JA4 Fingerprinting is a passive network traffic analysis technique that creates a compact digital signature from the specific parameters negotiated during the initial Transport Layer Security (TLS) Client Hello handshake. Unlike its predecessor JA3, the JA4 method introduces a modular, extensible hashing format that separates protocol, cipher, and extension fields into distinct sections, allowing analysts to identify the originating client software, operating system, or malicious tool with greater granularity and precision.
Glossary
JA4 Fingerprinting

What is JA4 Fingerprinting?
JA4 is a modern TLS fingerprinting method that generates a concise, human-readable hash of the Client Hello packet parameters, enabling high-fidelity identification of malware and scraping tools regardless of destination IP.
This method is critical for web scraping mitigation and bot management because it operates transparently before any application data is exchanged. By fingerprinting the TLS layer, security infrastructure can identify and block automated scraping tools, headless browsers, and malware command-and-control traffic based on their unique cryptographic handshake patterns, even when the traffic is routed through residential proxies or VPNs designed to mask the source IP address.
Key Features of JA4 Fingerprinting
JA4 fingerprinting generates a compact, human-readable hash from the parameters of the TLS Client Hello packet, enabling high-fidelity identification of client applications regardless of destination IP or port.
The JA4 Hash Structure
The JA4 fingerprint is a 12-character string composed of four distinct fields separated by underscores: JA4 = PROTO_TLS_CIPHER_EXT.
- PROTO: Indicates the TLS version (e.g.,
t13for TLS 1.3,t12for TLS 1.2). - TLS: A hash of the ordered list of cipher suites.
- CIPHER: A hash of the ordered list of TLS extensions.
- EXT: A hash of the ALPN (Application-Layer Protocol Negotiation) values. This structured format allows for rapid, human-readable comparison and grouping of similar client behaviors.
Sorting for Stability
A critical innovation of JA4 over its predecessor JA3 is the mandatory sorting of cipher suites and extensions before hashing.
- JA3 generated different fingerprints if a client randomized the order of its cipher list, causing fragmentation.
- JA4 enforces a canonical sort order, ensuring that the same logical configuration always produces the same hash. This eliminates a major source of false negatives in threat hunting and asset identification.
Application Identification via ALPN
The fourth field of the JA4 hash is derived from the Application-Layer Protocol Negotiation (ALPN) extension. This field captures the specific application protocol the client intends to speak.
- A standard web browser will present
h2andhttp/1.1. - A malware C2 agent might present a custom or absent ALPN value.
- A Python
requestslibrary will have a distinct ALPN signature. This provides a powerful, high-level discriminator for identifying the software category.
Grease Values and Intentional Randomization
Modern TLS libraries, particularly those in browsers, inject GREASE (Generate Random Extensions And Sustain Extensibility) values into the Client Hello.
- These are random, invalid cipher suites and extensions designed to prevent protocol ossification.
- JA4 intelligently filters out known GREASE codes before hashing.
- Without this filtering, every connection from a Chrome browser would produce a unique, useless fingerprint. This filtering is essential for generating a stable, useful identifier.
Passive Network Deployment
JA4 fingerprinting is a passive identification technique. It operates by observing the initial unencrypted Client Hello packet in a TCP stream.
- No injection: No packets are sent to the client.
- No decryption: The analysis is performed on the plaintext handshake.
- Minimal latency: The fingerprint is computed in microseconds. This makes it ideal for high-throughput network sensors, IDS/IPS platforms, and Zeek integrations where inline blocking or real-time alerting is required.
Hunting Malware and C2 Frameworks
JA4 is a cornerstone of modern threat hunting because malware implants and command-and-control (C2) frameworks use distinct TLS libraries with unique, hard-coded configurations.
- Cobalt Strike beacons have a characteristic set of cipher suites and extensions.
- Metasploit payloads generate a different, equally identifiable JA4 hash.
- Custom RATs often use outdated or minimal TLS stacks that stand out sharply against a background of standard browser traffic. Security teams maintain threat intelligence feeds of known-malicious JA4 hashes to detect compromised hosts.
