Protocol and Heuristics
The scanner still matters in v4 because it helps infer frame families, field types, and promising attack paths.
Baseline discovery
WSHawk starts by observing handshake details, traffic shape, and repeated message families. The goal is to separate useful application actions from heartbeat and control noise.
Field and message-family inference
Structured payloads let the platform reason about likely identifiers, tenant fields, action names, and data-bearing inputs before you move into replay or comparison workflows.
```
{
  "action": "invoice.subscribe",
  "tenantId": "acme-east",
  "invoiceId": "inv_392",
  "includeHistory": false
}

# Likely attack points:
# - tenantId: cross-tenant tamper candidate
# - invoiceId: object-level access candidate
# - includeHistory: state or visibility toggle
```
Protocol graph and target packs
The newer protocol layer can group related transitions and suggest likely attack paths. That helps operators decide when to test replay, identifier tampering, subscription abuse, or race windows.
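The baseline separation and field-role inference described in the earlier sections, sketched as an added example (not WSHawk's own code): frames are grouped into families by action name and field set, families named like heartbeats are set aside, and each remaining field gets a role label. The control vocabulary, the name hints, and the sample frames are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample capture (not from a real target): raw WebSocket text frames.
FRAMES = [
    '{"type": "ping", "ts": 1}',
    '{"type": "ping", "ts": 2}',
    '{"action": "invoice.subscribe", "tenantId": "acme-east", "invoiceId": "inv_392", "includeHistory": false}',
    '{"action": "invoice.subscribe", "tenantId": "acme-east", "invoiceId": "inv_407", "includeHistory": true}',
    'not-json-keepalive',
]
CONTROL_VALUES = {"ping", "pong", "heartbeat", "keepalive", "ack"}  # assumed vocabulary
TENANT_HINTS = ("tenant", "org", "account")                         # assumed name hints

def family_key(msg):
    # A family is the action/type name plus the sorted set of field names.
    name = msg.get("action") or msg.get("type") or "?"
    return (str(name), tuple(sorted(msg)))

def field_role(name, values):
    # Heuristic role for one field, judged from its name and observed values.
    lname = name.lower()
    if lname in ("action", "type"):
        return "action name"
    if any(hint in lname for hint in TENANT_HINTS):
        return "cross-tenant tamper candidate"
    if lname.endswith("id"):
        return "object-level access candidate"
    if all(isinstance(v, bool) for v in values):
        return "state or visibility toggle"
    return "data-bearing input"

def infer(frames):
    """Return (application families with field roles, noise family counts)."""
    families = defaultdict(list)
    for raw in frames:
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # opaque frame: skipped, never guessed at
        if isinstance(msg, dict):
            families[family_key(msg)].append(msg)
    app, noise = {}, {}
    for (name, fields), msgs in families.items():
        if name.lower() in CONTROL_VALUES:
            noise[name] = len(msgs)
        else:
            app[name] = {f: field_role(f, [m[f] for m in msgs]) for f in fields}
    return app, noise
```

Each label marks a field whose server-side authorization check deserves review; as with the scanner's own heuristics, a label is a lead to confirm, not a finding.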
Where heuristics stop
Heuristics can point you toward likely issues, but the most defensible v4 findings still come from replay, AuthZ diffing, race testing, and evidence review inside the project workflow.