HoneyLabs
Lookup
Explore
CVEsPayloadsCampaignsAEI IndexPortsUser-agents
Integrations
OverviewMCPFeedsAPI / Enrich
DocsBlog
Dashboard
iAnonymous lookups: 10/min, 60/hr per source IP. Sign in (free) to lift the limit, run heavier queries, and get an API key for MCP / HTTP.

Threat lookup.

Search by IP, CIDR, ASN, or domain (partial OK). Free, no account. Or skim the live data below and click into any value to drill in.

tryport:445proto:rdpport:102 AND NOT proto:httpcountry:NL AND NOT tag:scannerua:zgrab
query syntax

field:value pairs combined with AND, OR, NOT and parentheses. Case-insensitive keywords.

port:445 · country:NL · asn:14061 · cidr:80.82.77.0/24 · proto:rdp · cve:CVE-2017-0144 · ja4:… · ja4h:… · ja3:… · hassh:… · domain:example.com · path:/wp-login.php · ua:zgrab · tag:scanner · header:x-forwarded-for · banner:SSH-2.0 · has:cert

Anonymous visitors can run single-field pivots; boolean and text queries need a free account. The examples above are pre-authorized for everyone.

your IP
216.73.217.139 not observed

Or explore candidate campaign clusters, fingerprints carried by many IPs across only a handful of networks.

24.6M
events total
845.2K
24h
9.2K
last hour
10.6K
unique IPs / 24h
30.9K
ports targeted / 24h
100
countries / 24h
๐Ÿ‡ง๐Ÿ‡ท BR
top country
33
top port
last event 10s ago ยท cached 5 min

Most active right now

top 10, last 7 days ยท click for full report
131.108.161.217 ๐Ÿ‡ง๐Ÿ‡ทBR GRANDE REDE TELECOM EIRELLE 33 179.3K 34.32.98.232232.98.32.34.bc.googleusercontent.com ๐Ÿ‡ฉ๐Ÿ‡ชDE Google LLC 8240 124.2K 177.91.56.157 ๐Ÿ‡ง๐Ÿ‡ทBR Microchip.Net Fibra Optica 9443 123.5K 34.17.165.55.165.17.34.bc.googleusercontent.com ๐Ÿ‡ฎ๐Ÿ‡นIT Google LLC 8190 119.4K 34.172.164.119119.164.172.34.bc.googleusercontent.com ๐Ÿ‡บ๐Ÿ‡ธUS Google LLC 7860 118.2K 189.6.246.122bd06f67a.virtua.com.br ๐Ÿ‡ง๐Ÿ‡ทBR Claro NXT Telecomunicacoes Ltda 443/HTTPS 117.0K 34.18.217.2121.217.18.34.bc.googleusercontent.com ๐Ÿ‡ถ๐Ÿ‡ฆQA Google LLC 9443 115.1K 34.40.152.103103.152.40.34.bc.googleusercontent.com ๐Ÿ‡ฆ๐Ÿ‡บAU Google LLC 9990 107.7K 34.14.215.5757.215.14.34.bc.googleusercontent.com ๐Ÿ‡ฎ๐Ÿ‡ณIN Google LLC 7272 102.2K 34.158.194.225225.194.158.34.bc.googleusercontent.com ๐Ÿ‡ฐ๐Ÿ‡ทKR Google LLC 9980 74.1K

CVEs being scanned right now

24h ยท top 8 of 77 ยท 14 actively exploited ยท KEV = on CISA actively-exploited list
medium
CVE-2019-12461find peers โ†’

WebPort 1.19.1 - Cross-Site Scripting

15.9K
584 src IPs
medium
CVE-2021-28169find peers โ†’

Eclipse Jetty ConcatServlet - Information Disclosure

12.6K
715 src IPs
high
CVE-2022-24288find peers โ†’

Apache Airflow OS Command Injection

5.3K
392 src IPs
medium
CVE-2021-37598find peers โ†’

WP Cerber < 8.9.3 - Broken Access Control

3.4K
379 src IPs
medium
CVE-2024-36527find peers โ†’

Puppeteer Renderer - Directory Traversal

2.3K
501 src IPs
medium
CVE-2015-1880find peers โ†’

