The same 13M+ events behind honeylabs.net, exposed as MCP tools. Query attacker fingerprints, targeted ports, and CVE matches from Claude, Cursor, or any MCP client.
500 credits/day, 7-day lookback, no credit card.
claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer hlk_..."
Need a key? for a magic link.
Instant browser profile for any public IPv4. Timeline, targeted ports, TLS/SSH fingerprints, CVE matches.
honeylabs.net/lookup · curl returns JSON
Same view your AI gets when it calls top_attackers. Cached for 5 minutes.
top_attackers(by=country)
top_attackers(by=asn)
top_attackers(by=port)
top_attackers(by=domain)
To reproduce the last column from an MCP client:
top_attackers(by="domain", since="2026-05-13", until="2026-05-14")
The AI calls the MCP tools, gets back rows, and summarises the answer.
Sensor IPs are redacted from every response.
Drop an IP, JA4 or HASSH into your assistant and get sighting history, targeted ports, and ASN context without leaving chat.
Slice events by ASN, country, port, or fingerprint. Spot when a campaign starts, shifts targets, or burns its infrastructure.
3.7M JA4 TLS, 3.2M JA4H HTTP, 26K HASSH SSH fingerprints. Ask the AI to correlate and summarise, no SQL needed.
Sensor names and honeypot IPs are redacted from every response.
Raw events filtered by IP, country, ASN, port, or HTTP method. Returns timestamps, JA4/JA4H/HASSH fingerprints, user-agent and event summary.
search_events(country="CN", dest_port=22, limit=10)
→ [{ timestamp, source_ip, ssh_client_hassh, event_summary, … }]
Leaderboard grouped by IP, ASN, country, port, user-agent, JA4 fingerprint, or URL path. Includes first/last seen and target diversity.
top_attackers(by="asn", since="2026-05-06", until="2026-05-13")
→ [{ value: 14061, event_count: 121519, asn_org: "DigitalOcean, LLC", … }]
Given an IP or domain: sighting count, first/last seen, targeted ports, ASN, top user-agents, JA4 and HASSH fingerprints.
ioc_lookup("<ip-or-domain>")
→ { total_events: 272780, asn_org: "IP Volume inc", country_code: "NL",
ports_targeted: [22,23,80,443,3389,…], top_user_agents: [...] }
Hourly or daily event counts. Optional filters for protocol, country, dest_port. Useful for spotting campaign starts and traffic spikes.
attack_timeline(bucket="day", filter_dest_port=445)
→ [{ bucket: "2026-05-12", event_count: 9870, unique_sources: 419 }, …]
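Added example, not HoneyLabs code: one way to turn attack_timeline rows into campaign-start alerts, scoring each day against a trailing baseline with a median/MAD (modified z-score) test. The function names, window and threshold are assumptions, and the sample rows are constructed in the response shape shown above.

```python
from statistics import median

# Constructed rows in the attack_timeline(bucket="day") shape; values are invented.
ROWS = [
    {"bucket": "2026-05-05", "event_count": 1180, "unique_sources": 96},
    {"bucket": "2026-05-06", "event_count": 1240, "unique_sources": 101},
    {"bucket": "2026-05-07", "event_count": 1105, "unique_sources": 93},
    {"bucket": "2026-05-08", "event_count": 1310, "unique_sources": 104},
    {"bucket": "2026-05-09", "event_count": 1215, "unique_sources": 99},
    {"bucket": "2026-05-10", "event_count": 1190, "unique_sources": 97},
    {"bucket": "2026-05-11", "event_count": 6400, "unique_sources": 102},
    {"bucket": "2026-05-12", "event_count": 9100, "unique_sources": 410},
]

def robust_score(value, history):
    """Modified z-score of value against history, using median and MAD."""
    med = median(history)
    mad = median([abs(h - med) for h in history])
    if mad == 0:  # perfectly flat baseline: any deviation is unbounded
        if value == med:
            return 0.0
        return float("inf") if value > med else float("-inf")
    return 0.6745 * (value - med) / mad

def find_spikes(rows, window=5, threshold=3.5):
    """Return (bucket, kind) for days whose event_count breaks the baseline.

    kind is "distributed" when unique_sources spikes too (many new sources),
    and "concentrated" when volume rises from roughly the usual source count.
    """
    rows = sorted(rows, key=lambda r: r["bucket"])  # ISO dates sort lexically
    hits = []
    for i in range(window, len(rows)):
        past, cur = rows[i - window:i], rows[i]
        ev = robust_score(cur["event_count"], [r["event_count"] for r in past])
        src = robust_score(cur["unique_sources"], [r["unique_sources"] for r in past])
        if ev >= threshold:
            hits.append((cur["bucket"], "distributed" if src >= threshold else "concentrated"))
    return hits

if __name__ == "__main__":
    for bucket, kind in find_spikes(ROWS):
        print(bucket, kind)
```

Median and MAD keep a single earlier spike inside the window from inflating the baseline, so the second day of a campaign is still flagged.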
Full honeypot profile for an ASN: top IPs, ports, protocols, source countries. Attribute campaigns to hosting providers.
asn_enrich("AS202425", since=…, until=…)
→ { org_name: "IP Volume inc", total_events: 32597, unique_ips: 55,
top_ports: [7777, 2715, 1723, 3128, 25], top_source_ips: [...] }
Find all activity matching a JA4 TLS, JA4H HTTP, or HASSH SSH fingerprint. 3.7M / 3.2M / 26K fingerprints in the dataset.
fingerprint_search(fp_type="ja4", fingerprint="t13i190800_…")
→ { total_events, top_source_ips, source_asns, samples: [...] }
Full-text search across masked HTTP bodies, headers, and URL paths. Hunt who probed a specific path or sent a specific payload.
payload_search(query="/.git/config", since=…, until=…)
→ [{ source_ip, url_path, event_summary, … }]
Free tier covers most workflows. Paid tiers extend the lookback window and add payload search.