HoneyLabs – Public honeypot threat Intel feed and MCP server

by honeylabs · May 18, 2026 · 4 points · 2 comments

AI Analysis

●●● Banger · Solve My Problem · Ship It

MCP server integration lets AI agents query threat intel without writing scrapers.

Strengths
  • 90-day rolling window of real honeypot data, not just aggregated stats.
  • No-auth lookup endpoint returns JSON for curl or HTML for browsers.
  • JA4 and HASSH fingerprinting included in the IP reports.
Weaknesses
  • Only covers IPv4; no IPv6 support mentioned yet.
  • Rate limit of 30 req/min might be tight for heavy automation.
Target Audience

Security researchers, SOC analysts, AI developers

Similar To

GreyNoise · Shodan · Censys

Post Description

I've been running a small fleet of honeypots for about a year. They get hit by a mix of research scanners (Censys, Shadowserver, etc.), old worms, and a bump of CVE probes the day a new Nuclei template ships. The data was sitting in a database and useful only to me, so I put a front end on it.

https://honeylabs.net

Paste a public IPv4 and you get its 90-day report: ASN, country, what ports it hit, which CVE signatures matched, recent payloads, JA4 and HASSH fingerprints, and scanner classification (research / commercial / hosting provider / ISP / Tor exit). No signup is required for the basic lookup.

What I've been adding lately is an MCP (Model Context Protocol) server so Claude, Cursor, or any MCP-compatible agent can query the data directly.

Setup is as easy as getting a token and one command:

    claude mcp add honeylabs \
      --transport http \
      https://mcp.honeylabs.net/mcp \
      --header "Authorization: Bearer <hlk_…>"

Once configured, the agent can answer complex security questions without any custom glue code, such as:

"Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"

"Which top 5 ASNs generate the most probes?"

"What scan organisations are probing on port 9200 right now?"

The implementation details can be found at https://honeylabs.net/mcp. Or just use the web interface or curl.

For context on how the classifier stays current without manual curation:

- rDNS and ASN-org pattern matching.
- ISP, CDN, and Enterprise classifications derived from PeeringDB's CC0 ASN data.
- Tor exit lists refreshed hourly from torproject.org.
- KEV (Known Exploited Vulnerabilities) flags refreshed daily from CISA.

Looking forward to your feedback!
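
A sketch of the layered source classification the post describes (Tor exit list, rDNS and ASN-org patterns, PeeringDB network type), added here as an example and not HoneyLabs' code. The patterns, the rule precedence, the forward-confirmation of rDNS names and all sample data are assumptions.

```python
import re

# Illustrative patterns (assumed, not HoneyLabs' rule set).
RESEARCH_RDNS = [re.compile(p) for p in (
    r"(^|\.)censys-scanner\.com$", r"(^|\.)shadowserver\.org$")]
HOSTING_ORG = re.compile(r"\b(hosting|cloud|vps|datacenter)\b", re.I)
# PeeringDB info_type -> label; treating "Content" as CDN is an assumption.
PEERINGDB_TYPE = {"Cable/DSL/ISP": "isp", "Content": "cdn", "Enterprise": "enterprise"}


def classify(ip, rdns, asn_org, pdb_type, tor_exits, forward):
    """Return (label, reason). `forward` maps hostname -> set of A records and
    stands in for a live DNS lookup so the example runs offline."""
    if ip in tor_exits:  # an explicit list beats any heuristic
        return "tor_exit", "on Tor exit list"
    name = (rdns or "").rstrip(".").lower()
    if name and any(p.search(name) for p in RESEARCH_RDNS):
        # PTR records are set by whoever controls the address space, so a
        # scanner-looking name counts only if it resolves back to this IP.
        if ip in forward.get(name, set()):
            return "research", f"forward-confirmed rDNS {name}"
    if asn_org and HOSTING_ORG.search(asn_org):
        return "hosting", f"ASN org matches hosting pattern: {asn_org}"
    if pdb_type in PEERINGDB_TYPE:
        return PEERINGDB_TYPE[pdb_type], f"PeeringDB info_type {pdb_type}"
    return "unknown", "no rule matched"


# Constructed sample data: documentation address ranges, made-up org names.
TOR_EXITS = {"192.0.2.10"}
FORWARD = {"scan-01.censys-scanner.com": {"198.51.100.7"}}
SAMPLES = [
    ("192.0.2.10", "exit.example.net", "Example Hosting Ltd", None),
    ("198.51.100.7", "scan-01.censys-scanner.com.", "Example Research Net", None),
    ("203.0.113.5", "scan-01.censys-scanner.com", "Example Cloud VPS", None),  # PTR not confirmed
    ("203.0.113.9", None, "Example Telecom", "Cable/DSL/ISP"),
]


def demo():
    """Labels for SAMPLES, in order."""
    return [classify(ip, r, org, t, TOR_EXITS, FORWARD)[0] for ip, r, org, t in SAMPLES]


if __name__ == "__main__":
    for (ip, *_), label in zip(SAMPLES, demo()):
        print(ip, label)
```

The third sample carries a scanner-looking PTR name that does not resolve back to its address, so it falls through to the ASN-org rule instead of being labelled as research traffic.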
