BlackDome MCP Server — AI agent access to live honeypot threat intelligence, attacker IPs, IOCs, and credential intel.

Project description

BlackDome MCP Server

Give your AI agents direct access to live honeypot threat intelligence. Look up attacker IPs, browse indicators of compromise (IOCs), inspect captured credentials and malware payloads, profile threat actors, and render a real-time global attack map — all from Claude, Cursor, or any MCP-compatible client.

Most tools are free and need no API key (the public community tier). A subset of high-value intelligence requires a paid plan.

Quick Start

Install

pip install blackdome-mcp

Configure

The free public tools work with no API key. To unlock the paid tiers (credential intelligence, payloads, actors, warboard, STIX export), get an API key at https://blackdome.ai/pricing.

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "blackdome": {
      "command": "blackdome-mcp",
      "env": {
        "BLACKDOME_API_KEY": "your-api-key-here"
      }
    }
  }
}

The env block is optional — omit BLACKDOME_API_KEY to run free public tools only.

Claude Code

claude mcp add blackdome -- blackdome-mcp
# Optional — only needed for paid tools:
export BLACKDOME_API_KEY="your-api-key-here"

Cursor

Add to your MCP settings:

{
  "blackdome": {
    "command": "blackdome-mcp",
    "env": {
      "BLACKDOME_API_KEY": "your-api-key-here"
    }
  }
}

Available Tools

Free tools work with no key. Paid tools require an API key whose plan includes the listed feature.

| Tool | Tier | Description |
| --- | --- | --- |
| lookup_attacker_ip | Free | Full dossier for one attacker IP — events, protocols, credentials (passwords masked), MITRE, edge nodes |
| top_attackers | Free | Most active attacker IPs over a window — pick one to drill into |
| attack_map | Free | Recent geolocated attack events for a live map (limit ≥ 10) |
| attack_heatmap | Free | Country-aggregated attack heatmap with centroids (limit ≥ 5) |
| credential_preview | Free | Sample of recent credentials (masked server-side) + teaser totals |
| verify_sigil | Free | Verify a BlackDome Sigil / audit record by id |
| recent_iocs | Free | Browse recent IOCs with full filter set (72h community delay) |
| ioc_trends | Free | Aggregated IOC trends — totals, breakdowns, daily new, top MITRE |
| export_iocs | Free (json/csv) · Pro (stix) | Export the IOC feed; STIX bundle needs the stix_export feature |
| search_credentials | Enterprise (credential_intel) | Search the global credential corpus with PLAINTEXT passwords |
| credential_stats | Enterprise (credential_intel) | Aggregate credential stats — top usernames/passwords, breakdowns |
| list_payloads | Pro (api_access) | List captured malware payloads, or fetch one by sha256 (VT/MB intel) |
| get_actor | Pro (api_access) | List clustered threat actors, or fetch one actor's sessions |
| warboard | Pro (api_access) | Sigil leaderboard with intrusion narratives + attacker command tails |
| list_notable_sessions | Enterprise (session_intel) | Ranked hand-keyed attacker sessions surfaced out of botnet noise |
| get_session_transcript | Enterprise (session_intel) | Structured command/output transcript for one attacker session |
| list_detonations | Pro (detonation_intel) | Malware detonation list with verdicts, Magika labels and IOC counts |
| get_detonation_report | Pro (detonation_intel) | Full detonation report with behavior, IOCs, artifact classification and report availability |
| get_artifact | Pro (detonation_intel) | Artifact dossier with linked detonation, IOCs and session identifiers only |
| whoami | Any key | Check your tenant, plan, features and live quota |

Plans: Community (free) → Pro ($299, adds stix_export, api_access, detonation_intel) → Enterprise ($2000, adds credential_intel, bulk_api, session_intel) → OEM ($5000). See pricing.

Example Prompts

Once connected, try asking your AI assistant:

  • "Who are the top attackers hitting the honeypots this month?"
  • "Look up attacker IP 176.65.139.56 and summarize what they tried."
  • "Show me the latest malicious sha256 IOCs from the last week."
  • "What are the IOC trends — which MITRE techniques are spiking?"
  • "Render a heatmap of where attacks are coming from."
  • "Export the IOC feed as CSV so I can load it into my SIEM."
  • "What plan am I on and which features do I have?" (runs whoami)
  • "Search captured SSH credentials for the username root." (paid)
  • "Show me the most active hand-keyed attacker sessions this week." (Enterprise)
  • "Pull the detonation report for sha256 a6713518f2e26745683d33ded61b465d0645d7af850464c559fba8bb84e68398." (Pro)

Environment Variables

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| BLACKDOME_API_KEY | No | | Bearer API key. Free tools work without it; paid tools require it |
| BLACKDOME_BASE_URL | No | https://api.blackdome.ai | API base URL |
| BLACKDOME_TIMEOUT | No | 15 | Request timeout in seconds |

Rate Limits

The free community tier is capped at roughly 30 requests/minute and 100 requests/day, and community IOC data carries a 72-hour freshness delay. Paid plans raise these limits substantially (Enterprise: 1000 req/min, 50,000 req/day). When you hit a limit the server returns a clear 429 error with retry timing. Use whoami to see your live quota.

Security

  • Read-only. Every tool is a GET request — the server never mutates BlackDome data.
  • Keyless free tier. Public tools require no API key and expose only community-tier data.
  • Masked credentials. The free lookup_attacker_ip tool masks captured passwords to ******** before returning them; credential_preview is masked server-side. Plaintext passwords are returned only by the paid search_credentials tool, which requires the credential_intel feature.
  • Secrets stay local. Your API key is read from the environment and sent only to the BlackDome API over HTTPS. No data is stored by the MCP server — it proxies directly to BlackDome.
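
An added example, not part of the blackdome-mcp package or its README: a pre-flight audit of the client configuration from the Configure section, checking that BLACKDOME_BASE_URL still names an HTTPS BlackDome host before a key is attached to it. The function name, the host allowlist and the sample config are constructed here, and the check assumes the server sends the key to whatever base URL is configured.

```python
import json
from urllib.parse import urlsplit

DEFAULT_BASE_URL = "https://api.blackdome.ai"  # default from Environment Variables
PLACEHOLDER_KEY = "your-api-key-here"          # placeholder in the README snippets

# Constructed sample (Claude Desktop layout) with two risky overrides.
SAMPLE_CONFIG = """
{"mcpServers": {"blackdome": {
    "command": "blackdome-mcp",
    "env": {"BLACKDOME_API_KEY": "constructed-key-not-real",
            "BLACKDOME_BASE_URL": "http://proxy.example.internal:8080"}}}}
"""


def audit_mcp_config(text, allowed_hosts=("api.blackdome.ai",)):
    """Return findings for each server entry that launches blackdome-mcp.

    Handles both layouts shown on this page: the Claude Desktop file
    ({"mcpServers": {...}}) and the bare Cursor mapping ({"blackdome": {...}}).
    """
    doc = json.loads(text)
    servers = doc.get("mcpServers", doc)
    findings = []
    for name, entry in servers.items():
        if not isinstance(entry, dict) or entry.get("command") != "blackdome-mcp":
            continue
        env = entry.get("env") or {}
        key = env.get("BLACKDOME_API_KEY")
        # Assumption: the key is sent to whatever BLACKDOME_BASE_URL names.
        url = urlsplit(env.get("BLACKDOME_BASE_URL", DEFAULT_BASE_URL))
        if url.scheme != "https":
            findings.append(f"{name}: base URL is not HTTPS, key would be sent in cleartext")
        if url.hostname not in allowed_hosts:
            findings.append(f"{name}: base URL host {url.hostname!r} is not allowlisted")
        if key == PLACEHOLDER_KEY:
            findings.append(f"{name}: placeholder API key left in place")
        elif key:
            findings.append(f"{name}: API key is stored in this file, check its permissions")
    return findings


if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG):
        print(finding)
```
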

License

MIT

Download files

Source Distribution

blackdome_mcp-0.2.0.tar.gz (16.4 kB)

Uploaded Source

Built Distribution

blackdome_mcp-0.2.0-py3-none-any.whl (13.7 kB)

Uploaded Python 3

File details

Details for the file blackdome_mcp-0.2.0.tar.gz.

File metadata

  • Download URL: blackdome_mcp-0.2.0.tar.gz
  • Upload date:
  • Size: 16.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.9 {"installer":{"name":"uv","version":"0.10.9","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for blackdome_mcp-0.2.0.tar.gz
Algorithm Hash digest
SHA256 06862f3921d63cd0cf996f3af8f25f2d1b64720ce1b475b2291188cf367cf174
MD5 5e1eada5b541d27567ff9f7aee019470
BLAKE2b-256 7b300569c50c6fab4d6dfa1d5dbf154d244bce5cb2bfd17d0b1c6d28464026a1

File details

Details for the file blackdome_mcp-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: blackdome_mcp-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 13.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.9 {"installer":{"name":"uv","version":"0.10.9","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for blackdome_mcp-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 77bce2a263dbc707d9907c3a9924065adedcbd332ba519dcf0efbefcec17b195
MD5 9ffd28b912b5ee5de7feadfb70c70841
BLAKE2b-256 bca772b3394933855bc3c4a6c8cbdd0ffefea409b88d14fcbc64206710962b90
