See what is scanning the internet, down to the payload.
We run open-source honeypot sensors on the public internet. Every scan, every TLS, HTTP, and SSH fingerprint, and every probe payload they capture is searchable here, 90 days back, free. Look up any IP, or wire the same data into your own tooling over MCP and HTTP.
$ curl honeylabs.net/lookup/<ip> returns JSON. for MCP and JSON-RPC.
One lookup, the whole picture
A live report for a single IP. Verdict, evidence, and every entity is a thread to pull.
open the full report →Pivot to
AS202425→port:7895→JA4 cluster→country:NL→Related
Fingerprint
t13i191000_9dc949149365_be53661681a4Or explore the live dataset
What is hitting the sensors right now. Click any row to pivot into a filtered view.
browse all →Emerging campaigns
One fingerprint carried by many IPs across only a few networks: a coordinated operation, not a lone scanner.
see all →Query it three ways
Same data and the same auth across all of them.
Browser or curl
Any public IPv4. Returns HTML in browsers, JSON for curl / wget / explicit Accept header, or append ?format=json.
curl https://honeylabs.net/lookup/<ip>Rate limited to 30 lookups/hr per source IP. No account.
From Claude, Cursor, or anything
Streamable HTTP transport. Seven tools covering attacker enrichment, fingerprint search, payload search, and time-series.
claude mcp add honeylabs \
--transport http \
https://mcp.honeylabs.net/mcp \
--header "Authorization: Bearer <key>"Free tier: 500 credits/day. Pro: 50k/day with 90-day history. 1 credit = 1 row of data returned. Get a key from the dashboard.
Direct API for your own code
Skip the MCP client. POST a JSON-RPC envelope, get an SSE response back. Same bearer auth as the MCP tab.
curl -X POST https://mcp.honeylabs.net/mcp \
-H "Authorization: Bearer <key>" \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'Use tools/list to enumerate, tools/call to invoke. Standard MCP wire format.