Show HN: HoneyLabs – Public honeypot threat Intel feed and MCP server (honeylabs.net)
Paste a public IPv4 and you get its 90-day report: ASN, country, what ports it hit, which CVE signatures matched, recent payloads, JA4 and HASSH fingerprints, and scanner classification (research / commercial / hosting provider / ISP / Tor exit). No signup is required for the basic lookup.
What I've been adding lately is an MCP (Model Context Protocol) server so Claude, Cursor, or any MCP-compatible agent can query the data directly.
Setup is as easy as getting a token and one command:
claude mcp add honeylabs \
--transport http \
https://mcp.honeylabs.net/mcp \
--header "Authorization: Bearer <hlk_…>"
Once configured, the agent can answer complex security questions without any custom glue code, such as:"Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
"Which top 5 ASNs generate the most probes?"
"What scan organisations are probing on port 9200 right now?"
The implementation details can be found at https://honeylabs.net/mcp. Or just use the web-interface or curl.
For context on how the classifier stays current without manual curation:
- rDNS and ASN-org pattern matching. - ISP, CDN, and Enterprise classifications derived from PeeringDB's CC0 ASN data. - Tor exit lists refreshed hourly from torproject.org. - KEV (Known Exploited Vulnerabilities) flags refreshed daily from CISA.
Looking forward to your feedback!
2 comments
[ 4.1 ms ] story [ 25.1 ms ] thread