MCP Spotlight: HoneyLabs — Ground-Truth Threat Intelligence From a Honeypot Fleet, Direct to Your Agent

Server: honeylabs-mcp by HoneyLabs Stars: 7 · License: MIT (honeypot fleet: open source; MCP surface: closed) MCP Transport: Streamable HTTP + OAuth 2.1 (PKCE + DCR) Endpoint: https://mcp.honeylabs.net/mcp · Free tier: 500 credits/day · Last updated: May 27, 2026

What It Does

Most threat intelligence MCP servers are thin wrappers around someone else's data. They proxy VirusTotal lookups, query AbuseIPDB, or wrap a reputation feed that was already stale when it left the CSV export.

HoneyLabs is fundamentally different. It runs its own honeypot fleet — the Spip-Go network sensors sit on the public internet and log every probe that reaches them. Every TCP connection, every TLS handshake, every HTTP request, every SSH negotiation. 90 days of ground-truth observations — not repackaged third-party data — exposed as MCP tools your agent can query directly.

What your agent gets: not "this IP was reported malicious by someone," but "this IP probed our honeypots on port 445 at 14:32 UTC yesterday with this specific JA4 fingerprint and this payload."

Why It Matters for Agent Engineering

There are two kinds of threat intelligence data: reputation (someone else decided this is bad) and observation (we watched this happen). Reputation data has latency — an IP scans for days before it lands on a blocklist. Observation data is real-time — the moment a scanner touches a honeypot, it's logged and queryable.

For AI agents building security automation, this distinction is critical. An agent doing automated threat triage needs to answer:

• "Is this IP actively scanning right now?"
• "What specific CVEs is it probing for?"
• "Does its TLS fingerprint match known scanner infrastructure?"
• "What other IPs in the same ASN are showing the same behavior?"

HoneyLabs answers all four from its own sensor data. No reputation lag. No third-party API dependencies. Just the raw telemetry of what's actually happening on the internet right now.

The MCP Tool Surface

Seven tools, each designed for a specific investigative question:

Tool	What It Answers
ioc_lookup	Is this IP/domain known to be probing? When was it last seen? What ports and paths does it hit?
top_attackers	Ranked leaderboard of source IPs, ASNs, countries, ports, or user-agents over a time window.
search_events	Raw honeypot events matching filters — IP, ASN, country, dest_port, protocol, http_method.
attack_timeline	Hourly/daily attack volume over a window, with protocol, country, and port filters.
asn_enrich	Full profile for an ASN: total events, unique IPs, top ports, source countries, user-agents, org name.
fingerprint_search	Search by TLS JA4 / HTTP JA4H / SSH HASSH fingerprint — find shared infrastructure across IPs.
payload_search	Full-text URL-path + user-agent search across attack traffic. Pro tier.

Each tool response row counts as one credit. Free tier: 500 credits/day — enough for serious automation. Pro: 50,000. Team: 500,000.

Architecture: Not Just a Wrapper — a Fleet

HoneyLabs' architecture has three layers, two of which are open source:

Layer 1: Spip-Go (Open Source)

A lightweight, low-interaction network honeypot sensor written in Go. Listens for arbitrary TCP traffic (plain and TLS), captures everything scanners send, and logs each connection as structured ECS-shaped JSON. Built-in fingerprinting adds:

• Community ID v1 — flow hash matching Zeek/Suricata output
• JA4 — TLS client fingerprint from ClientHello
• JA4H — HTTP client fingerprint from first request
• HASSH — SSH client fingerprint from KEXINIT negotiation

Each sensor can optionally ship logs to Loom for enrichment and indexing.

Layer 2: Loom (Open Source)

The enrichment and indexing pipeline. Takes raw Spip logs, enriches with ASN/geo data, indexes fingerprints, and matches payloads against CVE exploit signatures. Powers the query engine behind the MCP tools.

Layer 3: MCP Server (Closed)

The streamable HTTP endpoint at mcp.honeylabs.net/mcp. Exposes the seven tools, handles OAuth 2.1 with PKCE + DCR for agent authentication, and enforces credit quotas per tier.

This isn't a thin API proxy — it's a full observation-to-query pipeline where the honeypot fleet generates the data.

Fingerprint-Driven Investigation

The fingerprint_search tool enables a uniquely powerful workflow: finding shared infrastructure behind seemingly unrelated IPs.

An attacker rents VPSes from five different providers. Each has a different IP, different ASN, different country. But they all run the same scanner binary, which means they share the same TLS JA4 fingerprint:

t13d1516h2_8daaf6152771_b1ff8ab2d16f

Your agent calls fingerprint_search(ja4="t13d1516h2_8daaf6152771_b1ff8ab2d16f") and gets every IP in the HoneyLabs dataset that presented that exact TLS fingerprint. Suddenly five seemingly unrelated IPs are connected by shared infrastructure — and your agent found it in one query.

This works across all three fingerprint types: JA4 (TLS), JA4H (HTTP), and HASSH (SSH). An SSH brute-forcer switching IPs every hour still has the same HASSH fingerprint. An HTTP scanner rotating through rented proxies still has the same JA4H.

