Dissecting the Network Traffic of Grok: AI with Real-Time Intelligence

Grok is an advanced AI chatbot developed by xAI and integrated with X (formerly Twitter), designed for real-time, engaging conversations. It features multiple specialized modes, including Think Mode for structured reasoning and fact-checking, Big Brain Mode for handling complex problems in coding and math, and DeepSearch Mode for retrieving live information from external sources.

Network Traffic Analysis

The ATI team in Keysight has analyzed the network traffic of Grok and found some interesting insights that can help researchers optimize performance and enhance security. This analysis was conducted using HAR captures from a web session. Grok operates with standard web protocols and relies on secure TLS encryption for communication.

Overall Analysis

We have performed extensive user interactions with the Grok AI web application. The captured traffic was completely TLS encrypted. We have further analyzed the traffic based on host names.

Figure 1: Request-Response count per host

In the figure above we can observe the majority of request-response interactions were observed with grok.com, handling core functions like login, policy checking and loading post content. Additional Grok-related hosts, such as auth.grok.com and auth.x.ai, manage authentication, while other external hosts primarily serve static assets and analytics.

Figure 2: Cumulative payload per host

The diagram above shows that the host grok.com has the maximum cumulative payload followed by accounts.x.ai (authentication). The rest of the hosts are creating smaller network footprints.

Analyzing Endpoints

By examining the HAR file, we gain a detailed view of the HTTP requests and responses between the client and Grok's servers. This analysis focuses on critical endpoints and their roles in the platform's functionality.

Session Creation

• Endpoint: /v1/initialize
• Method: POST
• Purpose: Initiates a new user session and establishes necessary session parameters for communication with Grok’s services.
• Request Headers:
• Content-Type: application/json
• Accept: application/json, text/plain, /
• Origin: https://grok.com (Ensures requests originate from Grok's platform)
• Request Payload: JSON object containing session details
• Response Status: 200 OK (successful session creation)
• Response Body: Contains session configuration details

This interaction is fundamental, as it establishes a session context for subsequent user activities on the platform.

User Interaction Analytics

• Endpoint: /api/statsig/log_event
• Method: POST
• Purpose: Captures user interactions for analytics and performance monitoring.
• Request Headers:
• Content-Type: application/json
• Accept: */* (Accepts any response type, indicating a flexible API for logging events.)
• Request Payload: JSON object containing event details.
• Response Status: 204 No Content (Event logged successfully, no response body)

This interaction helps Grok track user engagement, analyze system performance, and optimize responses.

AI Model Interaction

• Endpoint: /rest/models
• Method: POST
• Purpose: Handles user queries, sends them to Grok’s AI models, and returns AI-generated responses.
• Request Headers:
• Content-Type: application/json
• Authorization: Bearer <REDACTED> (Requires authentication via a bearer token to restrict access to AI services for authenticated users only)
• Request Payload: JSON object containing the user query and model selection
• Response Status: 200 OK (Successful AI response retrieval)

This endpoint is central to Grok’s functionality, enabling real-time AI-powered conversations.

System Health & Event Logging

• Endpoint: /monitoring
• Method: POST
• Purpose: Logs system health checks and performance monitoring events to ensure uptime and reliability.
• Request Headers:
• Content-Type: application/json
• Accept: application/json
• Request Payload: JSON object containing system health status details
• Response Status: 200 OK (Successful system health log)

This interaction helps maintain system stability by tracking health metrics and performance insights.

User Logout Handling

• Endpoint: /sign-out
• Method: GET
• Purpose: Logs users out of the session, ensuring secure session termination.
• Request Headers:
• Accept: text/html, application/xhtml+xml, application/xml;q=0.9, image/avif, image/webp, image/apng, /
• Referer: https://grok.com/chat/... (Indicates the previous page before logout)
• Response Status: 307 Redirect (User is redirected to another endpoint after logout)

This request ensures users can securely terminate their sessions and prevent unauthorized access.

Session Data & Cookie Cleanup

• Endpoint: /delete-cookie
• Method: GET
• Purpose: Clears stored session data and tracking cookies to enhance privacy.
• Request Headers:
• Accept: text/html, application/xhtml+xml, application/xml;q=0.9, image/avif, image/webp, image/apng, /
• Request Payload: None
• Response Status: 200 OK (Confirmation of cookie deletion)

This request helps ensure user privacy by removing sessions and tracking cookies.

NOTE: While Grok can be useful it is a prohibited tool by many companies and government entities. Policy and technical systems must be in place to prevent usage, and it is vital to confirm this via test using BreakingPoint. These tests help validate the security measures and help organizations prevent accidental or malicious use of the platform.

Grok Traffic Simulation in Keysight ATI

At Keysight Technologies Application and Threat Intelligence (ATI), since we always try to deliver the hot trending application, we have published the Grok application in ATI-2025-04 which simulates the HAR collected from the Grok web application as of February 2025 including different user actions like signing in, performing text-based queries, using the DeepSearch feature, utilizing the Think feature, uploading a file and asking about it and signing out. Here all the HTTP transactions are replayed in HTTP/2 over TLS1.3.

Figure 3: Grok Feb25 HAR Replay HTTP/2 over TLS1.3 Superflow in BPS

The Grok application and its 4 new Superflows as shown below:

Figure 4: Grok App and its Superflows in BPS

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing BreakingPoint Customers to test their currently deployed security control's ability to detect or block such attacks.

Related Content

Related Posts