Concepts

The v4 Workflow Lifecycle

WSHawk v4 is organized around local projects and evidence-backed operations, not disposable one-shot scans.

01

Create or open a project

A project is the local unit of work for the assessment. It holds identities, traffic, findings, notes, attack runs, and exports.

```text
[*] Project: realtime-saas
[*] Target: https://app.realtime.test
[+] Local store ready
```

02

Capture traffic and identity context

Start with a scan, pair the browser companion if needed, or capture traffic through the desktop tools so the project has useful state to work with.

Browser Pairing

Bring handshake context from a real browser session into the same local project.

Traffic History

Keep HTTP and WebSocket actions in one place instead of splitting the operation across tools.

03

Replay, compare, and race

Once you have captured actions and identities, the main offensive workflows are replay, AuthZ diffing, and race testing.

```text
[+] Replay completed
[!] AuthZ diff: behavior mismatch detected
[!] Race window: duplicate acceptance on later wave
```

04

Review evidence and notes

Findings matter more when the notes, traffic, timeline, and reproduction context stay tied to the same project. This is where v4 is much stronger than the older scanner-first model.

05

Export or regression-check

Finish by exporting a bundle for review or re-running the shipped validation labs after a change to confirm the workflow still behaves as expected.