Docs

Everything HoneyLabs exposes and how to call it. If a section looks long, it's mostly copyable examples.

Try it

The fastest way in is the search bar at the top of the lookup page (and every other page). No account, no signup. Type a query and press enter.

Chasing one address instead? Type the IP, an ASN (AS14061), a CIDR, or a domain and the bar jumps straight to the report. The homepage's recently active scanners list is a good place to grab one.

Scripting it? The same lookups work over HTTP: curl 'https://honeylabs.net/lookup/<ip>?format=json'. Full automation is covered under JSON over HTTP and MCP for AI agents below.

What this is

HoneyLabs runs honeypots that sit on the public internet and log every probe that reaches them. We keep the last 90 days indexed and query-ready. The data is yours to look at, free, with no setup.

There's a per-IP report at /lookup/<ip>, a JSON variant of the same page, a small HTTP API, and an MCP server so Claude or Cursor can call us directly. The free tier covers most analyst use. Paid tiers raise the quota and the time window.

The IP report

Hit /lookup/<ip> with any public IPv4. You get a page with:

  • Event counts: total, last 24h, last 7d, days active.
  • A 90-day activity timeline.
  • Top ports hit, with a 14-day sparkline per port.
  • TLS / HTTP / SSH fingerprints and how often each was seen.
  • HTTP paths and user-agents the IP used.
  • Matched CVE signatures (we run payloads through public exploit patterns).
  • Related actors and recent raw events.

The page also has a curl card with a ready-to-paste request for the JSON form.

Filters

Type any of these into the search bar to get a filtered view across every attacker in the dataset, not just one IP. Write several and they AND together.

Type this                 Matches
port:445                  Destination port the attacker hit on the honeypot.
asn:14061                 Autonomous System number. AS14061 = DigitalOcean, for example.
country:NL                Two-letter ISO country code.
cidr:185.177.72.0/24      IPv4 block. Track a whole scanner farm at once.
domain:censys             Substring of the source IP's reverse DNS, so a partial like 'censys' works.
ua:ZGrab                  Substring of the HTTP User-Agent.
header:x-forwarded-for    Substring of the captured request headers (names and values). Honeypot identity is masked.
banner:SSH-2.0-Go         Substring of the protocol greeting banner (SSH-2.0-…, FTP 220 …): the client software a non-HTTP service announced.
path:/.env                Substring of the HTTP URL path.
cve:CVE-2024-4577         Events whose payload matched the public exploit pattern for this CVE.
ja4:t13d1516h2_…          TLS client fingerprint. Exact match. Copy it from a report.
ja4h:ge11nn0400_…         HTTP client fingerprint. Exact match.
hassh:06046baf…           SSH client fingerprint. Exact match.
ja3:e7d705a3…             Legacy TLS client fingerprint (MD5). Exact match, handy for matching TI feeds still keyed on JA3.
cert:CN=…                 Substring of an mTLS client-certificate subject. Rare; only when a client presents a certificate.
community_id:1:…          Corelight Community ID flow hash. Exact match. Pivot a flow straight into your own Zeek, Suricata or Arkime.
has:cert                  Match rows where a field is present (non-empty): has:cert, has:ja3, has:ja4, has:ja4h, has:hassh, has:community_id, has:sni.
tag:censys                Named scanners (censys, shodan, binaryedge, onyphe, shadowserver, criminalip, …), the catch-all 'scanner', or a network category: tor, hosting, cdn, isp, enterprise, research_net.
port:22 since:24h         Time window, combined with any filter. Defaults to 7d; 30d and 90d need a Pro/Team key.

Stack them. SSH brute-forcing from a Hetzner ASN in the last 24 hours is asn:24940 port:22 since:24h. On a results page the search bar pre-fills with the active query, so you can edit and re-run without retyping.

Wiring up a script? Every filter is also a URL query param, e.g. ?port=445, ?asn=14061&since=24h, so any query you build in the bar is a shareable, scriptable link. See JSON over HTTP.

The bar at the top of every page speaks key:value. Several terms AND together, and the classifier resolves each term as you type.

Most fields have aliases; they all resolve to the canonical name:

Alias                    Canonical
cc, country_code         country
as                       asn
dest_port                port
net, range               cidr
rdns, host, ptr          domain
tls                      ja4
http                     ja4h
ssh                      hassh
url                      path
useragent, user_agent    ua
headers, hdr             header
certificate              cert
cid, communityid         community_id

Boolean queries (OR / AND / NOT)

The bar also takes a Lucene/KQL-style query with full boolean logic over the same fields as above. OR and NOT (or a leading -) work as you'd expect; AND is the default between adjacent terms. Parentheses group; double quotes wrap values with spaces. The query compiles to a ?q= link, with aliases rewritten to their canonical names on the way.

Bad queries return a friendly chip describing the problem (unknown field, malformed value, out-of-range port) once you run them. Values are bound parameters; the query language doesn't open a path to raw SQL. For automation, the same query rides in a ?q= URL param (URL-encoded), exactly the link the box shows.
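As an added example (not HoneyLabs' own code), here is a small Python normalizer that does what the bar does to a query before it becomes a ?q= link: it resolves the aliases in the table above to canonical field names, rejects unknown fields, malformed country or since values and out-of-range ports with chip-style messages, and URL-encodes the result. The canonical field set and the since syntax come from this page; the exact error wording and any validation beyond those three checks are assumptions.

```python
import re
from urllib.parse import quote

# Alias -> canonical field name, as listed in the Filters section.
ALIASES = {
    "cc": "country", "country_code": "country", "as": "asn", "dest_port": "port",
    "net": "cidr", "range": "cidr", "rdns": "domain", "host": "domain", "ptr": "domain",
    "tls": "ja4", "http": "ja4h", "ssh": "hassh", "url": "path", "useragent": "ua",
    "user_agent": "ua", "headers": "header", "hdr": "header", "certificate": "cert",
    "cid": "community_id", "communityid": "community_id",
}
FIELDS = {"port", "asn", "country", "cidr", "domain", "ua", "header", "banner", "path", "cve",
          "ja4", "ja4h", "hassh", "ja3", "cert", "community_id", "has", "tag", "since"}
KEYWORDS = {"AND", "OR", "NOT"}
# A token is a parenthesis, [-]field:value (value optionally double-quoted), or a bare word.
TOKEN = re.compile(r'\(|\)|(-?)([A-Za-z_]+):("[^"]*"|[^\s()]+)|[^\s()]+')

def normalize(query):
    """Rewrite aliases to canonical names and validate values, returning the canonical
    query; raises ValueError with the kind of message the results page shows as a chip."""
    out = []
    for m in TOKEN.finditer(query):
        tok = m.group(0)
        if tok in ("(", ")") or tok.upper() in KEYWORDS:
            out.append(tok.upper() if tok.upper() in KEYWORDS else tok)
            continue
        neg, field, value = m.group(1), m.group(2), m.group(3)
        if field is None:
            raise ValueError(f"malformed term: {tok!r} (expected field:value)")
        canon = ALIASES.get(field.lower(), field.lower())
        if canon not in FIELDS:
            raise ValueError(f"unknown field: {field}")
        bare = value.strip('"')
        if canon == "port" and not (bare.isdigit() and 1 <= int(bare) <= 65535):
            raise ValueError(f"out-of-range port: {bare}")
        if canon == "country" and not re.fullmatch(r"[A-Za-z]{2}", bare):
            raise ValueError(f"malformed value: country wants a two-letter code, got {bare!r}")
        if canon == "since" and not re.fullmatch(r"\d+[hd]", bare):   # 24h, 7d, 30d, ...
            raise ValueError(f"malformed value: since wants <n>h or <n>d, got {bare!r}")
        out.append(f"{neg}{canon}:{value}")
    text = ""
    for tok in out:   # re-join, without spaces just inside parentheses
        if text and tok != ")" and not text.endswith("("):
            text += " "
        text += tok
    return text

def to_link(query):
    """The shareable, scriptable ?q= link for a bar query (URL-encoded)."""
    return "https://honeylabs.net/lookup?q=" + quote(normalize(query), safe="")
```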

CSV exports

Most endpoints take ?format=csv for a downloadable spreadsheet. The JSON path is the canonical form; CSV is a convenience for one-off analysis.

# CSV (any leaderboard, the per-IP report, the per-CVE actor list)
curl 'https://honeylabs.net/lookup/<ip>?format=csv'
curl 'https://honeylabs.net/api/cves/<id>?format=csv'
curl 'https://honeylabs.net/api/ports?format=csv'

Watchlists & IOC feeds

Save any ?q= query under a name. Two consumer surfaces hang off it: an email digest on a cadence (daily, hourly on Pro), and one or more revocable IOC feed URLs that firewalls, Pi-holes, and SIEM cron jobs can pull from directly. The feed is anonymous and token-gated, edge-cached for 5 minutes.

Create from the Watchlists section of your dashboard, or use the Save as watchlist chip on any /lookup?q= results page.

# Feed URL formats. Content-type follows the extension.
curl 'https://honeylabs.net/feed/<token>'        # text/plain, one IP per line (firewall-ready)
curl 'https://honeylabs.net/feed/<token>.csv'    # ip,first_seen,last_seen,events,asn,country
curl 'https://honeylabs.net/feed/<token>.json'   # array of full event records

# Wire into fail2ban / Pi-hole / Cisco / any blocklist consumer.
# Fetch to a temp file and swap it in only on success, so a failed pull
# (network blip, revoked token) never leaves the live blocklist empty.
*/5 * * * *  curl -fsS 'https://honeylabs.net/feed/<token>' -o /etc/blocklist.txt.tmp && mv /etc/blocklist.txt.tmp /etc/blocklist.txt

Tokens are 32-byte URL-safe random. Anyone with the token can fetch. That is the point. Revoke from the dashboard the moment a token leaks. The URL stops working within ~5 minutes, on the next edge-cache eviction.

Side-by-side IP compare

/compare takes up to 4 IPs and lines them up: ASN, country, total events, port profile, CVE matches. Useful when investigating whether two addresses are running the same scanner from different rentals.

https://honeylabs.net/compare?ips=1.2.3.4,5.6.7.8

The page surfaces shared ports and shared CVE probes between every IP in the set so the overlap jumps out without scanning the table manually.

JSON over HTTP

Any lookup URL takes ?format=json. If you call with Accept: application/json or with curl's default User-Agent, you get JSON without the flag.

curl 'https://honeylabs.net/lookup/<ip>?format=json'

Trimmed example response. Sample IP is from RFC 5737 (documentation use); a real request returns the IP you asked about.

{
  "ip": "203.0.113.5",
  "country": "NL",
  "asn": 202425,
  "rdns": "scanner.example",
  "totals": { "events": 481223, "events_24h": 1842, "days_active": 87 },
  "ports": [{ "port": 22, "count": 124091 }, { "port": 445, "count": 88210 }],
  "fingerprints": {
    "tls":  [{ "ja4":  "t13d1516h2_8daaf6152771_b1ff8ab2d16f", "count": 12 }],
    "http": [{ "ja4h": "ge11nn0400_88d30a62b7ad", "count": 71244 }],
    "ssh":  [{ "hassh": "06046bafe5a3...", "count": 8 }]
  },
  "cves": [{ "id": "CVE-2024-4577", "count": 12 }],
  "recent_events": [{ "timestamp": "...", "dest_port": 445, "...": "..." }]
}

Anonymous requests are capped at 10 per minute and 100 per hour per source IP. There's no daily cap on anonymous use. An API key on the request bypasses the per-IP limit and uses your plan's daily credit budget instead; see the next section.

curl with a key

Get a key from your dashboard, then pass it as a bearer token. The key gives you your plan's daily credit budget and time-range window for any HTTP or MCP request. One credit = one row of data returned (minimum one per call), so a top_attackers call with limit=20 costs 20 credits, and a single ioc_lookup costs 1.

curl 'https://honeylabs.net/lookup?asn=14061&since=30d&format=json' \
  -H "Authorization: Bearer hlk_xxxxxxxxxxxxxxxx"

Public showcase data (top countries, top ports, top ASNs) lives at /api/showcase and /api/stats. Both are unauth.

curl https://honeylabs.net/api/showcase

MCP for AI agents

Claude, Cursor, and any other Model Context Protocol client can call HoneyLabs directly. For sample SOC-style prompts and a tool catalog, see /mcp.

The fastest path is the connector. In Claude.ai or Claude Desktop, open Settings > Connectors > Add custom connector, paste this URL, and sign in when prompted. No API key involved.

https://mcp.honeylabs.net/mcp

For Claude Code and other CLI clients, use a key from your dashboard:

claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer hlk_xxxxxxxxxxxxxxxx"

Then ask Claude something like "what does this IP do on our honeypots?" with an IP from your alerts or logs, and it will call ioc_lookup on its own. Available tools:

  • ioc_lookup: Start here. Look up an IP or domain and get its full honeypot profile.
  • top_attackers: Leaderboard of source IPs by event volume, with country and ASN.
  • search_events: Raw events with every field. Use when you want fingerprints in the response.
  • payload_search (Pro): Substring search across URL paths and user-agents.
  • attack_timeline: Hourly or daily attack volume over a window.
  • asn_enrich: Full profile for an ASN: top sources, ports, paths, fingerprints.
  • fingerprint_search: Find activity by TLS, HTTP, or SSH fingerprint.

The MCP endpoint also supports JSON-RPC 2.0 over HTTP if you'd rather call it from your own code:

curl -X POST https://mcp.honeylabs.net/mcp \
  -H "Authorization: Bearer hlk_xxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
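As an added example (not HoneyLabs' or the MCP project's code), the Python below builds the JSON-RPC 2.0 envelopes for tools/list and tools/call and parses the reply whichever content type the server picks: an MCP Streamable HTTP endpoint may answer a POST with a single application/json document or with a text/event-stream, which is why the curl above lists both in Accept. The tools/call method and its name/arguments shape come from the MCP specification; the argument key "ip" for ioc_lookup is an assumption (read it from tools/list), and the SSE reply is constructed, not captured from the service.

```python
import json

MCP_URL = "https://mcp.honeylabs.net/mcp"   # POST here with the Authorization and Accept headers from the curl above

def jsonrpc_request(method, params=None, req_id=1):
    """Build the JSON-RPC 2.0 envelope the MCP endpoint expects."""
    body = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        body["params"] = params
    return body

def tool_call(name, arguments, req_id=2):
    """tools/call is the standard MCP method for invoking a listed tool.
    The argument key used by the caller (e.g. "ip") is an assumption; tools/list returns the real schema."""
    return jsonrpc_request("tools/call", {"name": name, "arguments": arguments}, req_id)

def parse_mcp_response(content_type, body):
    """Return every JSON-RPC message in a Streamable HTTP reply, whether the server
    chose a single JSON document or an SSE stream of 'data:' events."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/json":
        msg = json.loads(body)
        return msg if isinstance(msg, list) else [msg]
    if ctype != "text/event-stream":
        raise ValueError(f"unexpected content type: {content_type}")
    messages, data_lines = [], []
    for line in body.splitlines() + [""]:      # trailing "" flushes the last event
        if line == "":                           # a blank line ends one SSE event
            if data_lines:
                messages.append(json.loads("\n".join(data_lines)))
                data_lines = []
        elif line.startswith("data:"):
            data_lines.append(line[5:].lstrip())
        # "event:", "id:", "retry:" and ":" comment lines carry no JSON-RPC payload
    return messages

def result_for(messages, req_id):
    """Pick the response matching our request id; raise on a JSON-RPC error object."""
    for m in messages:
        if m.get("id") == req_id:
            if "error" in m:
                raise RuntimeError(f"{m['error'].get('code')}: {m['error'].get('message')}")
            return m["result"]
    raise KeyError(f"no response with id {req_id}")

# Constructed sample SSE reply to tools/list (not captured from the live endpoint).
SAMPLE_SSE = (
    "event: message\n"
    'data: {"jsonrpc": "2.0", "id": 1, "result": {"tools": [{"name": "ioc_lookup"}, '
    '{"name": "top_attackers"}]}}\n'
    "\n"
)
```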

Leaderboards

Four public leaderboards aggregate across the whole dataset. All refresh continuously and have indexed pages per entity for sharing.

  • /cves: top 100 CVE signatures probed in the last 7 days, with CISA KEV flag and event volume per CVE. Each row links to /cves/<CVE-ID>, a per-CVE drill-down showing the top source IPs currently probing for that signature plus the URL patterns we match.
  • /asn/<asn>: per-ASN honeypot activity report (7-day window). Stats cards, top dest ports, top source countries, top user-agents, and the top 25 source IPs in that ASN each linking to their own lookup.
  • /port and /port/<n>: most-probed destination ports (top 100) plus a per-port drill-down with top source ASNs, countries, IPs, and user-agents hitting that port.
  • /ua: most common User-Agent strings (top 100) by event volume. Each row links to a filtered lookup view of every IP sending that UA.

JSON + CSV variants for every leaderboard:

curl 'https://honeylabs.net/api/cves?window=7d'
curl 'https://honeylabs.net/api/cves?window=7d&format=csv'
curl 'https://honeylabs.net/api/cves/CVE-2024-4577'
curl 'https://honeylabs.net/api/asn/14061'
curl 'https://honeylabs.net/api/ports?limit=50'
curl 'https://honeylabs.net/api/port/22'
curl 'https://honeylabs.net/api/user-agents?limit=50'

CVE windows accept 1h, 24h, or 7d. 30d is unsupported; the underlying pattern-match aggregation times out at that range.

CSV exports are supported on every leaderboard and on per-IP / per-CVE detail pages via ?format=csv.

Plans & limits

Plan    Credits / day    Calls / minute    Max time window
Free    500              10                7d
Pro     50,000           60                90d
Team    500,000          300               365d

Anonymous traffic (no key) has its own per-IP cap: 10 requests per minute, 100 per hour, 7-day query window, no daily credit budget. You can browse /lookup all day without an account; sign in if you're clicking through enough reports to bump the limit or wiring up an agent.

Free is live today. Pro and Team are request-based for now; tell us how you'd use it and we'll review.

Privacy

We store your email and the API keys you mint. We log query metadata (which tool, how many rows, latency) so we can enforce the quota. We never log the raw output of your queries.

You can export everything we have on your account, or delete the account entirely, from the dashboard. See /privacy for the long version.