App-XD version 2.0.1 (build 6 )

Product Name: APP-XD 2.0.1 (Build

Valid on: 2024-05-22

2.0.1 (GA)
– Offline install for APP-XD Red – Packaging of Archive (.tar) files enables APP-XD Red (Softman) to be installed without access to online repositories

2.0.0 (GA)
– new product name: APP-XD (no change to APIs that use the previous HiTMAN name)
– Major new capability: Format Validation Extensions
– Support for New APP-XD Black platform running on COTS Hardware supplied by Waymont
– Fixed a bug where websocket highside to app server TLS connections used plain http
– Fixed a bug where websocket upgrade requests didn’t append the <data> to the request

– Added a management REST API that allows configuration of HITMAN and its applications, as well as Swagger API documentation for Soft HITMAN

– Added support for Websocket frame XSD lookups
– Fixed a bug where deleting a previously saved application version causes xsd lookup errors
– Improved the UI error message when nginx fails to start

– Added Application Versioning feature
– Added Ansible deployment onto TIGERTRAP platform
– Added deployment error diagnostics

– Fixed a bug where websocket upgrade responses would be dropped if they contained a body
– Improved websocket sec key generation

– The “Servers” and “High-side Client” whitelist fields now resolve symbolic names for Low Side requests
– Added a UTC clock to the Home and Logs pages

– Log rotation implemented to prevent logs growing to very large sizes
– Tidy up of log formats to provide consistency in how key/value pairs are presented.
– added separate statistics counters for unencrypted, partially encrypted and fully encrypted messages
– internal code changes as recommended by penetration testing review
– other miscellaneous bug fixes

– new API for HITMAN status
– added API failure logging
– added a Reverse Proxy MTLS support
– various bug fixes including fixes for penetration test deficiencies

– Added Ansible deployment method for the developers edition (softHITMAN) only. The playbooks can be found in ansible folder with an accompanying Readme. This method is not applicable to the appliance.

– added support for streamed responses HS to LS
– fully revised UI on both Soft and TT HITMAN
– Logging improvements and rationalisation
– Swift library permanently removed (other libraries not included in this version)
– documentation fully revised

– support for ECC keys in HITMAN
– removed support for RSA keys in TT HITMAN
– support for single sys logging (red side)
– interim delivery of UI improvements (not fully documented)

– Support 2 Network Cards in Soft HITMAN

– new HITMAN School
– reverse proxy documentation added
– aggregate statistics improvements
– application management changes
– initial management UI on TIGERTRAP
– added support for Content-Type: charset in requests to HITMAN
– added support for quoted boundary markers in requests to HITMAN
– removed restriction that a CR/LF must follow a boundary marker in requests to HITMAN


– Addition of documentation for Soft HITMAN
– New Installation Setup for Soft HITMAN
– New Configuration UI for Soft HITMAN
– XML Parsing in Soft HITMAN made equivalent to TT HITMAN

– 1st release of HITMAN. This is very much a work in progress released to The Authority as the existence proof of the results of the re-architecture project.

HITMAN includes:
O containing Release builds of Soft HITMAN and an ARM build of HITMAN for running on TIGERTRAP
O containing the Design Documents
O containing all the source code, test suite, and build scripts

– The maximum request or response size is 1Gb
– IPv6 not supported
– No libraries included either for C# or C++
– Reverse Proxies and Hitman do not support sending form data (multifile is not supported, only XML)

Known Issues
– Request IDs reset on reboot of Soft HITMAN
– If your applications uses high side requests then you must not run HITMAN School on the same node as Soft HITMAN.
– Logs generated by NginX may appear out of order from logs from other components when viewed in the Soft HITMAN UI.
– quotes in XSD request paths name not handled correctly
– TT does not properly check the integrity of the private key format
– non ASCII characters cannot be used in XSD path names
– User is able to upload unsupported or bad ECC private key type on TT HITMAN without getting an error
– TT HITMAN hangs in the following error use case. After more than 255 responses to requests are terminated by the application server (before the response is completed) the TIGERTRAP device will hang. A reboot of the TIGERTRAP is required to recover from the error.
– Misbehaving application servers can cause TT to lock up. TT will require a restart.
– Uploading the encryption private key as part of the APP-XD upload for COTS fails. The key can be uploaded via the Management UI.

APP-XD Red (Soft HiTMAN) requires to be run on a Linux system with this (or better) specification:
– Docker version >= 19.03.12
– docker-compose version >= 1.25.4
APP-XD Yellow requires
– TIGERTRAP version 4 hardware
– configuration compiler 4.1
APP-XD Black requires
– TIGERTRAP COTS hardware version 0.3 /Software 4.2.0
– configuration compiler 4.2.1
– note that an installation OVA containing the configuration compiler and build are available from Becrypt Technical Services

Note: pre production units are not supported with this release.

Firefox is the main browser supported by APP-XD

Arm based HITMAN is compatible with TIGERTRAPs built with configuration compiler 3.5.0

COTS based APP-XD may require manually restarting via iDRAC on first time boot, or after new application installation
– Power down High (Red)/Low (Black) sides via the iDRAC console
– Power cycle the Management side (Cold boot)
– Once Management has booted power on the High (Red)/Low (Black) sides

We're here to help

Please Contact us

general enquiries

+44 (0) 845 8382050


+44 (0) 345 8382070

Join Our Newsletter

Receive our latest blog posts directly in your inbox!