Live application traffic
Return path
Adversarial capture stream
💻
Node 1

User Laptop

Session creation, personal input, credentials, banking activity, and browser-originated requests begin here.

📶
Node 2

Wi-Fi Router

Traffic leaves the local network edge where consumer or branch routing equipment can be observed or mirrored.

🌐
Node 3

Internet Service Provider

Carrier infrastructure becomes a transit layer where bulk encrypted traffic can be copied at scale.

☁️
Node 4

Backend Service

Application APIs, authentication, and business logic terminate or relay high-value encrypted sessions.

🗄️
Node 5

Primary Database

Structured records, transaction history, patient or user data, and regulated identifiers sit behind the app layer.

Adversarial Capture
🕶️

Bulk interceptor stores the encrypted payloads.

The attacker does not need to read the traffic immediately. They only need to collect it reliably, preserve the ciphertext, and wait for future cryptanalytic or quantum-enabled decryption capability.

Harvested now

2026
attacker_capture.encrypted_sessions MongoDB Compass style snapshot · stored traffic awaiting later decryption
Read Only Snapshot
Timestamp Source IP Destination Session ID Scheme Ciphertext Payload Record Type
2026-04-19T09:14:23Z 100.74.18.42 api.mercurytreasury.example sess_89af23 RSA-2048 4f2f799e18ac5bcb57f0d8a3eb935af58e8b5d11b3d44039b18f3ef7c0d06b6dbe902bc174e1cd5f41028bca41ef7c5a6c1f0f15be8f4a Card authorization
2026-04-19T09:16:51Z 100.74.18.42 login.partnercare.example sess_8e0ad7 ECC 8b7dbe421c934de17a4cce0849e31ca5c8f0d3f4b5678182d4f00d2d1fbf94c7dc28e0af11e4aab68ce31374af86 Patient portal login
2026-04-19T09:19:14Z 100.74.18.42 wallet.edgepay.example sess_914bd2 TLS 1.2 0cb6d8af15dceb021bf80a89fe66d1dca64492fc4d7a6eeb4b7ed51ed91fc31a7e94251bcdbfc210ddb6a7ec2d05ae61645b Crypto transfer request
2026-04-19T09:23:08Z 100.74.18.42 hr.identityvault.example sess_927af0 RSA-2048 2ee1aa71057c2af3901940aa8c91bb63f76d8924df4c51ad84a0f145c9ebae44b0a5cf7f11cba7ccbf6dd0f1213a5b4a7198c01a0fd Identity verification
2026-04-19T09:27:55Z 100.74.18.42 claims.pharmasync.example sess_938cc1 ECC 97caa10bf5075ae2dd3ab7ef54018fd6b1a4a3df701995f28b5d4b717da151c7f89446ab65ee92d2f18bf934c0c6a142d9ef9b Prescription refill
2026-04-19T09:31:42Z 100.74.18.42 taxprofile.identitygrid.example sess_94df78 RSA-2048 cc21a5ff78db3d2fd4a1a91902587e0bd39d93b659ef0051da14c64d3f3f0cda94df00ad715c9fe2dcb9cbda6437f51476e2e5e742 Tax identity update
The attacker can already sort captured records by target, timestamp, cryptographic scheme, and business process, even before the protected payload is intelligible.

Decrypted later

2028
attacker_capture.decrypted_records MongoDB Compass style snapshot · previously harvested sessions now reveal plaintext
Sensitive Plaintext
Timestamp Source IP Destination Session ID Scheme Ciphertext Payload Record Type
2026-04-19T09:14:23Z 100.74.18.42 api.mercurytreasury.example sess_89af23 RSA-2048 4485 3290 8817 4421 · exp 10/30 · cvv 418 Card authorization
2026-04-19T09:16:51Z 100.74.18.42 login.partnercare.example sess_8e0ad7 ECC Patient ID 28841 · Insulin glargine 18u nightly · atorvastatin 20mg daily Patient portal login
2026-04-19T09:19:14Z 100.74.18.42 wallet.edgepay.example sess_914bd2 TLS 1.2 bc1q7n8aw2u3qyrm7d5ks4v3z0m0r7qqjz03j4e8hx Crypto transfer request
2026-04-19T09:23:08Z 100.74.18.42 hr.identityvault.example sess_927af0 RSA-2048 SSN 412-88-1934 · Passport XN1187432 · 2840 Steiner St, San Francisco, CA Identity verification
2026-04-19T09:27:55Z 100.74.18.42 claims.pharmasync.example sess_938cc1 ECC Metformin 500mg BID · sertraline 50mg daily · refill at Mission Bay Pharmacy Prescription refill
2026-04-19T09:31:42Z 100.74.18.42 taxprofile.identitygrid.example sess_94df78 RSA-2048 TIN 83-7719421 · DOB 1989-10-14 · 410 Townsend St, San Francisco, CA Tax identity update
That is the core HNDL problem: traffic that looked safely encrypted at collection time can become toxic stored intelligence once the underlying protection is no longer sufficient.