Fortinet FortiOS <=5.2.3 - Cross-Site Scripting

2.2K
193 src IPs
high
CVE-2026-4020find peers โ†’

Gravity SMTP WordPress Plugin - Sensitive Information Exposure

2.1K
378 src IPs
medium
CVE-2018-10141find peers โ†’

Palo Alto Networks PAN-OS GlobalProtect <8.1.4 - Cross-Site Scripting

1.9K
1 src IPs
Show all 77 CVEs being probed in the last 7 days โ†’

Most-seen fingerprints

copy any to your detection rules

SSH HASSH

24h ยท click to find peers
98ddc5604ef6a1006a2b49a58759fbe6506 / 2 IPs5bd26477da5440a6187bd3f1b39a429c498 / 7 IPs3356ae6145fa86124298066e281ea2d9135 / 3 IPs16443846184eafde36765c9bab2f4397113 / 33 IPsf555226df1963d1d3c09daf865abdc9a67 / 67 IPs

TLS JA4

24h ยท click to find peers
t13i1314h2_f57a46bbacb6_3b244d8fbcc8324.9K / 3 IPst13i190800_9dc949149365_97f8aa674fd9142.2K / 1.7K IPst13i1313h2_f57a46bbacb6_fb48f8b98a2934.2K / 247 IPst13i251000_b78ed14e2fd0_ab7e3b40a67713.4K / 4 IPst13i131000_f57a46bbacb6_ab7e3b40a67710.5K / 2.1K IPs

HTTP JA4H

24h ยท click to find peers
ge11nn0400_88d30a62b7ad389.6K / 1.9K IPsge11nn0500_9af7e0472034129.1K / 1.0K IPsge10nn0200_5594a17e7e7e16.9K / 1.4K IPsge11nn06en_e4773a62bf4c13.4K / 2 IPsge11nn0400_9c3956fad5da11.0K / 510 IPs

Live leaderboards

aggregated 24h

Top countries

24h
๐Ÿ‡ง๐Ÿ‡ทBRBrazil
188.5K
๐Ÿ‡ฎ๐Ÿ‡นITItaly
136.3K
๐Ÿ‡ฉ๐Ÿ‡ชDEGermany
126.8K
๐Ÿ‡ถ๐Ÿ‡ฆQAQatar
118.2K
๐Ÿ‡บ๐Ÿ‡ธUSUnited States
96.0K

Top ASNs

24h
AS396982Google LLC
519.2K
AS61675GRANDE REDE TELECOM EIRELLE
179.3K
AS209334Modat B.V.
22.4K
AS135377UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED
15.8K
AS50360Tamatiya EOOD
13.6K

Top ports

24h
33 3 src IPs
179.3K
8240 13 src IPs
125.2K
8190 24 src IPs
121.8K
9443 74 src IPs
116.8K
443 HTTPS 227 src IPs
13.0K

Top scanner hosts

24h, rDNS
๐Ÿ‡ฉ๐Ÿ‡ช232.98.32.34.bc.googleusercontent.com
124.2K
๐Ÿ‡ฎ๐Ÿ‡น5.165.17.34.bc.googleusercontent.com
119.4K
๐Ÿ‡ถ๐Ÿ‡ฆ21.217.18.34.bc.googleusercontent.com
115.1K
๐Ÿ‡ง๐Ÿ‡ฌip-58-126.4vendeta.com
13.4K
๐Ÿ‡ง๐Ÿ‡ท177-87-181-94.linknettelecom.tec.br
8.1K

Query it

free ยท no auth

Browser or curl

curl https://honeylabs.net/lookup/<ip>

Browser returns HTML, curl/wget returns JSON. Append ?format=json to force.

AI agents ยท MCP

Claude, Cursor, anything

claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer <key>"

Free tier 100 q/day. Get a key โ†’

HTTP ยท JSON-RPC

Your own code

POST https://mcp.honeylabs.net/mcp
Authorization: Bearer <key>
Accept: application/json, text/event-stream

{"jsonrpc":"2.0","id":1,"method":"tools/list"}

Standard MCP wire format. SSE response.

Free lookups rate-limited to 10/min, 60/hr per source IP. Results cached 10 min per IP. Public dataset strips honeypot identity, full payload bytes, and credentials at the database layer. More about the dataset โ†’