events in the last 24 hours

HoneyLabs,
queryable by your AI.

The same 13M+ events behind honeylabs.net, exposed as MCP tools. Query attacker fingerprints, targeted ports, and CVE matches from Claude, Cursor, or any MCP client.

500 credits/day, 7-day lookback, no credit card.

Connect in 30 seconds
Streamable HTTP
claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer hlk_..."

Need a key? for a magic link.

Free, no API key

IP threat reports

Instant browser profile for any public IPv4. Timeline, targeted ports, TLS/SSH fingerprints, CVE matches.

honeylabs.net/lookup · curl returns JSON

Last 24 hours

Top sources, last 24 hours

Same view your AI gets when it calls top_attackers. Cached for 5 minutes.

Origin

Top countries

top_attackers(by=country)
  • 🇫🇷France81.6K
  • 🇧🇷Brazil71.6K
  • 🇺🇸United States59.1K
  • 🇧🇬Bulgaria17.3K
  • 🇵🇪Peru16.7K
Networks

Top ASNs

top_attackers(by=asn)
  • AS3215Orange56.3K
  • AS396982Google LLC31.9K
  • AS274818CONEXAO MAIS EMPRESA D30.5K
  • AS263432CORPORATIVA TELECOMUNI27.4K
  • AS209334Modat B.V.26.2K
Targets

Top ports hit

top_attackers(by=port)
  • 3306MySQL29 IPs
  • 3389RDP104 IPs
  • 443HTTPS216 IPs
  • 53DNS43 IPs
  • 39131168 IPs
Infra

Top scanner hostnames

top_attackers(by=domain)
  • 🇫🇷lfbn-ami-1-74-102.w90-24.abo.w56.3K
  • 🇧🇷177.91.72.63.rev.corporativafi27.4K
  • 🇷🇺host-79-164-41-168.qwerty.ru15.7K
  • 🇧🇬ip-58-126.4vendeta.com12.8K
  • 🇧🇷187-4-161-46.user3p.v-tal.net.11.5K

To reproduce the last column from an MCP client: top_attackers(by="domain", since="2026-05-13", until="2026-05-14")

Example conversation

The AI calls the MCP tools, gets back rows, summarises the answer.

You
Who's hammering SSH on the internet this week? Any unusual clients?
AI
top_attackers(by="asn", dest_port=22, since="2026-05-06", until="2026-05-13")
fingerprint_search(fp_type="hassh", fingerprint="5bd26477da54…")
AI
Top SSH-scanning ASN this week is AS47890 (Unmanaged Ltd) with 6,163 hits to port 22. AS48090 (Techoff Srv Limited, NL) is #2, mostly from the cluster 45.148.10.141-152.

One HASSH stands out: 5bd26477da54… - 8,885 events from just 21 unique IPs across RO, NL, PA and US. Tight infra footprint, port 22 only - looks like one coordinated brute-force operation. Want the IP list?

Sensor IPs are redacted from every response.

Common uses

SOC & IR

Enrich alerts in seconds

Drop an IP, JA4 or HASSH into your assistant and get sighting history, targeted ports, and ASN context without leaving chat.

Threat hunting

Track campaigns over time

Slice events by ASN, country, port, or fingerprint. Spot when a campaign starts, shifts targets, or burns its infrastructure.

Research

Test a hypothesis fast

3.7M JA4 TLS, 3.2M JA4H HTTP, 26K HASSH SSH fingerprints. Ask the AI to correlate and summarise, no SQL needed.

7 threat-intel tools

Sensor names and honeypot IPs are redacted from every response.

search_events free

Raw events filtered by IP, country, ASN, port, or HTTP method. Returns timestamps, JA4/JA4H/HASSH fingerprints, user-agent and event summary.

search_events(country="CN", dest_port=22, limit=10)
→ [{ timestamp, source_ip, ssh_client_hassh, event_summary, … }]
top_attackers free

Leaderboard grouped by IP, ASN, country, port, user-agent, JA4 fingerprint, or URL path. Includes first/last seen and target diversity.

top_attackers(by="asn", since="2026-05-06", until="2026-05-13")
→ [{ value: 14061, event_count: 121519, asn_org: "DigitalOcean, LLC", … }]
ioc_lookup free

Given an IP or domain: sighting count, first/last seen, targeted ports, ASN, top user-agents, JA4 and HASSH fingerprints.

ioc_lookup("<ip-or-domain>")
→ { total_events: 272780, asn_org: "IP Volume inc", country_code: "NL",
    ports_targeted: [22,23,80,443,3389,…], top_user_agents: [...] }
attack_timeline free

Hourly or daily event counts. Optional filters for protocol, country, dest_port. Useful for spotting campaign starts and traffic spikes.

attack_timeline(bucket="day", filter_dest_port=445)
→ [{ bucket: "2026-05-12", event_count: 9870, unique_sources: 419 }, …]
asn_enrich free

Full honeypot profile for an ASN: top IPs, ports, protocols, source countries. Attribute campaigns to hosting providers.

asn_enrich("AS202425", since=…, until=…)
→ { org_name: "IP Volume inc", total_events: 32597, unique_ips: 55,
    top_ports: [7777, 2715, 1723, 3128, 25], top_source_ips: [...] }
fingerprint_search free

Find all activity matching a JA4 TLS, JA4H HTTP, or HASSH SSH fingerprint. 3.7M / 3.2M / 26K fingerprints in the dataset.

fingerprint_search(fp_type="ja4", fingerprint="t13i190800_…")
→ { total_events, top_source_ips, source_asns, samples: [...] }
payload_search pro

Full-text search across masked HTTP bodies, headers, and URL paths. Hunt who probed a specific path or sent a specific payload.

payload_search(query="/.git/config", since=…, until=…)
→ [{ source_ip, url_path, event_summary, … }]

Pricing

Free tier covers most workflows. Paid tiers extend the lookback window and add payload search.

Available now
Free
$0
forever, no credit card
  • 500 credits / day
  • 7-day lookback
  • 6 core tools
  • All event fields & fingerprints
  • · payload_search (Pro)
Coming soon
Pro
$29
per month
  • · 50,000 credits / day
  • · 90-day lookback
  • · All 7 tools
  • · payload_search
  • · 60 calls / min
Coming soon
Coming soon
Team
$199
per month
  • · 500,000 credits / day
  • · 365-day lookback
  • · All 7 tools
  • · Priority support
  • · 300 calls / min
Coming soon

About the data

·Internet-facing honeypot sensors capturing raw TCP, TLS, HTTP and SSH probes.
·All payloads, headers, URLs and SNI are scrubbed of sensor IPs before exposure.
·Timestamps are UTC. Source IPs and ASNs are real, attacker-controlled.
·Fingerprints: JA4 TLS, JA4H HTTP request, HASSH SSH client.
·Ingestion runs continuously, new events arrive every few seconds.
·Parameterised queries, redacted views, per-tier rate limits and quotas.