threat intelligence as MCP tools. Query 90 days of probe data from our honeypot sensor network โ IP reputation, scanner classification, CVE probing trends, TLS/SSH/JA4 fingerprints, attack timelines โ straight from Claude, Cursor, Gemini, Cline, or any other Model Context Protocol client.
- ๐ Web: https://honeylabs.net
- ๐ MCP endpoint: https://mcp.honeylabs.net/mcp (streamable HTTP)
- ๐งฐ Tool catalog & worked prompts: https://honeylabs.net/mcp
- ๐ Docs: https://honeylabs.net/docs
- ๐ผ Pricing: Free tier ยท 500 credits/day ยท no card
Install
Claude Code
claude mcp add honeylabs \
--transport http \
https://mcp.honeylabs.net/mcp \
--header "Authorization: Bearer <your-key>"
Get a key at https://honeylabs.net/dashboard (magic-link sign-in, no password).
Claude Desktop / Cursor
Add to your MCP config:
{
"mcpServers": {
"honeylabs": {
"url": "https://mcp.honeylabs.net/mcp",
"headers": {
"Authorization": "Bearer <your-key>"
}
}
}
}
Cline
Same JSON config as Claude Desktop / Cursor. Install via the MCP Marketplace listing or paste the config block above into your settings.
Gemini CLI
gemini /mcp add honeylabs https://mcp.honeylabs.net/mcp
gemini /mcp auth honeylabs # OAuth flow, no static key
OAuth 2.1 with PKCE + DCR is supported at /oauth/authorize. Any MCP
client that speaks standard OAuth (Gemini, MCP Inspector, Smithery,
Cline's OAuth flow) works out of the box.
Tools
| Tool | What it answers |
|---|---|
ioc_lookup |
Is this IP / domain known to be probing? When was it last seen? What ports / paths does it hit? |
top_attackers |
Ranked leaderboard of source IPs, ASNs, countries, ports, or user-agents over a time window. |
search_events |
Raw honeypot events matching filters (IP, ASN, country, dest_port, protocol, http_method). |
attack_timeline |
Hourly / daily attack volume over a window, with protocol / country / port filters. |
asn_enrich |
Full profile for an ASN: total events, unique IPs, top ports, source countries, user-agents, org name. |
fingerprint_search |
Search by TLS JA4 / HTTP JA4H / SSH HASSH fingerprint โ find shared infrastructure. |
payload_search |
Full-text URL-path + user-agent search across attack traffic. Pro tier. |
Each row in a response counts as one credit. Free tier gets 500 credits/day, Pro gets 50,000, Team gets 500,000. See https://honeylabs.net/docs#plans for the full breakdown.
What the data is
HoneyLabs runs a fleet of honeypots that get probed by the public
internet all day. Every probe โ every connection, every TLS
handshake, every HTTP request โ is logged with the source IP, ASN,
geo, TLS/HTTP/SSH fingerprints, and full URL path. We retain the
last 90 days and expose it through this MCP server, a JSON API, a
public lookup web UI at /lookup/<ip>, and CSV / STIX exports.
What it is not: a CVSS database, a reputation feed copied from elsewhere, or generic threat indicators. It's our own ground-truth observations of what's actively scanning the internet right now.
Showcase prompts
Things to ask Claude / Cursor / Gemini once HoneyLabs is wired in:
- "Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
- "Pull every IP that hit port 445 with a non-Windows User-Agent in the last 24 hours."
- "Show CVE-2024-4577 probing volume per day for the last 7 days, broken down by ASN."
- "For the top 10 attackers on port 6379 right now, what TLS JA4 fingerprints do they share?"
More worked examples at https://honeylabs.net/mcp.
Open source
The honeypot fleet itself (Spip-Go) and the enrichment pipeline (Loom) are public. This repo (the MCP / API surface) is closed.
Contact
- info@honeylabs.net
- https://www.linkedin.com/company/honeylabsnet/
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.