honeylabs-mcp
The HoneyLabs MCP server lets you query 90 days of real-world honeypot threat intelligence data — including IP reputation, attack trends, fingerprints, and raw events — directly from any MCP-compatible AI client.
ioc_lookup: Check if an IP/domain has been observed in honeypot data, including first/last seen timestamps, targeted ports, user agents, URL paths, and TLS/HTTP/SSH fingerprints.
top_attackers: Ranked leaderboard of attack sources grouped by IP, ASN, country, port, user agent, JA4 fingerprint, or URL path over a specified time window, with optional filters.
search_events: Retrieve raw honeypot event records filtered by source IP, country, ASN, destination port, protocol, or HTTP method.
attack_timeline: Hourly or daily attack volume trends over a time range, optionally filtered by protocol, country, or destination port — useful for spotting spikes or tracking scanning campaigns.
asn_enrich: Full profile of an ASN (hosting provider/network), including total events, unique IPs, top targeted ports, source countries, and user agents.
fingerprint_search: Find honeypot activity matching a specific TLS (JA4), HTTP (JA4H), or SSH (HASSH) fingerprint to identify shared infrastructure or track specific scanning tools.
payload_search (Pro/Team only): Full-text search across HTTP URL paths and user agents to find exploit attempts, CVE probing, or specific attack payloads.
HoneyLabs
Honeypot threat intelligence as MCP tools. Query 90 days of probe data from our honeypot sensor network: IP reputation, scanner classification, CVE probing trends, TLS/SSH fingerprints (JA4, JA3, JA4H, HASSH), mTLS client certificates, Community ID flow hashes, and attack timelines. Use it straight from Claude, Cursor, Gemini, Cline, or any other Model Context Protocol client.
🌐 Web: https://honeylabs.net
🔌 MCP endpoint: https://mcp.honeylabs.net/mcp (streamable HTTP)
🧰 Tool catalog & worked prompts: https://honeylabs.net/mcp
📖 Docs: https://honeylabs.net/docs
🔑 Access: free with a key, within fair-use limits
Install
Claude Code
claude mcp add honeylabs \
--transport http \
https://mcp.honeylabs.net/mcp \
--header "Authorization: Bearer <your-key>"
Get a key at https://honeylabs.net/dashboard (magic-link sign-in, no password).
Claude Desktop / Cursor
Add to your MCP config:
{
  "mcpServers": {
    "honeylabs": {
      "url": "https://mcp.honeylabs.net/mcp",
      "headers": {
        "Authorization": "Bearer <your-key>"
      }
    }
  }
}
Cline
Same JSON config as Claude Desktop / Cursor. Install via the MCP Marketplace listing or paste the config block above into your settings.
Gemini CLI
gemini /mcp add honeylabs https://mcp.honeylabs.net/mcp
gemini /mcp auth honeylabs # OAuth flow, no static key
OAuth 2.1 with PKCE + DCR is supported at /oauth/authorize. Any MCP
client that speaks standard OAuth (Gemini, MCP Inspector, Smithery,
Cline's OAuth flow) works out of the box.
Tools
| Tool | What it answers |
| ioc_lookup | Is this IP / domain known to be probing? When was it last seen? What ports / paths does it hit? |
| top_attackers | Ranked leaderboard of source IPs, ASNs, countries, ports, or user-agents over a time window. |
| search_events | Raw honeypot events matching filters (IP, ASN, country, dest_port, protocol, http_method, ja4/ja3, community_id, has_client_cert). |
| attack_timeline | Hourly / daily attack volume over a window, with protocol / country / port filters. |
| asn_enrich | Full profile for an ASN: total events, unique IPs, top ports, source countries, user-agents, org name. |
| fingerprint_search | Search by TLS JA4 / JA3 / HTTP JA4H / SSH HASSH fingerprint to find shared infrastructure. |
| payload_search | Full-text URL-path + user-agent search across attack traffic. Pro tier. |
Each row in a response counts as one credit. A free key gives 500 credits a day, with higher limits for heavier use. See https://honeylabs.net/docs#plans for the breakdown.
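For scripted use outside an AI client, the endpoint can be checked directly before it is wired into anything. This added example (not HoneyLabs code) builds the streamable-HTTP JSON-RPC requests and parses a tools/list reply, assuming the server follows the standard MCP transport; the helper names and the sample response are constructed for illustration.

```python
import json

ENDPOINT = "https://mcp.honeylabs.net/mcp"  # endpoint given on this page
EXPECTED_TOOLS = {"ioc_lookup", "top_attackers", "search_events", "attack_timeline",
                  "asn_enrich", "fingerprint_search", "payload_search"}

def build_headers(api_key, session_id=None):
    """Headers for one streamable-HTTP MCP POST; the key stays out of the URL."""
    headers = {"Authorization": f"Bearer {api_key}",
               "Content-Type": "application/json",
               # The server may answer with plain JSON or with an SSE stream.
               "Accept": "application/json, text/event-stream"}
    if session_id:  # returned by the server on initialize, if it uses sessions
        headers["Mcp-Session-Id"] = session_id
    return headers

def build_request(method, params=None, request_id=1):
    """Serialize a JSON-RPC 2.0 request such as initialize or tools/list."""
    msg = {"jsonrpc": "2.0", "id": request_id, "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg)

def parse_response(content_type, body, request_id):
    """Return the result for request_id from a JSON or SSE response body."""
    if content_type.lower().startswith("text/event-stream"):
        messages = []
        for event in body.replace("\r\n", "\n").split("\n\n"):
            data = "\n".join(l[5:].lstrip() for l in event.split("\n")
                             if l.startswith("data:"))
            if data:
                messages.append(json.loads(data))
    else:
        messages = [json.loads(body)]
    for msg in messages:
        if msg.get("id") == request_id:
            if "error" in msg:
                raise RuntimeError(f"MCP error: {msg['error']}")
            return msg["result"]
    raise ValueError(f"no reply to request {request_id}")

def missing_tools(tools_list_result):
    """Tools named on this page that the server did not advertise."""
    advertised = {t["name"] for t in tools_list_result.get("tools", [])}
    return sorted(EXPECTED_TOOLS - advertised)

# Constructed SSE reply to a tools/list call (not captured from the service).
SAMPLE_SSE = ('event: message\r\ndata: {"jsonrpc":"2.0","id":2,"result":{"tools":['
              '{"name":"ioc_lookup"},{"name":"top_attackers"},{"name":"search_events"}]}}\r\n\r\n')

if __name__ == "__main__":
    print(build_request("tools/list", request_id=2))
    print(missing_tools(parse_response("text/event-stream", SAMPLE_SSE, 2)))
```

Send the serialized requests with any HTTP client, reading the key from the environment or a secret store rather than hard-coding it in the script.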
What the data is
HoneyLabs runs a fleet of honeypots that get probed by the public
internet all day. Every probe, meaning every connection, TLS
handshake, and HTTP request, is logged with the source IP, ASN,
geo, TLS/HTTP/SSH fingerprints, and full URL path. We retain the
last 90 days and expose it through this MCP server, a JSON API, a
public lookup web UI at /lookup/<ip>, and CSV / STIX exports.
This is our own ground-truth record of what is actively scanning the internet right now, gathered first-hand rather than copied from a CVSS database or a third-party reputation feed.
Showcase prompts
Things to ask Claude / Cursor / Gemini once HoneyLabs is wired in:
"Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
"Pull every IP that hit port 445 with a non-Windows User-Agent in the last 24 hours."
"Show CVE-2024-4577 probing volume per day for the last 7 days, broken down by ASN."
"For the top 10 attackers on port 6379 right now, what TLS JA4 fingerprints do they share?"
More worked examples at https://honeylabs.net/mcp.
Open source
The honeypot fleet itself (Spip-Go) and the enrichment pipeline (Loom) are public. This repo (the MCP / API surface) is closed.