BlackDome Threat Intel
БесплатноНе проверенLive honeypot threat intel: attacker IPs, IOCs, credentials, payloads, actors.
Описание
Live honeypot threat intel: attacker IPs, IOCs, credentials, payloads, actors.
README
BlackDome MCP Server
Give your AI agents direct access to live honeypot threat intelligence. Look up attacker IPs, browse indicators of compromise (IOCs), inspect captured credentials and malware payloads, profile threat actors, and render a real-time global attack map — all from Claude, Cursor, or any MCP-compatible client.
Most tools are free and need no API key (the public community tier). A subset of high-value intelligence requires a paid plan.
Quick Start
Install
pip install blackdome-mcp
Configure
The free public tools work with no API key. To unlock the paid tiers (credential intelligence, payloads, actors, warboard, STIX export), get an API key at https://blackdome.ai/pricing.
Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"blackdome": {
"command": "blackdome-mcp",
"env": {
"BLACKDOME_API_KEY": "your-api-key-here"
}
}
}
}
The
envblock is optional — omitBLACKDOME_API_KEYto run free public tools only.
Claude Code
claude mcp add blackdome -- blackdome-mcp
# Optional — only needed for paid tools:
export BLACKDOME_API_KEY="your-api-key-here"
Cursor
Add to your MCP settings:
{
"blackdome": {
"command": "blackdome-mcp",
"env": {
"BLACKDOME_API_KEY": "your-api-key-here"
}
}
}
Available Tools
Free tools work with no key. Paid tools require an API key whose plan includes the listed feature.
| Tool | Tier | Description |
|---|---|---|
lookup_attacker_ip |
Free | Full dossier for one attacker IP — events, protocols, credentials (passwords masked), MITRE, edge nodes |
top_attackers |
Free | Most active attacker IPs over a window — pick one to drill into |
attack_map |
Free | Recent geolocated attack events for a live map (limit ≥ 10) |
attack_heatmap |
Free | Country-aggregated attack heatmap with centroids (limit ≥ 5) |
credential_preview |
Free | Sample of recent credentials (masked server-side) + teaser totals |
verify_sigil |
Free | Verify a BlackDome Sigil / audit record by id |
recent_iocs |
Free | Browse recent IOCs with full filter set (72h community delay) |
ioc_trends |
Free | Aggregated IOC trends — totals, breakdowns, daily new, top MITRE |
export_iocs |
Free (json/csv) · Pro (stix) | Export the IOC feed; STIX bundle needs the stix_export feature |
search_credentials |
Enterprise (credential_intel) |
Search the global credential corpus with PLAINTEXT passwords |
credential_stats |
Enterprise (credential_intel) |
Aggregate credential stats — top usernames/passwords, breakdowns |
list_payloads |
Pro (api_access) |
List captured malware payloads, or fetch one by sha256 (VT/MB intel) |
get_actor |
Pro (api_access) |
List clustered threat actors, or fetch one actor's sessions |
warboard |
Pro (api_access) |
Sigil leaderboard with intrusion narratives + attacker command tails |
list_notable_sessions |
Enterprise (session_intel) |
Ranked hand-keyed attacker sessions surfaced out of botnet noise |
get_session_transcript |
Enterprise (session_intel) |
Structured command/output transcript for one attacker session |
list_detonations |
Pro (detonation_intel) |
Malware detonation list with verdicts, Magika labels and IOC counts |
get_detonation_report |
Pro (detonation_intel) |
Full detonation report with behavior, IOCs, artifact classification and report availability |
get_artifact |
Pro (detonation_intel) |
Artifact dossier with linked detonation, IOCs and session identifiers only |
whoami |
Any key | Check your tenant, plan, features and live quota |
Plans: Community (free) → Pro ($299, adds stix_export, api_access, detonation_intel) → Enterprise ($2000, adds credential_intel, bulk_api, session_intel) → OEM ($5000). See pricing.
Example Prompts
Once connected, try asking your AI assistant:
- "Who are the top attackers hitting the honeypots this month?"
- "Look up attacker IP 176.65.139.56 and summarize what they tried."
- "Show me the latest malicious sha256 IOCs from the last week."
- "What are the IOC trends — which MITRE techniques are spiking?"
- "Render a heatmap of where attacks are coming from."
- "Export the IOC feed as CSV so I can load it into my SIEM."
- "What plan am I on and which features do I have?" (runs
whoami) - "Search captured SSH credentials for the username root." (paid)
- "Show me the most active hand-keyed attacker sessions this week." (Enterprise)
- "Pull the detonation report for sha256 a6713518f2e26745683d33ded61b465d0645d7af850464c559fba8bb84e68398." (Pro)
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
BLACKDOME_API_KEY |
No | — | Bearer API key. Free tools work without it; paid tools require it |
BLACKDOME_BASE_URL |
No | https://api.blackdome.ai |
API base URL |
BLACKDOME_TIMEOUT |
No | 15 |
Request timeout in seconds |
Rate Limits
The free community tier is capped at roughly 30 requests/minute and 100 requests/day, and community IOC data carries a 72-hour freshness delay. Paid plans raise these limits substantially (Enterprise: 1000 req/min, 50,000 req/day). When you hit a limit the server returns a clear 429 error with retry timing. Use whoami to see your live quota.
Security
- Read-only. Every tool is a GET request — the server never mutates BlackDome data.
- Keyless free tier. Public tools require no API key and expose only community-tier data.
- Masked credentials. The free
lookup_attacker_iptool masks captured passwords to********before returning them;credential_previewis masked server-side. Plaintext passwords are returned only by the paidsearch_credentialstool, which requires thecredential_intelfeature. - Secrets stay local. Your API key is read from the environment and sent only to the BlackDome API over HTTPS. No data is stored by the MCP server — it proxies directly to BlackDome.
License
MIT
Установить BlackDome Threat Intel в Claude Desktop, Claude Code, Cursor
unyly install blackdome-threat-intelСтавит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.
Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh
Или настроить вручную
Выполни в терминале:
claude mcp add blackdome-threat-intel -- uvx blackdome-mcpFAQ
BlackDome Threat Intel MCP бесплатный?
Да, BlackDome Threat Intel MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для BlackDome Threat Intel?
Нет, BlackDome Threat Intel работает без API-ключей и переменных окружения.
BlackDome Threat Intel — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить BlackDome Threat Intel в Claude Desktop, Claude Code или Cursor?
Открой BlackDome Threat Intel на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare BlackDome Threat Intel with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
