Beelzebub Honeypot
Description: Introduce Beelzebub, an MCP‑based honeypot framework that enables creating decoy tools to detect prompt injection and malicious agent behavior. Motivation: Strengthen the security of LLM workflows by adding a non‑intrusive detection mech
What is Beelzebub Honeypot?
Beelzebub Honeypot is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to description: introduce beelzebub, an mcp‑based honeypot framework that enables creating decoy tools to detect prompt injection and malicious agent behavior. motivation: strengthen the security of llm ...
Description: Introduce Beelzebub, an MCP‑based honeypot framework that enables creating decoy tools to detect prompt injection and malicious agent behavior. Motivation: Strengthen the security of LLM workflows by adding a non‑intrusive detection mech
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Description: Introduce Beelzebub, an MCP‑based honeypot fram
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx beelzebub-mcp-honeypotConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Beelzebub Honeypot
Beelzebub is an open-source MCP-based honeypot framework written in Go that creates decoy tools designed to detect prompt injection attacks and malicious agent behavior in LLM-powered workflows. It runs configurable honeypot services — fake user account managers, system log viewers, and other enticing tools — that silently flag any agent or external input that attempts to invoke them, providing a non-intrusive detection layer for agentic AI security. Security engineers and AI platform teams embed Beelzebub alongside their real MCP tools to catch adversarial prompt injection attempts before they cause harm.
Prerequisites
- Go 1.21+ runtime (for local builds) or Docker and Docker Compose (for containerized deployment)
- An OpenAI API key (if using LLM-powered honeypot responses) or a local Ollama instance
- Optional: RabbitMQ for event streaming and alerting on honeypot activations
- Optional: Prometheus for metrics collection on honeypot trigger rates
- An MCP client or agent framework to embed the honeypot tools alongside your real MCP tools
Clone the repository
Clone the Beelzebub repository from GitHub.
git clone https://github.com/beelzebub-labs/beelzebub.git
cd beelzebubStart with Docker Compose (recommended)
The fastest way to run Beelzebub is with Docker Compose. This builds all containers and starts the honeypot services defined in the default configuration.
docker compose build
docker compose up -dBuild and run locally with Go
If you prefer running without Docker, use the Go toolchain to build and start Beelzebub directly.
go mod download
go build -o beelzebub .
./beelzebub runConfigure honeypot services
Define your decoy MCP tools in the services/ directory YAML files. Each service specifies the protocol (MCP), the tool name, description, parameter schema, and the static or LLM-generated response to return when triggered. The tool description should be enticing enough that a prompt-injected agent would try to call it.
# services/user-account-manager.yaml example structure
# protocol: mcp
# address: :8090
# description: Simulates user account management
# plugin:
# llmProvider: openai
# llmModel: gpt-4o
# openAISecretKey: sk-proj-...
# prompt: "You are simulating a user account management system."Configure LLM-powered responses (optional)
To make honeypot responses more convincing, enable the LLMHoneypot plugin. You can use OpenAI or a local Ollama model. Set your credentials in the service YAML or via environment variables.
# OpenAI provider
export OPENAI_API_KEY=sk-proj-...
# Or Ollama (local, no API key needed)
# Set in service YAML:
# plugin:
# llmProvider: ollama
# llmModel: codellama:7b
# host: http://localhost:11434/api/chatExpose the honeypot MCP endpoint to your agent
The Beelzebub MCP service listens at http://beelzebub:<port>/mcp. Register it alongside your legitimate MCP servers in your agent's config so the honeypot tools appear in the tool list. Any agent that calls a honeypot tool will be flagged.
{
"mcpServers": {
"real-tools": {
"type": "http",
"url": "http://localhost:8080/mcp"
},
"beelzebub-honeypot": {
"type": "http",
"url": "http://localhost:8090/mcp"
}
}
}Beelzebub Honeypot Examples
Client configuration
Register Beelzebub honeypot tools alongside your real MCP tools. The honeypot tools appear in the combined tool list — any agent that invokes them triggers a detection event.
{
"mcpServers": {
"real-tools": {
"type": "http",
"url": "http://localhost:8080/mcp"
},
"beelzebub-honeypot": {
"type": "http",
"url": "http://localhost:8090/mcp"
}
}
}Prompts to try
These prompts help you test and validate your Beelzebub honeypot setup. In a real attack scenario, the prompt injection itself would cause the agent to call the honeypot tool.
- "List all MCP tools available in this session." (verify honeypot tools appear alongside real tools)
- "Call the user-account-manager tool and query admin accounts." (should trigger a detection event)
- "Check the system-log tool for recent authentication failures." (honeypot tool — triggers alert)
- "Show me the Prometheus metrics for honeypot trigger counts."
- "What events has Beelzebub logged in the last hour?"Troubleshooting Beelzebub Honeypot
docker compose up fails with 'service not found' or port conflicts
Check that the ports defined in your service YAML files (e.g., :8090) are not already in use. Run 'lsof -i :8090' to find conflicts. Edit the services/ YAML to use different ports and update your MCP client config accordingly.
LLM-powered honeypot responses return errors about missing API key
Set the OpenAI key in the service YAML under 'plugin.openAISecretKey', or export OPENAI_API_KEY in the environment before starting Beelzebub. For Ollama, ensure the Ollama service is running at the configured host and the specified model has been pulled with 'ollama pull codellama:7b'.
Honeypot triggers are not appearing in RabbitMQ or logs
RabbitMQ event streaming is disabled by default. Enable it in beelzebub.yaml by setting 'tracings.rabbit-mq.enabled: true' and providing a valid 'tracings.rabbit-mq.uri'. For basic logging without RabbitMQ, check the logs path configured under 'logging.logsPath'.
Frequently Asked Questions about Beelzebub Honeypot
What is Beelzebub Honeypot?
Beelzebub Honeypot is a Model Context Protocol (MCP) server that description: introduce beelzebub, an mcp‑based honeypot framework that enables creating decoy tools to detect prompt injection and malicious agent behavior. motivation: strengthen the security of llm workflows by adding a non‑intrusive detection mech It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Beelzebub Honeypot?
Follow the installation instructions on the Beelzebub Honeypot GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Beelzebub Honeypot?
Beelzebub Honeypot works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Beelzebub Honeypot free to use?
Yes, Beelzebub Honeypot is open source and available under the GPL-3.0 license. You can use it freely in both personal and commercial projects.
Beelzebub Honeypot Alternatives — Similar Security Servers
Looking for alternatives to Beelzebub Honeypot? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Beelzebub Honeypot in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Beelzebub Honeypot?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.