honeylabs-mcp
OfficialHoneyLabs
Honeypot threat intelligence as MCP tools. Query 90 days of probe data from our honeypot sensor network โ IP reputation, scanner classification, CVE probing trends, TLS/SSH/JA4 fingerprints, attack timelines โ straight from Claude, Cursor, Gemini, Cline, or any other Model Context Protocol client.
๐ Web: https://honeylabs.net
๐ MCP endpoint: https://mcp.honeylabs.net/mcp (streamable HTTP)
๐งฐ Tool catalog & worked prompts: https://honeylabs.net/mcp
๐ Docs: https://honeylabs.net/docs
๐ผ Pricing: Free tier ยท 500 credits/day ยท no card
Install
Claude Code
claude mcp add honeylabs \
--transport http \
https://mcp.honeylabs.net/mcp \
--header "Authorization: Bearer <your-key>"Get a key at https://honeylabs.net/dashboard (magic-link sign-in, no password).
Claude Desktop / Cursor
Add to your MCP config:
{
"mcpServers": {
"honeylabs": {
"url": "https://mcp.honeylabs.net/mcp",
"headers": {
"Authorization": "Bearer <your-key>"
}
}
}
}Cline
Same JSON config as Claude Desktop / Cursor. Install via the MCP Marketplace listing or paste the config block above into your settings.
Gemini CLI
gemini /mcp add honeylabs https://mcp.honeylabs.net/mcp
gemini /mcp auth honeylabs # OAuth flow, no static keyOAuth 2.1 with PKCE + DCR is supported at /oauth/authorize. Any MCP
client that speaks standard OAuth (Gemini, MCP Inspector, Smithery,
Cline's OAuth flow) works out of the box.
Tools
Tool | What it answers |
| Is this IP / domain known to be probing? When was it last seen? What ports / paths does it hit? |
| Ranked leaderboard of source IPs, ASNs, countries, ports, or user-agents over a time window. |
| Raw honeypot events matching filters (IP, ASN, country, dest_port, protocol, http_method). |
| Hourly / daily attack volume over a window, with protocol / country / port filters. |
| Full profile for an ASN: total events, unique IPs, top ports, source countries, user-agents, org name. |
| Search by TLS JA4 / HTTP JA4H / SSH HASSH fingerprint โ find shared infrastructure. |
| Full-text URL-path + user-agent search across attack traffic. Pro tier. |
Each row in a response counts as one credit. Free tier gets 500 credits/day, Pro gets 50,000, Team gets 500,000. See https://honeylabs.net/docs#plans for the full breakdown.
What the data is
HoneyLabs runs a fleet of honeypots that get probed by the public
internet all day. Every probe โ every connection, every TLS
handshake, every HTTP request โ is logged with the source IP, ASN,
geo, TLS/HTTP/SSH fingerprints, and full URL path. We retain the
last 90 days and expose it through this MCP server, a JSON API, a
public lookup web UI at /lookup/<ip>, and CSV / STIX exports.
What it is not: a CVSS database, a reputation feed copied from elsewhere, or generic threat indicators. It's our own ground-truth observations of what's actively scanning the internet right now.
Showcase prompts
Things to ask Claude / Cursor / Gemini once HoneyLabs is wired in:
"Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
"Pull every IP that hit port 445 with a non-Windows User-Agent in the last 24 hours."
"Show CVE-2024-4577 probing volume per day for the last 7 days, broken down by ASN."
"For the top 10 attackers on port 6379 right now, what TLS JA4 fingerprints do they share?"
More worked examples at https://honeylabs.net/mcp.
Open source
The honeypot fleet itself (Spip-Go) and the enrichment pipeline (Loom) are public. This repo (the MCP / API surface) is closed.
Contact
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/honeylabshq/honeylabs-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server