What is a honeypot?
A honeypot is a deliberately crafted service designed to be probed. It looks legitimate while keeping real assets safe. MirageMCP focuses on the emerging surface where AI tooling and MCP-aware automation meet.
Early indicators
See the first touch: enumeration, credential stuffing, or AI agents trying to access MCP tools.
Low-risk observation
Interactions are contained and simulated. You get attacker behavior without exposing live systems.
Research-grade data
Structured logs enable repeatable analysis, correlation, and training of defensive models.
What is AI MCP?
The Model Context Protocol (MCP) is a standard for connecting AI systems to tools and data sources. It can be exposed over different channels, including HTTP and HTTPS. In many organizations, MCP services are easy to overlook and may be reachable from the outside. That creates real risk of data disclosure, tampering, or other unauthorized activity.
MCP client connects
AI tooling discovers the MCP entry point and initiates a handshake.
Archive interface presented
File search, metadata, and download actions appear authentic.
Event instrumentation
Each action is tagged, timestamped, and enriched for analysis.
What does MirageMCP simulate?
MirageMCP emulates the surfaces attackers look for: a login panel, archive endpoints, and MCP-style responses. Everything is synthetic, but the experience feels real.
Archive Login
REST Endpoints
Example Alert
Architecture overview
MirageMCP is a Java-based Spring Boot application built with Spring AI. It runs as a containerized service, stays isolated from production, and emits structured alerts via OpenTelemetry and browser push notifications.
Technical overview
Spring Boot orchestrates the MCP endpoints, simulated login flow, and REST API routes. Spring AI helps the MCP behaviors feel authentic. OpenTelemetry exports events, logs, and metrics via OTLP to your observability stack. Browser push notifications deliver real-time alerts to the people who need them. Container deployment keeps the honeypot segmented and easy to run on network sensors.
Observability & real-time alerts
MirageMCP doesn't just capture events — it gets them to the right people. Native OpenTelemetry support and browser push notifications keep your team informed the moment something happens.
OpenTelemetry native
MirageMCP exports structured telemetry via the OpenTelemetry Protocol (OTLP), so you control exactly where your honeypot data lands.
- Events and logs for every interaction — login attempts, MCP handshakes, REST probes
- Metrics for request rates, credential patterns, and probe frequency
- Compatible with Grafana, Jaeger, Datadog, Elastic, and any OTLP-capable backend
- Correlate honeypot signals with production telemetry in your existing dashboards
{
  "resourceLogs": [{
    "scopeLogs": [{
      "logRecords": [{
        "severityText": "WARN",
        "body": "mcp.archive.search",
        "attributes": {
          "actor": "unknown-client",
          "ip": "203.0.113.18"
        }
      }]
    }]
  }]
}
Browser push notifications
Authorized administrators receive real-time alerts directly in their browser — no polling, no dashboard watching. You’ll know the instant an attacker engages.
- Instant push notifications for high-priority events
- Works across desktop and mobile browsers
- Authorization-based access — only approved admins receive alerts
- Configurable thresholds to control alert volume and priority
{
  "title": "MirageMCP Alert",
  "body": "Login attempt from 203.0.113.18",
  "tag": "credential-probe",
  "data": {
    "event": "auth.login.attempt",
    "severity": "high",
    "actor": "unknown-client"
  }
}
Signals you can act on
MirageMCP focuses on clean, structured signals that can flow into SIEM, security analytics, or research pipelines.
Behavior timeline
Correlate rapid enumeration attempts with MCP handshakes and REST probes.
Credential trails
See which credential pairs and MFA patterns attackers test on MCP services.
Tooling fingerprints
Detect scripted AI agents, scanners, and unusual automation signatures.
Containment ready
No real data exposure. Alerts are isolated and safe to share.
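The correlation described under "Behavior timeline", applied to log records in the shape of the OpenTelemetry sample above, as an added Python example (not MirageMCP's own code). The `timeUnixNano` field, the 60-second window, the three-event threshold and all sample records are assumptions constructed for illustration; the two event names and the first IP address come from the page's samples.

```python
from collections import defaultdict

T0 = 1_700_000_000  # constructed base time, seconds since epoch

def _rec(sec, event, ip):
    # Constructed record in the simplified shape of the page's sample.
    # timeUnixNano (standard OTLP field, decimal string in JSON) is assumed.
    return {"timeUnixNano": str(sec * 10**9), "severityText": "WARN",
            "body": event, "attributes": {"actor": "unknown-client", "ip": ip}}

SAMPLE = {"resourceLogs": [{"scopeLogs": [{"logRecords": [
    _rec(T0, "auth.login.attempt", "203.0.113.18"),
    _rec(T0 + 5, "auth.login.attempt", "203.0.113.18"),
    _rec(T0 + 12, "mcp.archive.search", "203.0.113.18"),
    _rec(T0, "mcp.archive.search", "198.51.100.7"),
    _rec(T0 + 300, "auth.login.attempt", "198.51.100.7"),
    _rec(T0 + 900, "mcp.archive.search", "198.51.100.7"),
]}]}]}

def iter_records(payload):
    """Yield (epoch_seconds, ip, event) for each usable log record."""
    for rl in payload.get("resourceLogs", []):
        for sl in rl.get("scopeLogs", []):
            for rec in sl.get("logRecords", []):
                ip = rec.get("attributes", {}).get("ip")
                event = rec.get("body")
                if ip and event:  # skip records missing the fields we key on
                    yield int(rec.get("timeUnixNano", 0)) // 10**9, ip, event

def correlate(payload, window_s=60, min_events=3):
    """Return {ip: sorted event names} for sources with at least min_events
    events on two or more surfaces (first dotted label) inside window_s."""
    by_ip = defaultdict(list)
    for ts, ip, event in iter_records(payload):
        by_ip[ip].append((ts, event))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1  # slide the window forward
            window = events[start:end + 1]
            surfaces = {name.split(".")[0] for _, name in window}
            if len(window) >= min_events and len(surfaces) >= 2:
                flagged[ip] = sorted({name for _, name in window})
                break
    return flagged

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Standard OTLP/JSON wraps `body` and `attributes` in typed value objects, so `iter_records` needs adapting before it reads a raw collector export.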
Collaborate with us
We’d love to collaborate and grow MirageMCP with the community — from sharing field insights to improving the simulator and alerting workflows.
Share findings
Tell us what you’re seeing in the wild: common probes, new MCP patterns, or gaps we should cover.
Contribute code
Open a PR for new endpoints, richer telemetry, or better realism in the archive flow.
Run pilots
Deploy MirageMCP in your environment and share feedback on signals, alerts, and ops fit.