HoneyMCP for AI Security

HoneyMCP: MCP honeypot for observing AI agent interactions

HoneyMCP, developed by Barvhaim, is a honeypot that acts as a decoy Model Context Protocol server to monitor and log agent activity. The tool records and analyzes incoming MCP client requests and tool calls in real time, detects unauthorized access, and offers configurable decoy resources for threat analysis. It includes a lightweight architecture for easy deployment and integrates with MCP-compatible clients, aimed at cybersecurity researchers, AI developers, and system administrators who need protocol-level visibility for security testing.

The tool surfaces agent-to-server behavior at the protocol level

HoneyMCP operates as a decoy MCP server that produces structured telemetry of every interaction. It captures incoming requests and tool calls and provides live monitoring of agent activity, which researchers can inspect to understand tool invocation patterns. Outputs are available as logs and live interaction streams, enabling step-by-step reconstruction of how an agent attempted to access resources or call decoy tools during an investigation.

Logging and detection create forensic records but require pipeline integration

Logs are emitted through standard output or designated log files, and the server records details on every tool call and resource request. The tool also reports unauthorized access attempts and suspicious patterns. Because logs are file- and stream-based, teams must route them into their existing analysis pipeline or SIEM for large-scale correlation and alerting rather than relying on in-tool long-term analytics.

Deployment is lightweight but depends on MCP-compatible environments and Node.js

The tool is built to run where MCP is supported and typically requires Node.js for execution, and it lists compatibility with MCP clients such as Claude Desktop. Its lightweight architecture reduces overhead during testing, and the open-source nature permits customization of decoy tools and resources. These characteristics make deployment straightforward in test labs and research environments that already run MCP stacks.

Best suited to investigative workflows, not as a single production defense

HoneyMCP targets cybersecurity researchers, AI developers, and system administrators who need a controlled environment for threat hunting and protocol-level observation. The project is presented as a security and research tool intended for monitoring and testing rather than a turnkey production appliance. Its open-source design supports community-driven extensions, making it easier to integrate into broader defensive workflows that include human review and downstream analysis.

Practical for MCP-focused teams that require investigative visibility

HoneyMCP is a practical option for cybersecurity researchers and AI teams who need protocol-level honeypot testing. Its orientation toward experimentation and analysis means it fits investigative workflows better than single-point production defenses. Treat the tool as a visibility and research asset to feed into existing incident response processes, and retain human oversight for interpreting suspicious interactions and confirming true threats.