Integrations

Put live honeypot telemetry where your team already works.

HoneyLabs sees what is sweeping the internet right now, from real sensors. You don't have to come to us to use it. One MCP server, a JSON/CSV API on every lookup, and pullable token feeds cover the AI assistants, SIEMs, SOAR runbooks, and firewalls security teams run today. Every recipe below hits a real, documented endpoint.

Why wire it in

01

Cut alert noise before an analyst sees it

A large share of inbound traffic is indiscriminate internet scanning. If our sensors have already logged a source IP sweeping the internet, your SIEM or SOAR can drop or deprioritise it automatically instead of paging someone to triage it by hand.

02

Enrich an observable in one hop

Any IP in a case gets a verdict, first and last seen, the ASN and provider, and the ports and paths it probes, from a single HTTP call. No second console to pivot into, no per-seat intel subscription to renew.

03

Block what is already attacking, at the edge

The scanner feed is a live list of IPs caught probing real sensors, not a stale reputation dump. Point a firewall URL alias or an ipset cron at it and the blocklist maintains itself on a five-minute cache.

04

Hunt by behaviour, not just by IP

Pivot on TLS and HTTP fingerprints (JA4, JA4H) and on CVE campaigns to find the same client across rotating IPs in your own logs, which a plain IP blocklist can never catch.

AI assistants

Native · Model Context Protocol

This is the first-class path. Wire the MCP server in once and Claude, Cursor, VS Code, Cline, or any MCP client can ask about an IP, a fingerprint, or a CVE campaign and get live answers, no glue code. Sign in with OAuth on first connect, or paste a bearer key.

Claude Code
claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer <hlk_…>"

Key from your dashboard, or drop the --header line and sign in via OAuth on first connect.

One click for Cursor and VS Code. Sign in on first use (OAuth), nothing to paste.

Claude Desktop / claude.ai

Settings, Connectors, Add custom connector. Paste https://mcp.honeylabs.net/mcp and authenticate.

Any other MCP client
{
  "mcpServers": {
    "honeylabs": {
      "url": "https://mcp.honeylabs.net/mcp"
    }
  }
}

Remote streamable HTTP at https://mcp.honeylabs.net/mcp. Bearer key or OAuth 2.1 with PKCE.

Full prompt gallery and the tool catalog live on the MCP page.

SIEM

Wire-it-yourself · public API

Pull a scanner feed into a lookup table, then flag any source IP your sensors already know is sweeping the internet. No vendor app required.


Splunk

API recipe

Feed CSV becomes a lookup; flag known scanners inline in SPL.

[Screenshot, live capture from our lab instance: Splunk search using a HoneyLabs lookup table to flag source IPs as known scanners, with live event counts, country, and ASN.]

# Scripted input, every 5 min: refresh the lookup table file
# (fetch to a temp file, then move it into place, so a failed fetch never leaves an empty lookup)
curl -fsS 'https://honeylabs.net/feed/<token>.csv' -o /tmp/honeylabs_scanners.csv.tmp && \
  mv /tmp/honeylabs_scanners.csv.tmp $SPLUNK_HOME/etc/apps/search/lookups/honeylabs_scanners.csv
# Define it once: Settings > Lookups > add a definition over that CSV.

# Search-time: flag any source IP HoneyLabs has caught scanning
index=firewall
| lookup honeylabs_scanners ip AS src_ip OUTPUT events asn country last_seen
| eval HoneyLabs=if(isnotnull(events),"known scanner","clean")
| table src_ip HoneyLabs events country asn last_seen
Reference in /docs →

Elastic

API recipe

Logstash http_poller ingests the feed; enrich events at index time.

[Screenshot, live capture from our lab instance: Kibana Discover showing the HoneyLabs scanner feed indexed in Elasticsearch, 3,323 source IPs with country, ASN, and event counts.]

# logstash.conf  -  poll the JSON feed into an index
input {
  http_poller {
    urls => { honeylabs => "https://honeylabs.net/feed/<token>.json" }
    request_timeout => 30
    schedule => { every => "5m" }
    codec => "json"
  }
}
filter { split { field => "message" } }
output { elasticsearch { index => "honeylabs-scanners" } }
# Then build an enrich policy on honeylabs-scanners keyed by ip.
Reference in /docs →
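
The join that both SIEM recipes above perform (feed becomes a lookup table, each firewall event is flagged by source IP), written out as an added example in plain Python so it can be run offline. This is not HoneyLabs' code; the feed CSV and the firewall log lines are constructed stand-ins, and the CSV column order (ip, events, asn, country, last_seen) is an assumption based on the fields the Splunk recipe outputs.

```python
import csv
import io
import ipaddress

# Constructed stand-in for https://honeylabs.net/feed/<token>.csv (column order assumed)
FEED_CSV = """ip,events,asn,country,last_seen
203.0.113.7,292541,AS64496 ExampleNet,NL,2024-05-01T10:15:00Z
198.51.100.23,412,AS64497 DocuHost,US,2024-04-30T22:40:00Z
"""

# Constructed firewall log lines in key=value form
FIREWALL_LOG = """action=deny src_ip=203.0.113.7 dst_port=22
action=deny src_ip=192.0.2.10 dst_port=443
action=allow src_ip=198.51.100.23 dst_port=8080
action=deny src_ip=not-an-ip dst_port=23
"""


def load_feed(csv_text):
    """Build the lookup table, ip -> feed row. A row whose ip column is not a
    valid address is skipped rather than allowed to poison the table."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue
        row["events"] = int(row["events"])
        table[ip] = row
    return table


def parse_kv(line):
    """Split one key=value log line into a dict; tokens without '=' are ignored."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def flag_events(log_text, table):
    """Equivalent of the SPL recipe: lookup on src_ip, OUTPUT the feed fields,
    and set HoneyLabs to 'known scanner' or 'clean'."""
    out = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        hit = table.get(ev.get("src_ip"))
        ev["HoneyLabs"] = "known scanner" if hit else "clean"
        if hit:
            for key in ("events", "asn", "country", "last_seen"):
                ev[key] = hit[key]
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in flag_events(FIREWALL_LOG, load_feed(FEED_CSV)):
        print(ev["src_ip"], ev["HoneyLabs"], ev.get("events", ""), ev.get("country", ""))
```

The same table can drive either a Splunk lookup or an Elasticsearch enrich policy; the point of validating the ip column on load is that a truncated or partially written feed file degrades to fewer matches, never to false flags.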

SOAR & threat-intel platforms

Wire-it-yourself · public API

Enrich an observable on demand from a playbook, or import the feed as a first-class intel source. The JSON verdict is built to drop straight into a case.


Cortex / TheHive

API recipe

A ~15-line analyzer turns an IP observable into a HoneyLabs verdict.

# Cortex analyzer  -  HoneyLabs_Lookup
from cortexutils.analyzer import Analyzer
import requests

class HoneyLabs(Analyzer):
    def run(self):
        ip = self.get_data()  # the ip observable from the job input
        try:
            r = requests.get(
                f"https://honeylabs.net/lookup/{ip}?format=json", timeout=20
            )
            r.raise_for_status()
            d = r.json()
        except requests.RequestException as e:
            self.error(f"HoneyLabs lookup failed: {e}")  # marks the job failed and exits
        self.report({
            "verdict": d["verdict"]["label"],
            "events":  d["total_events"],
            "scanner": d.get("scanner_tag"),
            "last_seen": d["last_seen"],
        })

if __name__ == "__main__":
    HoneyLabs().run()
Reference in /docs →

MISP

API recipe

Add the CSV feed as a network IOC source; MISP correlates automatically.

# Sync Actions -> Feeds -> Add Feed
Provider      : HoneyLabs
Input Source  : Network
URL           : https://honeylabs.net/feed/<token>.csv
Source Format : Simple CSV
Value field   : 1            # the ip column
Settings      : enabled, caching enabled
# Fetch on the usual feed schedule. IPs land as ip-src attributes.
Reference in /docs →

n8n / Tines

API recipe

One HTTP node enriches any IP mid-workflow. No SDK, no auth to set up.

[Screenshot, live capture from our lab instance: n8n HTTP Request node calling the HoneyLabs lookup API, with the live JSON verdict for 80.82.77.202 in the output panel.]

# n8n "HTTP Request" node (or a Tines HTTP action)
Method : GET
URL    : https://honeylabs.net/lookup/{{ $json.ip }}?format=json
# Optional, lifts the anonymous rate limit:
Header : Authorization: Bearer hlk_xxxxxxxxxxxxxxxx

# Branch on  {{ $json.verdict.verdict == "scanner" }}
Reference in /docs →

Firewalls & blocklists

Wire-it-yourself · public API

The plain-text feed is one IP per line, edge-cached for 5 minutes - exactly what a URL-table alias or an ipset cron job wants. Drop traffic from IPs your own sensors caught scanning.


pfSense / OPNsense

API recipe

A URL-table alias auto-refreshes; reference it in a block rule.

# Firewall -> Aliases -> add a "URL Table (IPs)" alias
Name             : HoneyLabs_Scanners
Type             : URL Table (IPs)
URL              : https://honeylabs.net/feed/<token>
Update frequency : 1 day

# Then: Firewall -> Rules -> WAN -> block, Source = HoneyLabs_Scanners
Reference in /docs →

iptables / ipset

API recipe

Cron pulls the list into an ipset; one rule drops the whole set.

# /etc/cron.d/honeylabs  -  refresh every 30 min (crontab lines cannot be continued, so call a script)
*/30 * * * * root /usr/local/sbin/honeylabs-refresh

#!/bin/sh
# /usr/local/sbin/honeylabs-refresh  -  fill a scratch set, then swap it in so stale IPs age out
set -eu
tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
curl -fsS 'https://honeylabs.net/feed/<token>' -o "$tmp"   # a failed fetch aborts here and keeps the old set
ipset create honeylabs hash:ip -exist; ipset create honeylabs_new hash:ip -exist; ipset flush honeylabs_new
grep -E '^[0-9.]+$' "$tmp" | while read -r ip; do ipset add honeylabs_new "$ip" -exist; done   # IPv4 lines only
ipset swap honeylabs_new honeylabs && ipset destroy honeylabs_new

# One-time: drop anything in the set
iptables -I INPUT -m set --match-set honeylabs src -j DROP
Reference in /docs →

Code & CLI

Wire-it-yourself · public API

No client at all. The same JSON your tools consume is one request away from a shell or a script. Anonymous calls work; a key lifts the rate limit.


curl + jq

API recipe

Verdict for any IP in one line. A curl User-Agent is served JSON even without ?format=json.

curl -s 'https://honeylabs.net/lookup/80.82.77.202?format=json' \
  | jq '{verdict: .verdict.label, events: .total_events, asn: .geo.org}'

# { "verdict": "Recognized scanner", "events": 292541, "asn": "IP Volume inc" }
Reference in /docs →

Python

API recipe

requests in, dict out. Key is optional and only raises your quota.

import requests

r = requests.get(
    "https://honeylabs.net/lookup/80.82.77.202",
    params={"format": "json"},
    headers={"Authorization": "Bearer hlk_xxxxxxxxxxxxxxxx"},  # optional
    timeout=20,
)
r.raise_for_status()  # surface HTTP errors instead of parsing an error body as a verdict
v = r.json()["verdict"]
print(v["label"], v["confidence"])  # Recognized scanner high
Reference in /docs →
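
A fuller version of the Python recipe above, added here as an example (not HoneyLabs' code) that also covers the branching the SOAR recipes do on the verdict. It wraps the lookup in three things a pipeline wants: the IP is parsed with ipaddress before it is interpolated into the URL path, so a malformed observable cannot change the request; a failed or timed-out lookup keeps the alert with an analyst instead of silently deprioritising it; and the transport is injectable so the example runs offline against a constructed response. The response field names follow what the recipes on this page read (verdict.verdict, verdict.label, verdict.confidence, total_events, geo.org, scanner_tag, last_seen); the values, the FakeTransport class and the triage policy are this example's own.

```python
import ipaddress
import json
import urllib.request

LOOKUP_BASE = "https://honeylabs.net/lookup/"

# Constructed lookup response: field names as the page's recipes use them, values invented
SAMPLE_RESPONSE = json.dumps({
    "verdict": {"verdict": "scanner", "label": "Recognized scanner", "confidence": "high"},
    "total_events": 292541,
    "scanner_tag": "mass-scanner",
    "geo": {"org": "Example Org"},
    "last_seen": "2024-05-01T10:15:00Z",
})


def http_get(url, headers, timeout):
    """Live transport, stdlib only. Replaced by FakeTransport when run offline."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


class FakeTransport:
    """Offline stand-in: records each request and returns the constructed body,
    or raises the given error to simulate an outage."""
    def __init__(self, body=SAMPLE_RESPONSE, error=None):
        self.body, self.error, self.calls = body, error, []

    def __call__(self, url, headers, timeout):
        self.calls.append((url, headers))
        if self.error:
            raise self.error
        return self.body


def lookup(ip, api_key=None, transport=http_get, timeout=20):
    """Fetch the JSON verdict for one IP. ipaddress.ip_address rejects anything
    that is not an address, so log data never reaches the URL path unchecked."""
    ip = str(ipaddress.ip_address(ip.strip()))  # ValueError on anything else
    headers = {"Accept": "application/json"}
    if api_key:  # optional; a key only lifts the anonymous rate limit
        headers["Authorization"] = f"Bearer {api_key}"
    return json.loads(transport(f"{LOOKUP_BASE}{ip}?format=json", headers, timeout))


def triage(doc):
    """Example policy: a high-confidence scanner verdict is deprioritised,
    everything else stays in the analyst queue."""
    v = doc.get("verdict", {})
    if v.get("verdict") == "scanner" and v.get("confidence") == "high":
        return "deprioritise"
    return "triage"


def decide(ip, api_key=None, transport=http_get):
    """Fail safe: a bad IP, HTTP error, timeout or unparseable body returns
    'triage' with the reason, so a lookup outage never auto-closes alerts."""
    try:
        doc = lookup(ip, api_key=api_key, transport=transport)
    except (ValueError, OSError) as exc:  # ValueError: bad IP or JSON; OSError: URLError, timeout
        return {"action": "triage", "reason": f"lookup unavailable: {exc}"}
    return {
        "action": triage(doc),
        "label": doc.get("verdict", {}).get("label"),
        "events": doc.get("total_events"),
        "org": doc.get("geo", {}).get("org"),
        "last_seen": doc.get("last_seen"),
    }


if __name__ == "__main__":
    print(decide("203.0.113.7", transport=FakeTransport()))
```

To run it live, call decide() with the default transport and, if you have one, api_key set to your dashboard key; the returned dict is the same shape the n8n branch and the Cortex report above consume.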

About the token feeds

The firewall and SIEM recipes pull a /feed/<token> URL. You create one from any HoneyLabs query you save: the feed then tracks that query live. Each is available as plain text (one IP per line), .csv, or .json, is anonymous and token-gated, and is edge-cached for five minutes so a tight cron never hammers the origin.

Running HoneyLabs inside a tool that isn't here? The JSON, CSV, and feed surfaces cover almost anything that speaks HTTP. Tell us what you wired up and we'll document it.