Driftnet by SecurityScorecard

API Documentation

Getting StartedInternet ScansScan ContentOpen PortsDomain ScansForward DNSDNS MX & TXTReverse DNSIP RegistrationsDomain RegistrationsCertificate TransparencyFavicon FingerprintsJA4Scan FingerprintsJA4TScan FingerprintsJARM Fingerprints
Getting StartedInternet ScansScan ContentOpen PortsDomain ScansForward DNSDNS MX & TXTReverse DNSIP RegistrationsDomain RegistrationsCertificate TransparencyFavicon FingerprintsJA4Scan FingerprintsJA4TScan FingerprintsJARM Fingerprints

JA4Scan Fingerprints

Overview

A JA4Scan fingerprint is an actively-probed signature for a server's TLS and QUIC handshake behaviour.

Driftnet probes every TLS server it encounters with a battery of TLS and QUIC handshakes and combines the responses into three fingerprints: ja4scan-tls, ja4scan-quic and ja4scan-tls-quic (the two halves joined).

Searching

Fingerprints can be looked up by hash. A ja4scan-tls or ja4scan-quic value is matched against both (they share a shape); a ja4scan-tls-quic value is matched on its own:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/ja4scan?hash=23100h0s00s0_fb0dc75e3bb0_6d6a17cede0d_se1cs0b920bb' \
  | jq . \
  | less -S

For a type-specific lookup, use the expression= parameter (e.g. ja4scan-quic:VALUE). Fingerprints can also be looked up by IP address or CIDR range:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/ja4scan?ip=8.8.8.0/24' \
  | jq . \
  | less -S
Example Response
{
  "page": 0,
  "pages": 1,
  "result_count": 20,
  "results": [
    {
      "date": "2019-05-13",
      "id": "auAgGXRnS8WguQIdjPhfvw",
      "items": [
        {
          "context": "",
          "is_metadata": true,
          "type": "ip",
          "value": "8.8.8.8"
        },
        {
          "context": "",
          "is_metadata": true,
          "type": "port-tcp",
          "value": "853"
        },
        ...
        {
          "context": "",
          "is_metadata": false,
          "type": "ja4scan-tls",
          "value": "23100h0s00s0_fb0dc75e3bb0_6d6a17cede0d_se1cs0b920bb"
        },
        {
          "context": "",
          "is_metadata": false,
          "type": "ja4scan-quic",
          "value": "031g0hlss000_94f9f684420f_6d6a17008abe_se1cs05444e9"
        },
        {
          "context": "",
          "is_metadata": false,
          "type": "ja4scan-tls-quic",
          "value": "23100h0s00s0_fb0dc75e3bb0_6d6a17cede0d_se1cs0b920bb__031g0hlss000_94f9f684420f_6d6a17008abe_se1cs05444e9"
        }
      ]
    },
    ...

Results are in the same "report" format described in the Internet Scans section. They include the IP address, port, and the TLS, QUIC and combined JA4Scan fingerprints.

The scan/ja4scan endpoint also accepts the expression=, page=, from= / to=, filter= and summarize= parameters. These work in exactly the same way as described in the Internet Scans section.

To see only the most recent lookup results for an IP and port, set the most_recent=true parameter.

JA4TScan FingerprintsFavicon Fingerprints
Driftnet by SecurityScorecard

© Copyright 2026 SecurityScorecard, Inc.

Terms & Conditions

|

Privacy Policy

API Documentation
Blog
Contact Us
;