Blog · 2026-05-28
Hello from HoneyLabs
A short tour of what we run, what is in the dataset, and what we plan to write about here.
What you're looking at
HoneyLabs runs a fleet of internet-facing honeypot sensors and ships the events into a public, query-ready dataset. Right now we have over 13 million events across SSH, HTTP, TLS, and raw-TCP probes.
This blog is where we will share findings from the data. A few examples of what we plan to write up:
- CVE probing waves. When a new exploit lands on Twitter, which IPs are first to start scanning the internet for it. Sometimes within hours.
- ASN heat maps. Which networks are quietly hosting most of the scanning traffic. Often more concentrated than you would expect.
- Bot fleet rotations. When a Mozi or Mirai variant goes dark and a new C&C address replaces it, the timing tells you something about who is operating it.
- Tool fingerprints. TLS JA4 and HTTP JA4H signatures cluster scanners into families. We will publish lookup tables when we find something useful.
How to use the data yourself
- /lookup for ad-hoc IP, ASN, port, or CVE queries with full boolean syntax.
- /feeds to turn any query into a daily digest email or a token-gated URL your firewall can pull.
- /mcp to wire HoneyLabs into Claude, Cursor, or any other MCP client and ask natural-language questions over the data.
The dataset is free for individual research use. We will publish writeups here as we find things worth sharing.