
## Starting with JA4: TLS Client Fingerprint


JA4 (the replacement for JA3) fingerprints clients based on their TLS Client Hello packet, which is sent before encryption. This lets you know what's talking on the network without needing to break encryption.



- Chrome 132: JA4=t13d1517h2_8daaf6152771_b6f405a00624
- AnyDesk: JA4=t12i550500_168bb377f8c8_a1e935682795
- SoftEther VPN: JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14
- Sliver Malware (GoLang): JA4=t13d190900_9dc949149365_97f8aa674fd9

## JA4Server - JA4S: TLS Server Response Fingerprint



Each TLS server may respond to different clients differently but will always respond to the same client with the same fingerprint, which allows for higher-fidelity detection.

- AnyDesk: JA4=t12i550500_168bb377f8c8_a1e935682795, JA4S=t120300_009f_cef8820c8f19
- SoftEther VPN: JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14, JA4S=t130200_1302_a56c5b993250
- Addigy (written in Go): JA4=t13d190900_9dc949149365_97f8aa674fd9 (Go), JA4S=t130200_1301_234ea6891581 (Addigy server response to Go)
- Sliver Malware (written in Go): JA4=t13d190900_9dc949149365_97f8aa674fd9 (Go), JA4S=t130200_1301_a56c5b993250 (C2 response to Go)

When looking for certain traffic, you rarely want to rely on JA4 alone, as there could be too many false positives (FPs). Instead, combine as many fingerprints and as much additional metadata as possible, such as JA4 AND JA4S AND JA4X, etc.

The more fingerprints you can combine along with other metadata, the higher fidelity detection you can build.
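
The Addigy and Sliver rows above share one Go client JA4 and differ only in JA4S. The following added example (not code from the thread or from the JA4+ project) evaluates conjunctive rules over connection records to show that difference. The fingerprint values are the ones quoted above; the rule format, record layout, IP addresses and the all-zero JA4S hash are constructed for illustration.

```python
# Added example. Fingerprint values are copied from the thread; the rule
# format, record layout and IP addresses are constructed for illustration.
GO_JA4 = "t13d190900_9dc949149365_97f8aa674fd9"  # same for both Go clients above

# Each rule is a conjunction: every listed fingerprint must match.
RULES = [
    ("Go TLS client (generic)", {"ja4": GO_JA4}),
    ("Sliver", {"ja4": GO_JA4, "ja4s": "t130200_1301_a56c5b993250"}),
    ("Addigy", {"ja4": GO_JA4, "ja4s": "t130200_1301_234ea6891581"}),
    ("AnyDesk", {"ja4": "t12i550500_168bb377f8c8_a1e935682795",
                 "ja4s": "t120300_009f_cef8820c8f19"}),
    ("SoftEther VPN", {"ja4": "t13d880900_fcb5b95cb75a_b0d3b4ac2a14",
                       "ja4s": "t130200_1302_a56c5b993250"}),
]

def evaluate(conn):
    """Return (rule name, fields matched) for every rule the connection
    satisfies, most specific (most fingerprints combined) first."""
    hits = [(name, len(fp)) for name, fp in RULES
            if all(conn.get(field) == value for field, value in fp.items())]
    return sorted(hits, key=lambda hit: -hit[1])

def ja4_only(conn):
    """What a JA4-only rule set would report: every rule whose JA4 matches,
    ignoring the server response. Shows the false-positive problem."""
    return [name for name, fp in RULES if fp.get("ja4") == conn.get("ja4")]

# Constructed connection records (documentation-range addresses).
CONNS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "ja4": GO_JA4,
     "ja4s": "t130200_1301_a56c5b993250"},
    {"src": "192.0.2.11", "dst": "198.51.100.6", "ja4": GO_JA4,
     "ja4s": "t130200_1301_234ea6891581"},
    {"src": "192.0.2.12", "dst": "198.51.100.7", "ja4": GO_JA4,
     "ja4s": "t130200_1301_000000000000"},  # constructed, unknown server
]

if __name__ == "__main__":
    for conn in CONNS:
        print(conn["src"], "->", conn["dst"])
        print("  JA4 alone    :", ja4_only(conn))
        print("  JA4 AND JA4S :", evaluate(conn))
```

A record that matches only the generic one-field rule is a Go client talking to a server with no known JA4S, which is a lead for further metadata rather than a verdict.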

## JA4HTTP - JA4H: HTTP Client Fingerprint





Parts 'a' and 'b' are effectively a fingerprint of the application. In the above example, Lumma C2 pretends to be the Tesla Browser in its user-agent string, yet you can clearly see that, when doing a POST request over HTTP/1.1, their fingerprints look completely different. Just another reason to never trust user-agent strings.

Part 'c' is the fingerprint of the cookie. Each website/app defines what its cookie fields should be. Therefore, everyone connecting to a Fortigate Firewall, for example, should have the exact same JA4H_c fingerprint, because the cookie fields are set by the Fortigate upon login. Anyone with a different cookie is probably a hacking tool.

Part 'd' is the user's cookie fingerprint. It is unique to that user, as it includes their session token and other specific data. This allows you to track a user through your site with JA4H_d; if it stays the same but the application fingerprint changes from Chrome to, say, Cobalt Strike, then that's session hijacking. Easy.

## JA4X509 - JA4X: X509 TLS Certificate Fingerprint

JA4X fingerprints the structure of a cert, not the values within it. This essentially makes it a fingerprint of the application or script used to create a cert, not a fingerprint of the cert itself. As such, it's great for finding things like SOHO devices and malware C2s.