Show expected-vs-weak-fit destinations clearly
The category page should help reviewers understand why some hosts are routine while others deserve immediate scrutiny.
QI
Secondary Calls Detail
A secondary-call detail page should explain one destination as a boundary story: who called it, what company context was nearby, and whether the destination fits expectation.
Use This Page When Asking
Is this downstream destination an expected boundary crossing, or the start of a weaker-fit outbound story?
Open c6 raw detailSessions
4
Shared by several runs
Calls
12
Steady reuse pattern
Protocol
https
Expected transport
Attribution
high
Strong session context
Why This Detail Matters
Important Metadata
Boundary path worth review
The raw destination page makes recent call sequence and attribution explicit.
Destination Host
10.0.2.15
IP Address
10.0.2.15
Protocol
http
Port
8080
First Seen
today
Last Seen
22 min ago
What This Detail Should Help Decide
Keep protocol and attribution visible near the top
Those two fields change how quickly a destination can be trusted.
Use the raw call table as proof of the story
The detail page should frame the boundary question before presenting the recent-call ledger.
Destination-Centered Topology
A secondary-call map should show who called the host, over what protocol, and what the exposure looks like.
Useful per destination: caller sessions, endpoint, protocol/port, data volume, likely purpose, and whether the connection is expected, encrypted, and policy-safe.
Destination
10.0.2.15:8080
Representative risky edge because it is plain HTTP and tied to a small but unusual set of calls.
1 session · 3 calls · 0.4 KB avg
Protocol
http
Port
8080
Encryption
none
Current posture
investigate caller
Caller Chain
Who initiated the outbound edge.
unknown usersame live session
Claude Codeagent
10.0.1.44endpoint
Connection Context
What the edge itself looks like.
10.0.2.15destination host
httpprotocol
8080port
Comparative Context
How it differs from the rest of the graph.
api.github.comexpected https peer
api.anthropic.comexpected model peer
only HTTP edgeoutlier
Risk Lens
The security meaning of the call.
unencrypted trafficpolicy issue
small payloadtriage hint
review session + file edgespossible exfil path
Representative Event Chain
The page should show how the item participates in a readable sequence, not just a pile of supporting rows.
- 1
Destination
The page establishes the host as a specific boundary surface
Protocol, port, and host identity should tell the reviewer what kind of outward path this is immediately.
api.github.comhttps443 - 2
Caller context
Sessions and users explain whether the destination fits expectation
The page should make clear which execution lanes commonly call the host and which ones would look surprising.
alice@company.com4 sessions - 3
Precursor evidence
Nearby files or tools explain why the destination matters now
Boundary meaning changes when the host appears right after sensitive file or capability use.
/repos/qpoint-iofilesystemsession detail - 4
Follow-up
The reviewer drops into raw calls only after the host story is framed
Recent-call rows remain useful, but the page should first explain why the destination deserves inspection.
recent callsraw detail
c6 Evidence Tables
Recent Calls
c6 shows session, method, path, bytes, time, and attribution on one table.
| Session / User | Method | Path | Status | Bytes | Attribution |
|---|---|---|---|---|---|
| sess_01XFa9q... / unknown | POST | /bridge | 200 | 4.2KB | weak |
| sess_01XFa9q... / alice@company.com | GET | /health | 200 | 0.8KB | medium |
Return To Category
Compare this representative detail against the full category framing and drill targets.
Open Secondary Calls overviewOpen c6 Raw Detail
Use the original detail page for exact raw evidence after the c12 story framing.
Open c6 raw detailOpen c6 Raw List
Compare this item against the broader c6 entity ledger once the representative story is clear.
Open c6 raw list