// per-tool methodology

tls ja3 fingerprinter

drop a pcap file · extract tls client hellos · compute ja3 fingerprints · identify known clients and malware · database of known fingerprints · runs locally

public grade

flagship triageraw 13/14 · raw 12–14 / 14

Aheuristicflagship triage

capability class: Hheuristic
subcategory: network forensics
what to expect: trust as a first-pass tool · still verify before any legal use

what this grade means

real parser depth · 2+ exports with reason fields · honest limits · canonical UI shell

capability class · heuristic screener

rule-based scoring · statistical anomaly detection · gap analysis — flags worth checking, not verdicts

max grade for this class: B (A when honesty + output + UI all maxed)

heuristic screeners flag leads, not verdicts — every hit needs corroboration
threshold tuning affects false-positive and false-negative rates; uncommon baselines skew scores
capability class H is capped at B unless honesty, output usefulness, and UI all score 2 and raw ≥ 12

known limitations

even A-grade tools can be wrong on rare inputs, malformed files, or adversarial samples
independent verification is required before consequential or evidentiary use
the grade is not a court-admissibility score — jurisdiction and chain of custody still apply

B minimum ship bar

newly added forensics tools must clear the public B minimum before merging
minimum: letter grade B or A · raw score ≥ 9/14 · UI dimension = 2 · IF/OU/DQ/RB/HN ≥ 1 each · no critical red flags (missing engine, placeholder logic, no exports)
the ship bar is enforced by quality.audit.json sidecars and npm run tools:grade-forensics --check

open the tool

run tls ja3 fingerprinter →full grading rubric