JA4 vs. JA3 vs. JA3S Fingerprinting
Comparison of three generations of TLS client fingerprinting methods used for identifying malware, botnets, and scraping tools in encrypted traffic.
| Feature | JA3 | JA3S | JA4 |
|---|---|---|---|
Hashing Target | Client Hello packet | Server Hello packet | Client Hello packet |
Number of Fields Hashed | 5 fields | 5 fields | 10+ fields |
Protocol Support | TLS 1.2 and earlier | TLS 1.2 and earlier | TLS 1.2 and TLS 1.3 |
QUIC Protocol Support | |||
Encrypted Client Hello (ECH) Resilience | |||
ALPN Negotiation Captured | |||
Hash Collision Rate | 0.05% | 0.05% | < 0.001% |
Output Format | 32-char MD5 | 32-char MD5 | 12-char truncated SHA-256 |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to the most common technical questions about JA4 fingerprinting, its operational mechanics, and its role in modern bot management and threat detection workflows.
JA4 fingerprinting is a method for generating a concise, human-readable hash of the parameters within a TLS Client Hello packet to identify the client application initiating an encrypted connection. It works by capturing specific, unencrypted fields from the initial handshake—including the TLS version, cipher suites, extensions, and elliptic curve preferences—and feeding them through a standardized hashing algorithm. The output is a short string like ja4=t13d1516h2_8daaf6152771_e5627efa2ab1. Unlike its predecessor JA3, JA4 introduces separate fingerprints for the client and server sides of the connection, accounts for QUIC protocol traffic, and normalizes the hash format to reduce collisions and improve consistency across diverse network environments. This passive identification technique requires no decryption and operates purely on observable metadata, making it ideal for high-throughput network monitoring and bot management platforms.
Related Terms
JA4 fingerprinting operates within a broader ecosystem of traffic analysis and bot detection techniques. These related concepts provide context for how JA4 integrates into enterprise security architectures.
TLS Fingerprinting
The foundational passive identification technique that analyzes Client Hello parameters—including cipher suites, TLS extensions, and elliptic curves—to identify originating software. JA4 is a modern evolution of this concept, replacing legacy methods like JA3 that produced brittle, high-entropy hashes. TLS fingerprinting works regardless of destination IP or payload encryption, making it ideal for detecting malware and scrapers that use custom TLS stacks.
TCP/IP Stack Fingerprinting
A passive OS identification technique that examines subtle variations in TCP header fields to determine the operating system of a connecting client. Key indicators include:
- Initial Window Size: Varies predictably between Linux, Windows, and macOS
- TTL (Time to Live): Default values differ by OS
- TCP Options Ordering: The sequence and presence of options like MSS, SACK, and window scaling
- Don't Fragment Bit Behavior: Handling differs across stacks
Combined with JA4, TCP/IP fingerprinting provides multi-layer identification that resists spoofing.
Browser Fingerprinting
A stateless identification method that aggregates unique device attributes to generate a stable identifier. Unlike JA4 which operates at the transport layer, browser fingerprinting works at the application layer by probing:
- Canvas rendering and WebGL capabilities
- Installed fonts and plugin enumerations
- AudioContext signal processing artifacts
- Screen resolution and color depth
Browser fingerprinting is effective against headless browsers like Puppeteer and Selenium that JA4 alone cannot distinguish from legitimate Chrome instances.
Bot Management
A comprehensive security discipline that integrates multiple signals—including JA4 hashes, behavioral analysis, and IP reputation—to classify automated traffic. Modern bot management platforms use machine learning to correlate JA4 fingerprints with:
- Request velocity and inter-request timing
- Navigation flow anomalies and session patterns
- JavaScript challenge pass/fail rates
- CAPTCHA interaction telemetry
JA4 provides the cryptographic identity layer, while behavioral analysis determines intent. Together they enable surgical blocking of malicious automation without impacting legitimate API consumers.
Deep Packet Inspection (DPI)
An advanced network filtering method that examines payload data beyond basic headers to identify scraping tools using protocol-specific signatures. While JA4 operates on the unencrypted Client Hello handshake, DPI can:
- Decrypt and inspect TLS traffic when deployed with SSL bump proxies
- Detect HTTP/2 and HTTP/3 fingerprinting artifacts in application data
- Identify proprietary API client signatures embedded in request bodies
DPI complements JA4 by providing visibility into encrypted payloads, though it introduces latency and privacy compliance concerns that passive JA4 fingerprinting avoids.
Anomaly Detection
A machine learning approach that establishes a baseline of normal traffic and flags statistical deviations indicative of scraping activity. JA4 fingerprints serve as a critical feature in anomaly models by:
- Clustering traffic by client implementation rather than IP
- Detecting new JA4 hashes that deviate from known legitimate client profiles
- Identifying JA4 rotation patterns where scrapers cycle through TLS implementations
- Correlating JA4 with request volume spikes to distinguish organic traffic surges from automated campaigns
This statistical layer transforms JA4 from a static blocklist into a dynamic threat detection system.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us