Jump To Category Page

Jump To Representative Detail

Secondary Calls Category View

Secondary-call inventory should show where AI activity crosses or approaches external boundaries before it behaves like a destination ledger.

The category page should help the reviewer see which destinations are ordinary, which ones are weakly explained, and what internal context was nearby when the call happened.

Use This Page When Asking

Which downstream destinations are expected, and which ones become a boundary question?

Representative Detail

api.github.com

Open representative detail

Destinations

Most are background

Distinct hosts

A few carry the meaning

Weakly explained paths

One plain HTTP lane

Best first read

boundary pair

Expected host vs weak fit host

Why This Page Exists

This category page should help the reviewer decide what matters in secondary calls before the raw table takes over the reading experience.

What This Page Should Make Obvious

The reviewer should know what is routine, what is risky, and what deserves the next click.

Boundary meaning beats raw call count

The category page should explain which destinations matter because of nearby context, not just because they have traffic.

Protocol and attribution shift trust quickly

Plain HTTP or weak attribution should stand out above the destination table.

Keep precursor context attached

A destination is easier to judge when the page shows which files or sessions came right before it.

Fastest Drill Paths

The next clicks should feel obvious and intentional.

Representative expected destination

A common host that still matters because it often follows important company-context work.

Open representative detail

Best first click for showing what a good destination story should look like.

Raw destination ledger

The exact host, protocol, port, and call counts remain useful after the story framing.

Open c6 raw list

Reviewers will still want the raw inventory as a verification step.

Destination-Centered Topology

A secondary-call map should show who called the host, over what protocol, and what the exposure looks like.

Useful per destination: caller sessions, endpoint, protocol/port, data volume, likely purpose, and whether the connection is expected, encrypted, and policy-safe.

Destination

10.0.2.15:8080

Representative risky edge because it is plain HTTP and tied to a small but unusual set of calls.

1 session · 3 calls · 0.4 KB avg

Protocol

http

Port

8080

Encryption

none

Current posture

investigate caller

Caller Chain

Who initiated the outbound edge.

3 nodes

unknown usersame live session

Claude Codeagent

10.0.1.44endpoint

Connection Context

What the edge itself looks like.

3 nodes

10.0.2.15destination host

httpprotocol

8080port

Comparative Context

How it differs from the rest of the graph.

3 nodes

api.github.comexpected https peer

api.anthropic.comexpected model peer

only HTTP edgeoutlier

Risk Lens

The security meaning of the call.

3 nodes

unencrypted trafficpolicy issue

small payloadtriage hint

review session + file edgespossible exfil path

c6 Raw Reference

c6 shape: destination ledger with protocol, port, sessions, call volume, and bytes.

1 plain HTTP destination

One secondary-call path is still unencrypted and weakly classified.

Destinations

HTTP paths

Avg bytes

4.2KB

Review candidate

10.0.2.15:8080

Why Keep The Raw Ledger

c12 should still flow back into the raw inventory model. This page frames the question and likely answer; the raw table proves it.

Open c6 Raw List

Use the original category ledger for exact rows, counts, and timestamps.

Open c6 raw list

Raw Secondary-Call Inventory

Destination, protocol, port, sessions, total calls, and bytes.

Destination	Protocol	Port	Sessions	Total calls
api.github.com	https	443	4	12
registry.npmjs.org	https	443	3	8
10.0.2.15	http	8080	1	3