MCP - HoneyLabs launches a public MCP server exposing 90-day
HoneyLabs launches a public MCP server exposing 90-day honeypot threat intelligence data for Claude/Cursor agents to query security scanning patterns, CVE probes, and ASN classifications without custom integration.
Description
Show HN: HoneyLabs – Public honeypot threat Intel feed and MCP server

I've been running a small fleet of honeypots for about a year. They get hit by a mix of research scanners (Censys, Shadowserver, etc.), old worms, and a bump of CVE probes the day a new Nuclei template ships. The data was sitting in a database and useful only to me, so I put a front end on it.

https://honeylabs.net

Paste a public IPv4 and you get its 90-day report: ASN, country, what ports it hit, which CVE signatures matched, recent payloads, JA4 and HASSH fingerprints, and scanner classification (research / commercial / hosting provider / ISP / Tor exit). No signup is required for the basic lookup.

What I've been adding lately is an MCP (Model Context Protocol) server so Claude, Cursor, or any MCP-compatible agent can query the data directly. Setup is as easy as getting a token and one command:

    claude mcp add honeylabs \
      --transport http \
      https://mcp.honeylabs.net/mcp \
      --header "Authorization: Bearer <hlk_…>"

Once configured, the agent can answer complex security questions without any custom glue code, such as:

- "Is 80.82.77.202 a known scanner? When was it last seen and what does it probe?"
- "Which top 5 ASNs generate the most probes?"
- "What scan organisations are probing on port 9200 right now?"

The implementation details can be found at https://honeylabs.net/mcp. Or just use the web-interface or curl.

For context on how the classifier stays current without manual curation:

- rDNS and ASN-org pattern matching.
- ISP, CDN, and Enterprise classifications derived from PeeringDB's CC0 ASN data.
- Tor exit lists refreshed hourly from torproject.org.
- KEV (Known Exploited Vulnerabilities) flags refreshed daily from CISA.

Looking forward to your feedback!
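A sketch of how the classifier inputs listed in the post (Tor exit list, rDNS, ASN org, PeeringDB network type) can be combined into one label. This is an added example, not HoneyLabs' code: the patterns, the precedence order, the `classify` function and all sample values are assumptions. It treats a PTR name as evidence only when it is forward-confirmed, because the holder of an IP block can set any rDNS name they like.

```python
import ipaddress
import re

# Illustrative rules only (assumptions, not the project's rule set).
RDNS_RULES = [(re.compile(r"(^|\.)censys-scanner\.com$"), "research"),
              (re.compile(r"(^|\.)shadowserver\.org$"), "research")]
ASN_ORG_RULES = [(re.compile(r"\b(censys|shadowserver)\b", re.I), "research"),
                 (re.compile(r"\b(hosting|cloud|vps|datacenter)\b", re.I), "hosting provider")]
# PeeringDB "info_type" values mapped to the classes named in the post.
PEERINGDB_TYPES = {"Cable/DSL/ISP": "ISP", "Content": "CDN", "Enterprise": "Enterprise"}


def classify(ip, rdns=None, forward_ips=(), asn_org="", pdb_type=None, tor_exits=frozenset()):
    """Return (label, evidence) for one source address.

    forward_ips holds the addresses the PTR name resolves back to; the caller
    does that lookup so this function stays offline and deterministic.
    """
    addr = str(ipaddress.ip_address(ip))  # raises ValueError on malformed input
    if addr in tor_exits:
        return "Tor exit", "tor exit list"
    if rdns:
        name = rdns.rstrip(".").lower()
        # Forward-confirmed rDNS: the name must resolve back to this address.
        confirmed = addr in {str(ipaddress.ip_address(a)) for a in forward_ips}
        for pattern, label in RDNS_RULES:
            if confirmed and pattern.search(name):
                return label, f"forward-confirmed rDNS {name}"
    for pattern, label in ASN_ORG_RULES:
        if pattern.search(asn_org):
            return label, f"ASN org {asn_org!r}"
    if pdb_type in PEERINGDB_TYPES:
        return PEERINGDB_TYPES[pdb_type], f"PeeringDB type {pdb_type!r}"
    return "unknown", "no rule matched"


if __name__ == "__main__":
    # Constructed samples using documentation address ranges.
    print(classify("192.0.2.10", rdns="scanner-01.censys-scanner.com.",
                   forward_ips=["192.0.2.10"]))
    # Unconfirmed PTR claiming a research scanner: falls through to PeeringDB type.
    print(classify("198.51.100.7", rdns="scan-1.shadowserver.org",
                   asn_org="Example Broadband", pdb_type="Cable/DSL/ISP"))
    print(classify("203.0.113.5", tor_exits={"203.0.113.5"}))
```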
Attack Vectors
- threat intelligence
- honeypot operations
- security scanning
- ASN classification
- CVE detection