Fingerprinting
TLS and HTTP clients have distinct fingerprints based on how they're implemented, not on what they claim to be. Strixl Labs computes four fingerprint families on every upload and matches them against a curated corpus of known-bad operator tooling.
JA3
JA3 is a hash of the TLS ClientHello: the version, the cipher suites, the extensions, the elliptic curves, and the EC point formats, in order. Different TLS stacks produce different JA3s. The same C2 kit tends to produce the same JA3 across deployments, which makes JA3 a useful identifier even when the attacker rotates IPs and domains.
JA3 only works on TLS 1.0 through 1.2. For TLS 1.3, use JA4.
JA4
JA4 is a newer fingerprint that works across TLS 1.2 and 1.3, includes SNI presence, and is more robust to minor TLS-stack changes than JA3. It's structured, so you can read parts of it directly: the first characters tell you the TLS version and whether SNI is present, for example.
Strixl Labs computes both JA3 and JA4 on every TLS handshake, whether you uploaded a PCAP or a Zeek ssl.log.
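As an added illustration (my own example code, not part of Strixl Labs' engine), the block below parses a raw TLS ClientHello record and derives both the JA3 string (which is then MD5-hashed) and the three JA4 components from it. The sample hello, including the GREASE values in its cipher, extension, group and version lists, is constructed here; the helper names are mine, and the JA4 formatting rules (version taken from supported_versions, SNI and ALPN excluded from the hashed extension list, 12-character SHA-256 truncation) are reproduced from the public JA4 specification as I understand it, so treat them as an assumption to check against the reference implementation rather than a substitute for it.

```python
import hashlib

# GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; both fingerprints drop them
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}
EXT_SNI, EXT_GROUPS, EXT_EC_FORMATS, EXT_SIG_ALGS, EXT_ALPN, EXT_VERSIONS = 0, 10, 11, 13, 16, 43

def _u16_list(data, start, length):
    # consecutive big-endian 16-bit values from data[start:start + length]
    return [int.from_bytes(data[i:i + 2], "big") for i in range(start, start + length, 2)]

def parse_client_hello(record: bytes) -> dict:
    """Split one TLS record carrying a ClientHello into version, cipher list and extensions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(hello[0:2], "big")
    pos = 2 + 32                           # skip client_random
    pos += 1 + hello[pos]                  # skip legacy_session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    ciphers = _u16_list(hello, pos + 2, cs_len)
    pos += 2 + cs_len
    pos += 1 + hello[pos]                  # skip compression_methods
    extensions = []                        # (type, raw body) in wire order
    if pos < len(hello):
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            etype = int.from_bytes(hello[pos:pos + 2], "big")
            elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
            extensions.append((etype, hello[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions}

def ja3_string(ch: dict) -> str:
    # JA3 raw string: version,ciphers,extensions,groups,point formats (decimal, wire order, GREASE removed)
    dash = lambda xs: "-".join(str(x) for x in xs)
    ciphers = [c for c in ch["ciphers"] if c not in GREASE]
    ext_types = [t for t, _ in ch["extensions"] if t not in GREASE]
    groups, formats = [], []
    for t, data in ch["extensions"]:
        if t == EXT_GROUPS:
            groups = [g for g in _u16_list(data, 2, int.from_bytes(data[:2], "big")) if g not in GREASE]
        elif t == EXT_EC_FORMATS:
            formats = list(data[1:1 + data[0]])
    return ",".join([str(ch["version"]), dash(ciphers), dash(ext_types), dash(groups), dash(formats)])

def ja3(ch: dict) -> str:
    return hashlib.md5(ja3_string(ch).encode()).hexdigest()   # the JA3 fingerprint is MD5 of the raw string

def ja4_parts(ch: dict) -> tuple:
    """Return (JA4_a, raw JA4_b string, raw JA4_c string); ja4() hashes the two raw strings."""
    ciphers = sorted(c for c in ch["ciphers"] if c not in GREASE)
    ext_types = [t for t, _ in ch["extensions"] if t not in GREASE]
    version, alpn, sig_algs = ch["version"], "00", []
    for t, data in ch["extensions"]:
        if t == EXT_VERSIONS:              # highest offered version beats the legacy version field
            offered = [v for v in _u16_list(data, 1, data[0]) if v not in GREASE]
            version = max(offered) if offered else version
        elif t == EXT_ALPN:                # first and last character of the first ALPN value
            first = data[3:3 + data[2]] if len(data) > 2 else b""
            alpn = chr(first[0]) + chr(first[-1]) if first else alpn
        elif t == EXT_SIG_ALGS:
            sig_algs = [a for a in _u16_list(data, 2, int.from_bytes(data[:2], "big")) if a not in GREASE]
    ver = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}.get(version, "00")
    sni = "d" if EXT_SNI in ext_types else "i"
    # JA4_a is human-readable: transport, version, SNI flag, cipher count, extension count, ALPN
    ja4_a = f"t{ver}{sni}{min(len(ciphers), 99):02d}{min(len(ext_types), 99):02d}{alpn}"
    b_raw = ",".join(f"{c:04x}" for c in ciphers)          # sorted, so reordering does not change JA4_b
    hashed = sorted(t for t in ext_types if t not in (EXT_SNI, EXT_ALPN))
    c_raw = ",".join(f"{t:04x}" for t in hashed)           # then signature algorithms in wire order
    if hashed and sig_algs:
        c_raw += "_" + ",".join(f"{a:04x}" for a in sig_algs)
    return ja4_a, b_raw, c_raw

def ja4(ch: dict) -> str:
    sha12 = lambda s: hashlib.sha256(s.encode()).hexdigest()[:12]
    a, b_raw, c_raw = ja4_parts(ch)
    return "_".join([a] + [sha12(s) if s else "0" * 12 for s in (b_raw, c_raw)])

def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record; used only to construct the sample input below."""
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs
    body += b"\x01\x00" + len(ext).to_bytes(2, "big") + ext    # null compression, then extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed sample (not a real capture): a TLS 1.3-capable hello with GREASE in several places
SNI = b"example.com"
SAMPLE = build_client_hello(0x0303, [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f], [
    (EXT_SNI, (len(SNI) + 3).to_bytes(2, "big") + b"\x00" + len(SNI).to_bytes(2, "big") + SNI),
    (0x1a1a, b""), (EXT_GROUPS, b"\x00\x06\x1a\x1a\x00\x1d\x00\x17"),   # GREASE ext; GREASE, x25519, secp256r1
    (EXT_EC_FORMATS, b"\x01\x00"), (EXT_SIG_ALGS, b"\x00\x04\x04\x03\x08\x04"),
    (EXT_ALPN, b"\x00\x0c\x02h2\x08http/1.1"),
    (EXT_VERSIONS, b"\x06\x2a\x2a\x03\x04\x03\x03"),              # GREASE, TLS 1.3, TLS 1.2
])
```

`parse_client_hello(SAMPLE)` feeds `ja3_string`, `ja3`, `ja4_parts` and `ja4`. For the constructed hello the JA3 string comes out as `771,4865-4866-49195-49199,0-10-11-13-16-43,29-23,0` and JA4_a as `t13d0406h2`, which reads as TCP, TLS 1.3 picked up from supported_versions, SNI present, 4 ciphers, 6 extensions, ALPN h2. The contrast also shows the robustness point made above: JA3 keeps ciphers and extensions in wire order, so a client that merely reorders them gets a new JA3, while JA4_b and JA4_c sort their inputs and survive that change.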
JA4H
JA4H is the HTTP equivalent of JA4. It hashes the HTTP method, version, cookie presence, header count, Accept-Language presence, and header ordering. Automated clients and C2 agents tend to emit distinctive header patterns that no browser produces; JA4H catches those even when the User-Agent has been set to look normal.
The engine computes JA4H on every HTTP request it sees in a capture, including plaintext requests to high-numbered ports.
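To show what is meant above by header patterns no browser produces, here is an added example (mine, not the engine's code) that computes JA4H over two constructed HTTP/1.1 requests: one browser-like and one from an automated client that copied the same User-Agent and nothing else. The request bytes and the browser version string inside them are made up; the JA4H rules (two-letter method, cookie and referer flags, header count excluding Cookie and Referer, four-character Accept-Language, header-order hash, sorted cookie hashes) follow the public JA4H specification as I understand it, which is an assumption to verify against the reference implementation.

```python
import hashlib

def _sha12(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()[:12]

def parse_request(raw: bytes) -> tuple:
    """Split an HTTP/1.x request head into (method, version, [(name, value), ...]) in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, _target, proto = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, proto.split("/", 1)[1], headers

def ja4h_parts(method: str, version: str, headers: list) -> tuple:
    """Return (JA4H_a, raw b, raw c, raw d); ja4h() hashes the three raw strings."""
    lower = [n.lower() for n, _ in headers]
    has_cookie, has_referer = "cookie" in lower, "referer" in lower
    counted = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    lang = "0000"
    for n, v in headers:
        if n.lower() == "accept-language":
            # first language tag, hyphen removed, lowercased, padded or cut to four characters
            lang = (v.split(",")[0].split(";")[0].replace("-", "").lower() + "0000")[:4]
    ver = {"1.0": "10", "1.1": "11", "2": "20", "3": "30"}.get(version, "00")
    # JA4H_a is human-readable: method, version, cookie flag, referer flag, header count, language
    ja4h_a = (f"{method[:2].lower()}{ver}{'c' if has_cookie else 'n'}"
              f"{'r' if has_referer else 'n'}{min(len(counted), 99):02d}{lang}")
    cookies = []
    for n, v in headers:
        if n.lower() == "cookie":
            cookies += [c.strip() for c in v.split(";") if c.strip()]
    # b: header names in wire order; c: sorted cookie names; d: sorted cookie name=value pairs
    return (ja4h_a, ",".join(counted),
            ",".join(sorted(c.split("=", 1)[0] for c in cookies)), ",".join(sorted(cookies)))

def ja4h(raw: bytes) -> str:
    a, b_raw, c_raw, d_raw = ja4h_parts(*parse_request(raw))
    return "_".join([a] + [_sha12(s) if s else "0" * 12 for s in (b_raw, c_raw, d_raw)])

# Constructed User-Agent shared by both requests; the version number is made up
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"

# Constructed: what a browser session to the same host looks like on the wire
BROWSER = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: keep-alive\r\n"
    f"User-Agent: {UA}\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Referer: https://www.example.com/\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Cookie: session=abc123; theme=dark\r\n\r\n"
).encode()

# Constructed: an automated client that copied the User-Agent but sends a bare request
AUTOMATED = (
    "GET /api/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"User-Agent: {UA}\r\n"
    "Accept: */*\r\n\r\n"
).encode()
```

For the browser request JA4H_a is `ge11cr06enus`; for the automated one it is `ge11nn030000`, and its two cookie hashes collapse to all zeros. The User-Agent contributes only one entry to the header-order hash, so copying it leaves the readable a-section, and the rest of the fingerprint, looking nothing like a browser's.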
JA4X
JA4X fingerprints X.509 certificates. The issuer fields, subject fields, and extensions in a certificate form a signature that's consistent across certs generated by the same tooling. C2 frameworks that generate certs on the fly leave a tell.
On top of JA4X, the engine flags self-signed certificates and certs where the issuer and subject match in suspicious ways. Both show up as badges in the investigation panel.
Known-bad corpus
Fingerprints from public research on Cobalt Strike, Sliver, Havoc, Metasploit, Mythic, and other operator frameworks are included in the matching corpus. When a pair's fingerprint hits the corpus, you see a Known bad badge with the framework name next to the fingerprint in the investigation panel.
The corpus is updated continuously from public sources. You don't manage it.
Fingerprint matches affect severity, not the behavioral score. A pair with a normal timing pattern but a Cobalt Strike JA4 will still score based on behavior; the severity bump pushes it toward the top of the queue. See Severity modifiers.
