See what is scanning the internet, down to the payload.

We run open-source honeypot sensors on the public internet. Every scan, every TLS, HTTP, and SSH fingerprint, and every probe payload they capture is searchable here, 90 days back, free. Look up any IP, or wire the same data into your own tooling over MCP and HTTP.

$ curl honeylabs.net/lookup/<ip> returns JSON. for MCP and JSON-RPC.

-
events total
-
last 24h
-
unique IPs / 24h
-
countries / 24h
-
top port / 24h
-
since last event

One lookup, the whole picture

A live report for a single IP. Verdict, evidence, and every entity is a thread to pull.

open the full report
Recognized scanner · confidence high
AS202425 IP Volume inc·The Netherlands·Group-IB (commercial)
310.3K
events
111
distinct ports
Feb 16
first seen
Jul 2
last seen
Evidence · ports it swept

Pivot to

AS202425port:7895JA4 clustercountry:NL

Related

JA4 cluster2
Ports swept111
Rotating UAs7

Fingerprint

t13i191000_9dc949149365_be53661681a4

Or explore the live dataset

What is hitting the sensors right now. Click any row to pivot into a filtered view.

browse all
Top ports24h
loading…
Top source networks24h
loading…
Top HTTP fingerprintsJA4H · 24h
loading…

Emerging campaigns

One fingerprint carried by many IPs across only a few networks: a coordinated operation, not a lone scanner.

see all
loading…
loading…
loading…

Query it three ways

Same data and the same auth across all of them.

free · no authGET /lookup/<ip>

Browser or curl

Any public IPv4. Returns HTML in browsers, JSON for curl / wget / explicit Accept header, or append ?format=json.

curl https://honeylabs.net/lookup/<ip>

Rate limited to 30 lookups/hr per source IP. No account.

AI agents · MCPPOST /mcp

From Claude, Cursor, or anything

Streamable HTTP transport. Seven tools covering attacker enrichment, fingerprint search, payload search, and time-series.

claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer <key>"

Free tier: 500 credits/day. Pro: 50k/day with 90-day history. 1 credit = 1 row of data returned. Get a key from the dashboard.

HTTP · JSON-RPC 2.0POST /mcp

Direct API for your own code

Skip the MCP client. POST a JSON-RPC envelope, get an SSE response back. Same bearer auth as the MCP tab.

curl -X POST https://mcp.honeylabs.net/mcp \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Use tools/list to enumerate, tools/call to invoke. Standard MCP wire format.