Connecting HoneyLabs to Your Agent

Step 1: Get an API Key

Visit honeylabs.net/dashboard — magic-link sign-in, no password required. Copy your API key.

Step 2: Add to MCP Config

{
  "mcpServers": {
    "honeylabs": {
      "url": "https://mcp.honeylabs.net/mcp",
      "headers": {
        "Authorization": "Bearer ${credentials.HONEYLABS_API_KEY}"
      }
    }
  }
}

Step 3: Or Use OAuth (Gemini, MCP Inspector, Smithery, Cline)

gemini /mcp add honeylabs https://mcp.honeylabs.net/mcp
gemini /mcp auth honeylabs    # OAuth flow, no static key

OAuth 2.1 with PKCE + DCR is supported at /oauth/authorize. Any MCP client that speaks standard OAuth works out of the box.

Production Patterns

Automated Scanner Triage

With HoneyLabs connected to Facio, a security agent can run autonomous triage on inbound connection logs:

Agent workflow (triggered by firewall log):
1. Extract source IPs from blocked connection events
2. For each IP: honeylabs.ioc_lookup → ports, paths, last seen, CVE matches
3. For high-activity IPs: honeylabs.asn_enrich → ASN profile, related IPs
4. For suspicious IPs: honeylabs.fingerprint_search → shared infrastructure
5. Route confirmed scanners to blocklist; flag unknowns for human review

The agent handles the repetitive lookups. Human analysts review only the borderline cases. Every decision is grounded in observation data, not third-party reputation scores.

CVE Trend Monitoring

Track which CVEs are being actively probed — not from CVSS scores or vendor advisories, but from actual attack traffic:

Agent workflow (daily cron):
1. honeylabs.top_attackers → current top scanning IPs
2. For top 10: honeylabs.ioc_lookup → CVE matches
3. Group by CVE, count unique IPs probing each
4. Compare to yesterday: which CVEs are surging?
5. Alert on surges — patch prioritization driven by real attack data

This turns CVE management from "patch everything with CVSS ≥ 7.0" to "patch what's actually being exploited against your infrastructure profile."

IOC Feed Automation

HoneyLabs supports watchlists — save any query as a named watchlist, get an IOC feed URL that firewalls and SIEMs can pull:

# Firewall-ready IP list, refreshed every 5 minutes:
curl -fsS 'https://honeylabs.net/feed/<token>' > /etc/blocklist.txt

# Structured CSV for SIEM ingestion:
curl 'https://honeylabs.net/feed/<token>.csv'

# Full event records for custom analysis:
curl 'https://honeylabs.net/feed/<token>.json'

Your Facio agent can create watchlists programmatically, rotate feed tokens, and manage the full lifecycle of IOC distribution — from honeypot observation to firewall rule.

Comparison: HoneyLabs vs. Traditional Threat Intel

Capability	HoneyLabs MCP	Traditional TI Feeds
Data source	Own honeypot fleet	Third-party aggregation
Observation latency	Real-time (probe → indexed)	Hours to days (report → publish)
Fingerprint search	✓ JA4 + JA4H + HASSH	— Rarely available
CVE probe tracking	✓ Exploit pattern matching on payloads	— CVSS scores only
ASN enrichment	✓ Full profile: events, IPs, ports, UAs	— Partial or stale
IOC feed generation	✓ Watchlists → revocable feed URLs	— Manual export
OAuth 2.1 agent auth	✓ PKCE + DCR	— API keys only
Free tier	✓ 500 credits/day	— Varies, often trial-only
Raw event access	✓ search_events with full filters	— Aggregated only

For security teams building agent-driven workflows, the owned-sensor model means no dependency on third-party data quality or timeliness. Your agent queries what happened on your sensors.

Key Takeaways

• Ground-truth observations: Not repackaged reputation data — actual probes logged by HoneyLabs' own honeypot fleet
• Seven MCP tools: IOC lookup, attacker leaderboards, event search, attack timelines, ASN enrichment, fingerprint search, payload search
• 90 days of data: Every TCP connection, TLS handshake, HTTP request, and SSH negotiation indexed and queryable
• Fingerprint investigation: JA4 (TLS), JA4H (HTTP), HASSH (SSH) — find shared infrastructure across seemingly unrelated IPs
• CVE trend tracking: Payload-to-exploit-pattern matching — see which CVEs are being actively probed, not just CVSS-scored
• Watchlists → IOC feeds: Save any query as a revocable feed URL for firewalls, Pi-holes, and SIEM ingestion
• OAuth 2.1 with PKCE: Agent-native authentication — no static key management required
• Two open-source layers: Spip-Go (honeypot sensor) and Loom (enrichment pipeline) are public — inspect how the data is generated

---

HoneyLabs: honeylabs.net · MCP endpoint: https://mcp.honeylabs.net/mcp · Dashboard: honeylabs.net/dashboard · Spip-Go: github.com/honeylabshq/Spip-Go · Loom: github.com/honeylabshq/Loom · Glama: glama.ai/mcp/servers/honeylabshq/honeylabs-mcp · Facio MCP docs: facio.bot/docs/mcp