Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

BlackDome Threat Intel

БесплатноНе проверен

Live honeypot threat intel: attacker IPs, IOCs, credentials, payloads, actors.

GitHubEmbed

Описание

Live honeypot threat intel: attacker IPs, IOCs, credentials, payloads, actors.

README

BlackDome MCP Server

Give your AI agents direct access to live honeypot threat intelligence. Look up attacker IPs, browse indicators of compromise (IOCs), inspect captured credentials and malware payloads, profile threat actors, and render a real-time global attack map — all from Claude, Cursor, or any MCP-compatible client.

Most tools are free and need no API key (the public community tier). A subset of high-value intelligence requires a paid plan.

Quick Start

Install

pip install blackdome-mcp

Configure

The free public tools work with no API key. To unlock the paid tiers (credential intelligence, payloads, actors, warboard, STIX export), get an API key at https://blackdome.ai/pricing.

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "blackdome": {
      "command": "blackdome-mcp",
      "env": {
        "BLACKDOME_API_KEY": "your-api-key-here"
      }
    }
  }
}

The env block is optional — omit BLACKDOME_API_KEY to run free public tools only.

Claude Code

claude mcp add blackdome -- blackdome-mcp
# Optional — only needed for paid tools:
export BLACKDOME_API_KEY="your-api-key-here"

Cursor

Add to your MCP settings:

{
  "blackdome": {
    "command": "blackdome-mcp",
    "env": {
      "BLACKDOME_API_KEY": "your-api-key-here"
    }
  }
}

Available Tools

Free tools work with no key. Paid tools require an API key whose plan includes the listed feature.

Tool Tier Description
lookup_attacker_ip Free Full dossier for one attacker IP — events, protocols, credentials (passwords masked), MITRE, edge nodes
top_attackers Free Most active attacker IPs over a window — pick one to drill into
attack_map Free Recent geolocated attack events for a live map (limit ≥ 10)
attack_heatmap Free Country-aggregated attack heatmap with centroids (limit ≥ 5)
credential_preview Free Sample of recent credentials (masked server-side) + teaser totals
verify_sigil Free Verify a BlackDome Sigil / audit record by id
recent_iocs Free Browse recent IOCs with full filter set (72h community delay)
ioc_trends Free Aggregated IOC trends — totals, breakdowns, daily new, top MITRE
export_iocs Free (json/csv) · Pro (stix) Export the IOC feed; STIX bundle needs the stix_export feature
search_credentials Enterprise (credential_intel) Search the global credential corpus with PLAINTEXT passwords
credential_stats Enterprise (credential_intel) Aggregate credential stats — top usernames/passwords, breakdowns
list_payloads Pro (api_access) List captured malware payloads, or fetch one by sha256 (VT/MB intel)
get_actor Pro (api_access) List clustered threat actors, or fetch one actor's sessions
warboard Pro (api_access) Sigil leaderboard with intrusion narratives + attacker command tails
list_notable_sessions Enterprise (session_intel) Ranked hand-keyed attacker sessions surfaced out of botnet noise
get_session_transcript Enterprise (session_intel) Structured command/output transcript for one attacker session
list_detonations Pro (detonation_intel) Malware detonation list with verdicts, Magika labels and IOC counts
get_detonation_report Pro (detonation_intel) Full detonation report with behavior, IOCs, artifact classification and report availability
get_artifact Pro (detonation_intel) Artifact dossier with linked detonation, IOCs and session identifiers only
whoami Any key Check your tenant, plan, features and live quota

Plans: Community (free) → Pro ($299, adds stix_export, api_access, detonation_intel) → Enterprise ($2000, adds credential_intel, bulk_api, session_intel) → OEM ($5000). See pricing.

Example Prompts

Once connected, try asking your AI assistant:

  • "Who are the top attackers hitting the honeypots this month?"
  • "Look up attacker IP 176.65.139.56 and summarize what they tried."
  • "Show me the latest malicious sha256 IOCs from the last week."
  • "What are the IOC trends — which MITRE techniques are spiking?"
  • "Render a heatmap of where attacks are coming from."
  • "Export the IOC feed as CSV so I can load it into my SIEM."
  • "What plan am I on and which features do I have?" (runs whoami)
  • "Search captured SSH credentials for the username root." (paid)
  • "Show me the most active hand-keyed attacker sessions this week." (Enterprise)
  • "Pull the detonation report for sha256 a6713518f2e26745683d33ded61b465d0645d7af850464c559fba8bb84e68398." (Pro)

Environment Variables

Variable Required Default Description
BLACKDOME_API_KEY No Bearer API key. Free tools work without it; paid tools require it
BLACKDOME_BASE_URL No https://api.blackdome.ai API base URL
BLACKDOME_TIMEOUT No 15 Request timeout in seconds

Rate Limits

The free community tier is capped at roughly 30 requests/minute and 100 requests/day, and community IOC data carries a 72-hour freshness delay. Paid plans raise these limits substantially (Enterprise: 1000 req/min, 50,000 req/day). When you hit a limit the server returns a clear 429 error with retry timing. Use whoami to see your live quota.

Security

  • Read-only. Every tool is a GET request — the server never mutates BlackDome data.
  • Keyless free tier. Public tools require no API key and expose only community-tier data.
  • Masked credentials. The free lookup_attacker_ip tool masks captured passwords to ******** before returning them; credential_preview is masked server-side. Plaintext passwords are returned only by the paid search_credentials tool, which requires the credential_intel feature.
  • Secrets stay local. Your API key is read from the environment and sent only to the BlackDome API over HTTPS. No data is stored by the MCP server — it proxies directly to BlackDome.

License

MIT

from github.com/blackdome-ai/blackdome-mcp

Установить BlackDome Threat Intel в Claude Desktop, Claude Code, Cursor

Рекомендуется · одна команда, все IDE
unyly install blackdome-threat-intel

Ставит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.

Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh

Или настроить вручную

Выполни в терминале:

claude mcp add blackdome-threat-intel -- uvx blackdome-mcp

FAQ

BlackDome Threat Intel MCP бесплатный?

Да, BlackDome Threat Intel MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для BlackDome Threat Intel?

Нет, BlackDome Threat Intel работает без API-ключей и переменных окружения.

BlackDome Threat Intel — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить BlackDome Threat Intel в Claude Desktop, Claude Code или Cursor?

Открой BlackDome Threat Intel на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare BlackDome Threat Intel with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development